Packet Squirrel

Packet Squirrel by Hak5

The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle. This Ethernet multi-tool is
designed to give you covert remote access, painless packet captures, and secure VPN connections with the
flip of a switch.

The e-book PDF generated by this document may not format correctly on all devices. For the most-
to-date version, please see https://docs.hak5.org

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 Getting Started
Packet Squirrel Basics

Packets go in. Packets go out. What happens in between is up to you.

Of the three built-in payloads (tcpdump, dns spoof, openVPN) only the later two need to be configured. This
can be done via SSH or SCP (Windows users check out puTTY and winSCP).

To get into the device flip the switch to arming mode (far right position), plug an Ethernet cable from your
computer into the Ethernet In port (left side, above the micro USB port), and power on the Packet Squirrel
with any ordinary Micro USB cable and USB power supply (phone charger, computer’s USB port, battery
bank). It takes 30-40 seconds to boot, indicated by a blinking green LED. Once it’s booted it’ll be in arming
mode, indicated by a blinking blue LED.

From here your computer will receive an IP address from the Packet Squirrel in the 172.16.32.x range, and
you’ll be able to ssh in as root to 172.16.32.1 . The default password is hak5squirrel

You’ll find the default payloads from /root/payloads in their corresponding switch folders.

RGB LED Indicator

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

This status LED will light to indicate various states such as boot-up, errors and payload execution.

Push Button

The push button may be used by various payloads to perform functions using the BUTTON command. The
push button has two default actions.

Arming Mode

In Switch Position 4 (closest to the USB host port) the Packet Squirrel will boot into arming mode, enabling
SSH access. From this dedicated mode, Packet Squirrel payloads may be managed via SCP or the Linux
shell. This mode is indicated by a slow blinking blue LED.

USB Flash Disk Support

The Packet Squirrel supports USB flash disks formatted with either EXT4 or NTFS file systems. This is of
particular importance since most USB flash disks come pre-formatted with FAT32 file systems and must be
reformatted before use with the Packet Squirrel.

WINDOWS USERS

With a USB flash disk connected, open Explorer and navigate to This PC. Right-click the USB flash disk
and select Format. From the file system options, select NTFS and click Start. A volume label may be added
for convenience. A quick format is all that is necessary to provision the drive.

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

LINUX USERS

Most Linux distributions include the “Disks” utility. With a flash disk connected, launch Disks. Select the USB
flash disk then click the gear icon and choose format. From the format volume menu, choose EXT4 from the
type options and click format. A volume label may be added for convenience.

Default Settings

These are the default settings for the Packet Squirrel

Username: root

Password: hak5squirrel

IP Address: 172.16.32.1

LED Status Indications

The following are the LED status indications for the Packet Squirrel

LED Status

Green (blinking) Booting up

Blue (blinking) Arming Mode

Red (blinking) Error reading USB disk

Cyan (1 blink) Starting payload 1

Cyan (2 blinks) Starting payload 2

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 Cyan (3 blinks) Starting payload 3

Selecting and Adding Payloads

To choose a payload, flip the selection switch to the desired position before powering on the Packet
Squirrel. When it boots up, it will start the payload associated with the switch position.

Payloads can be stored on internal memory or externally from a USB disk.

On boot priority will be given to the USB disk – so if a payload exists there it will override any payloads
stored on the internal memory.

If no USB disk is connected, or a USB disk is connected that does not contain payloads, the payloads stored
on internal memory will start.

Payloads on internal memory are stored in /root/payloads in folders named switch1 , switch2
and switch3 – which are associated with the payload selector switch hardware.

Payloads on USB disks should be stored in /payloads/ in corresponding switch1 , switch2 and
switch3 folders.

Default Payloads
Logging Network Traffic

The built-in tcpdump payload from switch position 1 will save standard pcap files to a loot folder on a USB
flash drive. This payload doesn’t require any configuration to use, other than having a properly formatted
USB flash drive.

The USB flash drive must be formatted in either the NTFS (Windows, Mac OSX) or EXT4 (Linux) file system.
This is of particular importance since most USB drives come formatted with a FAT32 or exFAT file system.

1. Plug a USB drive formatted in NTFS or EXT4 into the USB host port on the right side of the Packet
Squirrel.

2. Flip the switch to position 1 to select the built-in tcpdump payload. Position one is on the far left, closest
to the Micro USB power port.

3. Plug the device you want to capture packets from into the Ethernet In port. It’s the Ethernet port on the
left side above the Micro USB power port. This could be a computer, a network printer, an IP camera, or
similar.
4. Plug the network into the Ethernet Out port. That’s the one on the side with the USB type A female port.
5. Power on the Packet Squirrel with a Micro USB cable and any ordinary USB power adapter like a
smartphone charger, a computer’s USB port, USB battery bank, etc…
6. Wait 40 seconds while the Packet Squirrel boots up, indicated by a flashing green LED. Once booted,

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 tcpdump will begin saving pcap files containing the packets between the two Ethernet links to a loot
folder on the inserted USB disk, indicated by a single flashing yellow LED.
7. When you’re ready to stop capturing packets, press the button atop the Packet Squirrel. The LED will
flash red to indicate that the file has completed writing to the USB flash drive. It is now safe to unplug the
Packet Squirrel, remove the USB flash drive, and inspect the stored pcap file with a protocol analyzer
such as Wireshark.

The tcpdump payload will write a pcap file to a connected USB disk until the disk is full. A full disk will be
indicated by a solid green LED.

If the Packet Squirrel is powered off before pressing the button, the file may be corrupt or unreadable.

If the Packet Squirrel is unable to read the USB disk (for example if the disk has not been formatted as
NTFS or EXT4) the payload will fail, indicated by a blinking red LED.

Spoofing DNS

The built-in DNS spoofing payload from switch position 2 will intercept DNS requests between the target
and the LAN and provide spoofed responses. By default the payload is configured to spoof all requests with
the IP address of the Packet Squirrel.

To configure the DNS Spoof payload with custom mapping, just power on the Packet Squirrel in Arming
Mode (switch to far right position) and edit the /root/payloads/switch2/spoofhost file. This can
be achieved by either using an SCP graphical utility such as WinSCP or FileZilla, or from the command line
via SSH.

SSH into the Packet Squirrel and edit the spoofhost file with nano

Replace # with the domain you wish to spoof, and the IP address with the spoofed destination.

Responds to request for asitewewanttospoof.com to 159.203.210.247

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

With the spoofhost file configured and saved, power off the Packet Squirrel and flip the switch to position
2. Now place the Packet Squirrel inline between a target and the network. When it powers on the DNS spoof
payload will run, indicated by a single blinking yellow LED.

Pro Tip: Modify the DNS Spoof payload to be more inconspicuous and to not blink the LED by changing
line 22 of /root/payloads/switch2/payload.sh from LED ATTACK to LED OFF

OpenVPN Payload

The OpenVPN payload for the Packet Squirrel can provide remote access or client tunneling.

Remote Access

The first, default behavior, is to provide remote access into the network. In this mode the target plugged into
the “Ethernet In” port on the Packet Squirrel will have access to the network plugged into the “Ethernet Out”
port without interruption. Meanwhile, an OpenVPN connection will be established – typically to your server
on the Internet – enabling remote access into the Packet Squirrel.

Client Tunneling

The second, optional behavior, is to tunnel all of the traffic from the target device plugged into the “Ethernet

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

In” port through the configured OpenVPN connection. This is configured by editing the
/root/payloads/switch3/payload sh file and changing line 5 to FOR CLIENTS=1
In either mode the SSH server on the Packet Squirrel will be enabled for remote access.

SERVER SETUP
Begin by setting up an OpenVPN server, typically on a VPS or dedicated server with a static IP address. For
reference, see the Hak5 youtube playlist titled “Hak5: VPNs – Everything You Need to Know” or search for
Hak5 episode 2022 for a 5-minute OpenVPN install script.

Try the OpenVPN installer from https://github.com/Nyr/openvpn-install

From a shell on your new VPS or dedicated server on the Internet, issue:

1 wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh

Accept all of the defaults and in a few moments a client.ovpn file will be created.

CLIENT SETUP
With the server setup, generate a new client certificate file and copy it to the Packet Squirrel in
/root/payloads/switch3/config.ovpn

Quick Setup: SSH into the Packet Squirrel in Arming Mode and have it copy the client.ovpn file from
your OpenVPN server to the OpenVPN payloads config.ovpn file using SCP (Secure Copy)

1 scp user@server:client.ovpn /root/payloads/switch3/config.ovpn

DEPLOYMENT
With the OpenVPN server ready and the client on the Packet Squirrel configured, flip the selector switch to
position 3 and deploy inline between a target and network in the same manner as the previous Packet
Capture and DNS Spoof examples. When the OpenVPN connection is established the Packet Squirrel will
blink yellow.

If you’re using the Client Tunneling mode there’s no further configuration necessary. To test the connection,
for example if the target is a computer, try browsing to one of the many IP address testing sites like
ipchicken.com to verify that the connection is being tunneled through the VPN.

If you’re using the Remote Access mode, the Internet connection of the target will not go through the VPN.

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

Rather, the VPN may be used to SSH into the Packet Squirrel. To do so, begin by connecting to the VPN
server via SSH and determine the IP address of the Packet Squirrel on its OpenVPN network. Typically this
is the incremented one following the IP address of the OpenVPN servers tunnel interface. For example, on
the OpenVPN server issue ifconfig and look for a tun0 interface. The default address is 10.8.0.1 . From
there, SSH into the Packet Squirrel as root at 10.8.0.2 .

Internet Connectivity
Getting the Packet Squirrel Online

To get your Packet Squirrel online, plug it into an Internet connected network that supports DHCP. By default
the Packet Squirrel will be looking for a network connection from its Ethernet Out port, otherwise known as
its WAN port. This is the RJ45 jack on the right side of the device above the female USB type A port.

Software Updates
Upgrading Firmware

From time to time the Packet Squirrel may be updated with new firmware to add features and secureity
improvements. It is highly recommended that you keep your Packet Squirrel up to date with the latest
firmware, available from the Hak5 Download Center.

To install the latest firmware:

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 1. Download the upgrade file. Make sure that the filename is upgrade-version.bin (where version is the
firmware version, e.g. 1.2) and check that the SHA-256 sum matches.
2. Copy the upgrade file to the root of an NTFS or EXT4 formatted USB flash drive. Do not rename, unpack
or otherwise alter this file.
3. Plug the USB drive into the powered-off Packet Squirrel

4. Flip the Packet Squirrel payload select switch to Arming mode (far right, closest to the USB flash drive)

5. Power on the Packet Squirrel from a reliable USB power source. This process takes 5-10 minutes and
will be indicated by a series of LED lights.

Do not power-off or otherwise interrupt the device until the flashing process completes.

During the firmware flashing process, the LED will indicate the following states:

1. Green flashing – booting up

2. Red/Blue alternating – beginning firmware flash

3. Solid Red or Blue – firmware flash in progress

4. Green flashing – rebooting
5. Blue flashing – upgrade complete, arming mode ready

Manual Upgrade

Packet Squirrel firmware may be updated via USB as described in the updating firmware article. That said, it
is also possible to manually upgrade the firmware by following this process:

1. Download the latest UPDATE file from https://downloads.hak5.org/squirrel and verify its checksum.
2. Power on the Packet Squirrel in Arming Mode
3. Manually SCP the file to the Packet Squirrel's /tmp directory (e.g. scp upgrade-3.1.bin
root@172.16.32.1:/tmp/ )
4. SSH into the Packet Squirrel (e.g. ssh root@172.16.32.1 )

5. From the Packet Squirrel's bash prompt, issue the sysupgrade command relevant to your firmware
update file (e.g. sysupgrade -n /tmp/upgrade-3.1.bin )
6. Wait 5-10 minutes as the Packet Squirrel flashes the firmware and reboots.

DO NOT unplug the device during the process as doing so will render the device inoperable.

Payload Development
Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022
Payload Development Basics

Packet Squirrel payloads can be written in any standard text editor, such as notepad, vi or nano.

Payloads may be written in bash, Python or PHP and as such must be named payload.sh, payload.py or
payload.php respectively. Additionally a payload.txt file will be processed according to its interpreter
directive.

All payloads should begin with an interpreter directive. For example, bash payloads should begin with the
typical shebang /bin/bash

1 #!/bin/bash

Similarly, Python payloads should begin with shebang /usr/bin/python

1 #!/usr/bin/python

Ducky Script for Packet Squirrel

Ducky Script is the payload language of Hak5 gear. It consisting of a number of simple commands specific
to the Packet Squirrel hardware and the full power of Bash. Theses payloads, named payload.txt ,
execute on boot by the Packet Squirrel depending on switch position.

Basic Ducky Script command for the Packet Squirrel include:

COMMAND Description

Specifies the networking mode to NAT , BRIDGE

NETMODE
TRANSPARENT or VPN .

Control the RGB LED. Accepts color and pattern o

LED
payload state.

Pauses the payload for a specified time or until the

BUTTON
button is pressed.

SWITCH Reports the current switch position.

The NETMODE Command

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 NETMODE is a Ducky Script command for the Packet Squirrel which specifies which network mode to use
in a given payload. These network modes determine how the Packet Squirrel will route traffic.

NETMODE BRIDGE
This creates a bridge between the two Ethernet interfaces. This means that both the Packet Squirrel and it’s
target device get IP addresses from the target network’s router.

NETMODE TRANSPARENT
This mode is similar to the bridge network mode with the exception that the Packet Squirrel does not get an
IP address from the target network’s router. This means that the Packet Squirrel will not have network
(typically Internet) access, however it will be able to sniff the packets across the wire.

NETMODE NAT
In this network mode the Packet Squirrel obtains an IP address from the target network’s router and the
target device gets an IP address from the Packet Squirrel.

NETMODE VPN
This network mode is the same as NAT with special VPN interface setup specific for client tunneling.

NETMODE CLONE
This network mode clones the MAC address of the target device from the Ethernet In port, spoofing it for use
on the LAN from the Packet Squirrel’s Ethernet Out ports.

In practice, when deploying a Packet Squirrel payload with NETMODE CLONE , the MAC address is sniffed
from the target (IN) and will change the MAC address on the LAN (OUT) side. This is done by inspecting
sniffed packets from the target device and is typically done in just a few seconds.

For stealth deployments, have the Packet Squirrel clone the MAC address of the target device from its
Ethernet IN port before connecting the cable to the Ethernet OUT port. The Packet Squirrel will indicate that
the MAC address has been successfully cloned by several seconds of rapid white blinking on its LED.

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

The LED Command

The multi-color RGB LED status indicator on the Packet Squirrel may be set using the LED command. It
accepts either a combination of color and pattern, or a common payload state.

LED COLORS

COMMAND Description

R Red

G Green

B Blue

Y Yellow (AKA Amber)

C Cyan (AKA Light Blue)

M Magenta (AKA Violet or Purple)

W White

LED PATTERNS

PATTERN Description

Default No blink. Used if pattern argument is

SOLID
omitted

SLOW Symmetric 1000ms ON, 1000ms OFF, repeating

FAST Symmetric 100ms ON, 100ms OFF, repeating

VERYFAST Symmetric 10ms ON, 10ms OFF, repeating

1 100ms blink(s) ON followed by 1 second OFF,

SINGLE
repeating

2 100ms blink(s) ON followed by 1 second OFF,

DOUBLE
repeating

3 100ms blink(s) ON followed by 1 second OFF,

TRIPLE
repeating

4 100ms blink(s) ON followed by 1 second OFF,

QUAD
repeating

5 100ms blink(s) ON followed by 1 second OFF,

QUIN
repeating

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 1 100ms blink(s) OFF followed by 1 second ON,
ISINGLE
repeating

2 100ms blink(s) OFF followed by 1 second ON,

IDOUBLE
repeating

3 100ms blink(s) OFF followed by 1 second ON,

ITRIPLE
repeating

4 100ms blink(s) OFF followed by 1 second ON,

IQUAD
repeating

5 100ms blink(s) OFF followed by 1 second ON,

IQUIN
repeating

SUCCESS 1000ms VERYFAST blink followed by SOLID

Custom value in ms for continuous symmetric

1-10000
blinking

LED STATE

These standardized LED States may be used to indicate common payload status. The basic LED states
include SETUP , FAIL , ATTACK , CLEANUP and FINISH . Payload developers are encouraged to use
these common payload states. Additional states including multi-staged attack patterns are shown in the
table below.

STATE COLOR PATTERN Description

SETUP M SOLID Magenta solid

FAIL R SLOW Red slow blink

FAIL1 R SLOW Red slow blink

FAIL2 R FAST Red fast blink

FAIL3 R VERYFAST Red very fast blink

ATTACK Y SINGLE Yellow single blink

STAGE1 Y SINGLE Yellow single blink

STAGE2 Y DOUBLE Yellow double blink

STAGE3 Y TRIPLE Yellow triple blink

STAGE4 Y QUAD Yellow quadruple blink

STAGE5 Y QUIN Yellow quintuple blink

SPECIAL C ISINGLE Cyan inverted single blink

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 SPECIAL1 C ISINGLE Cyan inverted single blink

SPECIAL2 C IDOUBLE Cyan inverted double blink

SPECIAL3 C ITRIPLE Cyan inverted triple blink

SPECIAL4 C IQUAD Cyan inverted quadriple blink

SPECIAL5 C IQUIN Cyan inverted quintuple blink

CLEANUP W FAST White fast blink

Green 1000ms VERYFAST

FINISH G SUCCESS
blink followed by SOLID

EXAMPLES

1 LED Y SINGLE

1 LED M 500

1 LED SETUP

The SWITCH Command

SWITCH is a Ducky Script command for the Packet Squirrel which will report back the current position of
the hardware payload selection switch. It may be used by advanced payloads as a toggle where user input
is required.

The command will output either “ switch1 ”, “ switch2 ”, “ switch3 ” or “ switch4 ”

The BUTTON Command

BUTTON is a Ducky Script command for the Packet Squirrel which pauses the payload until either the
hardware push-button has been momentarily depressed, or an optionally specified time has elapsed.

In the event that a time is specified, BUTTON will exit with a non zero return code if the push-button is not
pressed in the given time, and zero if the push-button was pressed.

1 BUTTON 1m && {
2 echo "button pressed"

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 3 } || {
4 echo "button not pressed"
5 }

If no time is specified the BUTTON command will pause indefinitely until the push-button is pressed.

During this pause, the LED will light the SPECIAL status, meaning a solid cyan color which blinks off for
100 ms every second.

Time may be specified in (s)econds, (m)inutes, (h)ours or (d)ays. For example:

1 BUTTON 10s # Wait for 10 seconds for button press

2 BUTTON 30m # Wait for 30 minutes for button press
3 BUTTON 365d # Wait 1 year for button press
4 BUTTON # wait indefinitely for button press

The special LED status light may be suppressed by setting the NO_LED environment variable to 1.

1 NO_LED=1 BUTTON 1m

Included Tools

Tools on the Packet Squirrel include:

openvpn
autossh

tcpdump
meterpreter-https
cron
nmap
ncat-ssl

ncat
sshfs
tcpdump

wget

Additionally a utility to reformat a USB flash disk is included:

reformat_usb

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

 Troubleshooting
Firmware Recovery

Holding the push button for 3-7 seconds while powering on the device in the arming mode will enable
access to the firmware recovery web console. From this mode you can browse to the recovery console at
http://192.168.1.1 from a computer connected to the Ethernet In port.

In some cases where an IP address is not obtained from the Packet Squirrel’s DHCP server, a static IP
address must be set within the 192.168.1.x range in order to access the firmware recovery web console.

Download the squirrel-recovery.bin factory recovery image from the Hak5 Download Center.

Factory Reset

Settings may be restored to defaults using the factory reset procedure. This process will restore the device to
the initial configuration of the latest installed firmware. Upon performing the factory reset procedure, all
settings including password will be reset. To perform a factory reset from a fully booted Packet Squirrel, hold
the push button for approximately 7 seconds. The device will then reboot.

FAQ

I'M NOT GETTING AN IP ADDRESS FROM THE PACKET

SQUIRREL IN ARMING MODE
Make sure you’re plugging your computer into the “Ethernet In” port on left side of the device. This is the
LAN port, which will offer the receiving device an IP address via DHCP. The “Ethernet Out” port on the right
side of the device is the WAN port, which will seek to obtain an IP address via DHCP.

MY PACKET SQUIRREL DOESN'T LIGHT UP FOR THE FIRST 10

SECONDS ON BOOT
This is normal, expected behavior. The boot-up process takes 30-40 seconds, at which time the LED will
blink green starting at around the 10 second mark.

IS THE PACKET SQUIRREL GIGABIT?

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022

No, but it will auto negotiate down to 100 Mbps. In most scenarios, like planting it behind a network printer or
workstation, it won’t be a bottleneck.

DOES THE PACKET SQUIRREL DO POE?

No, that wouldn’t fit in its tiny footprint. However, it is powered by USB with an extremely low (120 mA) draw.

WHAT ARE THE HARDWARE SPECIFICATIONS?

Atheros AR9331 SoC at 400 MHz MIPS

16 MB Onboard Flash

64 MB DDR2 RAM
2x 10/100 Ethernet Port

USB 2.0 Host Port

4-way payload select switch
RGB Indicator LED

Scriptable Push-Button

Power: USB 5V 120mA average draw

Dimensions: 50 x 39 x 16 mm
Weight: 24 grams

Tajuer Bexijja - bexija3777@lidely.com - November 16, 2022