I think everyone knows what a LAN Turtle is. It’s quite possibly the most dangerous damned USB-to-Ethernet-dongle-looking device that can be conceived. It can…
1. Operate as its own functional Linux box, much like a Raspberry Pi
2. Deploy malware and run remote nmap scans
3. Sniff, alter, redirect, and spoof traffic on the network
4. Exfiltrate important data using techniques such as DNS tunneling, HTTP tunneling, SSH tunneling, and even tunneling through Tor
But a lesser known ability of the LAN Turtle, and its sister Hak5 product, the Packet Squirrel, is its usefulness to Computer Hacking Forensic Investigators and Incident Responders.
It allows you to…
1. Remotely capture packets (frames, actually) into a local file
2. Sweep potentially compromised networks for intruders
3. Remotely detect breach incidents such as ARP spoofing (if arpalert is installed)
In this chapter, we will turn a common $50 penetration testing tool, commonly known as a “LAN Tap”, into a forensics tool for Incident Responders, as I recently received a $50/hr gig to perform an investigation on a possibly compromised Massage Parlor chain and badly needed a way to remotely administer and monitor networks for signs of intrusion, lateral movement, and unwarranted data exfiltration. Should I confirm the presence of malicious traffic, I would immediately request that my client authorize me to create a forensic image of the compromised machine(s).
We are assuming that you have already followed the initial LAN Turtle startup guide here, so your LAN Turtle is ready for configuration.
We are also assuming that you have read my previous article on how to configure a remote VPS Jumpbox using Amazon AWS, DigitalOcean, Linode, Rackspace, or Vultr, and therefore you have a publicly reachable IP address in the cloud.
Now it’s time to convert a LAN turtle into a forensic packet sniffer that saves to a local disk from a remote location!
1. Properly configure your LAN turtle to connect to your remote VPS with a public IP via AutoSSH
The LAN Turtle exclusively uses public key authentication, and therefore you need to generate an SSH key pair whose public key will be installed on the jumpbox.
CTRL+Z out of the menu into the LAN turtle console.
Since the LAN Turtle is effectively a pocket-sized Linux distribution much like a Raspberry Pi, you can use standard Linux commands to connect to your remote, publicly reachable IPv4 jumpbox.
First, generate the keys.
Then, from the console of the LAN Turtle, remotely install the public key on your jumpbox.
Since it uses the default SSH id_rsa.pub key, the KeyManager module of the LAN Turtle does not need to be enabled or activated.
Now type “fg” and press Enter to bring the menu back to the foreground and configure AutoSSH.
Submit, activate and enable this service, then verify that AutoSSH has opened a tunnel by logging into your jumpbox via SSH.
At this point, from the jumpbox shell, you may log in to your LAN Turtle remotely by typing the following, which drops you back into the interactive menu.
ssh root@localhost -p 8443
In this state, the remainder of the guide can be administered REMOTELY.
2. Enable remote SSH file systems on the LAN turtle
On your jumpbox, make a directory to store the SSH filesystem.
Back in the main menu of your LAN Turtle, select SSHFS configuration and configure it with your jumpbox’s address, user and the directory you just created.
Then select Submit, and enable and activate the service.
3. Test tcpdump
Ctrl+Z out of the menu again and run tcpdump
tcpdump -i any -U -w /sshfs/capture.pcap
On your jumpbox, check that the pcap file is being written to properly.
4. Add a CRON daemon cronjob that automatically starts a tcpdump packet capture and forwards it to your remote SSH file system
This will start when the LAN Turtle boots or reboots, i.e. as soon as you plug it into the suspect workstation.
Go back to the EZ-Mode crontab creator (“fg”) and select the crontab module.
Add the line to the bottom of the text. All hash-marked lines are ignored and only serve as examples.
# run tcpdump through "sh -c"; a bare "/bin/sh tcpdump" would try to run tcpdump as a shell script and fail
@reboot /bin/sh -c "tcpdump -i any -U -w /sshfs/capture.pcap"
Now select OK and enable and activate it.
If at any time this module fails, you can create the crontab manually by Ctrl+Z-ing out of the menu and editing the crontab with ‘crontab -e’.
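The crontab line above overwrites capture.pcap on every reboot and can fire before /sshfs is mounted; this added wrapper script (not from the original post or from Hak5) waits for the mount and then writes hourly-rotated, time-stamped captures using tcpdump’s -G option. It assumes it is saved on the Turtle as /root/capture.sh (a hypothetical path) and started from the crontab as @reboot /root/capture.sh start, which also keeps the strftime % characters out of the crontab, where % is special.

```shell
#!/bin/sh
# capture.sh: wrapper for the @reboot job (hypothetical path /root/capture.sh).
# Waits for the SSHFS mount, then writes time-stamped, rotating captures so a
# reboot never truncates the evidence from the previous session.

MOUNT="${MOUNT:-/sshfs}"

# wait_for_mount DIR SECONDS: return 0 once DIR is a mountpoint, 1 on timeout.
wait_for_mount() {
    dir=$1; left=$2
    while [ "$left" -gt 0 ]; do
        if mountpoint -q "$dir" 2>/dev/null; then
            return 0
        fi
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# capture_path DIR HOSTNAME EPOCH: build a per-boot filename prefix such as
# /sshfs/turtle-1700000000; tcpdump -G appends its own strftime suffix.
capture_path() {
    printf '%s/%s-%s' "$1" "$2" "$3"
}

# start_capture DIR: wait up to two minutes for the mount, then rotate to a new
# file every hour (-G 3600) and flush each packet to disk immediately (-U), so a
# pulled plug loses as little as possible.
start_capture() {
    wait_for_mount "$1" 120 || { echo "sshfs not mounted, giving up" >&2; return 1; }
    prefix=$(capture_path "$1" "$(hostname)" "$(date +%s)")
    exec tcpdump -i any -U -G 3600 -w "${prefix}-%Y%m%d%H%M%S.pcap"
}

# Only start capturing when invoked from cron as: @reboot /root/capture.sh start
case "${1:-}" in
    start) start_capture "$MOUNT" ;;
esac
```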
5. Forensic Analysis of Packet Captures
Now that we have managed to remotely capture packets through the LAN Turtle, which in turn writes the file to a VPS that we control, we can analyze the network traffic for any suspicious activity.
If you prefer a console, you can use tshark:
tshark -q -r capture.pcap -z expert
Otherwise, you may just download the capture file locally and run Wireshark on it.
Furthermore, common IDPS systems (Intrusion Detection/Prevention Systems) can parse the pcap file and match their notorious malware signature detection algorithms against the capture. For Suricata it is:
suricata -r capture.pcap
The same for Snort:
snort -r capture.pcap
If you are using Kali Linux, you also have the option of using PCredz to extract credentials, or tcpxtract to arbitrarily extract downloaded files, key exchanges and downloaded pages.
pcredz -f capture.pcap
For tcpxtract it is:
tcpxtract -f capture.pcap -o /dumpdirectory
Thank you, and know that a LAN Turtle or Packet Squirrel can be used as a forensics and incident response tool, and not just something for pentesters!