Bash Bunny [Hak5]


Introduction: What’s Bash Bunny?

Bash Bunny is a simple and powerful multi-function USB attack device and automation platform for pentesters and sysadmins, designed by Hak5, which allows you to easily perform multiple USB-based (BadUSB) attacks. It’s a tiny, portable Debian-based Linux computer with a USB interface, designed specifically to execute payloads when plugged into a target computer.

           _____  _____  _____  _____     _____  _____  _____  _____  __ __
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|
 Bash Bunny by Hak5                           USB Attack/Automation Platform

Bash Bunny can be used to perform attacks on the following operating systems:

  • Linux, OS X, Windows, Unix-based systems and Android.

This small and powerful device can run anything that a normal Debian-based Linux machine can (Linux commands, custom payloads, Python scripts, etc.). Once plugged into a target machine, Bash Bunny can fake its identity as a keyboard or as another trusted media or network device. It can therefore mimic keystrokes, which gives you the ability to inject a number of payloads (from the Bash Bunny payload repository or your own custom payloads).
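From the defender's side, the identity switching described above can be checked for on a Linux host. The following is an added example, not code from Hak5 or the original article: it lists USB devices whose interfaces combine a boot keyboard with mass storage or a network adapter. The sysfs layout and USB-IF class codes are standard, the sample device names are constructed, and the check is a heuristic that legitimate composite devices can also trigger.

```python
"""Flag USB devices that present a keyboard together with storage or networking."""
from pathlib import Path

# USB-IF interface codes as the two-digit hex strings Linux sysfs exposes.
BOOT_KEYBOARD = ("03", "01", "01")          # HID, boot subclass, keyboard protocol
MASS_STORAGE = "08"
# Common network encodings (not exhaustive): CDC ECM, and two RNDIS variants.
NETWORK = {("e0", "01", "03"), ("02", "02", "ff")}

def roles(interfaces):
    """Map (class, subclass, protocol) triples to coarse device roles."""
    found = set()
    for cls, sub, proto in interfaces:
        if (cls, sub, proto) == BOOT_KEYBOARD:
            found.add("keyboard")           # non-boot HID keyboards are not covered
        elif cls == MASS_STORAGE:
            found.add("storage")
        elif (cls, sub) == ("02", "06") or (cls, sub, proto) in NETWORK:
            found.add("network")
    return found

def suspicious(interfaces):
    """A keyboard that is also a disk or a NIC deserves a second look."""
    found = roles(interfaces)
    return "keyboard" in found and bool(found & {"storage", "network"})

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect interface triples per physical device (dirs look like 1-2:1.0)."""
    devices = {}
    fields = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
    for iface in Path(root).glob("*:*"):
        try:
            triple = tuple((iface / f).read_text().strip().lower() for f in fields)
        except OSError:
            continue                        # device unplugged mid-scan
        devices.setdefault(iface.name.split(":")[0], []).append(triple)
    return devices

def audit(devices):
    """Return the sorted bus paths of devices matching the heuristic."""
    return sorted(dev for dev, ifaces in devices.items() if suspicious(ifaces))

# Constructed sample data: hypothetical bus paths with sysfs-style triples.
SAMPLE = {
    "1-1": [("03", "01", "01"), ("03", "01", "02")],   # keyboard + mouse combo
    "1-2": [("08", "06", "50")],                       # plain flash drive
    "1-3": [("03", "01", "01"), ("08", "06", "50")],   # keyboard + storage
    "1-4": [("03", "01", "01"), ("e0", "01", "03")],   # keyboard + RNDIS NIC
}

if __name__ == "__main__":
    print("sample:", audit(SAMPLE), "| this host:", audit(read_sysfs()))
```

A device that presents only one identity at a time will not match this check, so it complements rather than replaces USB device allow-listing.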

How does it work?

  1. Load an attack script on the device.
  2. Slide the device switch to “arming mode”.
  3. Plug it into the USB port.
  4. Open the payload file(s).
  5. Watch the script execute.

Deploying payloads is done by copying a payload.txt to a folder on the Bash Bunny which corresponds with its multi-position payload selector switch. This way carrying multiple payloads and swapping payloads is easy. Select your payload with the switch, plug the Bash Bunny into the victim computer and watch as the multi-color LED indicates the attack status. (Hak5 Bash Bunny documentation)

Bash Bunny: Powerful USB Attack & Automation Platform [specs, features, design]

The Bash Bunny is a programmable device that contains two separate attack modes and an Arming Mode. It’s very fast, thanks to the powerful quad-core CPU and desktop-class SSD, which allows you to finish your pentesting/hacking tasks in seconds. In addition, the very simple ‘Bunny Script’ scripting language allows you to write scripts in any text editor, even basic Notepad.

Features:

  • Intelligent exfiltration (keystroke injection attacks, custom payloads)
  • Dedicated shell access from the Arming Mode
  • 3-way payload selector switch
  • Multi-color LED status indicator
  • The “Bunny Script” language (text files, notepad)
  • Centralized payload repository

Hardware Specs:

  • Quad-core ARM Cortex A7
  • 32 K L1/512 K L2 Cache
  • 512 MB DDR3 Memory
  • 8 GB SLC NAND Disk

Hacking with Bash Bunny

Bash Bunny does not let you do anything that you cannot already do, but having such a small, portable and powerful device can help you a lot in your pentesting and hacking activities and raises the whole thing to a higher level.

  • It’s a cross-platform USB flash device that is small, portable and, most importantly, a powerful Linux computer with a USB interface.
  • You can imitate keystrokes, steal browser cookies and credentials, steal Wi-Fi passphrases, gain remote access, and create and launch backdoors.
  • It enables: Network Hijacking, Keystroke Injection, Intelligent Exfiltration, Dedicated Shell Access, and much more.
  • You can also create reverse shells, download remote files, and execute programs and malicious scripts, even on machines with a locked screen.
  • You can modify Bash Bunny and enable malicious scripts to execute while the victim thinks it’s a normal USB drive.
  • Stolen passwords and access data can be saved to the integrated flash memory, which allows you to access the target machine remotely and do some serious damage (open backdoors, download data, run payloads, exploit systems, etc.).
  • In addition, Bash Bunny allows WiFi Pineapple integration with specialized payloads.

Conclusion

Bash Bunny is truly a very useful physical hacking tool. With this little devil, hacking possibilities are limitless. It’s an exciting and fun tool for any pentester, hacker and security professional, but we must say that it’s a bit expensive ($100). If you can’t afford it, you can always make your own Bash Bunny alternative. You will need a few components, such as a USB stick, a couple of buttons, switches, resistors, LEDs, a perf board and a Raspberry Pi Zero W.