September 24, 2020

Bash Bunny

USB Attack/Automation Platform by Hak5

  • Switch Position 1: Customizable Payload.
  • Switch Position 2: Customizable Payload.
  • Switch Position 3 (closest position to the USB plug): Setup Mode – Serial + Mass Storage.

Default Settings

  • Username: root
  • Password: hak5bunny
  • IP Address: 172.16.64.1
  • DHCP Range: 172.16.64.10-12
  • LED Status:
    • Blinking Green – Booting up
    • Blinking Blue – Setup Mode
    • Blinking Red – Recovery Mode
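
A host-side check for the defaults listed above, added here as an example (not code from Hak5 or the original page): it scans `ip -o -4 addr show` output for an interface holding an address in the default DHCP range (172.16.64.10-12) or elsewhere in 172.16.64.0/24. The sample output, interface names and function name are constructed for illustration.

```python
import ipaddress
import re

# Values from the Default Settings list; /24 matches the 255.255.255.0 mask on this page.
BUNNY_NET = ipaddress.ip_network("172.16.64.0/24")
DHCP_FIRST = ipaddress.ip_address("172.16.64.10")
DHCP_LAST = ipaddress.ip_address("172.16.64.12")

# One record of `ip -o -4 addr show`: "<idx>: <iface>    inet <addr>/<prefix> <rest>"
_RECORD = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+\b(.*)$")

# Constructed sample output (interface names and leases are made up for this example).
SAMPLE = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0\       valid_lft 80000sec preferred_lft 80000sec
3: usb0    inet 172.16.64.10/24 brd 172.16.64.255 scope global dynamic usb0\       valid_lft 200sec preferred_lft 200sec
4: eth1    inet 172.16.64.64/24 brd 172.16.64.255 scope global eth1\       valid_lft forever preferred_lft forever
"""


def find_bunny_interfaces(ip_addr_output):
    """Return interfaces whose IPv4 address sits in the Bash Bunny default network."""
    findings = []
    for line in ip_addr_output.splitlines():
        m = _RECORD.match(line.strip())
        if not m:
            continue
        iface, addr_text, rest = m.groups()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:  # e.g. an octet above 255
            continue
        if addr not in BUNNY_NET:
            continue
        in_pool = DHCP_FIRST <= addr <= DHCP_LAST
        findings.append({
            "iface": iface,
            "address": addr_text,
            # A lease from the 3-address pool is the stronger signal; other hosts in the
            # subnet may be statically configured (the ICS steps use 172.16.64.64).
            "match": "default-dhcp-lease" if in_pool else "default-subnet",
            "dynamic": re.search(r"\bdynamic\b", rest) is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_bunny_interfaces(SAMPLE):
        print(finding)
```

A match only shows that the interface uses the default addressing; a device whose settings were changed will not appear.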

Mass-Storage Directory Structure

  • payloads
    • library
      • Payloads from Bash Bunny repository go here.  You can find new payloads on GitHub.
        • git clone https://github.com/hak5/bashbunny-payloads.git
    • switch1
      • payload.txt – Bunny Script executed on boot in switch position 1
    • switch2
      • payload.txt – Bunny Script executed on boot in switch position 2

Recovery

If the Bash Bunny Setup Mode fails to boot more than 3 times, the file system will recover automatically. DO NOT UNPLUG while the red LED is blinking.

Partitions

/dev/root – Main Linux file system
/dev/nandg – Recovery file system (do not modify)
/dev/nandf – Mass storage partition, mounted at /root/udisk

Attack Modes

Three of five attack modes may be executed simultaneously.

  • SERIAL
    • [ACM] Abstract Control Model
    • for Serial Console
  • ECM_ETHERNET
    • [ECM] Ethernet Control Model
    • for Linux/Mac/Android
  • RNDIS_ETHERNET
    • [RNDIS] Remote Network Driver Interface Specification
    • for Windows (some *nix)
  • STORAGE
    • [UMS] USB Mass Storage
    • for Flash Drive
  • HID
    • [HID] Human Interface Device
    • for Keystroke Injection

Ducky Script

  • REM
  • DELAY
  • STRING
  • WINDOWS/GUI
  • MENU/APP
  • SHIFT
  • ALT
  • CONTROL/CTRL
  • UPARROW/UP
  • DOWNARROW/DOWN
  • LEFTARROW/LEFT
  • RIGHTARROW/RIGHT
  • PAUSE/BREAK
  • DELETE
  • END
  • ESCAPE/ESC
  • HOME
  • INSERT
  • PAGEUP
  • PAGEDOWN
  • PRINTSCREEN
  • SPACE
  • TAB
  • NUMLOCK
  • SCROLLOCK
  • CAPSLOCK
  • F1...F12
  • SET_LANGUAGE

Bunny Script

  • ATTACKMODE
    • Specifies the USB devices to emulate. Accepts combinations of three:
      • SERIAL
      • ECM_ETHERNET
      • RNDIS_ETHERNET
      • STORAGE
      • HID
  • LED
    • Control the RGB LED. Accepts color and time.
      • R (red)
      • G (green)
      • B (blue)
      • blink time (ms)
    • LED R 1000 – Set LED to blink red at 1 second interval
    • LED R B 0 – Set LED to solid purple (red + blue)
    • LED – Turn off LED
  • QUACK / Q
    • Injects specified keystrokes
    • Accepts file relative to /payloads/ path
    • Accepts Ducky Script directly
    • QUACK switch1/hw.txt – Inject keystrokes from file
    • Q STRING Hello World – Inject keystrokes from Ducky Script

Environment Variables

  • $TARGET_IP
    • IP Address of the computer received by the Bash Bunny DHCP Server.
  • $TARGET_HOSTNAME
    • Host name of the computer on the Bash Bunny network.
  • $HOST_IP
    • IP Address of the Bash Bunny (Default: 172.16.64.1)

Serial Settings

  • 115200/8N1
    • Baud: 115200
    • Data Bits: 8
    • Parity Bit: No
    • Stop Bit: 1

Connecting to the Linux Serial Console from Windows

Find the COM# from Device Manager > Ports (COM & LPT). Look for USB Serial Device (COM#). Example: COM3. Or run the following PowerShell command to list ports:

  • [System.IO.Ports.SerialPort]::getportnames()

Open PuTTY (putty.org) and select Serial. Enter COM# for Serial line and 115200 for Speed. Click Open.

Connecting to the Linux Serial Console from Linux/Mac

Find the device from the terminal with "ls /dev/tty*" or "dmesg | grep tty"
On Linux the Bash Bunny may be /dev/ttyUSB0 or /dev/ttyACM0
Connect to the serial device with screen. (apt-get install screen if needed)
Example: sudo screen /dev/ttyACM0 115200
Disconnect with keyboard combo: CTRL+a followed by CTRL+\

Example Payload Structure

In the payloads/switch#/ directory

  • payload.txt – Primary payload file executed on boot in specified switch position
  • readme.txt – Optional payload documentation
  • config.txt – Optional payload configuration for variables sourced by complex payloads
  • install.sh – Installation script for complex payloads requiring initial setup (may require Internet)
  • remove.sh – Uninstall/Cleanup script for complex payloads

Share Internet Connection with Bash Bunny from Windows

  • Configure a payload.txt for ATTACKMODE RNDIS_ETHERNET
  • Boot Bash Bunny from RNDIS_ETHERNET configured payload on the host Windows PC
  • Open Control Panel > Network Connections (Start > Run > “ncpa.cpl” > Enter)
  • Identify Bash Bunny interface. Device name: “USB Ethernet/RNDIS Gadget”
  • Right-click Internet interface (e.g. Wi-Fi) and click Properties.
  • From the Sharing tab, check “Allow other network users to connect through this computer’s Internet connection”, select the Bash Bunny from the Home networking connection list (e.g. Ethernet 2) and click OK.
  • Right-click Bash Bunny interface (e.g. Ethernet 2) and click Properties.
  • Select TCP/IPv4 and click Properties.
  • Set the IP address to 172.16.64.64. Leave Subnet mask as 255.255.255.0 and click OK on both properties windows. Internet Connection Sharing is complete.

Share Internet Connection with Bash Bunny from Linux

  • Download the Internet Connection Sharing script from bashbunny.com/bb.sh e.g: wget bashbunny.com/bb.sh
  • Run the bb.sh connection script with bash as root e.g: sudo bash ./bb.sh
  • Follow the [M]anual or [G]uided setup to configure iptables and routing
  • Save settings for future sessions and [C]onnect

The source of all this goodness is Hak5’s bashbunny.com site.