Bash Bunny USB
The best penetration testers know that with the right tools and a few seconds of physical access, all bets are off. Since 2005 Hak5 has been developing just such tools - combining lethal power elegant simplicity. Now, with the Bash Bunny, we're taking pentesting to the next level...
The Bash Bunny by Hak5 is the world's most advanced USB attack platform.
It opens up attack surfaces that weren't possible before in one single device. Penetration testing attacks and IT automation tasks are all delivered in seconds with the Bash Bunny. By emulating combinations of trusted USB devices — like gigabit Ethernet, serial, flash storage and keyboards - computers are tricked into divulging data, exfiltrating documents, installing backdoors and many more exploits.
It features a simple scripting language that you can write in any text editor like notepad. The growing collection of payloads are hosted in a single library - so finding the right attack is quick and easy. Setting up Bash Bunny attacks is just a matter of flicking its switch to arming mode and copying a payload file. It's the same as you would for an ordinary flash drive — it's literally that convenient.
Carrying multiple payloads and getting feedback on each attacks is effortless. Slide the switch to your payload of choice, plug the Bash Bunny into the victim computer and watch the multi-color LED. With a quad-core CPU and desktop-class SSD it goes from plug to pwn in 7 seconds.
Plus, the Bash Bunny is a full featured Linux box with shell access from a dedicated serial console - so all of the pentesting tools you've come to know and love are just keystrokes away.
With the Bash Bunny, compromising a system is as quick and easy as hopping on a box.
For the sake of convenience, computers trust a number of devices. Flash drives, Ethernet adapters, serial devices and keyboards to name a few. These have become mainstays of modern computing. Each has their own unique attack vectors. When combined? The possibilities are limitless. The Bash Bunny is all of these things, alone - or in combination - and so much more!
Each attack, or payload, is written in a simple "Bunny Script" language consisting of text files. A central repository is home to a growing library of community developed payloads. Staying up to date with all of the latest attacks is just a matter of downloading files from git. Then loads 'em onto the Bash Bunny just as you would any ordinary flash drive.
Under the hood it's a full featured Linux computer — so tools you've come to love work out of the box. It's fast too — booting in under 7 seconds thanks to the powerful quad-core CPU and desktop-class SSD. The payload switch and RGB LED make selecting and monitoring attacks convenient — and with a dedicated Serial console, there's always a Linux terminal at the ready.
Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters.
This is done in such a way that allows the Bash Bunny to be recognized on the victim computer as the fastest network, without drivers, automatically - locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trusts the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure.
These bring-your-own-network attacks are cross-platform, with the Bash Bunny exploiting Mac, Linux, and Android computers with its ECM Ethernet attack mode, and Windows computers with its Microsoft proprietary RNDIS Ethernet attack mode.
Using these methods, attack like QuickCreds for example are able to steal hashed credentials from locked computers in seconds. Plug the Bash Bunny into a computer, wait a few seconds and when the light is green - the trap is clean!
With a full TCP/IP stack and all common Linux-based tools at your disposal, the possibilities for pocket network attacks are endless!
Computers trust humans. Humans interact with keyboards. Hence the Human Interface Device or HID standard used by all modern USB keyboards. To a computer, if the device says it's a keyboard — it's a keyboard.
To penetration testers, a small USB device pre-programmed to inject keystrokes into the victim computer covertly hidden inside a regular flash-drive case is a recipe for social engineering success. Hence the popular Hak5 USB Rubber Ducky - the device that invented keystroke injection attacks.
Building on this, the Bash Bunny directly interprets the Ducky Script language that has become synonymous with HID attacks with its HID attack mode. Advanced attacks are enabled by combining HID attacks with the additional USB device supported by the Bash Bunny - like gigabit Ethernet, Serial and Storage. Coupled with a scripting language that supports conditions and logic using BASH, a new era of keystroke injection attacks are possible.
As anyone in IT knows, two is one — one is none. It's important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It's perfect for binary injection, staged payloads and more.
It's also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it's simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the "loot" folder. It couldn't be more straightforward.
Dedicated Shell Access
Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it's widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we've made it convenient as ever - without the need for a serial-to-USB converter.
With dedicated shell access from the arming mode, dropping to the Bash Bunny Linux terminal is simple over serial from any OS. When combined with advanced payloads, using the serial attack mode, there's limitless potential for creativity with this often overlooked interface.
Deploying payloads is done by copying a payload.txt to a folder on the Bash Bunny which corresponds with its multi-position payload selector switch. This way carrying multiple payloads and swapping payloads is easy. Select your payload with the switch, plug the Bash Bunny into the victim computer and watch as the multi-color LED indicates the attack status.
This functionality builds on the Hak5 USB Rubber Ducky with added conveniences and advanced features. Unlike the popular keystroke injection attack tool, payload text files do not need to be specially encoded, and can be loaded without card readers. Additionally, the "Bunny Script" language is coupled with BASH - so advanced logic and conditions can be easily programmed.
As a collaborative project, it's straightforward to contribute. Fork your favorite payloads, customize and easily commit changes to the Bash Bunny git repository. With a centralized payload library, the entire community benefits from our creativity.
Conveniences are built-in, like the 3-way payload selector switch and multi-color LED status indicator. A Linux terminal is always at the ready via Serial console - so a familiar BASH prompt is never more than a few clicks away.
WiFi Pineapple integration is achieved with specialized payloads. The Bash Bunny can further extend the effectiveness of your penetration testing arsenal by enhancing our gold standard WiFi auditing tool with additional horsepower.
From IT automation tasks to penetration testing attacks, the Bash Bunny Hak5 is the perfect addition to any computing arsenal. It's as quick and easy as hopping on a box.