The NETMODE Command

NETMODE is a Ducky Script command for the Packet Squirrel which specifies which network mode to use in a given payload. These network modes determine how the Packet Squirrel will route traffic.

NETMODE BRIDGE

This creates a bridge between the two Ethernet interfaces. This means that both the Packet Squirrel and its target device get IP addresses from the target network’s router.

NETMODE TRANSPARENT

This mode is similar to the bridge network mode, except that the Packet Squirrel does not get an IP address from the target network’s router. This means that the Packet Squirrel will not have network (typically Internet) access; however, it will be able to sniff the packets across the wire.

NETMODE NAT

In this network mode the Packet Squirrel obtains an IP address from the target network’s router and the target device gets an IP address from the Packet Squirrel.

NETMODE VPN

This network mode is the same as NAT, with a special VPN interface setup specific to client tunneling.

NETMODE CLONE

This network mode clones the MAC address of the target device from the Ethernet In port, spoofing it for use on the LAN from the Packet Squirrel’s Ethernet Out port.

In practice, when deploying a Packet Squirrel payload with NETMODE CLONE, the MAC address is sniffed from the target (IN) side and then used as the MAC address on the LAN (OUT) side. This is done by inspecting sniffed packets from the target device and typically takes just a few seconds.

For stealth deployments, have the Packet Squirrel clone the MAC address of the target device from its Ethernet IN port before connecting the cable to the Ethernet OUT port. The Packet Squirrel will indicate that the MAC address has been successfully cloned by several seconds of rapid white blinking on its LED.
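Seen from the switch, the modes above leave different layer-2 footprints, which a per-port MAC audit can pick up. The sketch below is an added example, not Hak5 code: the function names, the "port mac" snapshot format and all sample data are constructed, and the mapping from footprint to mode is inferred from the descriptions above.

```python
import re
from collections import defaultdict

# Constructed baseline: the one endpoint MAC expected on each access port.
BASELINE = {
    "port1": {"02:00:00:aa:00:01"},
    "port2": {"02:00:00:aa:00:02"},
    "port3": {"02:00:00:aa:00:03"},
    "port4": {"02:00:00:aa:00:04"},
}
# Constructed snapshot of learned MACs, one "port mac" pair per line.
SNAPSHOT = """\
port1 02:00:00:aa:00:01
port2 02-00-00-AA-00-02
port2 0200.00bb.0099
port3 02:00:00:bb:00:77
"""

def norm(mac):
    """Normalise colon, dash or dotted notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_snapshot(text):
    seen = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            port, mac = line.split()
            seen[port].add(norm(mac))
    return seen

def classify(expected, observed):
    expected = {norm(m) for m in expected}
    if not observed:
        return "idle"
    if not observed - expected:
        # Inconclusive: TRANSPARENT takes no address and CLONE reuses the
        # endpoint's MAC, so an unchanged set does not rule out an inline device.
        return "unchanged"
    if observed & expected:
        return "extra-mac"      # consistent with BRIDGE: a second host on the port
    return "replaced-mac"       # consistent with NAT/VPN: endpoint behind another MAC

def audit(baseline, text):
    seen = parse_snapshot(text)
    return {p: classify(exp, seen.get(p, set())) for p, exp in baseline.items()}

if __name__ == "__main__":
    for port, verdict in audit(BASELINE, SNAPSHOT).items():
        print(port, verdict)
```

Ports that come back "unchanged" need a control that does not depend on MAC addresses, such as 802.1X or link-state monitoring on the access port.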
