Top 5 file stealing "exfiltration" payloads for the Bash Bunny

As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.

It’s also the most convenient way to configure the Bash Bunny, with an dedicated access to its USB Flash Storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.

Top 5 Exfiltration Payloads

These are just some of our favorite exfiltration payloads. For the complete listing, check out the Bash Bunny payload repository.

1.USB Exfiltrator

USB Exfiltrator payload on github

Exfiltrates files from the users Documents folder Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.

2. Faster SMB Exfiltrator

Faster SMB Exfiltrator payload on github

Exfiltrates select files from users's documents folder via SMB. Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME

This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, a EXFILTRATION_COMPLETE file is used to indicate when the attack is finished.

3. Optical Exfiltration

Optical Exfiltration payload on github

This is a quick HID only attack to write an HTML/JS file to target machine and open a browser, to exfiltrate data Using QR Codes and a video recording device.

It's based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified qr_string_size (Note: the larger the chunk size, the larger you'll need to set the qr_image_size, or you wont be able to read the QR Code). These Chunks are then converted into QR Codes and displayed in the browser and can be played back at a speed specified by the playback_delay setting.

We love this payload because it uses freespace optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!

4. Dropbox Exfiltrator

Dropbox Exfiltrator payload on github

This is a proof-of-concept payload using a stager. That means the staged powershell payload will download and execute an exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox.

It uses a powershell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it's just your ordinary encrypted Dropbox traffic.

5. Powershell TCP extractor

Powershell TCP extractor payload on github

This payload copies data to temp directory, compresses the data as a zip file, and uses powershell tcp socket to extract to a listener on remote machine.

The netcat listener IP address and port is configurable. This can be adapted to use an off-site machine as the receiver, or even the Bash Bunny itself. 


Also in Bash Bunny

Geofencing for the Bash Bunny Mark II
Geofencing for the Bash Bunny Mark II

Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the Bash Bunny Mark II can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it's certain to be in the defined area.

Remote Triggers for the Bash Bunny Mark II
Remote Triggers for the Bash Bunny Mark II

One of the greatest new features of the Bash Bunny Mark II is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I'll demonstrate how to use this handy new feature.
Getting Root on a Bash Bunny from the Serial Console
Getting Root on a Bash Bunny from the Serial Console

Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it convenient as ever – without the need for a serial-to-USB converter.