Bash Bunny by Hak5 is a discreet yet very powerful device that looks like a regular USB flash drive but can do much more. Once connected to a computer, Bash Bunny can emulate various types of USB devices, such as a keyboard, network adapter, or storage. Thanks to this, it is possible to automatically launch pre-prepared attacks, extract data from the target computer, install backdoors, or bypass security measures in just a few seconds. Bash Bunny is therefore mainly suited for penetration testing, security audits, or even for automating routine IT tasks that would otherwise take hours of manual work.
Using the Bash Bunny is simple and intuitive. The device has a small switch that lets you select one of three modes. The position closest to the USB connector is called “arming mode,” in which the Bash Bunny connects as a storage device and serial console. In this mode, you can easily upload new scripts, configure the device, or access stored attack results. The other two positions are intended for launching attacks, called payloads. These are always stored in a specific folder, and when the device is inserted into a USB port, they are executed automatically.
The basis of everything are so-called payloads—scripts that determine what the Bash Bunny will do. These scripts are written in a special language called Ducky Script, which is extended with Bash shell commands. Ducky Script is very simple; individual commands are primarily used to simulate keystrokes, which is the foundation of all so-called HID (Human Interface Device) attacks. Bash extensions allow for more complex automation, file handling, or conditional logic based on the situation on the target machine. Scripts are saved as plain text files named payload.txt in the corresponding folder on the Bash Bunny.
To give you an idea of what a payload looks like, just a few lines are enough to, for example, set the device to act as both a keyboard and storage, and then use the QUACK command to “type” a specified command into the victim’s system. The device’s LED changes color depending on its current state, which helps quickly check whether everything is working as intended.
Bash Bunny is not just about typing keystrokes. For example, it can emulate a network card and present itself as a new ethernet adapter. This enables direct attacks on the victim’s local network, such as intercepting network traffic or obtaining login credentials. Another common feature is rapid data exfiltration—automated downloading of files from the computer to the device’s internal memory, or even sending them over the network. Newer versions of Bash Bunny also offer features like remote attack triggers via Bluetooth or geofencing, where the payload is only executed in a specific location.
Getting started with Bash Bunny is not difficult. All you need is a basic knowledge of working with a text editor and some familiarity with the Bash command line. All documentation, example payloads, and more tips can be found at docs.hak5.org or in the official GitHub repository. The simplicity, openness, and wide community around Bash Bunny have made it a popular tool not only among penetration testers but also among IT enthusiasts who want to see how easy it can be to automate tasks or test their own security. Bash Bunny by HAK5 is available HERE.
