I recently got a new toy from Hak5 in the mail, the Packet Squirrel. Here are my first impressions and some information about the device.
To log into the device, connect a CAT5 Ethernet cable to your computer and the other end to the ETHERNET IN port (next to the power adapter port).
Bring the local network interface up on your computer and run dhclient on it.
Connect via ssh as follows:
ssh root@172.16.32.1
BusyBox v1.23.2 (2017-06-28 18:58:08 PDT) built-in shell (ash)
__ (\\_ Packet Squirrel _//) __ (_ \( '.) by Hak5 (.' )/ _) ) \ _)) _ __ ((_ / ( (_ )_ (') Nuts for Networks ((') _( _)
root@squirrel:~#
Running a standard dmesg query is the first thing I usually do.
root@squirrel:~# dmesg
[ 0.000000] Linux version 3.18.45 (sebkinne@buildbot) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49389) ) #49 Thu Jul 13 17:58:25 PDT 2017
[ 0.000000] MyLoader: sysp=d5a28125, boardp=293d0927, parts=b826e6ed
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] free_area_init_node: node 0, pgdat 803660f0, node_mem_map 81000000
[ 0.000000] Normal zone: 128 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 16384 pages, LIFO batch:3
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=HAK5-SQUIRREL console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 60880K/65536K available (2523K kernel code, 143K rwdata, 540K rodata, 240K init, 188K bss, 4656K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Squirrel V1.0
[ 0.570000] Switched to clocksource MIPS
[ 0.580000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.590000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.610000] PCI: CLS 0 bytes, default 32
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.640000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.650000] msgmni has been set to 118
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.670000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found mx25l12805d, expected m25p80
[ 0.710000] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000013aa14 : "kernel"
[ 0.730000] 0x00000013aa14-0x000000ff0000 : "rootfs"
[ 0.740000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.740000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.750000] 0x000000e50000-0x000000ff0000 : "rootfs_data"
[ 0.750000] 0x000000ff0000-0x000001000000 : "art"
[ 0.760000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.780000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 1.380000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 1.970000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.000000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 2.000000] TCP: cubic registered
[ 2.010000] NET: Registered protocol family 17
[ 2.010000] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.020000] 8021q: 802.1Q VLAN Support v1.8
[ 2.040000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 2.040000] Freeing unused kernel memory: 240K (80384000 - 803c0000)
[ 3.560000] init: Console is alive
[ 3.570000] init: - watchdog -
[ 5.640000] usbcore: registered new interface driver usbfs
[ 5.640000] usbcore: registered new interface driver hub
[ 5.650000] usbcore: registered new device driver usb
[ 5.710000] SCSI subsystem initialized
[ 5.720000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.730000] ehci-platform: EHCI generic platform driver
[ 5.730000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.740000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.750000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.770000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.770000] hub 1-0:1.0: USB hub found
[ 5.770000] hub 1-0:1.0: 1 port detected
[ 5.780000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 5.790000] ohci-platform: OHCI generic platform driver
[ 5.800000] usbcore: registered new interface driver usb-storage
[ 6.620000] init: - preinit -
[ 7.380000] random: procd urandom read with 11 bits of entropy available
[ 10.570000] mount_root: loading kmods from internal overlay
[ 10.870000] jffs2: notice: (343) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 10.890000] block: attempting to load /tmp/jffs_cfg/upper/etc/config/fstab
[ 10.900000] block: extroot: not configured
[ 10.930000] jffs2: notice: (340) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 11.050000] block: attempting to load /tmp/jffs_cfg/upper/etc/config/fstab
[ 11.060000] block: extroot: not configured
[ 11.070000] mount_root: switching to jffs2 overlay
[ 11.120000] procd: - early -
[ 11.120000] procd: - watchdog -
[ 11.920000] procd: - ubus -
[ 12.930000] procd: - init -
[ 15.400000] NET: Registered protocol family 10
[ 15.410000] tun: Universal TUN/TAP device driver, 1.6
[ 15.410000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 15.430000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 15.450000] fuse init (API version 7.23)
[ 15.460000] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68
[ 15.470000] Backport generated by backports.git backports-20151218-0-g2f58d9d
[ 15.480000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.500000] nf_conntrack version 0.5.0 (955 buckets, 3820 max)
[ 15.530000] usbcore: registered new interface driver ums-alauda
[ 15.540000] usbcore: registered new interface driver ums-cypress
[ 15.540000] usbcore: registered new interface driver ums-datafab
[ 15.550000] usbcore: registered new interface driver ums-freecom
[ 15.560000] usbcore: registered new interface driver ums-isd200
[ 15.570000] usbcore: registered new interface driver ums-jumpshot
[ 15.570000] usbcore: registered new interface driver ums-karma
[ 15.580000] usbcore: registered new interface driver ums-sddr09
[ 15.590000] usbcore: registered new interface driver ums-sddr55
[ 15.600000] usbcore: registered new interface driver ums-usbat
[ 15.630000] xt_time: kernel timezone is -0000
[ 15.750000] PPP generic driver version 2.4.2
[ 15.760000] NET: Registered protocol family 24
[ 21.440000] hub 1-0:1.0: USB hub found
[ 21.450000] hub 1-0:1.0: 1 port detected
[ 37.340000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 37.390000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 38.990000] eth1: link up (1000Mbps/Full duplex)
[ 38.990000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 80.280000] random: nonblocking pool is initialized
[ 261.110000] eth1: link down
[ 264.290000] eth0: link up (100Mbps/Full duplex)
[ 264.290000] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Let's see what kernel and architecture we are running here: MIPS!
root@squirrel:/etc/ssh# uname -a
Linux squirrel 3.18.45 #49 Thu Jul 13 17:58:25 PDT 2017 mips GNU/Linux
What is the detailed information about the current kernel?
root@squirrel:/etc/ssh# cat /proc/version
Linux version 3.18.45 (sebkinne@buildbot) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49389) ) #49 Thu Jul 13 17:58:25 PDT 2017
Let's check what modules are loaded on the Packet Squirrel.
root@squirrel:/etc/ssh# lsmod
arc4 1296 0
ath 20005 3 ath9k
ath9k 87286 0
ath9k_common 19294 1 ath9k
ath9k_hw 336753 2 ath9k
cfg80211 216387 4 ath9k
compat 12643 4 ath9k
crc16 999 1 ext4
crc_ccitt 1003 1 ppp_async
crypto_blkcipher 10503 1 arc4
crypto_hash 9746 2 ext4
ehci_hcd 31996 1 ehci_platform
ehci_platform 3360 0
ext4 312204 0
fuse 66153 0
gpio_button_hotplug 4464 0
ip6_tables 9281 3 ip6table_raw
ip6t_REJECT 1184 2
ip6table_filter 608 1
ip6table_mangle 1072 1
ip6table_raw 576 1
ip_tables 9437 4 iptable_nat
ipt_MASQUERADE 624 2
ipt_REJECT 912 2
iptable_filter 672 1
iptable_mangle 944 1
iptable_nat 752 1
iptable_raw 640 1
ipv6 257144 24 nf_conntrack_ipv6
jbd2 47538 1 ext4
ledtrig_usbdev 1920 0
mac80211 399098 1 ath9k
mbcache 4525 1 ext4
nf_conntrack 47579 11 nf_nat_ipv4
nf_conntrack_ftp 5264 1 nf_nat_ftp
nf_conntrack_ipv4 4640 10
nf_conntrack_ipv6 4928 3
nf_conntrack_rtcache 2448 0
nf_defrag_ipv4 790 1 nf_conntrack_ipv4
nf_defrag_ipv6 9063 1 nf_conntrack_ipv6
nf_log_common 2271 2 nf_log_ipv4
nf_log_ipv4 3120 0
nf_log_ipv6 3280 0
nf_nat 8843 5 nf_nat_ipv4
nf_nat_ftp 1184 0
nf_nat_ipv4 3649 1 iptable_nat
nf_nat_masquerade_ipv4 1388 1 ipt_MASQUERADE
nf_reject_ipv4 1811 1 ipt_REJECT
nf_reject_ipv6 1879 1 ip6t_REJECT
nls_base 4960 1 usbcore
ohci_hcd 22175 1 ohci_platform
ohci_platform 2736 0
ppp_async 6320 0
ppp_generic 20578 3 pppoe
pppoe 8160 0
pppox 1338 1 pppoe
scsi_mod 85623 3 ums_cypress
sd_mod 25536 0
slhc 4283 1 ppp_generic
tun 15183 0
ums_alauda 8240 0
ums_cypress 2224 0
ums_datafab 4656 0
ums_freecom 1952 0
ums_isd200 5008 0
ums_jumpshot 3584 0
ums_karma 1520 0
ums_sddr09 8688 0
ums_sddr55 4800 0
ums_usbat 7312 0
usb_common 1144 1 usbcore
usb_storage 37727 10 ums_usbat
usbcore 118164 16 ums_usbat
x_tables 11746 26 ipt_REJECT
xt_CT 2208 0
xt_LOG 752 0
xt_REDIRECT 1040 0
xt_TCPMSS 2592 2
xt_comment 480 76
xt_conntrack 2160 12
xt_id 480 0
xt_limit 992 20
xt_mac 624 0
xt_mark 656 0
xt_multiport 1168 0
xt_nat 1056 0
xt_state 688 0
xt_tcpudp 1680 10
xt_time 1632 0
How is the kernel loaded?
root@squirrel:/etc/ssh# cat /proc/cmdline
board=HAK5-SQUIRREL console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
Let's check the CPU info.
root@squirrel:/etc/ssh# cat /proc/cpuinfo
system type : Atheros AR9330 rev 1
machine : Squirrel V1.0
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 265.42
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
Looks like this system is a modified OpenWrt.
root@squirrel:/etc/ssh# cat /etc/openwrt_version
15.05.1
Regenerating the DSA/RSA host keys and changing the default root password is good practice as the first thing after the initial login.
root@squirrel:/etc/ssh# ls -al
drwxrwxr-x 1 root root    0 Jul 14 00:59 .
drwxrwxr-x 1 root root    0 Jul 14 01:06 ..
-rw-r--r-- 1 root root 1632 Jul  5 02:33 ssh_config
-rw------- 1 root root  668 Jul 14 00:59 ssh_host_dsa_key
-rw-r--r-- 1 root root  603 Jul 14 00:59 ssh_host_dsa_key.pub
-rw------- 1 root root 1675 Jul 14 00:59 ssh_host_rsa_key
-rw-r--r-- 1 root root  395 Jul 14 00:59 ssh_host_rsa_key.pub
-rw-rw-r-- 1 root root  114 Jul  5 02:29 sshd_config
root@squirrel:/etc/ssh# rm ssh_host_rsa_key*
root@squirrel:/etc/ssh# rm ssh_host_dsa_key*
root@squirrel:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
root@squirrel:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
root@squirrel:/etc/ssh# passwd
Let's check the OpenSSH version on the Packet Squirrel and some configuration details.
root@squirrel:/etc/ssh# /usr/sbin/sshd --version
OpenSSH_7.1p2, OpenSSL 1.0.2j 26 Sep 2016
root@squirrel:/etc/ssh# cat /etc/ssh/sshd_config
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp internal-sftp
What options does the OpenSSH daemon run with (defaults apart from the above)?
root@squirrel:/etc/ssh# /usr/sbin/sshd -T
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
allowstreamlocalforwarding yes
useprivilegeseparation yes
fingerprinthash SHA256
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
versionaddendum none
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
subsystem sftp internal-sftp
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen any
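One way to triage the sshd -T dump above, as an added example that is not part of the original post or of Hak5's firmware: the function reads the dump on stdin and flags the settings a defender would tighten first, including whether the DSA host key is even offered. The function names, the checks and the maxauthtries threshold are assumptions made for this example, and the sample input is an excerpt of the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: triage `sshd -T` output.
# On the device: /usr/sbin/sshd -T | audit_sshd
# Assumptions: an awk is installed; the checks and thresholds are this
# example's own policy, not Hak5 or OpenSSH guidance.

audit_sshd() {
    # sshd -T prints one lower-case "keyword value" pair per line.
    # Returns 1 if any WARN line was printed, 0 otherwise.
    awk '
    $1 == "permitrootlogin" && $2 == "yes" {
        print "WARN permitrootlogin yes: root may log in with a password"; warn++
    }
    $1 == "passwordauthentication" && $2 == "yes" {
        print "WARN passwordauthentication yes: password guessing is possible"; warn++
    }
    $1 == "permitemptypasswords" && $2 == "yes" {
        print "WARN permitemptypasswords yes"; warn++
    }
    $1 == "maxauthtries" && $2 + 0 > 3 {
        print "WARN maxauthtries " $2 ": more than 3 attempts per connection"; warn++
    }
    $1 == "listenaddress" && (index($2, "0.0.0.0:") == 1 || index($2, "[::]:") == 1) {
        print "INFO listenaddress " $2 ": bound to every interface"
    }
    # Remember the DSA host key and the offered algorithms; both are judged
    # in END so the order of the two keywords in the dump does not matter.
    $1 == "hostkeyalgorithms" { algos = "," $2 "," }
    $1 == "hostkey" && $2 ~ /host_dsa_key$/ { dsa = $2 }
    END {
        if (dsa != "") {
            state = index(algos, ",ssh-dss,") ? "offered" : "not listed in hostkeyalgorithms"
            print "WARN hostkey " dsa ": 1024-bit DSA, ssh-dss " state; warn++
        }
        exit (warn > 0)
    }
    '
}

# Excerpt of the sshd -T output shown above (hostkeyalgorithms shortened).
sample_sshd_t() {
    cat <<'EOF'
port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
maxauthtries 6
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
EOF
}

sample_sshd_t | audit_sshd || echo "findings above need attention"
```

After editing /etc/ssh/sshd_config and restarting sshd, rerun the pipeline until it exits 0.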
What default network daemons are listening?
root@squirrel:/usr/share# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:53      0.0.0.0:*            LISTEN      1309/dnsmasq
tcp        0      0 0.0.0.0:22      0.0.0.0:*            LISTEN      1098/sshd
tcp        0      0 172.16.32.1:22  172.16.32.132:44530  ESTABLISHED 2301/0
tcp        0      0 :::53           :::*                 LISTEN      1309/dnsmasq
tcp        0      0 :::22           :::*                 LISTEN      1098/sshd
Finally, some info on the local tools available on the Packet Squirrel.
root@squirrel:/proc# nmap --version
Nmap version 6.47 ( http://nmap.org )
Platform: mips-openwrt-linux-gnu
Compiled with: openssl-1.0.2j nmap-libpcre-7.6 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without: liblua
Available nsock engines: epoll poll sele
root@squirrel:/proc# openvpn --version
OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 28 2017
library versions: PolarSSL 1.3.14, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
root@squirrel:/usr/sbin# ./dsniff -h
Version: 2.4
root@squirrel:/usr/sbin# ./dnsspoof -h
Version: 2.4
root@squirrel:/usr/sbin# ./sshmitm -h
Version: 2.4
root@squirrel:/usr/sbin# ./webmitm -h
Version: 2.4
root@squirrel:/usr/sbin# ./mailsnarf -h
Version: 2.4
root@squirrel:/usr/sbin# ./macof -h
Version: 2.4
root@squirrel:/rom# python2.7 -v
# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
import site # from /usr/lib/python2.7/site.py
import os # from /usr/lib/python2.7/os.py
import errno # builtin
import posix # builtin
import posixpath # from /usr/lib/python2.7/posixpath.py
import stat # from /usr/lib/python2.7/stat.py
import genericpath # from /usr/lib/python2.7/genericpath.py
import warnings # from /usr/lib/python2.7/warnings.py
import linecache # from /usr/lib/python2.7/linecache.py
import types # from /usr/lib/python2.7/types.py
import UserDict # from /usr/lib/python2.7/UserDict.py
import _abcoll # from /usr/lib/python2.7/_abcoll.py
import abc # from /usr/lib/python2.7/abc.py
import _weakrefset # from /usr/lib/python2.7/_weakrefset.py
import _weakref # builtin
import copy_reg # from /usr/lib/python2.7/copy_reg.py
import traceback # from /usr/lib/python2.7/traceback.py
import sysconfig # from /usr/lib/python2.7/sysconfig.py
import re # from /usr/lib/python2.7/re.py
import sre_compile # from /usr/lib/python2.7/sre_compile.py
import _sre # builtin
import sre_parse # from /usr/lib/python2.7/sre_parse.py
import sre_constants # from /usr/lib/python2.7/sre_constants.py
dlopen("/usr/lib/python2.7/lib-dynload/_locale.so", 2);
import _locale # dynamically loaded from /usr/lib/python2.7/lib-dynload/_locale.so
import _sysconfigdata # from /usr/lib/python2.7/_sysconfigdata.py
import encodings # directory /usr/lib/python2.7/encodings
import encodings # from /usr/lib/python2.7/encodings/__init__.py
import codecs # from /usr/lib/python2.7/codecs.py
import _codecs # builtin
import encodings.aliases # from /usr/lib/python2.7/encodings/aliases.py
import encodings.ascii # from /usr/lib/python2.7/encodings/ascii.py
Python 2.7.12 (default, Jun 28 2017, 19:07:03)
[GCC 4.8.3] on linux2
Type "help", "copyright", "credits" or "license" for more information
Next I will configure some test PAYLOADS on the Packet Squirrel; hopefully I will be able to post my next findings soon.
P.S. I need to get an emulated MIPS system and install GCC to build some tools that might be of use for the next exploits with the Packet Squirrel.
According to the QEMU LinuxMIPS wiki, the CPU on the Packet Squirrel is compatible with QEMU, and since the Packet Squirrel is based on OpenWrt it looks like it should work.
OpenWrt in QEMU MIPS
Use QEMU >= 2.2 (earlier versions can have bugs with MIPS16, see ticket 16881). Ubuntu 14.03.x LTS uses QEMU 2.0, which has this bug.
The “malta” platform is meant for use with QEMU for emulating a MIPS system.
The malta target supports both big and little-endian variants; pick the matching files and qemu version (qemu-system-mips, or qemu-system-mipsel).
qemu-system-mipsel -kernel openwrt-malta-le-vmlinux-initramfs.elf -nographic -m 256
In recent enough versions one can enable ext4 root filesystem image building, and since r46269 (only in trunk, it’s not part of the 15.05 CC release) it’s possible to boot straight from that image (without an initramfs):
qemu-system-mipsel -M malta \
-hda openwrt-malta-le-root.ext4 \
-kernel openwrt-malta-le-vmlinux.elf \
-nographic -append "root=/dev/sda console=ttyS0"