Elliot better have this in the next season.
But there aren't any computers in Fillory
Hack the telephones
this was my first thought as well ;)
Not Elliot From Fillory, the Elliot from Mr. Robot. lol
are you srsly smoking a bong on your avatar pic HAHA
This is totally going to appear in Mr Robot Season 3.
Turns out it didn't
This is beyond evil. I need one.
HHHHHH
Hey guys i'm Indonesia
66 likes, lets keep it that way :)
@mr.impian2733
Wow! A country on the interwebzz
@mr.impian2733 Where is Donesia? sorry - I had to ;p
"I heard a great disturbance in the force, as if millions of IT drones had massive coronaries..."
Awwwwww Darren looks like a proud dad (23:22 - 23:39)
I think you missed your chance to put a rabbit's foot on the key ring. /s With the logic of bash though, this seems like a good tool for IT automation as well in places that don't have better network managed tools for common tasks. Knowing common issues and having a library of scripts to fix them that I can plug into any machine, have it know the OS and the exact steps to fix would be amazing. I would also assume you could set up detection and have Switch 1 change what Switch 2 would do.
Adam Morgan Tech support on a keyring
Absolutely. Consider that you have both a DHCP server and TFTP server. There's PXE potential here :) ~Darren
Darren and Seb are legendary. This is insane!!!!!!
Not sure if anyone has posted this yet, but as for the boot time, if there's enough room, you could squeeze in a small rechargeable battery, pre-charge it, boot it in your pocket, and then connect in hot. Then boot could suck and the vector could be hit as soon as you can get it in the jack.
Thanks for the update on Bash Bunny. Just picked one up, can't wait to start hopping with the Bunny.
Hi Both, great video as usual, however, I am new to this stuff so learning and making a decision as to what kit to buy. I am going to go for the nano tact kit but then which one between bash bunny, lan turtle or ducky. While you briefly mention the "difference" between these three tools, could you please explain in a little more detail or even a video as to which may be useful or why I may need all three, please. I just find this stuff so interesting and want to experiment once I get the tools. Thank you.
WAIT A MINUTE... DID I SEE THAT YOU CAN UPLOAD THE PAYLOADS AS .TXT?!?!?!?!?!? SUCH EASE
The idea is to be ridiculously convenient. We've gone as far as to even make it compatible with the ASCII files that Windows notepad makes regardless of its awkward carriage returns. ~Darren
Hi Darren
my most favorite episode. I love you two!
Awesome, and I was over here simply wanting a way to have multiple payloads on one USB. Awesome work!
first
Lol, friggin troll machine
I kek'd so hard at the bunny glasses
hay snubs
.
Shannon Morse this is the best thing I've ever seen. I love you guys! Keep up this amazing work. :)
So excited for the Bash Bunny, another awesome tool from those smart guys at Hak5!
Mine is going to be here tomorrow and I can't wait to play!
The Bunny is going to become the go-to Swiss Army Knife for Pentesters...
yay just purchased mine, can't wait to see what the community develops. yay thank you HAK5
So more colors coming soon, what's in the yellow and orange bags?
Great episode Darren and Shannon! You guys are so awesome!
Can you tell me what camera was used to record the rubber duck drop? I've been looking for something to do those kinds of videos but have come up short on quality hidden cameras.
I don't know for sure -- it was Nat Geo's button camera. I do know it was a custom made job. Something from "a guy in a garage" using a similar SONY chip found in the RX100 line -- IIRC. Could be wrong.
This is nuts, already got my head tilting all possible degrees. Preorder complete.
Am I missing something, I see links to RSVP I see links that point to the sales page, but I don't see any link that takes me to this repository they talk about containing the library of code?
Will there be updated Field kits including the BashBunny at some time?
Yes, no specified date yet.
Where do we submit our payloads for the bash bunny competition?
github.com/hak5/bashbunny-payloads
Thank you :)
just ordered one. gotta add this to my bag of tricks. love all your hard work and products!!
I want to trust my technolust... but it's telling me to buy twelve and somehow I think that's overkill >.
This is probably the most cyberpunk infomercial ever. 10/10
Can you do an episode on the Raz Reverse shell? I tried this one on a Windows 10 machine and I got the solid white color, which indicated that the payload completed successfully. However, when I ran netstat on the Windows box I did not see the open port, nor did I see it on my Linux box when I did the netcat. Also, the PowerShell window was supposed to be hidden; well, it was not, as I saw it open. And it could also use the cleanup at the end to remove the PowerShell code from the run line.
couldn't wait so had to order.
like always. your tools are the best. thanks
Had to order TWO while watching video.. Can't wait!
Thank you very much, guys, for so much effort. And for making the excitement reach even those of us who don't know much. I'm happy to try it on my machines. Let's see if I can get one 😅
When will you guys have more to sell, it the keysly be in????
What's the difference in comparison to rubber ducky?
Apart from the look and speed mentioned in the video...i feel Bunny is kind of adv version of ducky emulating a variety of trusted devices.
Was planning to buy ducky...but now i am confused.
bari khan The Bunny also simulates a LAN adapter like the LAN Turtle, so you have many more attack possibilities. The Ducky, in compatibility, simulates only a keyboard (the Bunny can do this too) but is way faster than the Bunny
Vinc viert YT Account thanks... It's only the time of execution that gives ducky the upper hand.. Got it.
At the 11:07 mark, we get a tip from Darren that the Bash Bunny also works as an Ecto-Containment System. Perfect for catching those pesky ghost images.
Loving this little Bunny. I ordered mine. You guys are awesome!!!
There is NO repository on GitHub?! I assume that's why there's been no link in the description?
I think the Github repository will be coming live at the release party on 2nd March as they announced in the video.
Correct. March 2nd. ~Darren
Thanks for the information, I misheard the video perhaps
Thanks for the confirmation, will look out for the repo appearing!
So I don't work for a bank, but I do work for a company where I need to store sensitive data on my computer, and where my computer has implicit trust on the network for access to sensitive data stored on the network. It's been ingrained in me to lock my work computer whenever I get up from it, like the employee at the bank should have been doing in the clip shown. Locking a computer isn't the be all and end all (a LAN Turtle can still attack a locked computer), but it quickly and easily cuts down on the attack vectors available.
wait so do you still have to encode the rubber ducky payloads for bash bunny or no?
Sooooo the bash bunny can be used for keyboard scripts like a rubber ducky USB right? so if I get one I no longer need my rubber ducky?
when I try to open the terminal on the bash bunny it's an empty blank screen
Wow, just wow. There is much potential with Bash + trust.
for some reason Bashbunny on Device Manager Port com does not show up just says CDC serial but no com port displayed
JUST GOT ONE IN MY HANDS SO HAPPY!!
Buying one right now, you guys are my hero
This looks awesome! Hope more videos on it are coming.
I'M SO EXCITED!! I want to learn so much more about this! Please more vidzzzz!!
How does it not replace the 'Rubber Ducky'?
Speed, Price and formfactor
It can do the same things once it's booted up, however it takes longer to boot, and it isn't as covert. The Rubber Ducky is a specialized tool while the Bash Bunny is a general tool that does the same thing slower. That is if you aren't talking exfiltration.
Chewie They literally explained that in the video.
I was thinking the same thing since it can straight up run ducky script.
Basically, what he said. Basically, speed, price and form-factor. Also, features. USB Rubber Ducky is HID only - or HID + (slow) flash storage with 3rd party firmware. The Bash Bunny features HID as one of its 5 current attack modes and flash storage is tremendously faster.
The USB Rubber Ducky will always execute payloads faster (0.1 seconds vs 7), more economically (less than half the cost), and more covertly (with its generic flash drive case). For social engineering ops, USB drops and attacks which require the target to plug in the drive, the USB Rubber Ducky is still the gold standard. ~Darren
I just bought the elite field kit ughhh. I wish this came with it!
I've never seen Darren so excited.
Which are the computer models that you are using, and with which OS?
is this a replacement for the rubber ducky?
All you need now is to stick a wifi chipset on the thing, so it can be left in place and exfiltrate/controlled remotely.
Got my Bunny and the new stickers. Much love to Hak5
I think I will read the support forums and see just how smooth the ride is for others. Always research a product's performance based on end user experiences and not the ADVERTISEMENT.
Absolutely. Feel free to check out our forums at: forums.hak5.org/index.php?/forum/92-bash-bunny/ where the developers have been actively helping out new users.
Any good books/resources for learning to write scripting languages??
So what is the difference between this and the ducky?
How long did it take you to develop the BashBunny?
They make it look way more exciting than it actually is. Like in an infomercial. I guess this is an infomercial.
What is the usb controller speed of the device? I can't find it so I assume it's only 2.0 since I believe you also said it's not usb 1.1
does it work even when a user is not logged in?
Dumb question. Do y'all plan on any USB-C variants? Obviously Bash Bunny isn't really made for random drops. Will the rubber ducky ever have a USB-C version because they are awesome for hiding in random cases. Trying to avoid dongle hell with these things.
how do you submit your payload for the competition on GitHub?
root access to the linux stuff... If I were to brick/bork the software, is it possible to re-flash from usb?
It auto-recovers from a special partition if it fails to boot more than 3 times.
So what's the difference between this and rubber ducky? Besides the price
you-are-not-real watch til the end of the episode. We go over this!
SHUT UP AND TAKE MY MONEY! Oh, you already did... SHUT UP AND TAKE MY MONEY AGAIN (cwl)
where is the repo ??
So what I'm getting is the power of Wi-Fi Pineapple + bash bunny = doing attack without being on the physical device?
Can it work as a keylogger?
You should definitely make a NTC Pocket Chip type screen keyboard peripheral for the bash bunny that would be sweet. Great work crazy cool hardware love it.
All I need now is money to buy it.
I would like to get one but you are not shipping in Croatia
I don't see the documentation or the GitHub repository. Am I just blind?
It's at wiki.bashbunny.com
Can it be traced back to owner/attacker if you leave it and it's found by the attackee..
How can I get the bash bunny in Bangladesh?
Hak5 are you guys going to come out with a field kit that include the bash bunny?
Yes
What does the packaging look like? Like is it obvious that it is a hacking device?
Nope, it comes in a carrier envelope -- so if you ship via DHL, UPS or USPS it'll come in one of their bubble mailers. The actual product packaging inside the shipping material is a red envelope with a cute Bash Bunny logo.
Just ordered mine!
anyone else stay up just to watch this? also can you do giveaways plz
yup
What's the difference between this and the USB Rubber Ducky? Is this better because it's newer?
It can imitate more than just a keyboard, lots of other stuff too ;)
already ordered. great work.
nice tool but it would be cool if there was a way to use poisontap with The Bash Bunny.... it looks like there may be since it has a way to ssh in to it.
Gishi I am pretty sure someone is going to fork and port it over. Anytime soon!
Is Hak5 in Seattle? I live in Seattle
03:55 - One must have nerves of steel, to pull that off. No mercy
how can I get this bash bunny
what laptop do you use?
Would be great to use as a "plug in" VPN client. Just plug it in and it tunnels all traffic through your VPN server. It would be similar to what Darren does with the Pineapple via wifi, but done by just plugging the BB into an open USB port. Instant secure web browsing everywhere you go on any machine with no configuration!
0150r have u not seen same thing for TOR?
I've seen a TOR/VPN router that uses an RPI and Darren did cover using a Pineapple to make an openVPN access point. I'm looking more towards having the BB be a "plug in the USB, be on the VPN" type device.
Will it make a good stew
HAHAHAAHAHA
I can see super glue being used as a security measure until your remove the side of the case and go to the pads.
Been working on this with a RpiZ for a little while. I want one.
please please someone tell me that there will be a payload generator tools like they have with the ducky
Indeed. I've been talking to the folks behind the duck toolkit and it's already in the works. ~Darren
any coupon codes?
Custom built hardware or can we build one?
DunJen_Knives They're selling them. It might be worth you checking out the poison tap.
if you want to build one.
Ever since I saw the release I couldn't wait till this came out, and when I did it was the most amazing thing I have ever seen. Awesome job guys.
Can you make an episode on all the really technical details of how the BashBunny works? That would be really interesting, thank you!
What is the capacity of the internal memory
just 4 info - 13:49 use the windows command "mode" - its faster
i love looking at you guys
so @ 19:33 you had to wait 11 minutes for the bb to do its thing? if I look at your computer's time 11 minutes went past after you plugged it in?
I can see super glue being used as a security measure until you remove the side of the case and go to the pads.
This is dope af Darren - getting one for sure
looved her description of the cdc