Top 5 Bash Bunny Exfiltration Payloads to "steal files"

As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.

It’s also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.


These are just some of our favorite exfiltration payloads. For the complete listing, check out the Bash Bunny payload highlights.


USB Exfiltrator on Hak5 PayloadHub

Exfiltrates files from the users Documents folder Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.


Faster SMB Exfiltrator on Hak5 PayloadHub

Exfiltrates select files from users's documents folder via SMB. Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME

This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, an EXFILTRATION_COMPLETE file is used to indicate when the attack is finished.


Optical Exfiltration on Hak5 PayloadHub

This is a quick HID only attack to write an HTML/JS file to target machine and open a browser, to exfiltrate data Using QR Codes and a video recording device.

It's based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified qr_string_size (Note: the larger the chunk size, the larger you'll need to set the qr_image_size, or you won't be able to read the QR Code). These Chunks are then converted into QR Codes and displayed in the browser and can be played back at a speed specified by the playback_delay setting.

We love this payload because it uses free-space-optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!


Dropbox Exfiltrator on Hak5 PayloadHub

This is a proof-of-concept payload using a stager. That means the staged powershell payload will download and execute an exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox.

It uses a powershell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it's just your ordinary encrypted Dropbox traffic.


Powershell TCP Extractor on Hak5 PayloadHub

This payload copies data to temp directory, compresses the data as a zip file, and uses powershell tcp socket to extract to a listener on remote machine.

The netcat listener IP address and port is configurable. This can be adapted to use an off-site machine as the receiver, or even the Bash Bunny itself.

More Exfiltration Payloads for the Bash Bunny

These only illustrate a very few of the many techniques to an perform exfiltration attack with the Bash Bunny. See all the featured exfiltration payloads at

Last updated