Darren Kitchen grants us another introduction to the world of hacking and cybersecurity with the latest from Hak5: The Packet Squirrel Mark II.
What is the Packet Squirrel Mark II?
Darren Kitchen in the “Hack Across America Van” gives us an existing introduction to the new toolset and features that are offered by the Packet Squirrel Mark II. A matchbook-sized Linux box, the Packet Squirrel can be used in the middle of any network segment via two RJ-45 ethernet ports. Some of the top features that are offered by the Packet Squirrel:
· DNS Spoofing
· Dynamic Proxy
· Regex Stream Matching
· Remote Access VPN
· Ducky Script, Bash, and Python abilities
Why was the Packet Squirrel Born?
“Necessity is the mother of invention.”
- Plato.
Hak5, like many other companies, faced manufacturing challenges during the Covid-19 pandemic. With not enough chips to go around, Hak5, with the famous Mike Kershaw (dragorn on Github) from the Kismet Wireless Project, teamed up to start over with a new packet squirrel design that eliminated the main IC (Integrated Circuit) issues they were facing. “ Mike took this and ran with it because what he’s come up with is nothing short of a masterpiece (Kitchen, 2023).”
The Packet Squirrel not only has 20 new ducky script commands but is also being packed with what Kitchen described as “low-level utilities that do some really heavy lifting network manipulation wise.”
Just like the Keycroc can read keystrokes and perform regex based on what’s typed in, the packet squirrel can do just the same but network-wise. Reading the contents of a TCP-Stream, the packet squirrel will perform custom actions based on the regex you might be looking for. One could be looking to log only BasicAuth traffic, Telnet, or HTTP. With these protocols chosen, The Packet Squirrel can then be instructed to either log that traffic, drop those packets, or perform some custom action by the penetration tester.
The Different Network Modes
The Packet Squirrel II comes with some incredible modes to help you manage the victim’s traffic in the best way possible.
NAT –
The most basic of networking modes, NAT acts as a router, and devices will be given an IP address via DHCP in the 172.16.32.X range. What the PSII does to receive internet from the outside world is it will ask for its own IP via DHCP as well. This mode is best for when stealth really isn’t necessary.
BRIDGE –
The Packet Squirrel operates as a layer-2 bridge. This mode is more subtle than NAT because devices connected to the Target port will continue to get IP addresses from the network connected to the Network port, essentially not using the Packet Squirrels 172.16.32.X range.
TRANSPARENT –
The Packet Squirrel in this mode still operates as a layer-2 bridge but does not attempt to obtain an IP address from the Network Port, making it invisible to the network. The stealthiest mode the PACKET SQUIRREL has to offer. But there are some downsides such as no VPN or Cloud C^2 Connectivity.
JAIL –
This mode will disconnect target devices from the network. Effectively removing network and internet access from the target devices. The PACKET SQUIRREL will continue to have internet and provide VPN and Cloud C2 access. This mode is best for blue teams wanting traffic detection to see what resources a target device is reaching to that might be malicious.
ISOLATE –
Disconnects the Packet Squirrel and targets devices connected to itself away from the internet and internal networks until a payload changes state or the device is rebooted into another mode.
Summary
This is just a small snippet of what the Packet Squirrel II is capable of, with an entire whitepaper on Dynamic Proxy, the ability to use encrypted storage and so many other great features. The Packet Squirrel II is another incredible tool in a pentesters arsenal. Up next we’ll go over the software and hardware tools in reverse engineering.