When I bought the Bash Bunny from Hak5, I was lucky: they had just released the Packet Squirrel. I ordered one for our business, and I would like to share my experience with you. As it is, once again, a clever device with interesting functionality, I will start with what it can do.
What can the Packet Squirrel do?
HW VPN
For a regular user, the device can act as a hardware VPN: everything plugged in behind the Packet Squirrel is tunneled through the VPN. This keeps the traffic unreadable to the local network administrator, and it can also make your corporate network reachable from a remote site. Of course, you usually run the VPN client directly on your PC or notebook, but there are cases where the device is useful, e.g. putting several devices behind one VPN, or when the connected device should not know the VPN parameters at all. Keep in mind that only the contents of the tunnel are hidden: the VPN endpoint's address and the volume and timing of the traffic are still visible to the local network.
Packet capture
The device can also capture network traffic. It sits in the network as a transparent bridge and writes everything that passes through it to the attached USB flash drive (tcpdump does the capturing, and its BPF filter syntax lets you record only the traffic you are interested in). It does not have to sit between a PC and a switch; you can also put it between two switches or between a switch and a router to see more traffic. This is useful for debugging network traffic or for interception. Keep the storage in mind: a saturated 100 Mbps link is about 12.5 MB/s, roughly 45 GB per hour, so a capture filter or tcpdump's rotating files (-C/-W) are essential for anything longer than a quick look. In TRANSPARENT mode the device sends no frames of its own, so it is practically undetectable on the network (that is, if the network is only 100 Mbps 🙁; on a gigabit link the port it is plugged into drops to 100 Mbps, which an attentive administrator can notice).
MITM
Another option is an active MITM, i.e. modifying the data passing through the device. The possibilities are endless: DNS spoofing, ARP poisoning, a rogue DHCP server, proxying, SSL stripping. Poorly secured services can thus leak user data, directly in the case of plain-text protocols (telnet, FTP, POP3, IMAP, HTTP) and, for their encrypted variants (RDP, FTPS, IMAPS, HTTPS, potentially SSH), only when the client accepts a spoofed certificate or host key or can be downgraded. Data can also be altered in transit, e.g. modifying or infecting web pages or downloaded programs, which further compromises the computers behind the Packet Squirrel. Captured passwords can be stored directly on the connected USB flash drive or sent out over the Internet (if you do not plan to come back for the device, or if you want to use the data to move through the network as soon as possible).
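As an added example (not code from the original post or from Hak5) of what the capture-to-USB workflow above yields, here is a small triage script for the resulting pcap: it walks the file, pulls out TCP payloads and reports FTP/POP3 logins and HTTP Basic headers sent in the clear, while TLS traffic stays opaque, which is the point of the caveat about encrypted services. It assumes tcpdump's default classic pcap format (not pcapng), an Ethernet link type and IPv4/TCP; the sample capture at the bottom is constructed in-line with dummy MACs and zeroed checksums so the script runs offline. Host names, addresses and credentials in it are made up.

```python
"""Triage an inline-tap pcap for credentials sent in the clear (added example)."""
import base64
import re
import struct
from collections.abc import Iterator

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = b"\x08\x00"
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}  # both use USER/PASS lines

# "USER alice\r\n" / "PASS hunter2\r\n" as sent by FTP and POP3 clients
USER_PASS_RE = re.compile(rb"^(USER|PASS) ([^\r\n]+)\r\n", re.M)
# HTTP Basic auth: the header value is merely base64("user:password")
HTTP_BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)


def tcp_payloads(pcap: bytes) -> Iterator[tuple[str, int, str, int, bytes]]:
    """Yield (src_ip, src_port, dst_ip, dst_port, payload) for every TCP segment
    carrying data. No stream reassembly; the caller pairs up multi-segment logins."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]  # bytes saved of this frame
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:  # 14 eth + 20 ip minimum
            continue
        ip = frame[14:]
        if ip[9] != 6:  # IP protocol 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset in words)
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield src, sport, dst, dport, payload


def find_credentials(pcap: bytes) -> list[dict]:
    """One record per credential: plain-text FTP/POP3 logins and HTTP Basic headers.
    TLS segments (HTTPS, IMAPS, ...) never match: a passive tap gets nothing from them."""
    found, pending_user = [], {}
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        where = {"client": src, "server": f"{dst}:{dport}"}
        for m in HTTP_BASIC_RE.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError: not real base64, skip
                continue
            user, _, secret = decoded.partition(":")
            found.append({"proto": "http-basic", **where, "user": user, "secret": secret})
        if dport in CLEARTEXT_LOGIN_PORTS:
            flow = (src, sport, dst, dport)
            for m in USER_PASS_RE.finditer(payload):
                value = m.group(2).decode("latin-1")
                if m.group(1) == b"USER":
                    pending_user[flow] = value
                else:  # PASS: pair it with the USER seen earlier on the same flow
                    found.append({"proto": CLEARTEXT_LOGIN_PORTS[dport], **where,
                                  "user": pending_user.pop(flow, "?"), "secret": value})
    return found


# --- constructed sample capture: made-up hosts, zeroed checksums, dummy MACs ---
def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes(12) + ETHERTYPE_IPV4 + ip


def build_pcap(frames: list[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)


SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", 40001, "10.0.0.20", 21, b"USER alice\r\n"),
    _frame("10.0.0.5", 40001, "10.0.0.20", 21, b"PASS hunter2\r\n"),
    _frame("10.0.0.5", 40002, "10.0.0.30", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
           b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    _frame("10.0.0.5", 40003, "10.0.0.40", 443, b"\x16\x03\x01\x00\x2a" + bytes(42)),  # TLS
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for record in find_credentials(data):
        print(record)
```

Run it with the path of a pcap from the flash drive as the argument, or with no argument to see the two records from the built-in sample (the FTP login and the Basic header; the HTTPS segment yields nothing). The parser deliberately does no TCP reassembly, so a USER/PASS pair split across two segments is matched by flow tuple instead; for real engagements, point it at tcpdump's rotated files one by one.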
Backdoor
Since the Packet Squirrel is an ordinary small Linux computer, it can also be left in a network as a backdoor through which you can go on scanning the whole network (Nmap, OpenVAS). To the network the Packet Squirrel looks like a regular networking device that opens a VPN connection out to you, and through that VPN you then get into the network it is plugged into. Because the connection is initiated from the inside, it usually passes the perimeter firewall like any other outbound connection.
What is the Packet Squirrel?
This is again a microcomputer (Atheros AR9331 SoC with a 400 MHz MIPS core, 64 MB DDR2 RAM, 16 MB internal flash storage, powered at 5 V / 120 mA). It has one USB host port, one micro USB port for power, and two 100 Mbps Ethernet ports. Unlike the Bash Bunny, it is not intended for BadUSB-style attacks but for MITM attacks.
Because it is not plugged into USB but in between two Ethernet cables, it needs a separate power supply. PoE is unfortunately not supported, so the device has to be powered over a micro USB cable (external battery, PC, printer, router). I think the modest hardware was chosen precisely for long run-time on an external battery: at 120 mA a 10,000 mAh power bank gives roughly 80 hours on paper, and since the rating refers to the cells (3.7 V) rather than the 5 V output and the boost converter is not lossless, it should run for something like 2 to 3 days in practice.
Just like the Bash Bunny, the Packet Squirrel has a programmable RGB LED for status signaling (attack progress), a programmable push button, and a four-position switch (one position more than the Bash Bunny) for selecting the pre-set attacks.
Unfortunately, the big drawback of the Packet Squirrel is that it supports only 10/100 Mbps Ethernet. If you plug it into a 1 Gbps link, the link renegotiates down to 100 Mbps, which is noticeable both to the user (a slower connection) and to an administrator who watches port speeds on the switch.
Once again, the official manufacturer video: 20 minutes of video instead of thousands of words. 🙂
Practical notes
Unfortunately, just like last time, I didn't have enough time to play around much. Still, a few observations:
- You can write attacks yourself. Uploading them is a bit more involved than on the Bash Bunny, because the Packet Squirrel has to be plugged into a network and then reached over SSH and SCP. There is again a payload repository at https://github.com/hak5/packetsquirrel-payloads, but this time it is much thinner, as the device is new.
- The Packet Squirrel can run in the following network modes: transparent bridge (not visible on the network), bridge with its own interface (everything in one network, and the device itself has an address on it), and NAT with an interface (the devices behind the Packet Squirrel are hidden behind NAT, while the device itself sits on the upstream network).
- The device boots more slowly than the Bash Bunny, about 38 seconds. On the other hand, it is not meant for quick hit-and-run actions like the Bash Bunny but for much longer engagements (a matter of hours), so this does not matter much.
Where to get Packet Squirrel from?
I ordered the Packet Squirrel, like the Bash Bunny, directly from the USA, but it got quite expensive. I thought a Raspberry Pi with an additional USB Ethernet adapter might not be a bad alternative; it would give more processing power and a 1 Gbps interface. What do you think? Do you have any experience with it?
In fact, I have been thinking for a long time about preparing a Raspberry Pi with Kali Linux and using it as a backdoor in the network during penetration tests.
My plans for use
Just like the Bash Bunny, I plan to use the Packet Squirrel for customer demonstrations, penetration testing and training colleagues. I can imagine that if you plug the Packet Squirrel in at a PC (drawing USB power from it) or at a switch/router with an external battery and stick a “do not disconnect” label on it, no one will ever touch it. 😉
I think most networks are far more vulnerable from inside the LAN than from the Internet, so it is good to have a backdoor in the target network that carries you through the penetration test.
Conclusion
There are many more interesting devices for “tinkering” out there; I came across this German article: https://www.heise.de/ct/ausgabe/2017-18-Bash-Bunny-3800517.html.
Personally, I hope to find more time to play around this year and put together an impressive “show” for customers. 🙂 I will share the findings with you again.
What is your experience? Do you have any similar “pub tricks”?
EDIT 23. 4. 2018: I wrote a follow-up article, “How to Hack a Computer in Seconds, or an Attack with Bash Bunny and Packet Squirrel”. I will translate it into English as soon as possible.