🐿️

Packet Squirrel

Mark II — Ethernet Man-in-the-Middle

A stealthy, pocket-sized Ethernet multi-tool. Capture packets, hijack networks, tunnel VPN connections, and deploy reactive payloads — all at the flip of a switch.

MAN-IN-THE-MIDDLE PACKET CAPTURE DUCKYSCRIPT 2.0 BASH + PYTHON WIREGUARD CLOUD C²

// Overview

The Man-in-the-Middle That's Nuts for Networks

The Packet Squirrel Mark II sits inline between a target device and the network, giving you full visibility and control over all traffic passing through. Matchbox-sized and powered via USB-C, it's designed to disappear behind a workstation, IP camera, or point-of-sale terminal. Run packet captures, poison DNS, deploy Meterpreter, tunnel to VPN, or exfiltrate traffic — all controlled via web UI, SSH, or Cloud C².

💻

Target Device

Target Ethernet Port

ETH ←→

🐿️

Packet Squirrel

Intercept · Modify · Exfiltrate

ETH ←→

🌐

Network / Internet

Network Ethernet Port

// Network Modes

Three Ways to Handle Traffic

Each payload selects a network mode that determines how traffic flows between the target and the network.

MODE

🔀

NAT

Target gets an address in the 172.16.32.x range. Squirrel acts as the gateway with full routing control. VPN-capable.

MODE

🌉

BRIDGE

Transparent Layer 2 bridging. Target obtains IP directly from the real network. Invisible to the target. VPN-capable.

MODE

🔒

JAIL

Target is completely isolated from the network. Perfect for forensic analysis, malware sandboxing, and traffic inspection.

// Hardware Layout

Ports & Controls

🔌

Target Ethernet

Connect target device here. Traffic flows through the Squirrel.

↖ Upper left

🌐

Network Ethernet

Connects to existing network/switch. Obtains IP via DHCP.

↗ Upper right

⚡

USB-C Power

Power only — any USB charger or power bank. No data.

↙ Lower left

💾

USB-A Storage

Attach USB drives (ext4/fat32/NTFS) for pcaps and loot.

↘ Lower right

🎛️

4-Way Payload Switch

Positions 1–3 for payloads, position A for arming/config mode.

▼ Bottom

💡

RGB Status LED + Button

Multi-color status. Button for reboot, factory reset, or payload input.

▲ Front

// Switch Positions

Flip → Boot → Execute

Payload 1

First configurable payload slot

Payload 2

Second configurable payload slot

Payload 3

Third configurable payload slot

Arming

Web UI + SSH config mode

// Capabilities

Key Features

▸

Packet Capture — Full pcap capture to USB storage. Filter by protocol, port, or host. Capture gigabytes of traffic for offline analysis in Wireshark.

▸

VPN Tunneling — WireGuard and OpenVPN support in any network mode. Tunnel target traffic through your VPN or establish remote access tunnels back to your infrastructure.

▸

DNS Spoofing — SPOOFDNS command redirects DNS queries to your controlled server. Phish credentials, redirect updates, or inject malicious responses inline.

▸

Stream Filtering — KILLSTREAM and KILLPORT selectively block traffic. DYNAMICPROXY intercepts and modifies HTTP/HTTPS streams in real time.

▸

Cloud C² — Remote command and control from anywhere via browser. Deploy payloads, exfiltrate loot, and manage fleets of Packet Squirrels from a single dashboard.

▸

Web UI — Built-in browser interface at 172.16.32.1:1471 for payload management, live configuration, and web terminal access. No SSH client required.

▸

Multi-Language Payloads — Write payloads in DuckyScript, Bash, or Python 3 out of the box. Install additional interpreters via USB storage for other languages.

▸

Self-Destruct — SELFDESTRUCT command wipes payloads, loot, and configuration from the device. Critical for red team operational security.

// DuckyScript Commands

20+ Network-Specific Functions

The Mark II introduces powerful new DuckyScript commands designed specifically for network manipulation.

SPOOFDNS Redirect DNS queries to attacker-controlled addresses

DYNAMICPROXY Intercept and modify HTTP/S traffic inline

KILLPORT Silently block specific ports on the target

KILLSTREAM Drop all traffic matching specified criteria

SELFDESTRUCT Wipe all payloads, config, and loot from device

PCAP Start/stop packet capture to USB storage

NETMODE Set NAT, BRIDGE, or JAIL network mode

VPN Establish WireGuard or OpenVPN tunnel

// Payload Example

DNS Spoofing + Packet Capture

This payload redirects the target's DNS to a controlled server while silently capturing all network traffic to USB.

      #!/bin/bash

      # Title: DNS Spoof + Full Capture

      # Description: Redirect DNS and log all packets

      # Configure network mode

      NETMODE NAT

      LED SETUP

      # Spoof DNS — redirect all queries to our server

      SPOOFDNS * 10.0.0.50

      # Start full packet capture to USB drive

      PCAP /mnt/usb/loot/capture_$(date +%s).pcap

      LED ATTACK

      # Wait for button press to stop

      BUTTON

      # Cleanup

      SPOOFDNS off

      PCAP stop

      LED FINISH

// Use Cases

Deployment Scenarios

🕵️

Covert Network Tap

Plant behind a target workstation in BRIDGE mode. Transparent to the target — capture all traffic without disruption.

🔓

Credential Interception

DNS spoof login portals to capture credentials. Combine with DYNAMICPROXY for SSL stripping and form injection.

🛡️

Hardware Firewall

Use JAIL mode as a portable network isolator. Inspect traffic from untrusted devices without exposing your network.

🔐

VPN Router

Tunnel all target traffic through WireGuard. Protect yourself on hostile hotel or conference networks automatically.

📹

IoT / Camera Audit

Plant inline with IP cameras, printers, or IoT devices. Capture and analyze their network behavior and phone-home traffic.

🎓

Network Training

Demonstrate MITM attacks, DNS poisoning, and traffic analysis in controlled lab environments with real hardware.