I have been looking at the BashBunny from Hak5 for some time, and thought to myself that it was quite expensive. I wanted to play with the same powerful tools, so I decided to build my own cheap-ass version from a Raspberry Pi Zero WiFi.
After some soldering, coding and messing around with other people's code, I ended up with my Bunny-version with these features:
- A Raspberry Pi you stick into a PC that acts like a keyboard, a mass storage device, a serial device, and an RNDIS-ethernet adapter.
- 16 boot modes that can be set by a 4xDIP switch. Depending on the switches different scripts/payloads will be executed upon boot.
- Two buttons that can launch 2 different scripts in each bootmode.
- Two LED’s (red and green) incorporated into the buttons for signalling. ON/OFF/SLOW BLINK/FAST BLINK.
- Easy BashBunny bash syntax for keyboard strokes, LED’s and attack modes.
The result is not pretty, but it works. If you want to spend the extra money you could make a nice PCB hat.
See it in action here (Demonstration of payload #2):
- Raspberry Pi Zero Wifi
- Pi Zero USB Stem
- 2 x Tactile Push Button Switch With LED lights
- DIP switch with 4 switches
- 2 x 330R resistors
This is so simple that I won’t bother you with diagrams.
- Green button between ground and GPIO13 (internally pulled up)
- Red button between ground and GPIO10 (internally pulled up)
- Green led on GND and with a 330R resistor to GPIO19
- Red led on GND and with a 330R resistor to GPIO11
- DIP 0,1,2,3 to GPIO2, GPIO3, GPIO4, GPIO17 resp. and GND (the pins are internally pulled up inside the Rasp. PI)
You could choose any other IO-pins. These were the ones that were closest in my layout. As shown in the picture I used a piece of vero-board as a hat on top of the Pi.
The USB stem is not needed, but it makes the entire thing into a kind-of clumsy USB stick. Then you don’t need to carry cables with you 🙂
Clone my project from github and install it:
apt install -y git
git clone https://github.com/x821938/PoorMansBashBunny.git /bunny
cd /bunny
./setup.sh
The inner workings
All the functionality is built around the “/bunny/bin/bunny-launcher.py” script. It’s invoked at boot as a service “bunny-launcher.service”. My script does this:
- When started it looks at the number set on the dip switches in binary. This will give a code X from 0-15.
- It now looks in “/bunny/payloads/X” for an executable file called “boot” and runs it if it exists.
- The script now constantly watches the buttons. If the green button is pressed then the file “/bunny/payloads/X/button_green” is executed. If the red button is pressed then the file “/bunny/payloads/X/button_red” is executed.
- Finally it handles the LED’s blinking.
Have a look in the “/bunny/payloads” directory to see a couple of simple examples. Number two is the most complete.
This tool turns on the different possible USB gadgets like storage, ethernet, serial and keyboard. Examples of usage:
ATTACKMODE STORAGE HID # Act both as a mass storage device and a keyboard
ATTACKMODE STOR_RNDIS # Act both as a mass storage device and an ethernet adapter for windows.
When in RNDIS mode, the Pi will have IP 172.16.64.1 and run a DHCP server to provide leases for the target. The target typically gets 172.16.1.11.
Have a look in the ATTACKMODE script to see what kind of USB devices it can emulate.
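Seen from the target, each ATTACKMODE combination is one USB device exposing several interface classes, which is what a defender can check for. The following is an added example, not code from this project: it classifies interfaces by their standard USB class codes and flags a keyboard that also presents storage, network or serial, or storage combined with network. The input lines are constructed, in the shape of sysfs interface names followed by the bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol values.

```python
from collections import defaultdict

# USB (class, subclass, protocol) triplets that different stacks use for RNDIS
RNDIS = {(0xE0, 0x01, 0x03), (0x02, 0x02, 0xFF), (0xEF, 0x04, 0x01)}

def role(cls, sub, proto):
    """Coarse role of one interface, from its descriptor triplet."""
    if cls == 0x03:                       # HID; boot protocol 1 is a keyboard
        return "keyboard" if proto == 0x01 else "hid"
    if cls == 0x08:                       # mass storage
        return "storage"
    if (cls, sub, proto) in RNDIS or (cls, sub) == (0x02, 0x06):  # RNDIS, CDC ECM
        return "network"
    if (cls, sub) == (0x02, 0x02):        # CDC ACM serial port
        return "serial"
    return None

def parse(lines):
    """Group 'bus-port:config.interface class sub proto' records by device."""
    devices = defaultdict(set)
    for line in lines:
        iface, cls, sub, proto = line.split()
        r = role(int(cls, 16), int(sub, 16), int(proto, 16))
        if r:
            devices[iface.split(":")[0]].add(r)
    return dict(devices)

def suspicious(devices):
    """Keyboard plus storage/network/serial, or storage plus network."""
    hits = {}
    for dev, r in devices.items():
        keyboard_combo = "keyboard" in r and r & {"storage", "network", "serial"}
        if keyboard_combo or {"storage", "network"} <= r:
            hits[dev] = sorted(r)
    return hits

# Constructed sample, not captured from a real host
SAMPLE = """\
1-1:1.0 03 01 01
1-2:1.0 08 06 50
1-3:1.0 03 01 01
1-3:1.1 08 06 50
1-4:1.0 e0 01 03
1-4:1.1 0a 00 00
1-4:1.2 08 06 50
""".splitlines()

if __name__ == "__main__":
    for dev, r in suspicious(parse(SAMPLE)).items():
        print(dev, "exposes", ", ".join(r))
```

A HID-only mode looks like any ordinary keyboard and is not flagged, and storage plus network also matches many cellular modems, so treat hits as triage input for a USB allow-list rather than as a verdict.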
This is the tool that simulates typing on the keyboard. An example:
QUACK GUI r # Press the windows key and R
QUACK DELAY 500 # Wait half a second
QUACK STRING cmd # Type the letters "cmd"
QUACK ENTER # Press enter
If you don’t use a US keyboard, you might need to change the layout with an environment variable before calling QUACK:
keyboardLayout="DK"
export keyboardLayout
Be aware that I only made the DK layout. If you want to do your own language, you have to edit “/bunny/src/rspiducky/duckpi.sh”. The structure of the file should be easy to adapt for your language.
For talking to the two LED’s. Examples:
LED RED ON
LED GREEN SLOW
LED RED FAST
LED GREEN OFF
This should be called before starting the ATTACKMODE in storage mode. This makes sure the payload directory is mirrored to the mass storage device. This makes the payloads available to the target host.
This keeps checking the mass storage device to see whether the target has written a file called “target_finished”. This is a good way to check if the target is finished doing whatever it was instructed to do. Example:
If the file is found within 60 seconds it will return with exit code 0, otherwise exit code 1.
A good example of the use is found in “/bunny/payloads/2/boot”.
I will take full credit of the code in:
The following is borrowed code with my modifications:
- bin/ATTACKMODE (from PiBunny project). I added the possibility to get RNDIS working under Windows without installing drivers.
- bin/storage_rndis (from Gadgetoid). RNDIS under Windows. I would like to include it in ATTACKMODE, but ethernet doesn’t work well together with the other gadget modes. Any help from the community???
- src/rspiducky/duckpi.sh (from rspiducky project). I changed the basic structure to make it easier to use different keyboard language layouts. I added DK because I needed it, but it would be simple to add your own language.
- src/rspiducky/hid-gadget-test.c. I needed to add an extra key we have on DK-keyboards to make special characters.
You can have a look at the scripts for the real BashBunny. Most of them can easily be ported to my device with very few changes.
I hope you found this small weekend project interesting 🙂 Comments are welcome.