Bash Bunny
Search…
ATTACKMODE
ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions.
ATTACKMODE
Description
SERIAL
ACM – Abstract Control Model Serial Console
ECM_ETHERNET
ECM – Ethernet Control Model Linux/Mac/Android Ethernet Adapter
RNDIS_ETHERNET
RNDIS – Remote Network Driver Interface Specification Windows (and some Linux) Ethernet Adapter
AUTO_ETHERNET
Automatic Ethernet. This attack mode will first attempt to bring up ECM_ETHERNET. If after the default timeout of 20 seconds no connection is established, RNDIS_ETHERNET will be attempted. The timeout may be changed by adding ETHERNET_TIMEOUT_XX where XX is the number of seconds, e.g. ETHERNET_TIMEOUT_60 for one minute.
Requires firmware version 1.5+
STORAGE
UMS – USB Mass Storage Flash Drive
HID
HID – Human Interface Device Keyboard – Keystroke Injection via Ducky Script
Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not. Each attack mode combination registers using a different USB VID/PID (Vendor ID/Product ID) by default. VID and PID can be spoofed using the VID and PID commands.
ATTACKMODE COMBINATION
VID / PID
SERIAL STORAGE
0xF000/0xFFF0
HID
0xF000/0xFF01
STORAGE
0xF000/0xFF10
SERIAL
0xF000/0xFF11
RNDIS_ETHERNET
0xF000/0xFF12
ECM_ETHERNET
0xF000/0xFF13
HID SERIAL
0xF000/0xFF14
HID STORAGE
0xF000/0xFF02
HID RNDIS_ETHERNET
0xF000/0xFF03
HID ECM_ETHERNET
0xF000/0xFF04
HID STORAGE RNDIS_ETHERNET
0xF000/0xFF05
HID STORAGE ECM_ETHERNET
0xF000/0xFF06
SERIAL RNDIS_ETHERNET
0xF000/0xFF07
SERIAL ECM_ETHERNET
0xF000/0xFF08
STORAGE RNDIS_ETHERNET
0xF000/0xFF20
STORAGE ECM_ETHERNET
0xF000/0xFF21
Copy link