Hacking Gadgets: Hak5 Bash Bunny

I did a little bit of security and hacking training for my colleagues just before Christmas. The aim was to explain why we have certain (sometimes unpopular) restrictions in place on the network, and at the same time, to show where we still need to put the work in.

We often talk about security with both colleagues and customers. The good thing is that everyone understands that there is a need to do things properly and to take care of security. On the other hand, I think they believe that these are all theoretical things and that virtually no attack is easy to do… so I decided to do practical training only – I showed them attacks against both the laboratory environment and our production environment … I think that it has worked.

To make it “more fun”, I ordered some gadgets (Bash Bunny and Packet Squirrel from Hak5). Since both devices are ideal for presenting security risks, I would like to share my experience with you. I’m going to start with what the gadgets can be used for, because if you’ve never held such a device, it’s probably going to shock you. So, let’s start with what you can do with the Bash Bunny.

Before I start, I would like to point out that it is not my goal to encourage anyone to commit criminal offenses or to hurt anyone. The devices are presented for educational purposes only, and I use them for demonstration and penetration testing myself. Someone may argue that this information should only be held within professional circles. That, in my opinion, is like sticking one’s head in the sand, and besides, it’s too late – just search for the word “hacking” on YouTube.

What can you do with it?

If you’re a good admin,

you’ll use it to automate things you do not like doing. For example, you have to type a set of commands on a regular basis and cannot do it any other way, say because the PCs are not on the network. In this case, you write all the commands into a text document and upload it to the Bash Bunny. Once you connect the Bash Bunny to a device, it acts as a keyboard and sends whatever is in the document to the PC (as if you had connected a real keyboard and typed it yourself – that is all the PC sees). Bash Bunny types everything you want without errors and many times faster than you ever could yourself.

If you are not a good admin,

you will use Bash Bunny, for example, to connect unlocked PCs to your Metasploit framework or to install a backdoor. Just plug Bash Bunny into a PC and within 15 seconds the PC is under your control (the videos are only illustrations – similar attacks that I have managed to find on YouTube).

Or you can use it to get passwords from the PC. Connect the Bash Bunny to the PC and have it present itself as a USB drive and keyboard. Through the keyboard, you type a command to run a program located on the USB drive. This program will extract passwords (from the Windows credential manager to all saved Wi-Fi networks, passwords and history from web browsers, and the passwords and database of the KeePass password manager if it is running) and store them on the USB drive. It is all done within 40 seconds; Bash Bunny can then be ejected from the PC and one can leave (built on LaZagne and the payload “library/credentials/PasswordGrabber”).

If the PC screen is locked, it does not mean that nothing can be extracted from the PC. Bash Bunny has the ability to emulate a network card. When connected to a PC, Bash Bunny looks like a 2 Gbit card, and since it is probably the fastest interface, it will become the default network interface. Through DHCP it assigns the PC an IP address and the PC starts to communicate via this network. Of course, it’s just an emulation of a network card, so neither the internet nor the PC’s own network can be reached. Bash Bunny, however, will respond to and simulate communication for all of the PC’s attempts to connect to other devices, and on that basis the device can locally store captured passwords, cookies, or “authentication challenges” (based on the attack and payload “library/credentials/QuickCreds/”).

To spice things up, all the attacks work against a fully updated PC with antivirus protection turned on, and admin privileges are not a prerequisite (this differs from antivirus to antivirus and with how restrictive the PC settings are – if you have completely blocked USB ports, it is clear that it will not work).
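Because an emulated keyboard types many times faster than a person, sustained key-down intervals of a few milliseconds are one signal a defender can look for when antivirus stays silent. The following is an added example, not part of the original article: it scans per-device key-down timestamps for such bursts. The device labels, the 15 ms gap, the 20-key minimum and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

def injected_bursts(events, max_gap_ms=15, min_keys=20):
    """events: (device_id, timestamp_ms) key-down events.
    Returns (device_id, start_ms, end_ms, key_count) for every run of at
    least min_keys keys in which each key follows the previous one within
    max_gap_ms. Both thresholds are assumed values; tune them per site."""
    per_device = defaultdict(list)
    for dev, ts in events:
        per_device[dev].append(ts)
    bursts = []
    for dev, stamps in per_device.items():
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # Close the current run at end of data or on a human-sized gap.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap_ms:
                if i - start >= min_keys:
                    bursts.append((dev, stamps[start], stamps[i - 1], i - start))
                start = i
    return bursts

# Constructed sample: a person typing on the built-in keyboard (irregular
# gaps, with the occasional fast "rolled" key pair) ...
HUMAN = [("kbd0", 0)]
t = 0
for gap in [110, 95, 240, 12, 130, 180, 14, 160] * 4:
    t += gap
    HUMAN.append(("kbd0", t))
# ... and a newly attached USB keyboard sending 40 keys 5 ms apart.
INJECTED = [("usb-1-3", 9000 + 5 * i) for i in range(40)]

SAMPLE_EVENTS = HUMAN + INJECTED
print(injected_bursts(SAMPLE_EVENTS))
```
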

What is Bash Bunny

It is a “PC on a stick” – a “microcomputer” (Quad-core ARM Cortex A7, 512 MB DDR3, 8 GB storage) that looks like a larger USB flash drive and includes Debian Linux with Hak5 adjustments.

It is a device suitable for attacking via USB (sometimes called BadUSB attacks). It’s a terror for users who do not lock the screen when they leave their PC. When connected to a PC, Bash Bunny can present itself as a keyboard, a USB drive and a network card, or any combination of these devices (no drivers need to be installed on the PC).
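A single stick that is a keyboard, a drive and a network card at once is visible to the host in its USB interface descriptors. As an added example (not from the original article or from Hak5), this Python check parses Linux USB modalias strings and flags devices that pair a HID interface with storage or network interfaces. The sample inventory and its vendor/product IDs are constructed placeholders, and treating that combination as suspicious is an assumption that will also match some legitimate composite devices.

```python
import re
from collections import defaultdict

# Interface fields of a Linux USB modalias string (ic/isc/ip = interface
# class, subclass, protocol), e.g. /sys/bus/usb/devices/1-3:1.0/modalias.
MODALIAS = re.compile(r"usb:v[0-9A-F]{4}p[0-9A-F]{4}.*"
                      r"ic([0-9A-F]{2})isc([0-9A-F]{2})ip([0-9A-F]{2})")

# (class, subclass, protocol) triples of USB network adapters; None = any.
NETWORK = {
    (0x02, 0x06, None),  # CDC Ethernet Control Model
    (0x02, 0x0D, None),  # CDC Network Control Model
    (0x02, 0x02, 0xFF),  # RNDIS as vendor protocol on CDC ACM
    (0xE0, 0x01, 0x03),  # RNDIS, wireless controller class
    (0xEF, 0x04, 0x01),  # RNDIS over Ethernet
}

def role(ic, isc, ip):
    """Coarse role of one interface, or None if it is not of interest."""
    if ic == 0x03:
        return "hid"      # any HID interface may act as a keyboard
    if ic == 0x08:
        return "storage"
    if (ic, isc, ip) in NETWORK or (ic, isc, None) in NETWORK:
        return "network"
    return None

def suspicious_devices(records):
    """records: (interface_name, modalias) pairs, interface_name such as
    "1-3:1.0". Returns {port: roles} for devices that combine a HID
    interface with storage or network interfaces."""
    roles = defaultdict(set)
    for name, alias in records:
        m = MODALIAS.match(alias)
        r = role(*(int(g, 16) for g in m.groups())) if m else None
        if r:
            roles[name.split(":")[0]].add(r)
    return {port: sorted(r) for port, r in roles.items()
            if "hid" in r and r & {"storage", "network"}}

# Constructed sample inventory (vendor/product IDs are placeholders).
BASE = "usb:v{}d0100dc00dsc00dp00ic{}isc{}ip{}in{}"
SAMPLE = [
    ("1-1:1.0", BASE.format("1111p0001", "03", "01", "01", "00")),  # keyboard
    ("1-2:1.0", BASE.format("2222p0002", "08", "06", "50", "00")),  # flash drive
    ("1-3:1.0", BASE.format("3333p0003", "03", "01", "01", "00")),  # HID ...
    ("1-3:1.1", BASE.format("3333p0003", "08", "06", "50", "01")),  # + storage
    ("1-4:1.0", BASE.format("4444p0004", "E0", "01", "03", "00")),  # RNDIS ...
    ("1-4:1.1", BASE.format("4444p0004", "03", "01", "01", "01")),  # + HID
]
print(suspicious_devices(SAMPLE))
```
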

I am also including a video from the manufacturer in which the device is presented and its use is showcased. If you have 20 minutes to spare, it will give you a decent idea.

Bash Bunny has a three-way switch at the top, which selects what happens when it is connected to a PC. One position is an “arming mode,” in which Bash Bunny connects only as a USB drive and can be reconfigured. The other two positions are configurable – you set for yourself which attack each one performs.

Bash Bunny contains one RGB LED to indicate the phase of the attack (e.g. boot, phase 1, phase 2, all done).

Practical experience

Unfortunately, I did not have as much time to play with Bash Bunny as I had imagined. But here is what I came up with:

  • You can write the Bash Bunny attacks yourself or choose from the existing ones. The official payload repository for the Bash Bunny is here: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library . Not all attacks in the official repository are flawless – sometimes you need to fix something.
  • Updating your device is very easy. Just connect Bash Bunny to a PC in arming mode, upload the updater and run it. It will take care of uploading the latest firmware and downloading attacks from the repository (see above).
  • The device boots in about 9 seconds and then immediately starts to perform the selected attack, i.e. you only need a moment at the PC.
  • The disadvantage I have encountered (but it concerns all keyboard emulators) is the keyboard layout issue. For each attack in which Bash Bunny emulates a keyboard, you need to set which keyboard layout it should emulate (for example, English, Czech, Slovak …). The layout set in Bash Bunny must match the setting on the target PC. If you set the English keyboard layout on Bash Bunny but the PC is currently set to Czech, Bash Bunny will write “z” instead of “y” and “(” instead of “{” etc. The solution is to switch the keyboard layout before the attack (but that is not so sexy because you have to “touch” the PC), or to have the attack ready with the CZ keyboard layout under switch position 1 and the same attack with the EN keyboard layout under position 2.

Where to purchase

If you wish to buy the same gadgets, I ordered mine directly from the USA. I had them on my desk within 9 days of ordering, so it’s fast. On the other hand, it was quite expensive. Both devices cost me $160. Unfortunately, I had to pay another $165 to get them to the Czech Republic ($57 for shipping, $33 USA VAT [in my opinion unjustified] and $75 for customs duty and customs representation). It would be better to order directly from someone in the EU.

As an alternative to Bash Bunny, you can buy a USB Armory, which can be ordered directly from the EU and with shipping comes to about €152 (but I have not had one yet).

My plans

As soon as time allows it, I’d like to build my own attack library. I would then like to use Bash Bunny with my customers to demonstrate how fragile the security is. Mostly because I think there is a low awareness of the risks associated with USB devices. Most people I know think that the USB is just about connecting USB flash drives and that there is no danger.

I would simply insert a Bash Bunny, which looks like a regular USB drive, into their PC and disconnect it again after 30 seconds. I would then show them that in those 30 seconds I got their passwords, their data, or remote access to their computer (keylogger, screenshots, access to data, webcam access).

I think the most “sexy” thing about that is that one does not have to touch the target PC.

Conclusion

In the next article (Gadgets for hacking: Hak5 Packet Squirrel) I will describe the second of the gadgets I’ve acquired for the company, the Packet Squirrel. If you wish, leave me an email below and I will let you know as soon as the article comes out.

How do you like the Bash Bunny? Do you have any similar gadgets? Do you somehow demonstrate to your customers how fragile security is?
