Quick Links

Payloads

Most community-contributed payloads are hosted in the centralized library on the Hak5 git repository.

Forums

The Hak5 forums are home to community support, payload development and general Packet Squirrel discussion.

Packet Squirrel Basics

The Packet Squirrel in a nutshell

Packets go in. Packets go out. What happens in between is up to you.

Of the three built-in payloads (tcpdump, DNS spoof, OpenVPN) only the latter two need to be configured. This is done via SSH or SCP (Windows users: see PuTTY and WinSCP).

To get into the device flip the switch to arming mode (far right position), plug an Ethernet cable from your computer into the Ethernet In port (left side, above the micro USB port), and power on the Packet Squirrel with any ordinary Micro USB cable and USB power supply (phone charger, computer’s USB port, battery bank). It takes 30-40 seconds to boot, indicated by a blinking green LED. Once it’s booted it’ll be in arming mode, indicated by a blinking blue LED.

From here your computer will receive an IP address from the Packet Squirrel in the 172.16.32.x range, and you’ll be able to ssh in as root to 172.16.32.1. The default password is hak5squirrel. Change it (with passwd) before deploying the device: this is the same root account that the OpenVPN payload exposes over the tunnel for remote access.

You’ll find the default payloads in /root/payloads in their corresponding switch folders.

RGB LED Indicator

This status LED will light to indicate various states such as boot-up, errors and payload execution.

Push Button

The push button may be used by payloads to perform functions using the BUTTON command. The push button also has two default actions, firmware recovery and factory reset, described under FAQ / Troubleshooting.

Arming Mode

In Switch Position 4 (closest to the USB host port) the Packet Squirrel will boot into arming mode, enabling SSH access. From this dedicated mode, Packet Squirrel payloads may be managed via SCP or the Linux shell. This mode is indicated by a slow blinking blue LED.

USB flash disk support

The Packet Squirrel supports USB flash disks formatted with either EXT4 or NTFS file systems. This is of particular importance since most USB flash disks come pre-formatted with FAT32 file systems and must be reformatted before use with the Packet Squirrel.

Windows users

With a USB flash disk connected, open Explorer and navigate to This PC. Right-click the USB flash disk and select Format. From the file system options, select NTFS and click Start. A volume label may be added for convenience. A quick format is all that is necessary to provision the drive.

Linux users

Most Linux distributions include the “Disks” utility. With a flash disk connected, launch Disks. Select the USB flash disk then click the gear icon and choose format. From the format volume menu, choose EXT4 from the type options and click format. A volume label may be added for convenience.

Default settings

  • Username: root
  • Password: hak5squirrel
  • IP Address: 172.16.32.1

LED status indications

LED               Status
Green (blinking)  Booting up
Blue (blinking)   Arming Mode
Red (blinking)    Error reading USB disk
Cyan (1 blink)    Starting payload 1
Cyan (2 blinks)   Starting payload 2
Cyan (3 blinks)   Starting payload 3

Selecting and adding payloads

To choose a payload, flip the selection switch to the desired position before powering on the Packet Squirrel. When it boots up, it will start the payload associated with the switch position.

Payloads can be stored on internal memory or externally from a USB disk.

On boot priority will be given to the USB disk – so if a payload exists there it will override any payloads stored on the internal memory.

If no USB disk is connected, or a USB disk is connected that does not contain payloads, the payloads stored on internal memory will start.

Payloads on internal memory are stored in /root/payloads in folders named switch1, switch2 and switch3 – which are associated with the payload selector switch hardware.

Payloads on USB disks should be stored in /payloads/ in corresponding switch1, switch2 and switch3 folders.

Default Payloads

The Packet Squirrel includes three out-of-the-box payloads: logging packets to a USB drive, spoofing DNS, and tunneling out through a VPN. The latter can either provide remote access into a network or encrypt the connection of whatever you plug it into.

How to log network traffic with the Packet Squirrel

The built-in tcpdump payload from switch position 1 saves standard pcap files to a loot folder on a USB flash drive. This payload requires no configuration other than a properly formatted USB flash drive.

The USB flash drive must be formatted with either the NTFS or EXT4 file system. This is of particular importance since most USB drives come formatted with FAT32 or exFAT. Windows can format NTFS and most Linux distributions can format EXT4 (see USB flash disk support above); macOS Disk Utility offers neither, so Mac users should format the drive on another machine or use the reformat_usb utility included on the Packet Squirrel (see Included tools).

  1. Plug a USB drive formatted in NTFS or EXT4 into the USB host port on the right side of the Packet Squirrel.
  2. Flip the switch to position 1 to select the built-in tcpdump payload. Position one is on the far left, closest to the Micro USB power port.
  3. Plug the device you want to capture packets from into the Ethernet In port. It’s the Ethernet port on the left side above the Micro USB power port. This could be a computer, a network printer, an IP camera, or similar.
  4. Plug the network into the Ethernet Out port. That’s the one on the side with the USB type A female port.
  5. Power on the Packet Squirrel with a Micro USB cable and any ordinary USB power adapter like a smartphone charger, a computer’s USB port, USB battery bank, etc.
  6. Wait 40 seconds while the Packet Squirrel boots up, indicated by a flashing green LED. Once booted, tcpdump will begin saving pcap files containing the packets between the two Ethernet links to a loot folder on the inserted USB disk, indicated by a single flashing yellow LED.
  7. When you’re ready to stop capturing packets, press the button atop the Packet Squirrel. The LED will flash red to indicate that the file has completed writing to the USB flash drive. It is now safe to unplug the Packet Squirrel, remove the USB flash drive, and inspect the stored pcap file with a protocol analyzer such as Wireshark.

The tcpdump payload writes pcap files to the connected USB disk until the disk is full. A full disk is indicated by a solid green LED.

If the Packet Squirrel is powered off before the button is pressed, the last file may be corrupt or unreadable because it was not flushed to disk. A pcap file has no trailer, so Wireshark can usually still read a truncated capture up to the last complete packet.

If the Packet Squirrel is unable to read the USB disk (for example if the disk has not been formatted as NTFS or EXT4) the payload will fail, indicated by a blinking red LED.

How to spoof DNS with the Packet Squirrel

The built-in DNS spoofing payload from switch position 2 intercepts DNS requests between the target and the LAN and provides spoofed responses. By default the payload is configured to answer all requests with the IP address of the Packet Squirrel.

To configure the DNS Spoof payload with custom mappings, power on the Packet Squirrel in Arming Mode (switch in the far right position) and edit the /root/payloads/switch2/spoofhost file. This can be done either with a graphical SCP utility such as WinSCP or FileZilla, or from the command line via SSH.

SSH into the Packet Squirrel and edit the spoofhost file with nano.

Replace # with the domain you wish to spoof, and the IP address with the spoofed destination.

For example, a line mapping asitewewanttospoof.com to 159.203.210.247 makes the payload answer requests for asitewewanttospoof.com with 159.203.210.247.

With the spoofhost file configured and saved, power off the Packet Squirrel and flip the switch to position 2. Now place the Packet Squirrel inline between a target and the network. When it powers on the DNS spoof payload will run, indicated by a single blinking yellow LED.

Pro Tip: Modify the DNS Spoof payload to be more inconspicuous and to not blink the LED by changing line 22 of /root/payloads/switch2/payload.sh from LED ATTACK to LED OFF
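The page leaves the exact syntax of the spoofhost file to the screenshots that were here, and a malformed line is silently ignored by the payload in the field. The following shell functions are an added example, not part of this page or of the Hak5 payload: they assume the dsniff dnsspoof hosts format (one mapping per line: an IPv4 address, whitespace, a hostname pattern that may contain the * wildcard; lines beginning with # are comments; first matching line wins) and let you check a spoofhost file on your workstation before deploying it. spoof_lookup answers “what will this name resolve to?” for a query, validate_spoofhost reports lines that would be ignored or misread. Function names, the sample file and its addresses are this example’s own constructions.

```shell
#!/bin/sh
# Added example: inspect a Packet Squirrel spoofhost file before deploying it.
# Assumed line format (dsniff dnsspoof hosts file): "<IPv4> <hostname-pattern>"
# with shell-style * and ? wildcards in the pattern and '#' comment lines.

# is_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# normalize NAME: lowercase and strip a trailing dot, as a resolver would.
normalize() {
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s' "${n%.}"
}

# spoof_lookup FILE NAME: print the IP the first matching line maps NAME to.
# Returns 1 if no line matches (the real resolver's answer would pass through).
spoof_lookup() {
  file=$1
  qname=$(normalize "$2")
  while read -r ip pattern rest || [ -n "$ip" ]; do
    case "$ip" in ''|'#'*) continue ;; esac      # blank or comment line
    pattern=$(normalize "$pattern")
    # an unquoted $pattern in a case label is matched as a glob, so * works
    case "$qname" in
      $pattern) printf '%s\n' "$ip"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# validate_spoofhost FILE: report lines the payload would ignore or misread.
# Returns 0 when every non-comment line is "<IPv4> <pattern>", 1 otherwise.
validate_spoofhost() {
  file=$1
  rc=0
  lineno=0
  while read -r ip pattern rest || [ -n "$ip" ]; do
    lineno=$((lineno + 1))
    case "$ip" in ''|'#'*) continue ;; esac
    if [ -z "$pattern" ]; then
      echo "line $lineno: expected '<IP> <pattern>', got only '$ip'"; rc=1
    elif [ -n "$rest" ] && [ "${rest#\#}" = "$rest" ]; then
      echo "line $lineno: trailing text '$rest' after the pattern"; rc=1
    elif ! is_ipv4 "$ip"; then
      echo "line $lineno: '$ip' is not an IPv4 address"; rc=1
    fi
  done < "$file"
  return $rc
}
```

Run validate_spoofhost spoofhost first, then spoof_lookup spoofhost www.example.com for the names you care about; a catch-all line such as one mapping * to the Packet Squirrel’s address should be last, because anything after the first matching line is never consulted.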

How to use the Packet Squirrel OpenVPN payload

The OpenVPN payload for the Packet Squirrel can provide remote access or client tunneling.

Remote Access

The first (default) behavior is to provide remote access into the network. In this mode the target plugged into the “Ethernet In” port on the Packet Squirrel will have access to the network plugged into the “Ethernet Out” port without interruption. Meanwhile, an OpenVPN connection will be established, typically to your server on the Internet, enabling remote access into the Packet Squirrel.

Client Tunneling

The second, optional behavior is to tunnel all of the traffic from the target device plugged into the “Ethernet In” port through the configured OpenVPN connection. This is configured by editing the /root/payloads/switch3/payload.sh file and changing line 5 to FOR_CLIENTS=1

In either mode the SSH server on the Packet Squirrel will be enabled for remote access, so change the default root password before deploying.

Server Setup

Begin by setting up an OpenVPN server, typically on a VPS or dedicated server with a static IP address. For reference, see the Hak5 YouTube playlist titled “Hak5: VPNs – Everything You Need to Know” or search for Hak5 episode 2022 for a 5-minute OpenVPN install script.

Quick Setup: Try the OpenVPN installer from https://github.com/Nyr/openvpn-install
From a shell on your new VPS or dedicated server on the Internet, issue:

wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh

Accept all of the defaults and in a few moments a client.ovpn file will be created. Note that this fetches a script and runs it as root on your server: read it before running it, and if the git.io short link no longer resolves, download openvpn-install.sh directly from the repository above.

Client Setup

With the server set up, generate a client configuration file (the .ovpn file, which embeds the client certificate and private key) and copy it to the Packet Squirrel as /root/payloads/switch3/config.ovpn

Quick Setup: SSH into the Packet Squirrel in Arming Mode and have it copy the client.ovpn file from your OpenVPN server to the OpenVPN payload’s config.ovpn file using SCP (Secure Copy). This requires the Packet Squirrel’s Ethernet Out port to be connected to an Internet-connected network (see Internet Connection below). Replace root@vpn.example.com with the user and host of your own server:

scp root@vpn.example.com:client.ovpn /root/payloads/switch3/config.ovpn

Deployment

With the OpenVPN server ready and the client on the Packet Squirrel configured, flip the selector switch to position 3 and deploy inline between a target and network in the same manner as the previous Packet Capture and DNS Spoof examples. When the OpenVPN connection is established the Packet Squirrel will blink yellow.

If you’re using the Client Tunneling mode there’s no further configuration necessary. To test the connection, for example if the target is a computer, browse to one of the many IP address testing sites such as ipchicken.com and verify that the address shown is the VPN server’s rather than the local network’s, which confirms the traffic is being tunneled through the VPN.

If you’re using the Remote Access mode, the Internet connection of the target will not go through the VPN. Rather, the VPN may be used to SSH into the Packet Squirrel. To do so, begin by connecting to the VPN server via SSH and determine the IP address of the Packet Squirrel on its OpenVPN network. Typically this is the next address after the OpenVPN server’s tunnel interface. For example, on the OpenVPN server issue ifconfig (or ip addr) and look for a tun0 interface; its default address is 10.8.0.1, so with a single client the Packet Squirrel is usually 10.8.0.2. If other clients share the server, look the Packet Squirrel up by its certificate name in the server’s OpenVPN status log (the file named by the status directive in the server configuration) rather than guessing. From there, SSH into the Packet Squirrel as root at that address, e.g. 10.8.0.2.

Internet Connection

Getting the Packet Squirrel online

To get your Packet Squirrel online, plug it into an Internet connected network that supports DHCP. By default the Packet Squirrel will be looking for a network connection from its Ethernet Out port, otherwise known as its WAN port. This is the RJ45 jack on the right side of the device above the female USB type A port.

Downloads

Firmware Upgrades

From time to time the Packet Squirrel may be updated with new firmware to add features and security improvements. It is highly recommended that you keep your Packet Squirrel up to date with the latest firmware. To install the latest firmware:

  1. Download the upgrade file. Make sure that the filename is upgrade-version.bin (where version is the firmware version, e.g. 1.2) and check that the SHA-256 sum matches.
  2. Copy the upgrade file to the root of an NTFS or EXT4 formatted USB flash drive. Do not rename, unpack or otherwise alter this file.
  3. Plug the USB drive into the powered-off Packet Squirrel
  4. Flip the Packet Squirrel payload select switch to Arming mode (far right, closest to the USB flash drive)
  5. Power on the Packet Squirrel from a reliable USB power source. This process takes 5-10 minutes and will be indicated by a series of LED lights. Do not power-off or otherwise interrupt the device until the flashing process completes.
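Step 1 says to check the SHA-256 sum but not how. The following shell function is an added example, not from this page or from Hak5: it computes the digest with sha256sum (or shasum -a 256 on macOS), compares it with the published value, and also enforces the upgrade-<version>.bin naming that the upgrade procedure depends on. The function names are this example’s own.

```shell
#!/bin/sh
# Added example: verify a downloaded Packet Squirrel firmware image against the
# SHA-256 published on this page before it goes anywhere near a USB disk.

# sha256_of FILE: print the lowercase hex digest, or return 2 if no tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no sha256sum or shasum on this system" >&2
    return 2
  fi
}

# verify_firmware FILE EXPECTED_SHA256: 0 on match, 1 on mismatch or wrong
# name, 2 if the digest could not be computed. The name check mirrors the
# upgrade procedure: the device only looks for upgrade-<version>.bin.
verify_firmware() {
  f=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$(basename "$f")" in
    upgrade-*.bin) ;;
    *) echo "FAIL: $f is not named upgrade-<version>.bin"; return 1 ;;
  esac
  [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
  actual=$(sha256_of "$f") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $f matches $expected"
    return 0
  fi
  echo "FAIL: $f digest mismatch"
  echo "  expected $expected"
  echo "  actual   $actual"
  return 1
}

# Usage against the 1.2 image and the checksum published in the firmware list:
#   verify_firmware upgrade-1.2.bin c1f2cbe2096fd04df3a91721b447573b1005894809592d0a76bf865992d16b7a
```

Only copy the file to the USB disk when the function prints OK; a mismatch means a corrupted or tampered download, and flashing it is the one thing the recovery procedure below exists to undo.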

During the firmware flashing process, the LED will indicate the following states:

  1. Green flashing – booting up
  2. Red/Blue alternating – beginning firmware flash
  3. Solid Red or Blue – firmware flash in progress
  4. Green flashing – rebooting
  5. Blue flashing – upgrade complete, arming mode ready

Firmware version 1.2

Download upgrade-1.2.bin

SHA-256: c1f2cbe2096fd04df3a91721b447573b1005894809592d0a76bf865992d16b7a

Changelog v1.2:

  • Added crc32c libraries and kernel modules for better mass storage support
  • Added 'empty' to firmware
  • Added shadowsocks client to firmware

Firmware release thread


Firmware version 1.1

Download upgrade-1.1.bin

SHA-256: c229dab9807f3555b22eed28f32e10f762b831bce860e5e097b97c43a43ee323

Changelog v1.1:

  • Added NETMODE CLONE
  • Added wireless drivers for RT3070 and RT5370
  • Added ASIX AX88772 and CDC-Ethernet drivers
  • Added ssh-copy-id command
  • Added lsusb command
  • Replaced AutoSSH with SSHTunnel
  • The default OpenVPN payload is now portable (can be moved to a different switch position)

Firmware release thread

Payload Development

Payload development basics

Packet Squirrel payloads can be written in any standard text editor, such as notepad, vi or nano.

Payloads may be written in bash, Python or PHP and as such must be named payload.sh, payload.py or payload.php respectively. Additionally a payload.txt file will be processed according to its interpreter directive.

All payloads should begin with an interpreter directive. For example, bash payloads should begin with the typical shebang /bin/bash

#!/bin/bash

Similarly, Python payloads should begin with shebang /usr/bin/python

#!/usr/bin/python

Squirrel Script

Squirrel Script is not an actual scripting language, however it is a friendly moniker for the set of Packet Squirrel specific commands. These commands simplify interfacing with the hardware and may be called from payloads written in bash, python and PHP, or directly from the console via SSH.

COMMAND  Description
NETMODE  Sets the networking mode: NAT, BRIDGE, TRANSPARENT, VPN or CLONE (CLONE from firmware 1.1).
LED      Controls the RGB LED. Accepts a color and pattern, or a payload state.
BUTTON   Pauses the payload for a specified time or until the button is pressed.
SWITCH   Reports the current switch position.

NETMODE

NETMODE is a Squirrel Script command which specifies which network mode to use in a given payload. These network modes determine how the Packet Squirrel will route traffic.

NETMODE BRIDGE

This creates a bridge between the two Ethernet interfaces. Both the Packet Squirrel and its target device get IP addresses from the target network’s router.

NETMODE TRANSPARENT

This mode is similar to the bridge network mode, except that the Packet Squirrel does not get an IP address from the target network’s router. The Packet Squirrel therefore has no network (typically Internet) access of its own, but it can still sniff the packets crossing the wire.

NETMODE NAT

In this network mode the Packet Squirrel obtains an IP address from the target network’s router and the target device gets an IP address from the Packet Squirrel.

NETMODE VPN

This network mode is the same as NAT with a special VPN interface setup specific to client tunneling.

NETMODE CLONE

This network mode clones the MAC address of the target device on the Ethernet In port and uses it on the LAN from the Packet Squirrel’s Ethernet Out port (added in firmware 1.1).

In practice, when a payload calls NETMODE CLONE, the Packet Squirrel inspects packets sniffed from the target on the IN side, learns its MAC address, and sets that address on the OUT (LAN) side. This typically takes just a few seconds.

For stealth deployments, have the Packet Squirrel clone the MAC address of the target device from its Ethernet IN port before connecting the cable to the Ethernet OUT port, so the LAN never sees the Packet Squirrel’s own address. The Packet Squirrel will indicate that the MAC address has been successfully cloned by several seconds of rapid white blinking on its LED.

LED

The multi-color RGB LED status indicator on the Packet Squirrel may be set using the LED command. It accepts either a combination of color and pattern, or a common payload state.

LED Colors

COMMAND Description
R Red
G Green
B Blue
Y Yellow (AKA Amber)
C Cyan (AKA Light Blue)
M Magenta (AKA Violet or Purple)
W White

LED Patterns

PATTERN   Description
SOLID     No blink (default; used if the pattern argument is omitted)
SLOW      Symmetric 1000 ms ON, 1000 ms OFF, repeating
FAST      Symmetric 100 ms ON, 100 ms OFF, repeating
VERYFAST  Symmetric 10 ms ON, 10 ms OFF, repeating
SINGLE    1 blink (100 ms ON) followed by 1 second OFF, repeating
DOUBLE    2 blinks (100 ms ON each) followed by 1 second OFF, repeating
TRIPLE    3 blinks (100 ms ON each) followed by 1 second OFF, repeating
QUAD      4 blinks (100 ms ON each) followed by 1 second OFF, repeating
QUIN      5 blinks (100 ms ON each) followed by 1 second OFF, repeating
ISINGLE   Inverse of SINGLE: 1 blink (100 ms OFF) followed by 1 second ON, repeating
IDOUBLE   Inverse of DOUBLE: 2 blinks (100 ms OFF each) followed by 1 second ON, repeating
ITRIPLE   Inverse of TRIPLE: 3 blinks (100 ms OFF each) followed by 1 second ON, repeating
IQUAD     Inverse of QUAD: 4 blinks (100 ms OFF each) followed by 1 second ON, repeating
IQUIN     Inverse of QUIN: 5 blinks (100 ms OFF each) followed by 1 second ON, repeating
SUCCESS   1000 ms of VERYFAST blinking followed by SOLID
1-10000   Custom value in ms for continuous symmetric blinking

LED State

These standardized LED states may be used to indicate common payload status. The basic LED states are SETUP, FAIL, ATTACK, CLEANUP and FINISH. Payload developers are encouraged to use these common payload states. Additional states, including multi-stage attack patterns, are shown in the table below.

STATE     COLOR  PATTERN   Description
SETUP     M      SOLID     Magenta solid
FAIL      R      SLOW      Red slow blink
FAIL1     R      SLOW      Red slow blink
FAIL2     R      FAST      Red fast blink
FAIL3     R      VERYFAST  Red very fast blink
ATTACK    Y      SINGLE    Yellow single blink
STAGE1    Y      SINGLE    Yellow single blink
STAGE2    Y      DOUBLE    Yellow double blink
STAGE3    Y      TRIPLE    Yellow triple blink
STAGE4    Y      QUAD      Yellow quadruple blink
STAGE5    Y      QUIN      Yellow quintuple blink
SPECIAL   C      ISINGLE   Cyan inverted single blink
SPECIAL1  C      ISINGLE   Cyan inverted single blink
SPECIAL2  C      IDOUBLE   Cyan inverted double blink
SPECIAL3  C      ITRIPLE   Cyan inverted triple blink
SPECIAL4  C      IQUAD     Cyan inverted quadruple blink
SPECIAL5  C      IQUIN     Cyan inverted quintuple blink
CLEANUP   W      FAST      White fast blink
FINISH    G      SUCCESS   Green 1000 ms VERYFAST blink followed by SOLID

Examples

LED Y SINGLE
LED M 500
LED SETUP

SWITCH

The SWITCH command will report back the current position of the hardware payload selection switch and may be used by advanced payloads as a toggle where user input is required.

The command will output either “switch1”, “switch2”, “switch3” or “switch4”

BUTTON

The BUTTON command pauses the payload until either the hardware push-button has been momentarily depressed, or an optionally specified time has elapsed.

In the event that a time is specified, BUTTON will exit with a non zero return code if the push-button is not pressed in the given time, and zero if the push-button was pressed.

if BUTTON 1m; then
  echo "button pressed"
else
  echo "button not pressed"
fi

If no time is specified the BUTTON command will pause indefinitely until the push-button is pressed.

During this pause, the LED will light the SPECIAL status, meaning a solid cyan color which blinks off for 100 ms every second.

Time may be specified in (s)econds, (m)inutes, (h)ours or (d)ays. For example:

BUTTON 10s # Wait for 10 seconds for button press
BUTTON 30m # Wait for 30 minutes for button press
BUTTON 365d # Wait 1 year for button press
BUTTON # wait indefinitely for button press

The special LED status light may be suppressed by setting the NO_LED environment variable to 1.

NO_LED=1 BUTTON 1m

Included tools

Tools on the Packet Squirrel include:

  • openvpn
  • autossh
  • tcpdump
  • ngrep
  • urlsnarf
  • meterpreter-php
  • meterpreter-https
  • cron
  • nmap
  • dsniff
  • ncat-ssl
  • ncat
  • sshfs
  • wget

Additionally a utility to reformat a USB flash disk is included:

  • reformat_usb

Payload Best Practices / Style Guide

Payloads should begin with comments specifying the name of the payload, a description, the author(s), any special requirements, the intended target, category, netmodes and the LED status.

# Title:         CATERNET
# Description:   DNS Spoofs the Internet and serves up random cat photos
# Author:        Hak5Darren
# Version:       1.0
# Category:      Prank
# Target:        Any
# Net Mode:      NAT

Configurable options should be specified in variables at the top of the payload file, after the header comments and the shebang, so an operator can adjust a payload without reading its logic.


#!/bin/bash
# OpenVPN payload

# Set to 1 to allow clients to use the VPN
FOR_CLIENTS=0

DNS_SERVER="8.8.8.8"

LED should use common payload states rather than unique color/pattern combinations when possible. The LED command should precede the NETMODE command for any given stage. Common payload states include SETUP, which may include a FAIL if certain conditions are not met.

When the payload has FINISHed, the Packet Squirrel is safe to power off.
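Putting the style guide together with the LED, NETMODE and BUTTON commands from the Squirrel Script section, here is a complete payload as an added example (it is not one of the Hak5 payloads and not code from this page): it carries the header block, keeps its configurable options at the top, sets the LED state before the NETMODE call, FAILs in SETUP when the USB loot folder is not writable, captures with tcpdump until the BUTTON is pressed or a timeout expires, and FINISHes only after the capture has been flushed. The mount point /mnt/loot/pcap, the interface name eth0 and the helper function names are assumptions made for this example; confirm the first two on your firmware in arming mode.

```shell
#!/bin/bash
# Title:         PCAP-UNTIL-BUTTON
# Description:   Transparent tap that writes size-rotated pcaps to the USB loot
#                folder until the button is pressed or a timeout expires
# Author:        added example for this page (not a payload from the Hak5 repository)
# Version:       1.0
# Category:      Reconnaissance
# Target:        Any
# Net Mode:      TRANSPARENT
# LED:           SETUP, then FAIL (USB not writable) or ATTACK (capturing), CLEANUP, FINISH

# Configurable options at the top, per the style guide. The mount point and the
# interface name are assumptions for this example, not values taken from the
# device's own payloads: confirm them in arming mode with mount and ip link.
LOOT_DIR="/mnt/loot/pcap"
CAPTURE_IF="eth0"
ROTATE_MB=50               # tcpdump -C: start a new file every ROTATE_MB million bytes
MAX_RUN="12h"              # BUTTON timeout: stop even if nobody presses the button
BPF_FILTER="not port 22"   # keep our own management SSH out of the loot

# SETUP precondition (the style guide's FAIL case): the USB disk must be mounted
# and writable. Returns 0 if DIR exists (or can be created) and a file can be
# written in it, 1 otherwise.
require_loot_dir() {
  mkdir -p "$1" 2>/dev/null || return 1
  touch "$1/.write_test" 2>/dev/null || return 1
  rm -f "$1/.write_test"
}

# pcap_name DIR: unique output path; with -C, tcpdump appends 1, 2, ... to it
# for each rotated file.
pcap_name() {
  printf '%s/dump_%s.pcap' "$1" "$(date +%s)"
}

setup() {
  LED SETUP                        # LED state first, then NETMODE, per the style guide
  require_loot_dir "$LOOT_DIR" || { LED FAIL; exit 1; }
  NETMODE TRANSPARENT              # no address on the wire; we only listen
}

run() {
  LED ATTACK
  out=$(pcap_name "$LOOT_DIR")
  tcpdump -i "$CAPTURE_IF" -C "$ROTATE_MB" -w "$out" $BPF_FILTER >/dev/null 2>&1 &
  tpid=$!
  NO_LED=1 BUTTON "$MAX_RUN"       # keep the ATTACK pattern instead of BUTTON's cyan
  LED CLEANUP
  kill "$tpid" 2>/dev/null
  wait "$tpid" 2>/dev/null
  sync                             # flush the last pcap before the operator pulls the disk
  LED FINISH                       # green: safe to power off
}

# The squirrel commands only exist on the device; elsewhere (reviewing or
# testing the helpers on a workstation) the payload defines its functions and stops here.
if command -v NETMODE >/dev/null 2>&1; then
  setup
  run
fi
```

Save it as payload.sh in a switch folder on the USB disk or under /root/payloads/switchN. The final guard is what lets the precondition helpers be exercised off the device, where the squirrel commands do not exist, without the payload trying to run.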

Submitting payloads

Payloads may be submitted to the Packet Squirrel Payload git repository. For a video tutorial on submitting payloads, see Hak5 episode 2126.

FAQ / Troubleshooting

How do I reset the device or recover its firmware?

Firmware Recovery

Holding the push button for 3-7 seconds while powering on the device in the arming mode will enable access to the firmware recovery web console. From this mode you can browse to the recovery console at http://192.168.1.1 from a computer connected to the Ethernet In port.

In some cases where an IP address is not obtained from the Packet Squirrel’s DHCP server, a static IP address must be set within the 192.168.1.x range in order to access the firmware recovery web console.

Download the squirrel-recovery.bin factory recovery image.
SHA256 sum: f4f724929b9c314a34885346c8b7d381760f21015fb2452151333744e6b58867

Factory Reset

Settings may be restored to defaults using the factory reset procedure. This process will restore the device to the initial configuration of the latest installed firmware. Upon performing the factory reset procedure, all settings including password will be reset. To perform a factory reset from a fully booted Packet Squirrel, hold the push button for approximately 7 seconds. The device will then reboot.

I'm not getting an IP address from the Packet Squirrel in Arming Mode

Make sure you’re plugging your computer into the “Ethernet In” port on left side of the device. This is the LAN port, which will offer the receiving device an IP address via DHCP. The “Ethernet Out” port on the right side of the device is the WAN port, which will seek to obtain an IP address via DHCP.

My Packet Squirrel doesn't light up for the first 10 seconds on boot.

This is normal, expected behavior. The boot-up process takes 30-40 seconds, at which time the LED will blink green starting at around the 10 second mark.

Is the Packet Squirrel gigabit?

No, but it will auto negotiate down to 100 Mbps. In most scenarios, like planting it behind a network printer or workstation, it won’t be a bottleneck.

Does the Packet Squirrel do PoE?

No, that wouldn’t fit in its tiny footprint. However, it is powered by USB with an extremely low (120 mA average) draw.

What are the hardware specifications?

  • Atheros AR9331 SoC at 400 MHz MIPS
  • 16 MB Onboard Flash
  • 64 MB DDR2 RAM
  • 2x 10/100 Ethernet Port
  • USB 2.0 Host Port
  • 4-way payload select switch
  • RGB Indicator LED
  • Scriptable Push-Button
  • Power: USB 5V 120mA average draw
  • Dimensions: 50 x 39 x 16 mm
  • Weight: 24 grams

Community Support

Hak5 Gear is more than just hardware or software — it’s home to a helpful community of creative penetration testers and IT professionals. Welcome!

The forums are a great place to share feedback and ideas. You’ll also find community support and discussion as well as modules, payloads, tutorials and software releases. Be sure to use the search feature to find answers to common questions.

Looking for something a little more informal? The IRC channel is home to a passionate group of Hak5 enthusiasts. Join us on irc.hak5.org.

Please be aware that views expressed by community members are not those of Hak5 LLC.

Resources

Payloads

Many payloads are hosted in the centralized library on the Hak5 git repository at github.com/hak5/packetsquirrel-payloads. Payloads in this repository are contributed by the community. As with any script downloaded from the Internet, read it before running it.

WARNING: Community payloads come with absolutely no warranty. You are solely responsible for the outcome of their execution.

Wiki

The Packet Squirrel Wiki is brought to you by Hak5 and many other community members and can be found at wiki.packetsquirrel.com.