vepr Posted December 31, 2020 Share Posted December 31, 2020 If possible, I want to be able to plug my Packet Squirrel into a router or switch, get an IP assigned to the P.S., get the network's subnet, and run an Nmap scan on the network. I know there is already an Nmap payload, but I want to keep my code simple and do it from scratch. Here is my current script I am playing with: #!/bin/bash # Nmap for the Packet Squirrel LED STAGE1 # NETMODE BRIDGE # NETMODE TRANSPARENT NETMODE NAT sleep 5 #### OPTIONS LootPath="/mnt/loot/nmap" # Path to store results LOG="nmap_$(date +%Y-%m-%d-%H%M)" # File name scheme #### # Grab the network you are in mynet=$(ip -o -f inet addr show | awk '/scope global/{sub(/[^.]+\//,"0/",$4);print $4}') echo $mynet >> $LootPath/$LOG sleep 2 LED ATTACK nmap -F -T 4 $mynet >> $LootPath/$LOG LED FINISH I can only seem to get an IP when I use Nat mode and plug the Packet Squirrel in via the Ethernet Out. But I only get the IP 172.16.32.1 which is the local IP. I can't get an IP/subnet using any other modes. Is there another way I should be doing this? As I'm typing this, I'm wondering if I'm checking for the subnet with the incorrect NIC. I'll see if I can dump a list of NICs that the P.S. uses in Nat mode. Link to comment Share on other sites More sharing options...
vepr Posted December 31, 2020 Author Share Posted December 31, 2020 Yeah, I don't know. When I plug my P.S. into my router and get network info, it lists: 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000 inet 172.16.32.1/24 brd 172.16.32.255 scope global eth0 valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 inet6 fe80::213:37ff:fea6:e934/64 scope link tentative valid_lft forever preferred_lft forever My home network is 192.168.90.0/24. So it's not getting an IP. My script only port scans 172.16.32.1 which is the actual Packet Squirrel. Link to comment Share on other sites More sharing options...
chrizree Posted December 31, 2020 Share Posted December 31, 2020 You have set: #### OPTIONS INTERFACE='eth0' #interface of the outgoing interface eth0 is the internal interface, right? eth1 is the one that should get an IP from the network, at least on my PS. Also not sure what INTERFACE is used for. I'm not aware of that it is an internal parameter of the PS and it's not used anywhere else in your payload code. Haven't used it myself so it's news to me and I can't find it in the PS docs. May be correct though. Also be aware of that ip -o -f inet addr show | awk '/scope global/{sub(/[^.]+\//,"0/",$4);print $4}' will list both interfaces, if available. Also, if you run the "mynet" line of the code manually and then echo that variable, it's empty. Link to comment Share on other sites More sharing options...
vepr Posted January 1, 2021 Author Share Posted January 1, 2021 I think I got the Interface from some other code. It might have been tied to a function that I didn't see. I've edited the code above. The PS isn't grabbing an IP from my router on eth0 or eth1. Link to comment Share on other sites More sharing options...
chrizree Posted January 1, 2021 Share Posted January 1, 2021 I think that you might be too eager to get the dessert when the main course isn't even ready to be served... in other words, the PS isn't all finished with the network stuff when the payload executes. I put in a sleep for 30 sec and I got the correct network in NAT mode. As I said before, using the "mynet" variable might get you into problems since it will show more than one network if both interfaces of the PS is up and running. You might also get into issues if not checking first that the nmap directory exists on the USB storage device that is attached to the PS. Check the code on my GitHub, note that it's just a PoC to verify that it works, a full blown payload needs more error handling and logging (and code cleanup), but... I would probably use the already existing one at the Hak5 GitHub, no need to jump over the stream to get water if the new variant doesn't add or elevate things. Although, I respect your choice to develop it from scratch since it has a value when it comes to learning instead of just being a skiddie and copy things to execute. https://github.com/chrizree/Nmap-for-Hak5-Packet-Squirrel Link to comment Share on other sites More sharing options...
vepr Posted January 1, 2021 Author Share Posted January 1, 2021 Ahh thank you. I actually had a "sleep 60" in my recent code. But it was in a slightly differently place and causing it to not work. I just wanted to get some basic functionality, then I'll start customizing it properly. Thanks for posting your example code. That will definitely help me. I started down this path because I was not able to get the original Nmap payload to run properly. I haven't had issues with many of the other payloads. I even created a Responder payload that works pretty well. I thought the original Nmap payload was too complicated. I see that it's written that way to provide options and perform checks. But I don't really need all of that for my personal use. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.