Top 5 file stealing "exfiltration" payloads for the Bash Bunny

As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.

It’s also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.

Top 5 Exfiltration Payloads

These are just some of our favorite exfiltration payloads. For the complete listing, check out the Bash Bunny payload repository.

1.USB Exfiltrator

USB Exfiltrator payload on github

Exfiltrates files from the users Documents folder Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.

2. Faster SMB Exfiltrator

Faster SMB Exfiltrator payload on github

Exfiltrates select files from users's documents folder via SMB. Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME

This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, a EXFILTRATION_COMPLETE file is used to indicate when the attack is finished.

3. Optical Exfiltration

Optical Exfiltration payload on github

This is a quick HID only attack to write an HTML/JS file to target machine and open a browser, to exfiltrate data Using QR Codes and a video recording device.

It's based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified qr_string_size (Note: the larger the chunk size, the larger you'll need to set the qr_image_size, or you wont be able to read the QR Code). These Chunks are then converted into QR Codes and displayed in the browser and can be played back at a speed specified by the playback_delay setting.

We love this payload because it uses freespace optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!

4. Dropbox Exfiltrator

Dropbox Exfiltrator payload on github

This is a proof-of-concept payload using a stager. That means the staged powershell payload will download and execute an exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox.



It uses a powershell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it's just your ordinary encrypted Dropbox traffic.

5. Powershell TCP extractor

Powershell TCP extractor payload on github

This payload copies data to temp directory, compresses the data as a zip file, and uses powershell tcp socket to extract to a listener on remote machine.

The netcat listener IP address and port is configurable. This can be adapted to use an off-site machine as the receiver, or even the Bash Bunny itself. 

 



Also in Bash Bunny

Getting Root on a Bash Bunny from the Serial Console
Getting Root on a Bash Bunny from the Serial Console

Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it convenient as ever – without the need for a serial-to-USB converter.
Writing Keystroke Injection payloads for the Bash Bunny
Writing Keystroke Injection payloads for the Bash Bunny

Computers trust humans. Humans interact with keyboards. Hence the Human Interface Device or HID standard used by all modern USB keyboards. To a computer, if the device says it’s a keyboard — it’s a keyboard. So when our Bash Bunny says 'I'm a Keyboard'... You can see where this is going.
The Hottest Bash Bunny Hot Plug Attack: Network Hijacking
The Hottest Bash Bunny Hot Plug Attack: Network Hijacking

Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. This network of two (the Bash Bunny and your target) provides direct access to the target – bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.

Sign up for sales, new releases, payloads and more…

Sign up today