Bash Bunny
Search…
Bash Bunny by Hak5
Getting Started
Switch Positions
Mass Storage Structure
LED Status Indications
Installing Additional Tools
Installing Additional Languages
Considerations for Mark II
Beginner Guides
Writing Keystroke Injection Payloads for the Bash Bunny
Network Hijacking Attacks with the Bash Bunny
Top 5 Bash Bunny Exfiltration Payloads to "steal files"
Getting Root on a Bash Bunny from the Serial Console
Remote Triggers for the Bash Bunny Mark II
Geofencing for the Bash Bunny Mark II
Internet Connectivity
Getting the Bash Bunny Online
Sharing an Internet connection from Windows
Sharing an Internet connection from Linux
Sharing an Internet connection from MacOS
Software Updates
Updating the Bash Bunny Firmware
Writing Payloads
Payload Development Basics
DuckyScript™ on the Bash Bunny
Extensions
ATTACKMODE
LED
QUACK
VID, PID, MAN, PROD, SN
Working with the File System
CPU Control
Contributing Best Practices
Submitting Payloads
WAIT_FOR_PRESENT
Troubleshooting
Factory Reset
Password Reset
Video Guides
Bash Bunny Primer
Bash Bunny Phishing Attack with Hamsters
Password Grabber Bash Bunny Payload
Operating System Detection with the Bash Bunny
Bash Bunny Extensions
Reverse Shells on Linux with Bash Bunny
Bash Bunny Payload - Sudo Bashdoor on Linux
Bash Bunny Payload - 1990's Prank
Bash Bunny Dev - Behind the Scenes
Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny
How to write Bash Bunny payloads and contribute on GitHub
Powered By GitBook
ATTACKMODE
ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.
ATTACKMODE
Description
SERIAL
ACM – Abstract Control Model Serial Console
ECM_ETHERNET
ECM – Ethernet Control Model Linux/Mac/Android Ethernet Adapter
RNDIS_ETHERNET
RNDIS – Remote Network Driver Interface Specification Windows (and some Linux) Ethernet Adapter
AUTO_ETHERNET
Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute.
Requires firmware version 1.5+
STORAGE
UMS – USB Mass Storage Flash Drive
HID
HID – Human Interface Device Keyboard – Keystroke Injection via Ducky Script
Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.
ATTACKMODE COMBINATION
VID / PID
SERIAL STORAGE
0xF000/0xFFF0
HID
0xF000/0xFF01
STORAGE
0xF000/0xFF10
SERIAL
0xF000/0xFF11
RNDIS_ETHERNET
0xF000/0xFF12
ECM_ETHERNET
0xF000/0xFF13
HID SERIAL
0xF000/0xFF14
HID STORAGE
0xF000/0xFF02
HID RNDIS_ETHERNET
0xF000/0xFF03
HID ECM_ETHERNET
0xF000/0xFF04
HID STORAGE RNDIS_ETHERNET
0xF000/0xFF05
HID STORAGE ECM_ETHERNET
0xF000/0xFF06
SERIAL RNDIS_ETHERNET
0xF000/0xFF07
SERIAL ECM_ETHERNET
0xF000/0xFF08
STORAGE RNDIS_ETHERNET
0xF000/0xFF20
STORAGE ECM_ETHERNET
0xF000/0xFF21
Writing Payloads - Previous
Extensions
Next - Writing Payloads
LED
Last modified 3mo ago
Copy link