Bash Bunny
  • Bash Bunny by Hak5
  • Getting Started
    • Switch Positions
    • Mass Storage Structure
    • LED Status Indications
    • Installing Additional Tools
    • Installing Additional Languages
    • Considerations for Mark II
  • Writing Payloads
    • Payload Development Basics
    • DuckyScript™ on the Bash Bunny
    • QUACK
    • Extensions
    • ATTACKMODE
      • VID, PID, MAN, PROD, SN
    • LED
    • Working with the File System
    • CPU Control
    • Contributing Best Practices
    • Submitting Payloads
    • WAIT_FOR_PRESENT
  • Internet Connectivity
    • Getting the Bash Bunny Online
    • Sharing an Internet connection from Windows
    • Sharing an Internet connection from Linux
    • Sharing an Internet connection from MacOS
  • Software Updates
    • Updating the Bash Bunny Firmware
  • Troubleshooting
    • Factory Reset
    • Password Reset
  • Beginner Guides
    • Writing Keystroke Injection Payloads for the Bash Bunny
    • Network Hijacking Attacks with the Bash Bunny
    • Top 5 Bash Bunny Exfiltration Payloads to "steal files"
    • Getting Root on a Bash Bunny from the Serial Console
    • Remote Triggers for the Bash Bunny Mark II
    • Geofencing for the Bash Bunny Mark II
  • Video Guides
    • Bash Bunny Primer
    • Bash Bunny Phishing Attack with Hamsters
    • Password Grabber Bash Bunny Payload
    • Operating System Detection with the Bash Bunny
    • Bash Bunny Extensions
    • Reverse Shells on Linux with Bash Bunny
    • Bash Bunny Payload - Sudo Bashdoor on Linux
    • Bash Bunny Payload - 1990's Prank
    • Bash Bunny Dev - Behind the Scenes
    • Concealed Exfiltration - Pocket Network Attacks with the Bash Bunny
    • How to write Bash Bunny payloads and contribute on GitHub
Powered by GitBook
On this page
  1. Writing Payloads

ATTACKMODE

ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.

ATTACKMODE
Description

SERIAL

ACM – Abstract Control Model Serial Console

ECM_ETHERNET

ECM – Ethernet Control Model Linux/Mac/Android Ethernet Adapter

RNDIS_ETHERNET

RNDIS – Remote Network Driver Interface Specification Windows (and some Linux) Ethernet Adapter

AUTO_ETHERNET

Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute.

Requires firmware version 1.5+

STORAGE

UMS – USB Mass Storage Flash Drive

HID

HID – Human Interface Device Keyboard – Keystroke Injection via Ducky Script

Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.

ATTACKMODE COMBINATION
VID / PID

SERIAL STORAGE

0xF000/0xFFF0

HID

0xF000/0xFF01

STORAGE

0xF000/0xFF10

SERIAL

0xF000/0xFF11

RNDIS_ETHERNET

0xF000/0xFF12

ECM_ETHERNET

0xF000/0xFF13

HID SERIAL

0xF000/0xFF14

HID STORAGE

0xF000/0xFF02

HID RNDIS_ETHERNET

0xF000/0xFF03

HID ECM_ETHERNET

0xF000/0xFF04

HID STORAGE RNDIS_ETHERNET

0xF000/0xFF05

HID STORAGE ECM_ETHERNET

0xF000/0xFF06

SERIAL RNDIS_ETHERNET

0xF000/0xFF07

SERIAL ECM_ETHERNET

0xF000/0xFF08

STORAGE RNDIS_ETHERNET

0xF000/0xFF20

STORAGE ECM_ETHERNET

0xF000/0xFF21

Last updated 11 months ago