
TCPDUMP NETMODE CLONE NOT WORKING


OEZD


Running the script in CLONE mode isn't working due to the fact that the Packet Squirrel hasn't got a br-lan interface in CLONE mode. You can easily add a couple of lines to the original payload script to see what is happening "live" as the payload is running and watch the br-lan interface "disappear" when entering CLONE mode.

Replace these lines in the "run" function:

# Set networking to TRANSPARENT mode and wait five seconds
NETMODE TRANSPARENT

sleep 5

With these lines:

# Set networking to TRANSPARENT mode and wait ten seconds
NETMODE TRANSPARENT
sleep 10

echo "TRANSPARENT mode 1" >> /mnt/loot/tcpdump/run_log.txt
ifconfig >> /mnt/loot/tcpdump/run_log.txt

# Set networking to CLONE mode and wait ten seconds
NETMODE CLONE
sleep 10

echo "CLONE mode" >> /mnt/loot/tcpdump/run_log.txt
ifconfig >> /mnt/loot/tcpdump/run_log.txt

# Set networking to TRANSPARENT mode and wait ten seconds
NETMODE TRANSPARENT
sleep 10

echo "TRANSPARENT mode 2" >> /mnt/loot/tcpdump/run_log.txt
ifconfig >> /mnt/loot/tcpdump/run_log.txt

Then set the Packet Squirrel in Switch 1 and let it run as intended. After that, go back to Arming Mode and look in the run_log.txt file to see that br-lan is not available in CLONE mode.


There seems to be little detail on this topic when googling, so I'll detail my findings.

Spinning up the PS and using nano to edit:

/root/payloads/switch1/payload.sh

on line 37: "        NETMODE TRANSPARENT"

changing it to: "        NETMODE CLONE"

Save the changes, then:

  1. Pull the power from the PS.
  2. Insert NTFS formatted USB
  3. Move the switch to position #1
  4. Plug the victim laptop (you want to spoof) into eth0
  5. Power up the PS
  6. White LED eventually flashes as eth1 has the MAC address cloned to eth0
  7. Plug in the network cable (that goes to the switch) into eth1
  8. do some networking stuff (view sites etc)
  9. Once done, press the little round button on the PS - the LED flashes red to signify the tcpdump pcap is being written to the USB drive (but it doesn't!) and the PS powers off.

A workaround is:

Switch the PS back to ARMED/SETUP mode

SSH to it.

manually change the MAC address of eth1 using the following commands:

  • ip a                                            #<< display all the network interface details
  • ip link set dev eth1 down                       #<< this was already down for me, but to change a MAC you need to bring the interface down
  • ip link set dev eth1 address 48:2A:E3:00:00:00  #<< change the MAC to your choosing (i.e. your victim laptop)

Change /root/payloads/switch1/payload.sh BACK to TRANSPARENT MODE

on line 37: "        NETMODE TRANSPARENT"

Back to step 1 above, but this time, the TCP dump is saved successfully to the USB stick.

Maybe have fun with baking this manual MAC clone into the script itself, that's next on my list, but for now, at least it's working.

Cheers

Mr_Kci


Hi dark_pyrro

Following this section of the documentation:

https://docs.hak5.org/packet-squirrel/payload-development/the-netmode-command

I have yet to read a better way to enable or switch between the modes, hence the edit directly. And CLONE largely works, except for the actual capture of traffic.

NETMODE CLONE makes your PS look like your victim device at the network level. So if MAC access control is enabled on the switch, this is bypassed.

I saw NETMODE TRANSPARENT mode uses the native MAC address of eth1, which is not as stealthy.

Do you have any tips or better suggestions? All very welcome as I'm pretty new to the PS.

Cheers

Mr_Kci


As has already been posted here in this thread, NETMODE CLONE will not work with the tcpdump payload since it doesn't have a br-lan device to capture on and tcpdump is set to use that. If in need of using NETMODE CLONE, one way could be to use another device/interface other than br-lan for tcpdump to sniff on, for example eth1.


Yeah, I saw that in the above, but I have a capture AND my MAC is cloned. It looks like my method makes NETMODE CLONE redundant?

And re:

"If in need of using NETMODE CLONE, one way could be to use another device/interface other than br-lan for tcpdump to sniff on, for example eth1."

Are you suggesting changing line 41 in:

/root/payloads/switch1/payload.sh

from:

tcpdump -i br-lan -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &

to:

tcpdump -i eth1 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &

and then set NETMODE CLONE?


And, just curious, how did you end up with the conclusion that the Squirrel isn't "stealth" in NETMODE TRANSPARENT? Just an assumption, or did you try it and verify it?

You said:

10 hours ago, Mr_Kci said:

I saw NETMODE TRANSPARENT mode uses the native MAC address of eth1, which is not as stealthy

Where did you see that?


24 minutes ago, dark_pyrro said:

Where did you see that?

Nope, not an assumption. I logged into the PS and checked the MAC addresses of the 2 ports (wrote them down).

Rebooted and fired up the PS to switch1 (TCPDUMP) with its default setting of NETMODE TRANSPARENT.

Logged into my network switch and saw the PS MAC address appear in the ARP table against the port in question and NOT my laptop MAC (obviously) - my PS MAC starts with 00:13:37:x:x:x = vendor: "my Orient Power Home Network Ltd." - which stands out like a sore thumb in an enterprise of typical Dell or HP machines.

25 minutes ago, dark_pyrro said:

how did you end up with the conclusion that the Squirrel isn't "stealth"

Don't get me wrong, it's very good. Excellently seamless to the victim as far as network connectivity goes. But there are 2 give-aways in a well-protected enterprise environment.

1) In a Gigabit switch setup, the PS will scale down the link speed to 100 Mbit/s (much like the LAN TAP), but there's not much you can do about this within the device budget, and detection and alerts against this event would likely create a high level of false positives, in which case the PS would hide amongst the noise.

2) There are multiple solutions that can detect unauthorised MAC addresses, as well as switch-level MAC access control.


Ok, I set up a payload using NETMODE TRANSPARENT (a tweaked version of the official tcpdump payload) and connected the Squirrel to a target PC and a router (freshly installed OpenWrt based router) that the Squirrel had never been connected to before (no legacy/history). In the DHCP leases of the router, it was the MAC address of the target Ethernet interface that was listed, not the MAC address of the Squirrel eth1 interface. If looking at ARP tables/cache or sniffing traffic live it might be detected.

An enterprise environment may for sure be something different (it's part of my daily work), and it's all up to what tools are used and where to look for anomalies. I would, however, not recommend using MAC address based access control in an enterprise environment at all. At least not alone.

 


10 hours ago, dark_pyrro said:

Just try it and see what happens

Yep! That seems to work just as well. NETMODE CLONE makes the PS pop up with the victim MAC (according to my switch ARP table) - and the pcap file is successfully created! Cheers for the suggestion, a lot less hassle than mine.

To be clear to other readers:

I edited the line inside /root/payloads/switch1/payload.sh to this:

tcpdump -i eth1 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &

8 hours ago, dark_pyrro said:

I would, however, not recommend using MAC address based access control in an enterprise environment at all.

Yeah, totally, this is my daily work too. MAC address access control at switch level is not for enterprise as the management overhead would be beyond epic (adding and removing ever-changing devices); it's only worth mentioning as a control for the average home network user, and I would not recommend it for home networks (unless you suspect a WiFi intruder... but if you have one of those, MAC access control is not gonna stop them, only a new strong password will).

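The fix the thread converges on (capture on br-lan in TRANSPARENT mode, on eth1 in CLONE mode because no bridge exists there), written up as a small shell helper. This is an added example, not the official Hak5 tcpdump payload and not code posted by anyone in the thread; it assumes interfaces are listed under /sys/class/net (SYSNET is overridable so the selection logic can be tested off the Squirrel), and the function names capture_iface, capture_iface_for_mode and start_capture are mine.

```shell
#!/bin/bash
# Added example (not the Hak5 tcpdump payload): choose the tcpdump interface
# from what actually exists, so one run() works under either NETMODE value.
#   TRANSPARENT -> br-lan bridge is present: prefer it, fall back to eth1
#   CLONE       -> no br-lan exists, so sniff eth1 directly
# Assumption: interfaces appear under /sys/class/net (OpenWrt-style);
# SYSNET can be pointed at a fake directory when testing elsewhere.

SYSNET="${SYSNET:-/sys/class/net}"
LOOTDIR="${LOOTDIR:-/mnt/loot/tcpdump}"

# Print the first candidate interface that exists; return 1 if none does.
# Usage: capture_iface br-lan eth1
capture_iface() {
    for ifc_candidate in "$@"; do
        if [ -e "$SYSNET/$ifc_candidate" ]; then
            printf '%s\n' "$ifc_candidate"
            return 0
        fi
    done
    return 1
}

# Map a NETMODE value to the interface tcpdump should listen on.
# Usage: capture_iface_for_mode CLONE   -> prints eth1
capture_iface_for_mode() {
    case "$1" in
        TRANSPARENT) capture_iface br-lan eth1 ;;
        CLONE)       capture_iface eth1 ;;
        *)           printf 'unknown NETMODE: %s\n' "$1" >&2; return 2 ;;
    esac
}

# What the payload's run() would do after "NETMODE $mode; sleep 5":
# log the chosen interface next to the loot (the first post logs ifconfig
# the same way), start tcpdump in the background, and print its PID so
# the payload's finish step can kill it and sync.
start_capture() {
    mode="$1"
    ifc=$(capture_iface_for_mode "$mode") || return 1
    mkdir -p "$LOOTDIR"
    echo "$(date) NETMODE=$mode capturing on $ifc" >> "$LOOTDIR/run_log.txt"
    tcpdump -i "$ifc" -w "$LOOTDIR/dump_$(date +%Y-%m-%d-%H%M%S).pcap" \
        > /dev/null 2>&1 &
    echo $!
}
```

Only the interface selection is exercised off-device; start_capture needs tcpdump and the Squirrel's loot mount.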
