Hardware specs

[nirokato]

On 10/21/2017 at 4:13 PM, Darren Kitchen said:

Here's the official specs:

• Atheros AR9331 SoC at 400 MHz MIPS
• 16 MB Onboard Flash
• 64 MB DDR2 RAM
• 2x 10/100 Ethernet Port
• USB 2.0 Host Port
• 4-way payload select switch
• RGB Indicator LED
• Scriptable Push-Button
• Power: USB 5V 120mA average draw
• Dimensions: 50 x 39 x 16 mm
• Weight: 24 grams
   

You guys did a great job at keeping the power envelope as small as possible! That means that basically /anything/ with a USB port can power this naughty squirrel. I'm a bit sad there isn't gigabit, but I understand this device is not designed for being put in front of systems that push terabytes of traffic a day. Plug it in behind the smart TV that happens to be connected to the corporate network or maybe the fancy IP phone that happens to have a USB port for a headset, right?

[Darren Kitchen]

3 minutes ago, nirokato said:

You guys did a great job at keeping the power envelope as small as possible! That means that basically /anything/ with a USB port can power this naughty squirrel. I'm a bit sad there isn't gigabit, but I understand this device is not designed for being put in front of systems that push terabytes of traffic a day. Plug it in behind the smart TV that happens to be connected to the corporate network or maybe the fancy IP phone that happens to have a USB port for a headset, right?

Exactly. It's not that we aren't keen on doing high end hardware specs either - but at the moment this is the goldilocks version. The 80/20 rule at play.

[nirokato]

6 minutes ago, Darren Kitchen said:

Exactly. It's not that we aren't keen on doing high end hardware specs either - but at the moment this is the goldilocks version. The 80/20 rule at play.

I think people will realize that relatively low-bandwidth connections tend to be the ones that get scrutinized the least. To steal a quote from Johnny Mnemonic "He'll use his connections on the net. Narrow the bandwidth. Go low rent."

Any plans to snag the MAC from the client side to spoof on the upstream connection? You could pick up the DHCP lease and potentially get around some  exfiltration mitigation techniques by doing this. Also, you could flash/blink the LED to indicate that it's safe to plug in the upstream connection once the squirrel gets the MAC address and create a quick bond0 on the upstream connection or just set that interface to that MAC. Might requiring a NAT configuration on the squirrel to support this, but would be fairly easy to implement.

[Darren Kitchen]

11 minutes ago, nirokato said:

I think people will realize that relatively low-bandwidth connections tend to be the ones that get scrutinized the least. To steal a quote from Johnny Mnemonic "He'll use his connections on the net. Narrow the bandwidth. Go low rent."

Any plans to snag the MAC from the client side to spoof on the upstream connection? You could pick up the DHCP lease and potentially get around some  exfiltration mitigation techniques by doing this. Also, you could flash/blink the LED to indicate that it's safe to plug in the upstream connection once the squirrel gets the MAC address and create a quick bond0 on the upstream connection or just set that interface to that MAC. Might requiring a NAT configuration on the squirrel to support this, but would be fairly easy to implement.

Sounds like an ideal new NETMODE, and one that has been just recently recommended. Looking into it currently. In any event, it would require a firmware update -- but totally worth it for "those" networks.

[nirokato]

Awesome, thank you guys for putting out quality hardware and backing it up with quick support responses and a great community!

[sundhaug92]

8 hours ago, Darren Kitchen said:

Sounds like an ideal new NETMODE, and one that has been just recently recommended. Looking into it currently. In any event, it would require a firmware update -- but totally worth it for "those" networks.

Another reason for adding it: Some devices, such as printers, tend to be exceptions to 802.1x... because they don't support it

[badasset]

Since it is built with an AR9331, does it mean it has an 802.11n radio?

[Sebkinne]

46 minutes ago, badasset said:

Since it is built with an AR9331, does it mean it has an 802.11n radio?

No, it does not support WiFi.

[Dave-ee Jones]

Recurring theme here..

*Bash Bunny -> No WiFi*
*Packet Squirrel -> No WiFi*

...I'm crying on the inside. :(

[mame82]

On 22.10.2017 at 1:08 AM, sundhaug92 said:

MIPS actually

The post referred to an order of an OrangePi on AliExpress. I'm pretty sure the Allwinner SoC is ARM based, not MIPS. The packet squirrel is based on a MIPS SoC, which doesn't seem to be the fastest one (according to the complains on LanTurtle, which uses the same SoC)

[mame82]

On 25.10.2017 at 4:37 AM, Dave-ee Jones said:

Recurring theme here..

*Bash Bunny -> No WiFi*
*Packet Squirrel -> No WiFi*

...I'm crying on the inside. :(

Common, there's a LanTurtle with a 3G shield added (and a small price increase )

[RazerBlade]

5 hours ago, mame82 said:

The post referred to an order of an OrangePi on AliExpress. I'm pretty sure the Allwinner SoC is ARM based, not MIPS. The packet squirrel is based on a MIPS SoC, which doesn't seem to be the fastest one (according to the complains on LanTurtle, which uses the same SoC)

The SoC is also the same as the one found in Pineapple Nano. I found that the SoC was the wifi pineapples limiting factor so it's sad to see the packet squirrel go with the same route. Darren said that if you were using it as a firewall, the speed you would expect would be around 3-6 mbps/s which I find extremely disappointing.

[biob]

When the packet squirrel is in packet capture mode, is it invisible to the PC and network e.g. acts like a passive tap, only PC MAC adresss seen?

[sundhaug92]

1 hour ago, biob said:

When the packet squirrel is in packet capture mode, is it invisible to the PC and network e.g. acts like a passive tap, only PC MAC adresss seen?

If you're using the default tcpdump-payload it appears so as it doesn't get an IP-address or get a network-connection (because it uses NETMODE TRANSPARENT)

[j4mm3r]

When I set PS to packet capture mode, I cannot reach anything on the network. Cables are all plugged in correctly. If PS is invisible (no IP address assigned to it) and it is acting as a passthrough, not sure what is happening. Any thoughts?

[j4mm3r]

So, reading further in the documentation, I see that there are multiple NETMODE options:

NETMODE is a squirrel script command which specifies which network mode to use in a given payload. These network modes determine how the Packet Squirrel will route traffic.

 

NETMODE BRIDGE

This creates a bridge between the two Ethernet interfaces. This means that both the Packet Squirrel and it’s target device get IP addresses from the target network’s router.

 

NETMODE TRANSPARENT

This mode is similar to the bridge network mode with the exception that the Packet Squirrel does not get an IP address from the target network’s router. This means that the Packet Squirrel will not have network (typically Internet) access, however it will be able to sniff the packets across the wire.

 

NETMODE NAT

In this network mode the Packet Squirrel obtains an IP address from the target network’s router and the target device gets an IP address from the Packet Squirrel.

 

NETMODE VPN

This network mode is the same as NAT with special VPN interface setup specific for client tunneling.

 

The default payload has this set for NETMODE TRANSPARENT, which by the above definition (if I am interpreting correctly) does not allow access to anything on the network or Internet. Trying to understand why this would be the default for packet capture, but I must be missing something. Seems that you would want the target PC to operate as normal and capture what it is doing. I am new, so please tell me what I am missing. I will modify the payload to try the other options to see result.

Thanks.

 

 

[Philip From Australia]

On 04/11/2017 at 3:22 AM, j4mm3r said:

The default payload has this set for NETMODE TRANSPARENT, which by the above definition (if I am interpreting correctly) does not allow access to anything on the network or Internet. Trying to understand why this would be the default for packet capture, but I must be missing something. Seems that you would want the target PC to operate as normal and capture what it is doing. I am new, so please tell me what I am missing. I will modify the payload to try the other options to see result.

It does not let the PACKET SQUIRREL access the internet (or network). 

 

The setting makes the PS invisibly pass all the data to the other connection. But it still SEES the traffic. Thus is can manipulate it, write it to disk, whatever. 

 

But itself, is invisible to the network. 

Philip

[j4mm3r]

Thanks Philip. I did not explain my issue correctly. I put the PS in-line with my laptop and had the PS set for NETMODE TRANSPARENT and the laptop was not able to communicate with anything beyond the PS. I assumed it would since this is the default NETMODE setting for this payload. The laptop does not get an IP address from DHCP (I assumed the DHCP request would be passed through to the DHCP server). The PS does capture packets, but since I can't do anything on the laptop, it only captures broadcast traffic, etc. on my local subnet.

I also tried NAT and BRIDGE mode, with much the same result (no IP address assigned to the PS or my laptop).

In arming mode, my laptop does get a 172.16.32.212 address and I can SSH to the PS and access my network and the Internet.

Clearly, I am doing something wrong, but I haven't been able to figure out what it is. Seems simple enough. I'd like to use this device to troubleshoot network issues without having to install Wireshark or some other packet capture software and/or port mirroring.

Any ideas?

Thanks.

 

 

 

 

[biob]

16 minutes ago, j4mm3r said:

Thanks Philip. I did not explain my issue correctly. I put the PS in-line with my laptop and had the PS set for NETMODE TRANSPARENT and the laptop was not able to communicate with anything beyond the PS. I assumed it would since this is the default NETMODE setting for this payload. The laptop does not get an IP address from DHCP (I assumed the DHCP request would be passed through to the DHCP server). The PS does capture packets, but since I can't do anything on the laptop, it only captures broadcast traffic, etc. on my local subnet.

I also tried NAT and BRIDGE mode, with much the same result (no IP address assigned to the PS or my laptop).

In arming mode, my laptop does get a 172.16.32.212 address and I can SSH to the PS and access my network and the Internet.

Clearly, I am doing something wrong, but I haven't been able to figure out what it is. Seems simple enough. I'd like to use this device to troubleshoot network issues without having to install Wireshark or some other packet capture software and/or port mirroring.

Any ideas?

Thanks.

 

 

 

 

Don’t know if this will cause a problem, but you have got the ports the correct way around? 

Sorry if this comes across as patronising, not meant that way.

[biob]

Also are you powering down the PS when changing modes. Might be worth disconnecting network cables before starting new mode  as you NIC might not try to get another IP address if the connection hasnt been dropped.

[j4mm3r]

OK, so I swapped the cables (contrary to the diagram on the hak5.org website) and it does seem to work. The laptop now gets a DHCP address from my network (with NETMODE TRANSPARENT set in the SWITCH1 payload) and I can both browse the web and hit my network as well as capture packets. Interestingly, when I switch back to arming mode, I also have to swap the cables back (like the diagram shows) to SSH into the PS. Not a huge deal, but I definitely must have misunderstood the diagram. I will continue to experiment. Thanks for all of your help.

 

 

[killergeek]

@j4mm3r sounds like there is a issue with the code behind the mode which talks to the wrong port. maybe @Sebkinne knows what happens.

[Sebkinne]

5 minutes ago, killergeek said:

@j4mm3r sounds like there is a issue with the code behind the mode which talks to the wrong port. maybe @Sebkinne knows what happens.

Unfortunately I can't reproduce this issue. NETMODE BRIDGE and TRANSPARENT should both allow you to plug into any of the ethernet ports, but NETMODE NAT and arming mode require you to be plugged into the correct port. 

[j4mm3r]

Thanks for the additional info. Seems to be working as I described, so I will keep messing with it. I have several packet captures to do for work in the next week, so the PS will get a workout. Will let you know if I have other questions.