USB Attack/Automation Platform by Hak5
- Switch Position 1: Customizable Payload.
- Switch Position 2: Customizable Payload.
- Switch Position 3 (closest position to the USB plug): Setup Mode – Serial + Mass Storage.
Default Settings
- Username:
root
- Password:
hak5bunny
- IP Address:
172.16.64.1
- DHCP Range:
172.16.64.10-12
- LED Status:
- Blinking Green – Booting up
- Blinking Blue – Setup Mode
- Blinking Red – Recovery Mode
Mass-Storage Directory Structure
payloads
library
- Payloads from Bash Bunny repository go here. You can find new payloads on GitHub.
git clone https://github.com/hak5/bashbunny-payloads.git
- Payloads from Bash Bunny repository go here. You can find new payloads on GitHub.
switch1
payload.txt
– Bunny Script executed on boot in switch position 1
switch2
payload.txt
– Bunny Script executed on boot in switch position 2
Recovery
If the Bash Bunny Setup Mode fails to boot >3 times the file system will recover automatically. DO NOT UNPLUG while the red LED is blinking.
Partitions
/dev/root
– Main Linux file system
/dev/nandg
– Recovery file systems do not modify
/dev/nandf
– Mass storage partition Mounted at /root/udisk
Attack Modes
Three of five attack modes may be executed simultaneously.
- SERIAL
- [ACM] Abstract Control Model
- for Serial Console
- ECM_ETHERNET
- [ECM] Ethernet Control Model
- for Linux/Mac/Android
- RNDIS_ETHERNET
- [RNDIS] Remote Network Dvr Int Spec
- for Windows (some *nix)
- STORAGE
- [UMS] USB Mass Storage
- for Flash Drive
- HID
- [HID] Human Interface Device
- for Keystroke Injection
Ducky Script
REM
DELAY
STRING
WINDOWS/GUI
MENU/APP
SHIFT
ALT
CONTROL/CTRL
UPARROW/UP
DOWNARROW/DOWN
LEFTARROW/LEFT
RIGHTARROW/RIGHT
PAUSE/BREAK
DELETE
END
ESCAPE/ESC
HOME
INSERT
PAGEUP
PAGEDOWN
PRINTSCREEN
SPACE
TAB
NUMLOCK
SCROLLOCK
CAPSLOCK
F1...F12
SET_LANGUAGE
Bunny Script
- ATTACKMODE
- Specifies the USB devices to emulate. Accepts combinations of three:
- SERIAL,
- ECM_ETHERNET,
- RNDIS_ETHERNET,
- STORAGE,
- HID
- LED
- Control the RGB LED. Accepts color and time.
- R (red),
- G (green),
- B (blue),
- blink time (ms)
LED R 1000
– Set LED to blink red at 1 second intervalLED R B 0
– Set LED to solid purple (red + blue)LED
– Turn off LED
- Control the RGB LED. Accepts color and time.
- QUACK / Q
- Injects specified keystrokes
- Accepts file relative to /payloads/ path
- Accepts Ducky Script directly
- QUACK switch1/hw.txt
- Inject keystrokes from file
- Q STRING Hello World
- Inject keystrokes from Ducky Script
- Specifies the USB devices to emulate. Accepts combinations of three:
Environment Variables
$TARGET_IP
- IP Address of the computer received by the Bash Bunny DHCP Server.
$TARGET_HOSTNAME
- Host name of the computer on the Bash Bunny network.
$HOST_IP
- IP Address of the Bash Bunny(Default: 172.16.64.1)
Serial Settings
- 115200/8N1
- Baud: 115200
- Data Bits: 8
- Parity Bit: No
- Stop Bit: 1
Connecting to the Linux Serial Console from Windows
Find the COM# from Device Manager > Ports (COM & LPT) Look for USB Serial Device (COM#). Example: COM3 Or run the following powershell command to list ports:
[System.IO.Ports.SerialPort]::getportnames()
Open Putty (putty.org) and select Serial. Enter COM# for serial line and 115200 for Speed. Clock Open.
Connecting to the Linux Serial Console from Linux/Mac
Find the device from the terminal with: ls /dev/tty*" or "dmesg | grep tty
On Linux the Bash Bunny may be /dev/ttyUSB0
or /dev/ttyACM0
Connect to the serial device with screen. (apt-get install screen if needed)
Example: sudo screen /dev/ttyACM0 115200
Disconnect with keyboard combo: CTRL+a
followed by CTRL+\
Example Payload Structure
In the payloads/switch#/
directory
payload.txt
– Primary payload file executed on boot in specified switch positionreadme.txt
– Optional payload documentationconfig.txt
– Optional payload configuration for variables sourced by complex payloadsinstall.sh
– Installation script for complex payloads requiring initial setup (may require Internet)remove.sh
– Uninstall/Cleanup script for complex payloads
Share Internet Connection with Bash Bunny from Windows
- Configure a payload.txt for ATTACKMODE RNDIS_ETHERNET
- Boot Bash Bunny from RNDIS_ETHERNET configured payload on the host Windows PC
- Open Control Panel > Network Connections (Start > Run > “ncpa.cpl” > Enter)
- Identify Bash Bunny interface. Device name: “USB Ethernet/RNDIS Gadget”
- Right-click Internet interface (e.g. Wi-Fi) and click Properties.
- From the Sharing tab, check “Allow other network users to connect through this computer’s Internet connection”, select the Bash Bunny from the Home networking connection list (e.g. Ethernet 2) and click OK.
- Right-click Bash Bunny interface (e.g. Ethenet 2) and click Properties.
- Select TCP/IPv4 and click Properties.
- Set the IP address to 172.16.64.64. Leave Subnet mask as 255.255.255.0 and click OK on both properties windows. Internet Connection Sharing is complete
Share Internet Connection with Bash Bunny from Linux
- Download the Internet Connection Sharing script from bashbunny.com/bb.sh e.g: wget bashbunny.com/bb.sh
- Run the bb.sh connection script with bash as root e.g: sudo bash ./bb.sh
- Follow the [M]anual or [G]uided setup to configure iptables and routing
- Save settings for future sessions and [C]onnect
h1 | h2 | h3 |
1 | a | b |
2 | a | b |
3 | a | b |
The source of all this goodness was created by Hak5’s bashbunny.com site.