Bash Bunny: Big hacks come in tiny packages

Today’s increasingly miniaturized world is giving rise to all sorts of hardware devices that can hack almost any computer, device, or network. Plug in an item the size of a USB stick and all your hard-won protections could be defeated. If you haven’t been paying attention to this field of attack, what you learn might shock you.

Anyone can create or buy a computer with an operating system that fits in a space smaller than a postage stamp. Most of these have physical USB interfaces, but many are wireless or have interchangeable interfaces. These devices include the following:

• Computers on a stick
• Keyboard man-in-the-middle intercept devices
• Wireless computers
• Plug-in hacking devices

In the interest of defending against this new threat, let’s take a close look at one of the most versatile and popular hardware hacking devices: Bash Bunny by Hak5. I’m offering considerable detail here to show how easy it is to launch malicious attacks that bypass network defenses—and to help white hats who may wish to use the device for simulated red team attacks.

Bash Bunny

Bash Bunny is a Debian Linux computer with a USB interface designed specifically to execute payloads when plugged into a target computer. It can be used against Windows, MacOS, Linux, Unix, and Android computing devices. It features a multicolor RGB LED that indicates various statuses and a three-position selector switch: Two of the positions are used to launch payloads, while the third makes Bash Bunny appear to be a regular USB storage device for copying and modifying files.

Bash Bunny is very powerful. It can run anything a regular Debian Linux distro can run, such as Python scripts or common Linux commands. To infiltrate other computing devices, Bash Bunny can fake its identity as a trusted media device, networking device, keyboard, or other serial device. For example, it can load itself as a keyboard device and mimic keystrokes. You can download dozens of existing payload scripts, create your own, or ask questions in a fairly active user forum.

The basic idea of Bash Bunny is that you can plug it into a computer and run some scripts and programs—then either vamoose with collected data or leave Bash Bunny surreptitiously attached for long-term remote hacking. Existing payloads include scripts for Windows, Android, and Mac. You can emulate keystrokes, grab browser cookies, steal credentials stored on disk and in memory, pilfer Wi-Fi passphrases, gain remote access, launch backdoors, create reverse shells, download remote files, execute programs, piggyback on a new Wi-Fi network segment, become a rogue computer on the network, and more.

Many of the scripts are designed to run even on locked-screen computers. You plug in Bash Bunny, it runs its commands and gathers the target information, then saves that info to an aptly named USB folder called “loot.”

How Bash Bunny works

My Bash Bunny arrived in a timely manner along with an optional, convenient carrying container and some cool swag. The device seems solidly made, although it ran a little hot after hours of testing.

Using this hacking device is absurdly simple. Simply slide the device switch to “arming mode” (that is, standard USB drive mode), plug it into the USB port, and open up one of two payload files. You then type in or copy your scripting text, along with copying and configuring any other needed dependencies and configuration files. On my Windows 10 computer, in arming mode, it showed up in Device Manager as a USB Serial device with a COM port. 

There are two main folders: switch1 and switch2. What you put in switch1 is executed when you boot Bash Bunny when the selector switch is in position 1, and what is in switch2 is executed when you boot with the selector mode switch in position 2. Malicious hackers can rig up two completely different attacks—say, one for Windows and one for Mac hosts.

I began by modifying a simple script that would start notepad.exe and type in text. Getting Notepad (or any default, built-in text editor) to run in a test hack is a good way to affirm that a hack is working well enough to do anything to the target computer. If hackers can run and direct Notepad, they can do lots of devious stuff, though not necessarily with elevated permissions. Getting higher elevation may require more sophisticated scripting and attacks, although Bash Bunny comes with a script to skirt user account control prompts.

Then I ran a bunch of more advanced scripts, each attempting to harvest credentials from the local computer, browser, or Wi-Fi connection. Most of the scripts used PowerShell, as many hacker and malware programs are beginning to do. PowerShell is installed on all supported versions of Windows, so it’s hard for antimalware software to detect and block scripts.

Each credential-harvesting script collected what it could and saved it in a subfolder named after the exploit under the loot folder on the USB drive.

Evaluating a hardware hack

Bash Bunny is truly a one-stop physical hacking tool. The hacking possibilities are endless. 

It’s scary what Bash Bunny can do. It doesn’t enable attackers to do anything they can’t already do, but it puts the whole deal in a small, stealthy form factor. An attacker could even modify Bash Bunny to offer the typical USB storage media view in Windows Explorer, enabling malicious scripts to execute while an unwitting victim thinks it’s a normal USB drive.

Bash Bunny got a “Wow!” from every person I showed it to. If you’re having trouble convincing management to protect against hardware threats, do a little Bash Bunny demo. They’re liable to change their tune in a hurry.