hak5 / bashbunny-payloads

The Official Bash Bunny Payload Repository

Home Page: https://bashbunny.com

Shell 1.09% Python 7.88% Batchfile 0.11% HTML 18.51% JavaScript 4.69% PowerShell 44.18% VBScript 0.03% CSS 1.76% Smarty 0.01% Perl 0.01% C 0.03% PHP 0.79% Hack 20.91%
badusb bashbunny duckyscript hak5 hak5-bashbunny hid keystroke-injection security-tools pentesting

bashbunny-payloads's People

Contributors

0i41e, 90n45-d3v, afsh4ck, appelbaum, atomiczsec, audibleblink, cribb-it, d14b0l1c, drapl0n, foxtrot, genplat, grylledcheez, hak5darren, hak5glytch, hak5peaks, hink, i-am-jakoby, kevthehermit, kryptokola, mathew-fleisch, oxis, panicacid, ralphyz, rf-bandit, sebkinne, symbiansymoh, thedragonkeeper, thehappydinoa, tw-d, watskebart

bashbunny-payloads's Issues

Chrome Path is Wrong

As of 10.9.5, the default path for Chrome's goodies is not where the script directs us: /Library/Application\ Support/Google/Chrome/Default/Cookies
The correct path is as follows: /Library/Application\ Support/Google/Chrome/Profile/Cookies

Here's the rub: that cute little "Profile" folder always has a number associated with it; Profile 2, Profile 3, etc. If the variable could be set to download the payload of said Profile folder, then it should work. I don't know how to write the code. Help me make this better for all of us!

[Idea] Super stealthy exfil method

I recently had an idea for a super stealthy exfil method and maybe some of you are able to implement it 😄

  1. The bash bunny registers itself as a network printer.

  2. The target prints everything.

Alternatively (for bigger files), you can try:

  1. The bunny fires up a hotspot (as in UndercoverBunny).

  2. An external device (like a Raspberry Pi) connects to the hotspot and registers itself as a network printer.

  3. The bunny launches a script waiting for the Raspi to connect and then prints everything.

The alternative may (or may not) be executed with a RubberDucky instead of a BashBunny.

Adding new tools / Python libs / payload dependencies

As per the title - if we are creating a new payload that we intend to contribute to the main repository, how would you prefer us to tackle dependencies which could be used across multiple payloads in the future?

Should we add the dependencies to the tools_installer payload and refer users to run it via the README, or should we be creating a copy of the install.sh file in our own payload directories and handling it within our own payload execution?

I thought personally the best way to do it would be via the tools_installer payload, as to not duplicate code in various different payloads, but wanted to verify before submitting anything that relies on other Python libraries to those already present.

Feature Request: Keyboard for ES (ISO)

I'm from Mexico, and the keyboards here are Spanish ISO (Latin), so my BashBunny isn't working here. I got a working .properties file for the Rubber Ducky keyboard, but that is not the expected format for the BB.

Any plans of doing this keyboard? I'd like to help but need to know how. I've been searching but no clues.

Thanks!

Ducky attacks failing

Due to bash interpreting QUACK text files/commands literally, if you have bash special characters in your commands the ducky attack will fail. Need to escape the special chars.

PT Language file for Mac OSX

Hi all, I've updated a few keys that were not correctly configured in the PT language file when using a Portuguese Mac keyboard. It still misses a few special characters that can be used, especially the c cedilla: Ç

See file attached with the changes

pt.json.zip

Add bb script to repo

There is an error when running the bb script on linux (not sure if it affects macOS). I'd like to help fix it but I don't know where the source is kept outside of bashbunny.com/bb.sh

Would it be helpful to have a top level tools/ or utilities/ folder to keep handy scripts and things that aren't payloads in this repo too?

Organize payloads by platform

After looking through the payloads, it's not always immediately obvious which platform the payload is for. I think it would make sense to organize them into Windows/Linux/Mac/Other folders.

Extensions folder

Hey all!

I like the new 1.1 structure of creating enhancements; it can be used for creating a specific loot folder, doing several fun things like, for example, starting up an Apache server, etc.

But it would be nice if we could share each other's ideas of generic functions, so I would like to have a folder to share extensions as well. I couldn't find the folder on this git.

Windows newline support

More of a suggestion really, but may I suggest running payload.txt through either of the following before execution?

cat $payloadfile | dos2unix -U > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh

cat $payloadfile | sed 's/\r$//' > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh

tr -d '\r' < $payloadfile > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh

Bunny not switching from HID to RNDIS_ETHERNET Windows 10

When testing the smb_exfiltration payload, I noticed that the BB didn't correctly switch from HID to RNDIS... I decided to make a new payload with just this:

LED R
ATTACKMODE HID
LED G
ATTACKMODE RNDIS_ETHERNET

To my surprise, it actually didn't work (on multiple Windows 10 machines).
When plugging the BB in, it first shows up as a keyboard in the device manager, then the keyboard disconnects. After that I can hear a "there has been a connection" sound from Windows, but nothing shows up in device manager or adapter settings. Not even an unidentified device.

[EDIT]
It does show up in the device manager, however it is still shown as a keyboard.

nmap returns dummy mac address

All of my nmap scans on multiple computers (ECM_ETHERNET and RNDIS_ETHERNET) return:

MAC Address: 00:11:22:33:44:55 (Cimsys)

for the mac address. What is going on here?

macDesktop: Wget

Good day guys,
Great work with all the payloads guys.

I just noticed the "macDesktop" payload.
Its script makes use of wget, which is not included in the OSX operating system.
You can use brew or something to install it, but you're assuming the system you're going into (in this case, Prank) has it installed.

Meta: Pull request merges

Currently, when merging Pull Requests, the changes are "merged" by the collaborators, however, the commits by their original authors are not preserved and therefore not given credit.

Example: Merge PR from mrt0mat0 (here)

@mrt0mac0's changes are merged into the main repo, however, he is not credited with the commit.

My proposal: instead of merging changes, choose "rebase and merge". This will preserve the original author's commits and give them credit in the commit history.

GET SWITCH_POSITION not working

While running GET SWITCH_POSITION in ssh I am able to get the variable:

root@bunny:~# GET SWITCH_POSITION
root@bunny:~# echo $SWITCH_POSITION
switch3

But when using the new WAIT extension I realized that when running an attack I could not get $SWITCH_POSITION. WAIT would not wait and completely skip the line (@hak5darren). I am also running 1.5_298 (@sebkinne)

My code is as follows:

GET SWITCH_POSITION
TEST=$SWITCH_POSITION
ATTACKMODE HID
Q STRING Test: $TEST and SWITCH_POSITION: $SWITCH_POSITION

This results in Test: and SWITCH_POSITION: which is not a great response.

Any help would be greatly appreciated.

Quick Cred Fail vs Firmware Recovery

Just a general suggestion...
My bunny already went through a recovery cycle and it blinks the led red for a couple of minutes during that time. Shortly after that recovery was successful, I was trying out quick creds, which also uses a blinking red led to show failure. I waited a good ten minutes to make sure it wasn't going through a recovery mode before I unplugged it, because of the double use of the error state. I think that the recovery mode blink should be some sort of pattern (like morse code 'sos') to differentiate it from a standard blinking red light, that might be frequently used in these payloads.

macinfograbber completely broken

~s resolve to root, not current user on macOS

paths resolve with double dashes //

volume doesn't mount as /Volumes/BashBunny

lootdir points to nonexistent path

Edit: After speaking with other users, stock BBs do mount as /Volume/BashBunny. My bad.

Declaring whether variables should expand or be typed literally

Feature Idea: It'd be pretty cool to make use of the TARGETs env variables in our scripts.

FILES=(a.txt b.txt c.txt)
QUACK STRING tar -cf $USER.tar.gz $FILES
QUACK ENTER

End desired results in TARGET's Terminal:

tar -cf $USER.tar.gz a.txt b.txt c.txt

Which would leave us with a file called bob.tar.gz

Syntax for xss/sqli/web payloads.

The wiki says that one can place payloads into "switch1/xss.txt" and that it can be called by saying:
Q switch1/xss.txt

However in practice, I cannot get this to function. I have even created a script to attempt to identify where the path is when the switch position is set to '1', and where the files live on disk. I'm getting weird mixed results.

Also, it would seem that the payloads:

<script>alert(1)</script>

and

' or 1=1;--

appear to need some heavy escaping.

Perhaps a howto for this sort of thing could be done? Or maybe a way to put the raw characters somewhere when specifying a file for reading the payload where the chars don't have to be escaped?

Update payloads to support 1.1+

RAZ_ReverseShell file not found

I keep getting the file not found error (blue flashing) when trying to run the RAZ_ReverseShell script.

I have sshed into the bunny and I do not see anything in /root/udisk.
I ran the following in the bunny in switch mode 3, connecting using screen:

Linux bunny 3.4.39 #130 SMP PREEMPT Fri Feb 10 14:24:25 CST 2017 armv7l
           _____  _____  _____  _____     _____  _____  _____  _____  __ __ 
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|  
 Bash Bunny by Hak5     USB Attack/Automation Platform      

root@bunny:~# ls 
ATTACKMODE  LICENSE.txt  bash_bunny.sh      ducklog.txt  tools
EULA.txt    Q            bootcount          g_ether.ko   udisk
LED         QUACK        do_post_update.sh  private      version.txt
root@bunny:~# ll udisk/
total 8
drwxr-xr-x 2 root root 4096 Feb  9  2017 ./
drwx------ 6 root root 4096 Dec 31 16:00 ../
root@bunny:~# 

I also found that the payload script was run in /tmp. Do all the other files in the switch folder get copied to /tmp when said switch is active?

top uses 100% cpu usage.

If I connect to the bunny over tty and then run top, I see that the program top itself is using 100% CPU. Also the bunny gets very hot very fast. If the bunny is plugged into a USB 2.0 port on my computer, the bunny will freeze and crash. If the bunny is plugged into a USB 3.0 port, it will keep running for an undefined amount of time.

Extensions not working

Hi! I'm experiencing some issues with the extensions and I don't really know what I'm doing wrong. According to the documentation of the bash bunny I can just invoke the commands, but that leads to no results.

./payloads/switch1/payload.txt
LED Y
FOLDER

./payloads/library/extensions/folder.sh
function FOLDER() {
    LED G
}

The led won't turn green. I also tried to do a RUN instead.. also not working.

Common settings file would be helpful

I'm already seeing divergence in payloads where each author has to figure out how to do things their own way. Loot stored in switch folders, random colors and blink rates for various steps, and different quacks for different locales. Now that there is a growing body of really cool payloads, this is probably a good time to learn from these lessons. I'd like to propose a common settings file, perhaps loaded in by bunnyhelper.sh, that would give developers the assistance they need.

The file would contain the following:

  • A generated $loot directory name, perhaps based on the target machine's name and an increasing sequence number, since the bunny has no RTC to provide an accurate date. Maybe it could incorporate an engagement identifier for the pen tester to tag all related tests.
  • Defined colors by attack stage. There has already been a pull request for a payload helper that substitutes text names for color codes. Instead of making the tester remember "is this attack done if the light is off, or if the light is green?", there could be a list of attack stages or phases. The attacker would simply include LED RECON when the attack enters the recon phase. (Note these colors and phases are totally arbitrary and imaginary, I'd love someone to replace them with something better):
      • INIT - Solid white light indicating the payload is preparing for the attack
      • RECON - Solid amber light indicating the payload is actively probing the client
      • EXFIL - Solid purple light indicating the loot is being transmitted
      • DONE - Solid green light indicating the payload has been delivered and exfiltration is complete.
      • USER_INPUT_NEEDED - Flashing amber light indicating the tester needs to do something
      • ERROR - Solid red light indicating the script encountered an error and the test has been stopped.
  • Locale specific quacks: A German machine will expect an <alt>+J to dismiss UAC, while an English machine will expect an <alt>+Y to do the same thing. Putting these common quacks in a config file would let a tester define the language, instead of each payload's author.

I'm sure there are other lessons to be learned from the payloads that have been created so far, too, so this list isn't exhaustive by any means. But just getting payload authors used to bringing in some standardized stuff would go a long way to helping the testers in the field.

Backslash is showing as hash in using DuckyScript

I have a file called ducky.txt which contains
STRING \

When I call it using:

ATTACKMODE HID STORAGE

LANGUAGE='uk'

LED R
QUACK switch1/ducky.txt

This would then output a "#".
I've also tried setting the language to US, but the outcome is the same.

Create new branch on BB repo

These are some thoughts I have about how to better organize the BashBunny repository.

The problem: The issue is that people submit payloads (as they should) but the quality varies drastically. Some people put in serious time, others not so much. Some people have good ideas but don't have the knowledge or time to carry those ideas to completion. I won't mention any specific scripts, but just the other day I was reviewing some exploits and I saw that they all pulled the main bit from someone else's GitHub whose script is only partially working. This is really unfortunate; you don't want to go on there with your new bunny looking to try out some of the coolest scripts only to find that they don't work. Now just 30 minutes after you open your bunny you're already doing troubleshooting. That sucks.

The solution: I think creating a second branch (call it "dev" for example) could really help you to maintain a strict quality standard, while still allowing everyone to submit. The dev branch would be the place that all user-submitted scripts would go to and development would be had on. The Hak5 team could appoint a few trusty viewers to oversee PRs made to this branch. And periodically the Hak5 employees could check in here to see what's good and possibly bring it over to the master branch. Or alternatively I could see that group of trusty people making the PRs to master for the Hak5 team to review.

Closing thoughts:
This would do a few things:

  • Lighten the workload on the Hak5 crew
  • Set a tighter quality assurance standard on the repo (at least the front face of it)
    While still allowing everyone to contribute !! This is very important
  • By passing some control over the public you are showing even more commitment to open-source and community driven collaboration

having Issues with payload

I'm using the payload QuickCreds and I'm having issues getting it to work. I installed responder on the BashBunny and it's in the right folder, but I'm getting FAIL2; not sure what "Target did not acquire IP address" means. Sorry, I'm new.

[SUGGESTION] Document possible detections

If a payload requires executing, by the host, a file either from the internet or the BashBunny, or storing such a file on the host, the readme for the payload should document it, as well as a description of the file and a link to virustotal. Note, this should include not only binaries but also scripts, such as .ps1-files (for example due to AMSI).

For example:

File      Path            Description                                            VirusTotal
Mimikatz  ./mimikatz.exe  Mimikatz binary, used for automated password backups   https://www.virustotal.com/en/file/c3c336a23021b68b026bdf1642b220d88037039aa6d7f8e7d4d576cc38063088/analysis/1470356182/

This could help avoid issues pointed out by @hak5darren on Hak5 2305

BB is slow to bind sockets in ECM_ETHERNET mode

While developing a payload that creates a webserver on the BB, I noticed it takes 12+ seconds for any request to bind a port on the BB.

Using ECM_ETHERNET attack mode and sshing in, all of the following commands are affected:

python -m SimpleHTTPServer 8888
nc -nvlp 8888
ruby -run -e httpd . -p 8888

These same commands work as expected (sub 1 second response) when connected to the bunny in serial mode.

Creating a payload that starts the server on the bunny and then uses HID to make the victim curl the bunny fails because the server hasn't bound to the socket yet.

Recording of the issue - https://asciinema.org/a/arrd1giatg2w5gb8bme0ct7py

Additional Ethernet attack modes

The current Ethernet modes are situated behind being faster than the current internet adapters; however, doing so tends to cause the target machine to lose connectivity.

Is it possible to add a feature that would set the bunny to have, say, a dialup connection to allow for attacks to function without dropping internet connectivity?

An example of when this could be helpful is when a has a large amount of data to pull. And the user comes back, you could collect the bunny at another time without the user visibly having connectivity issues.

Another would be when you are using a domain account that you have recovered the password for to attack a machine, however the account is not cached and needs to connect to the domain controller to authenticate. If the connection to the domain is available still, the attack would be possible. As it stands you won't be able to connect to the domain to authenticate.

Missing keys in no.json caused by bug in QUACK

Special keys like æ, ø and å are missing from no.json and dk.json. QUACK is unable to read æ, ø and å from script files and responds with this error after my attempt to add the keys to the .json file:

Traceback (most recent call last):
  File "/usr/local/bunny/bin/QUACK", line 182, in
    run_script(input_line, language)
  File "/usr/local/bunny/bin/QUACK", line 158, in run_script
    context = run_ducky_line(context, line, lang_file)
  File "/usr/local/bunny/bin/QUACK", line 82, in run_ducky_line
    elements = lang_file[char].split(",");
KeyError: '\xc3'

The bunny is also reluctant to accept special characters over serial and ssh.

Feature Request: USB Exfil Payloads Without Powershell

I'm not sure if this is the place for this but it's more of a recommendation than an issue. Most of the payloads in this library use Powershell, but many companies block Powershell from running on most endpoints, or under normal user privilege. Anyone written any solid exfil / system info / loot collection payloads without using Powershell?

Thanks!

Feature Request: ATTACKMODE HOST

Would it be possible to allow the BB to operate the USB device in host mode? This would help facilitate some other attacks on mobile devices, and other devices.

no internet?

GitBunnyGit payload <-----

Followed the instructions precisely:

  1. Run bb.sh (pause at main menu)
  2. Plug in da bunny
  3. Connect (type 'c') 5 seconds after the white light
  4. You can now ssh into the bunny (Run tail -f /var/log/git.log to monitor progress)

But it still gives a red LED and indicates no internet, though I am able to ssh and perform apt-get update with no problems.

Any thoughts? BTW, I'm using Debian.
Thx in adv

usb_exfiltrator moves files to root

I think it's a better design to keep all payload files in their respective switch folders so the root folder doesn't get super cluttered. With something like a switch position #4, it's easier to path to the payload folder. This line in usb_exfiltrator would change

QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'d.cmd')"

to

QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\$SWITCH_POSITION\d.cmd')"

install.sh would no longer be necessary for this payload and the root would no longer be cluttered :)
