WHEN THE LIGHT TURNS GREEN, IT’S A HACKED MACHINE.
I got my Bash Bunny two months ago and have been messing around with it since then to get a feel of it and what it can do as although I had an idea I was really not too clued up about it.
The Bash Bunny by Hak5 is a simple and powerful multi-function USB attack and automation platform for penetration testers and systems administrators.
Setup and deployment are easy, with a simple “Bunny Script” language, a multi-position attack switch and a centralised repository of payloads.
It’s powerful, with multiple attack vectors including HID keyboard, USB Ethernet, Serial and Mass Storage, so it can simultaneously perform keystroke injection attacks, bring-your-own-network attacks and intelligent exfiltration.
One of the first things I started to realise was how powerful it is: it’s not just a USB stick that can act like a keyboard, it has a quad-core ARM processor, 512 MB of RAM and a desktop-class 8 GB SSD, which is quite frankly ridiculous for something this size.
The switch on the device has TWO attack positions, each loaded with its own payload, so you can flip between them easily.
Because it runs off an SSD it’s super-fast, and there is an LED that lets you keep track of what’s happening very easily: say I load my Bash Bunny with a payload, plug it into the USB port, flick the switch over to my attack and then watch the LED to see how it’s running.
You can then go and check the “loot” folder on the Bash Bunny to see what you got, and depending on which payloads you used you could have anything from WIFI passwords to credentials harvested from the browsers.
Most of the scripts use PowerShell, which is cool with me as I already use it in my day job, so it was nice to go through and have a nosey at the scripts as well.
All of the payloads are kept at github.com/hak5/bashbunny-payloads/ and there are hundreds; I actually downloaded them all but clearly haven’t tried them all yet.
A word of advice though: DO NOT USE YOUR WORK LAPTOP. Clearly I didn’t take my own advice… oops. I was so excited when it was delivered that I downloaded all the payloads to my work laptop to install onto the Bash Bunny, and Symantec Endpoint Protection went utterly crazy, hahaha. At least I was in charge of the alerts and not one of the regular users.
Something else I didn’t realise for a good while was that the Bash Bunny is actually a full-on Debian computer with a USB interface; I still mostly just assumed it was a USB drive when I had it out.
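Because it enumerates as a keyboard, a network adapter, a serial port and storage at the same time (see the attack modes listed above), the device is easier to spot on the host than on the antivirus console. The following is an added PowerShell check of my own, not Hak5 code or anything from the payload repo: it groups the USB devices currently plugged in by vendor/product ID and flags any single VID/PID that exposes an input device alongside a network adapter or serial port. The instance-ID layout (`USB\VID_xxxx&PID_yyyy&MI_nn\...` per interface) and the class names are standard Windows PnP conventions; the heuristic itself is an assumption and will also flag legitimate composite devices such as some docks.

```powershell
# Added example (not Hak5 or payload-repo code): flag USB devices that present
# an input interface AND a network adapter or serial port under one VID/PID,
# which is how a multi-function device like the Bash Bunny enumerates.
# Needs Windows 8 / Server 2012 or later (Get-PnpDevice, built-in PnpDevice module).
# Assumption: per-interface instance IDs look like USB\VID_xxxx&PID_yyyy&MI_nn\...
# or HID\VID_xxxx&PID_yyyy&MI_nn\...; grouping is on VID/PID only.

function Get-SuspiciousUsbComposite {
    $pattern = '^(USB|HID)\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})'

    # Only devices present right now; historical USB/USBSTOR registry keys
    # are a separate investigation.
    $devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -match $pattern }

    # Group every interface of a device under its VID:PID.
    $byId = @{}
    foreach ($dev in $devices) {
        if ($dev.InstanceId -match $pattern) {
            $key = ('VID_{0}:PID_{1}' -f $Matches[2].ToUpper(), $Matches[3].ToUpper())
            if (-not $byId.ContainsKey($key)) { $byId[$key] = @() }
            $byId[$key] += $dev
        }
    }

    foreach ($key in $byId.Keys) {
        $classes  = $byId[$key] | ForEach-Object { $_.Class } | Sort-Object -Unique
        $hasInput = ($classes -contains 'Keyboard') -or ($classes -contains 'HIDClass')
        $hasNet   = ($classes -contains 'Net')
        $hasPort  = ($classes -contains 'Ports')

        # A "keyboard" that also brings its own NIC or serial console is
        # exactly the combination described above; report it for review.
        if ($hasInput -and ($hasNet -or $hasPort)) {
            [pscustomobject]@{
                Device  = $key
                Classes = ($classes -join ',')
                Names   = (($byId[$key] | ForEach-Object { $_.FriendlyName }) -join '; ')
                Reason  = 'input device plus network/serial interface on one VID/PID'
            }
        }
    }
}

Get-SuspiciousUsbComposite | Format-Table -AutoSize
```

An empty table means no currently attached USB device mixes those classes; anything listed deserves a look at the physical port before deciding whether it is a dock or something that should not be there.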
The possibilities of what a hacker could do with one of these are endless really, but I personally chose to run the likes of ‘UnifiedRickRoll’, which let me turn the volume up full blast and Rickroll the target at 2:02pm every day for four days running, and ‘Startup-Message’, which let me set a message on the same machine at every start-up saying “We’re no strangers to love, You know the rules and so do I”, keeping the never-gonna-give-you-up vibe going.
Now, where I used mine for a laugh because I am a good guy, I am actually going to look into some payloads that could help in my day job as well (and some actual hacking ones), so again the Bash Bunny is an absolute hit with me. There is also a book I might look at getting too; as my Ethical Hacking library grows this could be a decent addition.
It’s the first Hak5 item I have owned, and having looked (and drooled) through their store I would like one of everything they have, but realistically I would KILL for a WIFI Pineapple. They look so much fun, and I think reconnaissance and WIFI hacking is a route I am looking at, so I would love to get my hands on one.
Check out Hak5 if you haven’t already. Who am I kidding, we’ve all been to their site loads of times 😉
Also, I got a bunch of new stickers from them that now adorn my laptop.