Can I get help with running Nmap?

[vepr]

If possible, I want to be able to plug my Packet Squirrel into a router or switch, get an IP assigned to the P.S., get the network's subnet, and run an Nmap scan on the network.

I know there is already an Nmap payload, but I want to keep my code simple and do it from scratch.

Here is my current script I am playing with:

 

#!/bin/bash 
# Nmap for the Packet Squirrel

LED STAGE1
# NETMODE BRIDGE
# NETMODE TRANSPARENT
NETMODE NAT
sleep 5

#### OPTIONS

LootPath="/mnt/loot/nmap"		    # Path to store results
LOG="nmap_$(date +%Y-%m-%d-%H%M)"	# File name scheme 

####

# Grab the network you are in
mynet=$(ip -o -f inet addr show | awk '/scope global/{sub(/[^.]+\//,"0/",$4);print $4}')

echo $mynet >> $LootPath/$LOG

sleep 2

LED ATTACK
nmap -F -T 4 $mynet >> $LootPath/$LOG
LED FINISH

 

I can only seem to get an IP when I use Nat mode and plug the Packet Squirrel in via the Ethernet Out.  But I only get the IP 172.16.32.1 which is the local IP.  I can't get an IP/subnet using any other modes.  Is there another way I should be doing this?

As I'm typing this, I'm wondering if I'm checking for the subnet with the incorrect NIC.  I'll see if I can dump a list of NICs that the P.S. uses in Nat mode. 

[vepr]

Yeah, I don't know.  When I plug my P.S. into my router and get network info, it lists:

2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    inet 172.16.32.1/24 brd 172.16.32.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 fe80::213:37ff:fea6:e934/64 scope link tentative 
       valid_lft forever preferred_lft forever

My home network is 192.168.90.0/24.  So it's not getting an IP.  My script only port scans 172.16.32.1 which is the actual Packet Squirrel.

[chrizree]

You have set:

#### OPTIONS
INTERFACE='eth0' #interface of the outgoing interface

eth0 is the internal interface, right? eth1 is the one that should get an IP from the network, at least on my PS.

Also not sure what INTERFACE is used for. I'm not aware of that it is an internal parameter of the PS and it's not used anywhere else in your payload code. Haven't used it myself so it's news to me and I can't find it in the PS docs. May be correct though.

Also be aware of that ip -o -f inet addr show | awk '/scope global/{sub(/[^.]+\//,"0/",$4);print $4}' will list both interfaces, if available.

Also, if you run the "mynet" line of the code manually and then echo that variable, it's empty.

[vepr]

I think I got the Interface from some other code.  It might have been tied to a function that I didn't see.  I've edited the code above.  The PS isn't grabbing an IP from my router on eth0 or eth1.

[chrizree]

I think that you might be too eager to get the dessert when the main course isn't even ready to be served... in other words, the PS isn't all finished with the network stuff when the payload executes. I put in a sleep for 30 sec and I got the correct network in NAT mode.

As I said before, using the "mynet" variable might get you into problems since it will show more than one network if both interfaces of the PS is up and running.

You might also get into issues if not checking first that the nmap directory exists on the USB storage device that is attached to the PS.

Check the code on my GitHub, note that it's just a PoC to verify that it works, a full blown payload needs more error handling and logging (and code cleanup), but... I would probably use the already existing one at the Hak5 GitHub, no need to jump over the stream to get water if the new variant doesn't add or elevate things. Although, I respect your choice to develop it from scratch since it has a value when it comes to learning instead of just being a skiddie and copy things to execute.

https://github.com/chrizree/Nmap-for-Hak5-Packet-Squirrel

[vepr]

Ahh thank you.  I actually had a "sleep 60" in my recent code.  But it was in a slightly differently place and causing it to not work.

I just wanted to get some basic functionality, then I'll start customizing it properly. Thanks for posting your example code.  That will definitely help me. 

I started down this path because I was not able to get the original Nmap payload to run properly.  I haven't had issues with many of the other payloads.  I even created a Responder payload that works pretty well.  I thought the original Nmap payload was too complicated.  I see that it's written that way to provide options and perform checks.  But I don't really need all of that for my personal use.