
Hak5 Packet Squirrel Cheatsheet

Overview

The Hak5 Packet Squirrel is a stealthy, pocket-sized man-in-the-middle attack tool. It is designed for covert network monitoring, data capture, and manipulation.

Key Features

  • Man-in-the-Middle: Sits between two network devices to intercept traffic.
  • Multi-Payload: Can be configured with multiple payloads, selectable via a switch.
  • Covert: Small and discreet, can be easily hidden.
  • Powerful: Runs on a quad-core ARM processor.
  • Simple Scripting: Payloads are plain bash scripts that call the device's helper commands (LED, NETMODE).
  • USB Mass Storage: Can be used as a USB flash drive to store captured data.

Hardware Specifications

  • Processor: Quad-core ARM
  • Memory: 256 MB RAM
  • Storage: 2 GB onboard flash
  • Networking: 2x 10/100 Ethernet ports
  • Power: USB-C

Modes of Operation

The Packet Squirrel has a three-position switch to select the payload to run:

  • Position 1: Payload 1
  • Position 2: Payload 2
  • Position 3: Arming Mode

Getting Started

  1. Power On: Connect the Packet Squirrel to a power source via USB-C.
  2. Arming Mode: Set the switch to Position 3 to enter Arming Mode. In this mode, the Packet Squirrel acts as a USB flash drive, allowing you to access and edit payloads.
  3. Select Payload: Set the switch to Position 1 or 2 to select the desired payload.
  4. Deploy: Place the Packet Squirrel between two network devices (e.g., a computer and a wall jack).
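The deployment step above has a physical footprint a defender can watch for: inserting a device between an endpoint and its wall jack drops the switch port link and brings it back up a few seconds later. The following detector, added here and not part of the original cheatsheet, pairs down/up events from switch syslog and flags short off-hours flaps; the log lines are constructed samples and the Cisco-style %LINK-3-UPDOWN message format is an assumption to adapt to your switches.

```python
import re
from datetime import datetime

# Constructed sample switch syslog lines (not real captures); the Cisco-style
# %LINK-3-UPDOWN format is assumed. Port 1/0/7 flaps for 23 s at 02:14 (the
# footprint of an in-line insertion), 1/0/12 flaps during working hours (a
# normal re-plug) and 1/0/20 goes down and stays down (simply unplugged).
SAMPLE_LOG = """\
2024-05-04T02:14:03 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
2024-05-04T02:14:26 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
2024-05-04T09:01:10 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
2024-05-04T09:01:40 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
2024-05-04T23:30:00 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %LINK-3-UPDOWN: Interface (?P<port>\S+), "
    r"changed state to (?P<state>up|down)$"
)

def parse_link_events(log_text):
    """Return (timestamp, host, port, state) tuples, skipping unrelated lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["port"], m["state"]))
    return events

def is_off_hours(ts, start_hour=22, end_hour=6):
    """True inside the overnight window [start_hour, end_hour)."""
    return ts.hour >= start_hour or ts.hour < end_hour

def find_inline_insertions(log_text, max_gap_s=120):
    """Flag ports that went down and came back up within max_gap_s during off
    hours. A bridged device changes nothing at layer 2 once it is in place, so
    the brief link flap at insertion time is the signal worth alerting on."""
    pending = {}   # (host, port) -> time of the most recent 'down'
    alerts = []
    for ts, host, port, state in sorted(parse_link_events(log_text)):
        key = (host, port)
        if state == "down":
            pending[key] = ts
        elif key in pending:
            down_at = pending.pop(key)
            gap = (ts - down_at).total_seconds()
            if gap <= max_gap_s and is_off_hours(down_at):
                alerts.append({"host": host, "port": port, "down_at": down_at.isoformat(), "seconds": gap})
    return alerts
```

Tune the window and hours to the site; a port that goes down and never returns is left pending rather than alerted, since that is what an ordinary unplug looks like.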

Payload Development

Payloads are bash scripts (note the #!/bin/bash shebang below) that call the device's LED and NETMODE helper commands; they are placed in the /payloads/ directory on the Packet Squirrel.

Payload Structure:

#!/bin/bash
# Packet capture payload: bridge the two ports and write everything that
# crosses the bridge to a pcap file.

# Set the LED to indicate the payload is setting up
LED SETUP

# Bridge the two Ethernet ports so traffic passes through the device
NETMODE BRIDGE

# Make sure the loot directory exists before tcpdump tries to write to it
mkdir -p /root/loot

# Capture all traffic on the bridge interface. The command is the ordinary
# lowercase tcpdump binary, unlike the uppercase LED/NETMODE helpers.
# tcpdump runs until it is stopped, so the line after it is reached only
# once it exits.
tcpdump -i br-lan -w /root/loot/capture.pcap

# Set the LED to indicate the payload is finished
LED FINISH

Common Payloads

  • Packet Capture: Capture all network traffic to a pcap file.
  • DNS Spoofing: Spoof DNS responses to redirect traffic.
  • Session Hijacking: Hijack web sessions by stealing session cookies.
  • Data Exfiltration: Exfiltrate captured data to a remote server.
  • VPN Pivot: Create a VPN tunnel to pivot into the target network.

LED Status Indicators

  • Solid Blue: Arming Mode
  • Solid Magenta: Payload running
  • Blinking Green: Payload finished
  • Blinking Red: Error

Networking Modes

  • NETMODE BRIDGE: Bridge the two Ethernet ports together; the Packet Squirrel itself also requests an IP address on the bridged network via DHCP.
  • NETMODE NAT: Create a NAT network between the two Ethernet ports, with the Packet Squirrel acting as the router between them.
  • NETMODE TRANSPARENT: Bridge the two Ethernet ports without assigning the Packet Squirrel any IP address, so it does not show up in IP-layer inventory or scans; it remains a physical in-line device, which is why switch link-state monitoring is the more reliable place to look for it.

Additional Resources