WEBVTT

00:00:01.340 --> 00:00:03.580
Welcome to Initial Access with the Bash Bunny.

00:00:04.540 --> 00:00:07.660
My name is FC, and I'll be your instructor on this course.

00:00:08.640 --> 00:00:09.590
In this course,

00:00:09.600 --> 00:00:13.170
I hope to teach you how to use the Bash Bunny in your red team engagements,

00:00:13.540 --> 00:00:17.730
how to modify its payloads, how to load additional tools onto it,

00:00:17.740 --> 00:00:20.950
and even what to do with all the data you manage to exfiltrate.

00:00:22.340 --> 00:00:26.270
Join me as we explore how to gain initial access using the Bash Bunny.

00:00:27.840 --> 00:00:30.750
The Bash Bunny is a hardware device attack platform.

00:00:31.340 --> 00:00:36.170
This device was created by Hak5 and is designed to be an all‑in‑one package.

00:00:36.840 --> 00:00:40.960
It is designed to be easy to use for covert offensive operations against

00:00:40.960 --> 00:00:43.770
multiple target environments at the flick of a switch.

00:00:44.540 --> 00:00:47.290
It allows you to easily load, create,

00:00:47.300 --> 00:00:49.970
and deliver payloads specific to your target.

00:00:50.940 --> 00:00:54.580
It does this by emulating multiple safe devices such as keyboards,

00:00:54.590 --> 00:00:58.350
flash storage, serial, and even network adaptors.

00:01:00.940 --> 00:01:02.470
So what is the Bash Bunny?

00:01:03.040 --> 00:01:05.900
It's an advanced USB‑based attack platform.

00:01:06.060 --> 00:01:09.970
It supports multiple operating systems for both loading and delivery.

00:01:10.540 --> 00:01:13.320
And whilst I'll be using a Mac laptop throughout this course,

00:01:13.540 --> 00:01:16.350
the overall use is the same on any platform.

00:01:16.350 --> 00:01:19.990
The hardware switch on the side of the Bash Bunny allows you to

00:01:19.990 --> 00:01:22.670
select the payload of your choice before the attack,

00:01:23.040 --> 00:01:25.890
depending on your chosen target and the action required.

00:01:27.040 --> 00:01:27.840
For example,

00:01:27.840 --> 00:01:31.010
you may want to attack two different operating systems or maybe

00:01:31.010 --> 00:01:33.250
run one exploit before delivering a second.

00:01:34.040 --> 00:01:35.530
It's easy to use.

00:01:35.540 --> 00:01:38.250
Once set up, anyone can plug the device in,

00:01:38.260 --> 00:01:41.740
watch for the green LED to tell you it's completing an attack,

00:01:41.740 --> 00:01:43.570
and at the flick of a switch,

00:01:43.580 --> 00:01:47.370
it turns even the newest member of your team into a capable resource.

00:01:48.440 --> 00:01:52.160
In this course, we're going to cover the following:

00:01:52.840 --> 00:01:57.070
the initial setup of the Bash Bunny, as well as an overview of its file system,

00:01:58.140 --> 00:02:01.020
loading your first payload into the Bash Bunny,

00:02:01.020 --> 00:02:04.270
how to use the Bash Bunny as part of a scenario,

00:02:05.340 --> 00:02:08.160
loading additional tools via serial connections,

00:02:09.340 --> 00:02:13.210
modifying existing payloads, and finally,

00:02:13.210 --> 00:02:16.280
how to investigate the loot that you collect from your attacks.

00:02:19.040 --> 00:02:21.410
Let's first take a look at where the Bash Bunny fits

00:02:21.410 --> 00:02:22.850
in relation to the kill chain.

00:02:23.740 --> 00:02:26.350
You will see that it tends to fall right near the start,

00:02:26.360 --> 00:02:28.060
just after the initial recon.

00:02:30.140 --> 00:02:34.000
While some of these payloads can perform other actions such as lateral movement,

00:02:34.010 --> 00:02:36.420
exploitation, and even evasion,

00:02:36.420 --> 00:02:39.970
they rely on the initial access given by the Bash Bunny.

00:02:41.440 --> 00:02:44.250
The Bash Bunny can be utilized alongside other tools,

00:02:44.250 --> 00:02:45.250
such as Empire,

00:02:45.260 --> 00:02:47.270
in order to create persistence and greater

00:02:47.270 --> 00:02:49.150
infiltration of the target environment.

00:02:52.840 --> 00:02:55.760
Let's now take a look at the MITRE ATT&CK framework and

00:02:55.760 --> 00:02:57.370
see where our tool fits into that.

00:02:58.340 --> 00:03:01.070
The MITRE ATT&CK framework lays out the tactics and

00:03:01.070 --> 00:03:04.910
techniques used by attackers and red teamers to perform their attacks.

00:03:05.640 --> 00:03:09.030
It's important to understand where your tool fits within this framework

00:03:09.040 --> 00:03:11.710
so that you can ensure that your clients are getting the best value for

00:03:11.710 --> 00:03:14.880
money whilst ensuring that all aspects of the kill chain have been

00:03:14.880 --> 00:03:17.900
attempted. For the Bash Bunny,

00:03:17.910 --> 00:03:23.560
it falls under initial access, or technique T1200, hardware additions.

00:03:24.640 --> 00:03:28.260
A common attack vector uses the Bash Bunny to exfiltrate data,

00:03:28.440 --> 00:03:31.270
so it also falls under exfiltration, or technique

00:03:31.280 --> 00:03:38.890
T1052, exfiltration over physical medium, with a subtechnique of T1052.001,

00:03:38.890 --> 00:03:45.890
exfiltration over USB. Depending on the payloads created or utilized by

00:03:45.890 --> 00:03:49.720
the Bash Bunny, we can almost touch every single section of the MITRE

00:03:49.720 --> 00:03:54.130
framework. But for this course, we'll focus on just the initial access and

00:03:54.130 --> 00:03:55.670
the exfiltration of data.

00:03:57.640 --> 00:04:01.240
A great way to understand the usage of the Bash Bunny is to show it in

00:04:01.250 --> 00:04:04.600
action as part of a scenario that may already be a familiar sight to

00:04:04.600 --> 00:04:07.150
some of you or a simple example for the rest.

00:04:07.800 --> 00:04:10.780
The scenario we will use in this course is one of attacking

00:04:10.780 --> 00:04:12.660
a small corporate office environment.

00:04:15.540 --> 00:04:18.709
So let's go into this scenario in a bit more detail so you

00:04:18.709 --> 00:04:21.200
can understand the role that the Bash Bunny plays in part

00:04:21.200 --> 00:04:22.350
of your red team assessment.

00:04:23.240 --> 00:04:27.040
Here, we see a typical office network that's reflective of a small to medium

00:04:27.040 --> 00:04:30.050
enterprise company that has requested your red team services.

00:04:30.840 --> 00:04:34.470
We have an internet connection with the normal firewalls and routers in place.

00:04:35.040 --> 00:04:38.400
We have multiple departments such as sales, HR,

00:04:38.410 --> 00:04:41.550
the executives, finance, and even software engineering.

00:04:42.340 --> 00:04:45.970
Additionally, all of their data is stored within the on‑site data center.

00:04:46.340 --> 00:04:48.690
Here, we have the types of files and folders that an

00:04:48.690 --> 00:04:50.360
attacker would consider valuable.

00:04:51.340 --> 00:04:54.070
Your red team has to discover a way into the company

00:04:54.070 --> 00:04:56.050
network and exfiltrate that data.

00:04:56.840 --> 00:05:00.350
This course is going to focus on gaining the initial access onto the network

00:05:00.350 --> 00:05:04.680
devices and exfiltrating information that we can use to gain further

00:05:04.680 --> 00:05:11.400
information and compromise more of the network. In a normal red team

00:05:11.400 --> 00:05:14.550
engagement, initial access may be attempted via the internet.

00:05:14.940 --> 00:05:18.580
This requires a large range of tools and techniques in order to pull off,

00:05:18.590 --> 00:05:21.780
as well as bypassing protection mechanisms in place to protect

00:05:21.780 --> 00:05:25.280
the perimeter. With all red team engagements,

00:05:25.290 --> 00:05:27.360
the first step is always recon.

00:05:27.840 --> 00:05:28.870
In this scenario,

00:05:28.870 --> 00:05:31.500
the red team has identified several members that work

00:05:31.500 --> 00:05:33.360
in the HR and finance department.

00:05:34.440 --> 00:05:38.010
One of these employees often works at a local coffee shop and leaves their

00:05:38.010 --> 00:05:41.070
laptop unattended whilst collecting their lunch from the counter.

00:05:42.240 --> 00:05:45.330
The red team has also discovered that with some social engineering,

00:05:45.340 --> 00:05:49.170
they're able to get an interview with the HR manager for a potential job.

00:05:50.140 --> 00:05:52.600
The team member will have limited time to access the

00:05:52.600 --> 00:05:54.250
HR laptop during the interview,

00:05:54.840 --> 00:05:57.500
and either of these devices can be easily breached

00:05:57.500 --> 00:05:58.770
with the use of the Bash Bunny.

00:06:00.940 --> 00:06:04.370
Once the team member has been able to gain access to the target's laptop,

00:06:04.370 --> 00:06:07.570
it's simply a case of plugging in the preloaded Bash Bunny,

00:06:07.580 --> 00:06:09.070
and it will run its attacks.

00:06:09.940 --> 00:06:14.270
It can obtain credentials, install a persistent backdoor, or even a

00:06:14.270 --> 00:06:19.070
reverse shell. Once the machine has been compromised, the Bash Bunny visually

00:06:19.070 --> 00:06:22.460
indicates that the attack was completed and it can be safely removed.

00:06:23.840 --> 00:06:27.670
Depending on the payload used by the red team member, they'll be able to move

00:06:27.670 --> 00:06:31.190
laterally across the network or obtain legitimate access to the files and

00:06:31.190 --> 00:06:32.960
folders held within the data center.

00:06:34.540 --> 00:06:37.670
This style of attack was used by a European threat group called

00:06:37.680 --> 00:06:40.960
DarkVishnya against several banks in order to gain access into

00:06:40.960 --> 00:06:42.850
their networks and to extract money.

00:06:43.740 --> 00:06:47.600
These attacks take seconds, but can have long-lasting effects.

00:06:49.340 --> 00:06:52.270
Before we begin with the demonstrations, let's have a quick

00:06:52.270 --> 00:06:54.170
overview of the hardware we're using.

00:06:55.140 --> 00:06:58.590
The Bash Bunny is a slightly wider-than-average USB device.

00:06:58.600 --> 00:07:01.100
On the top is an RGB LED,

00:07:01.440 --> 00:07:04.860
which can be programmed to give visual indications as to what is happening.

00:07:06.040 --> 00:07:08.710
There is a three position selector switch on the side.

00:07:09.140 --> 00:07:13.860
The nearest position to the USB connector is position three, and it is used to

00:07:13.860 --> 00:07:17.730
turn the Bash Bunny into a mass storage device, to load payloads onto the

00:07:17.730 --> 00:07:22.660
device, and to collect any loot that your attacks have gathered. Positions 1

00:07:22.660 --> 00:07:26.200
and 2 allow you to select which payload you wish to run when you insert the

00:07:26.200 --> 00:07:29.400
device into your target. By default,

00:07:29.400 --> 00:07:33.330
the LED status lights are as follows: green blinking is

00:07:33.330 --> 00:07:37.170
booting up, blue blinking is arming mode,

00:07:37.840 --> 00:07:42.500
red blinking is recovery mode or firmware flashing mode for version 1,

00:07:42.500 --> 00:07:46.900
red, or blue, or alternating LED is the recovery mode or firmware

00:07:46.900 --> 00:07:49.450
flashing mode for version 1.1 and above.

00:07:50.240 --> 00:07:52.740
You should never unplug during the recovery or firmware

00:07:52.740 --> 00:07:54.710
upgrades whilst the LED is flashing.
