aclx

Do you know the behavior of Layer 2 multicast? Yes I want to capture it and replay some specific multicast data ... I have verified tcpreplay -i br-lan -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> OK tcpreplay -i eth0 -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> OK tcpreplay -i eth1 -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> NOK with wireshark ...

how can I check if the cc-client service is running?

tcpreplay only works on br-lan and eth0 interface. eth1 is not sending any traffic ... NETMODE BRIDGE tcpreplay -i br-lan -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> OK tcpreplay -i eth0 -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> OK tcpreplay -i eth1 -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng -> NOK

I have done it like your great description without any success 😞 Does the packet squirrel connect to the C2 Server in the arming mode?

tcpreplay -i br-lan -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng works! I aspect that the traffic will be sent out on the LAN (Ethernet Out) interface and not out on the PC (Ethernet In) Interface. Is there a command in bridge mode to send multicast layer2 traffic on Ethernet out interface?

yes it is firmware version 3.2 Mk1 Squirrel

thanks a lot for your time and support!!! I will reset the squirrel to factory defaults and try it again.

okay. so far I am understand. the squirrel needs no client certificate, right? and the public key from the C2SERVER must be added to /etc/ssl/certs/ca-certificates.crt right?

no the squirrel is called squirrel01 and the server DemoC2. the squirrel can resolve the the name DemoC2 via DNS. Ping is working fine. is it necessary the that the CN (squirrel01) is sequel the hostname (squirrel)? I added the public key from the rootca /etc/ssl/certs/ca-certificates.crt and the priv/pub key to /etc/ssl/private/cert.pem

yes. I have changed it. And I can ping the C2 server from the PS. DNS works also fine

hi I am not able to get this simple payload running on my packet squirrel NETMODE BRIDGE sleep 20 tcpreplay -i br-lan -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng ------------------------------------------------------------------------------ LED starts with green - blue - red In arming mode I have access and see the test.pcapng under /mnt/loot/tcpdump/ Also the command tcpreplay -i br-lan -p 200000 -l 200 /mnt/loot/tcpdump/test.pcapng is working fine in arming mode ....

the CN=squirrel01

My own one. I using my private PKI

how can i check, if I have installed my private/public key and the ca certificate correctly on the packet squirrel?