nirokato, posted October 23, 2017

> On 10/21/2017 at 4:13 PM, Darren Kitchen said:
> Here's the official specs:
> Atheros AR9331 SoC at 400 MHz MIPS
> 16 MB Onboard Flash
> 64 MB DDR2 RAM
> 2x 10/100 Ethernet Port
> USB 2.0 Host Port
> 4-way payload select switch
> RGB Indicator LED
> Scriptable Push-Button
> Power: USB 5V 120mA average draw
> Dimensions: 50 x 39 x 16 mm
> Weight: 24 grams

You guys did a great job at keeping the power envelope as small as possible! That means that basically /anything/ with a USB port can power this naughty squirrel. I'm a bit sad there isn't gigabit, but I understand this device is not designed for being put in front of systems that push terabytes of traffic a day. Plug it in behind the smart TV that happens to be connected to the corporate network or maybe the fancy IP phone that happens to have a USB port for a headset, right?
Darren Kitchen, posted October 23, 2017

> 3 minutes ago, nirokato said:
> You guys did a great job at keeping the power envelope as small as possible! That means that basically /anything/ with a USB port can power this naughty squirrel. I'm a bit sad there isn't gigabit, but I understand this device is not designed for being put in front of systems that push terabytes of traffic a day. Plug it in behind the smart TV that happens to be connected to the corporate network or maybe the fancy IP phone that happens to have a USB port for a headset, right?

Exactly. It's not that we aren't keen on doing high end hardware specs either - but at the moment this is the goldilocks version. The 80/20 rule at play.
nirokato, posted October 23, 2017

> 6 minutes ago, Darren Kitchen said:
> Exactly. It's not that we aren't keen on doing high end hardware specs either - but at the moment this is the goldilocks version. The 80/20 rule at play.

I think people will realize that relatively low-bandwidth connections tend to be the ones that get scrutinized the least. To steal a quote from Johnny Mnemonic: "He'll use his connections on the net. Narrow the bandwidth. Go low rent."

Any plans to snag the MAC from the client side to spoof on the upstream connection? You could pick up the DHCP lease and potentially get around some exfiltration mitigation techniques by doing this. Also, you could flash/blink the LED to indicate that it's safe to plug in the upstream connection once the squirrel gets the MAC address, and create a quick bond0 on the upstream connection or just set that interface to that MAC. Might require a NAT configuration on the squirrel to support this, but it would be fairly easy to implement.
Darren Kitchen, posted October 23, 2017

> 11 minutes ago, nirokato said:
> I think people will realize that relatively low-bandwidth connections tend to be the ones that get scrutinized the least. To steal a quote from Johnny Mnemonic: "He'll use his connections on the net. Narrow the bandwidth. Go low rent."
> Any plans to snag the MAC from the client side to spoof on the upstream connection? You could pick up the DHCP lease and potentially get around some exfiltration mitigation techniques by doing this. Also, you could flash/blink the LED to indicate that it's safe to plug in the upstream connection once the squirrel gets the MAC address, and create a quick bond0 on the upstream connection or just set that interface to that MAC. Might require a NAT configuration on the squirrel to support this, but it would be fairly easy to implement.

Sounds like an ideal new NETMODE, and one that has been just recently recommended. Looking into it currently. In any event, it would require a firmware update -- but totally worth it for "those" networks.
nirokato, posted October 23, 2017

Awesome, thank you guys for putting out quality hardware and backing it up with quick support responses and a great community!
sundhaug92, posted October 23, 2017

> 8 hours ago, Darren Kitchen said:
> Sounds like an ideal new NETMODE, and one that has been just recently recommended. Looking into it currently. In any event, it would require a firmware update -- but totally worth it for "those" networks.

Another reason for adding it: some devices, such as printers, tend to be exceptions to 802.1x... because they don't support it.
badasset, posted October 25, 2017

Since it is built with an AR9331, does it mean it has an 802.11n radio?
Sebkinne, posted October 25, 2017

> 46 minutes ago, badasset said:
> Since it is built with an AR9331, does it mean it has an 802.11n radio?

No, it does not support WiFi.
Dave-ee Jones, posted October 25, 2017

Recurring theme here..
*Bash Bunny -> No WiFi*
*Packet Squirrel -> No WiFi*
...I'm crying on the inside. :(
mame82, posted October 28, 2017

> On 22.10.2017 at 1:08 AM, sundhaug92 said:
> MIPS actually

The post referred to an order of an OrangePi on AliExpress. I'm pretty sure the Allwinner SoC is ARM based, not MIPS. The Packet Squirrel is based on a MIPS SoC, which doesn't seem to be the fastest one (according to the complaints on the LanTurtle, which uses the same SoC).
mame82, posted October 28, 2017

> On 25.10.2017 at 4:37 AM, Dave-ee Jones said:
> Recurring theme here..
> *Bash Bunny -> No WiFi*
> *Packet Squirrel -> No WiFi*
> ...I'm crying on the inside. :(

Come on, there's a LanTurtle with a 3G shield added (and a small price increase).
RazerBlade, posted October 28, 2017

> 5 hours ago, mame82 said:
> The post referred to an order of an OrangePi on AliExpress. I'm pretty sure the Allwinner SoC is ARM based, not MIPS. The Packet Squirrel is based on a MIPS SoC, which doesn't seem to be the fastest one (according to the complaints on the LanTurtle, which uses the same SoC).

The SoC is also the same as the one found in the Pineapple Nano. I found that the SoC was the WiFi Pineapple's limiting factor, so it's sad to see the Packet Squirrel go the same route. Darren said that if you were using it as a firewall, the speed you would expect would be around 3-6 Mbps, which I find extremely disappointing.
biob, posted October 29, 2017

When the Packet Squirrel is in packet capture mode, is it invisible to the PC and network, e.g. does it act like a passive tap, with only the PC's MAC address seen?
sundhaug92, posted October 29, 2017

> 1 hour ago, biob said:
> When the Packet Squirrel is in packet capture mode, is it invisible to the PC and network, e.g. does it act like a passive tap, with only the PC's MAC address seen?

If you're using the default tcpdump payload, it appears so, as it doesn't get an IP address or a network connection (because it uses NETMODE TRANSPARENT).
j4mm3r, posted November 3, 2017

When I set the PS to packet capture mode, I cannot reach anything on the network. Cables are all plugged in correctly. If the PS is invisible (no IP address assigned to it) and it is acting as a passthrough, I'm not sure what is happening. Any thoughts?
j4mm3r, posted November 3, 2017

So, reading further in the documentation, I see that there are multiple NETMODE options:

NETMODE is a squirrel script command which specifies which network mode to use in a given payload. These network modes determine how the Packet Squirrel will route traffic.

NETMODE BRIDGE
This creates a bridge between the two Ethernet interfaces. This means that both the Packet Squirrel and its target device get IP addresses from the target network's router.

NETMODE TRANSPARENT
This mode is similar to the bridge network mode with the exception that the Packet Squirrel does not get an IP address from the target network's router. This means that the Packet Squirrel will not have network (typically Internet) access; however, it will be able to sniff the packets across the wire.

NETMODE NAT
In this network mode the Packet Squirrel obtains an IP address from the target network's router and the target device gets an IP address from the Packet Squirrel.

NETMODE VPN
This network mode is the same as NAT with a special VPN interface setup specific for client tunneling.

The default payload has this set to NETMODE TRANSPARENT, which by the above definition (if I am interpreting correctly) does not allow access to anything on the network or Internet. Trying to understand why this would be the default for packet capture, but I must be missing something. Seems that you would want the target PC to operate as normal and capture what it is doing. I am new, so please tell me what I am missing. I will modify the payload to try the other options to see the result. Thanks.
Philip From Australia, posted November 11, 2017

> On 04/11/2017 at 3:22 AM, j4mm3r said:
> The default payload has this set to NETMODE TRANSPARENT, which by the above definition (if I am interpreting correctly) does not allow access to anything on the network or Internet. Trying to understand why this would be the default for packet capture, but I must be missing something. Seems that you would want the target PC to operate as normal and capture what it is doing. I am new, so please tell me what I am missing. I will modify the payload to try the other options to see the result.

It does not let the PACKET SQUIRREL access the internet (or network). The setting makes the PS invisibly pass all the data to the other connection. But it still SEES the traffic. Thus it can manipulate it, write it to disk, whatever. But it itself is invisible to the network.

Philip
j4mm3r, posted November 13, 2017

Thanks Philip. I did not explain my issue correctly. I put the PS in-line with my laptop and had the PS set for NETMODE TRANSPARENT, and the laptop was not able to communicate with anything beyond the PS. I assumed it would, since this is the default NETMODE setting for this payload. The laptop does not get an IP address from DHCP (I assumed the DHCP request would be passed through to the DHCP server). The PS does capture packets, but since I can't do anything on the laptop, it only captures broadcast traffic, etc. on my local subnet. I also tried NAT and BRIDGE mode, with much the same result (no IP address assigned to the PS or my laptop). In arming mode, my laptop does get a 172.16.32.212 address and I can SSH to the PS and access my network and the Internet. Clearly, I am doing something wrong, but I haven't been able to figure out what it is. Seems simple enough. I'd like to use this device to troubleshoot network issues without having to install Wireshark or some other packet capture software and/or port mirroring. Any ideas? Thanks.
biob, posted November 13, 2017

> 16 minutes ago, j4mm3r said:
> Thanks Philip. I did not explain my issue correctly. I put the PS in-line with my laptop and had the PS set for NETMODE TRANSPARENT, and the laptop was not able to communicate with anything beyond the PS. I assumed it would, since this is the default NETMODE setting for this payload. The laptop does not get an IP address from DHCP (I assumed the DHCP request would be passed through to the DHCP server). The PS does capture packets, but since I can't do anything on the laptop, it only captures broadcast traffic, etc. on my local subnet. I also tried NAT and BRIDGE mode, with much the same result (no IP address assigned to the PS or my laptop). In arming mode, my laptop does get a 172.16.32.212 address and I can SSH to the PS and access my network and the Internet. Clearly, I am doing something wrong, but I haven't been able to figure out what it is. Seems simple enough. I'd like to use this device to troubleshoot network issues without having to install Wireshark or some other packet capture software and/or port mirroring. Any ideas? Thanks.

Don't know if this will cause a problem, but have you got the ports the correct way around? Sorry if this comes across as patronising, it's not meant that way.
biob, posted November 13, 2017

Also, are you powering down the PS when changing modes? Might be worth disconnecting the network cables before starting a new mode, as your NIC might not try to get another IP address if the connection hasn't been dropped.
j4mm3r, posted November 13, 2017

OK, so I swapped the cables (contrary to the diagram on the hak5.org website) and it does seem to work. The laptop now gets a DHCP address from my network (with NETMODE TRANSPARENT set in the SWITCH1 payload) and I can both browse the web and hit my network as well as capture packets. Interestingly, when I switch back to arming mode, I also have to swap the cables back (like the diagram shows) to SSH into the PS. Not a huge deal, but I definitely must have misunderstood the diagram. I will continue to experiment. Thanks for all of your help.
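The symptom worked through above (laptop behind the inline tap never gets a DHCP lease) can be checked from the capture itself rather than by swapping cables blind. The following is an added example, not code from the thread or from Hak5: it groups DHCP messages by transaction id from constructed "tcpdump -n -v"-style lines and reports, per client, whether the server's reply ever made it back through the tap.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of "tcpdump -n -v" DHCP output, as one might
# capture them on an inline tap. Not real output from the Packet Squirrel or any
# network: the first client completes DISCOVER/OFFER/REQUEST/ACK, the second only
# ever retries DISCOVER, which is what a non-forwarding tap looks like on the wire.
SAMPLE_LINES = [
    "IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:97:0e:00:00:01, xid 0x1a2b3c4d, DHCP-Message: Discover",
    "IP 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, xid 0x1a2b3c4d, Your-IP 192.168.1.50, DHCP-Message: Offer",
    "IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:97:0e:00:00:01, xid 0x1a2b3c4d, DHCP-Message: Request",
    "IP 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, xid 0x1a2b3c4d, Your-IP 192.168.1.50, DHCP-Message: ACK",
    "IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:97:0e:00:00:02, xid 0x99887766, DHCP-Message: Discover",
    "IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:97:0e:00:00:02, xid 0x99887766, DHCP-Message: Discover",
]

XID_RE = re.compile(r"xid (0x[0-9a-f]+)")
MAC_RE = re.compile(r"Request from ([0-9a-f:]{17})")
YIP_RE = re.compile(r"Your-IP (\d+\.\d+\.\d+\.\d+)")
MSG_RE = re.compile(r"DHCP-Message: (\w+)")

def summarize_dhcp(lines):
    """Group DHCP messages by transaction id (xid) and record what each side sent."""
    tx = defaultdict(lambda: {"mac": None, "msgs": [], "ip": None})
    for line in lines:
        xid, msg = XID_RE.search(line), MSG_RE.search(line)
        if not (xid and msg):
            continue  # not a DHCP line in the format we understand
        entry = tx[xid.group(1)]
        entry["msgs"].append(msg.group(1))
        mac, yip = MAC_RE.search(line), YIP_RE.search(line)
        if mac:
            entry["mac"] = mac.group(1)
        if yip:
            entry["ip"] = yip.group(1)
    return dict(tx)

def passthrough_verdict(summary):
    """Classify each transaction: did the client's broadcast get an answer through the tap?"""
    verdicts = {}
    for xid, t in summary.items():
        msgs = t["msgs"]
        if "ACK" in msgs:
            verdicts[xid] = "complete"
        elif "Offer" in msgs:
            verdicts[xid] = "no-ack"  # server answered, but the lease was never confirmed
        else:
            # Only client broadcasts seen: either the server is silent or the tap is
            # not forwarding in the upstream direction (wrong port or wrong NETMODE).
            verdicts[xid] = f"no-reply ({msgs.count('Discover')} discover attempts)"
    return verdicts
```

Run it against the text output of the capture the tcpdump payload wrote; a transaction stuck at "no-reply" while the same capture shows the client's broadcasts is the cabling/mode problem described in the thread rather than a DHCP server fault.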
killergeek, posted November 13, 2017

@j4mm3r sounds like there is an issue with the code behind the mode which talks to the wrong port. Maybe @Sebkinne knows what happens.
Sebkinne, posted November 13, 2017

> 5 minutes ago, killergeek said:
> @j4mm3r sounds like there is an issue with the code behind the mode which talks to the wrong port. Maybe @Sebkinne knows what happens.

Unfortunately I can't reproduce this issue. NETMODE BRIDGE and TRANSPARENT should both allow you to plug into any of the Ethernet ports, but NETMODE NAT and arming mode require you to be plugged into the correct port.
j4mm3r, posted November 13, 2017

Thanks for the additional info. Seems to be working as I described, so I will keep messing with it. I have several packet captures to do for work in the next week, so the PS will get a workout. Will let you know if I have other questions.