Bash Bunny

The Bash Bunny by Hak5 is the world's most advanced USB attack platform. Pull off covert pentest attacks and IT automation tasks in mere seconds with simple payload scripts.

By mimicking trusted devices like serial, storage, keyboards and Ethernet, the Bash Bunny exploits multiple attack vectors – from keystroke injection to network hijacking.

With multiple payloads at the flick of a switch, just imagine compromising a locked computer – scanning the system and capturing credentials with your favorite pentest tools like nmap, responder, impacket and metasploit.

Or intelligently exfiltrate documents directly to the Bash Bunny. No traversing the firewall. No triggering intrusion detection systems. Just plug to pwn in 7 seconds, so when the light turns green it's a hacked machine.

Getting started is easy with a huge library of payloads that blend the power of Bash with the simplicity of Ducky Script. Just flip the switch and it turns into a flash drive, so you can copy over a payload.txt file. Even drop into a root shell on this fully equipped quad-core Linux box.

When the light turns green, it's a hacked machine.

With the Bash Bunny, compromising a system is as quick and easy as hopping on a box.

Getting Root on a Bash Bunny from the Serial Console

Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it as convenient as ever – without the need for a serial-to-USB converter.

Top 5 file stealing "exfiltration" payloads for the Bash Bunny

As anyone in IT knows, two is one — one is none. It’s important to back up your documents. As pentesters know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features a storage attack mode capable of intelligent exfiltration with gigs of high-speed storage.

Writing Keystroke Injection payloads for the Bash Bunny

Computers trust humans. Humans interact with keyboards. Hence the Human Interface Device or HID standard used by all modern USB keyboards. To a computer, if the device says it’s a keyboard — it’s a keyboard. So when our Bash Bunny says 'I'm a Keyboard'... You can see where this is going.

The Hottest Bash Bunny Hot Plug Attack: Network Hijacking

Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. This network of two (the Bash Bunny and your target) provides direct access to the target – bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.
