Top 5 Bash Bunny Exfiltration Payloads to "steal files"
As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.
It’s also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.
Exfiltrates select files from users's documents folder via SMB. Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, an EXFILTRATION_COMPLETE file is used to indicate when the attack is finished.
This is a quick HID only attack to write an HTML/JS file to target machine and open a browser, to exfiltrate data Using QR Codes and a video recording device.
It's based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified qr_string_size (Note: the larger the chunk size, the larger you'll need to set the qr_image_size, or you won't be able to read the QR Code). These Chunks are then converted into QR Codes and displayed in the browser and can be played back at a speed specified by the playback_delay setting.
We love this payload because it uses free-space-optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!
This is a proof-of-concept payload using a stager. That means the staged powershell payload will download and execute an exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox.
It uses a powershell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it's just your ordinary encrypted Dropbox traffic.