
Copy Files from an Unlocked Computer In Seconds w/ the Bash Bunny | HakByte 

Hak5

Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
In this episode of HakByte, Alex Lynd demonstrates how to use the Bash Bunny to copy photos from an open computer in just seconds, by emulating a USB keyboard.
Links:
File Exfiltration Code: github.com/AlexLynd/Bash-Bunn...
Bash Bunny Scripting: docs.hak5.org/hc/en-us/articl...
Ducky Script: docs.hak5.org/hc/en-us/articl...
Alex Lynd's website: alexlynd.com
Follow Alex on Twitter: / alexlynd
Chapters:
Intro: 00:00
What is the Bash Bunny?: 00:15
Keystrokes Injection Attacks: 00:30
Tools You'll Need: 00:55
Arming the Bash Bunny: 01:01
Setting up Your Environment: 01:25
Payload Preparation: 01:56
Bash Bunny Scripting: 02:16
KeyStroke Injection w/ DuckyScript: 03:19
Code Overview: 04:02
Keyboard Shortcuts: 05:38
Copying Files in Linux: 06:22
Saving to a Mounted Drive: 07:44
Automating Data Exfiltration: 09:24
LED Indicators: 10:22
Data Exfiltration Demo: 11:25
Outro: 12:06
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.

Science

Published: 7 Jul 2024

Comments: 55
@nicolaslutchman7266 2 years ago
If there are a lot of pictures to copy, the terminal will stay open for a long time before exiting because it exits after the cp command is executed. Also, instead of using && you should use ; because && works only if the previous command didn't get any errors. If there is an error while copying one of the files it won't do the exit part.
@gouthamvirigineni348 2 years ago
Been waiting for this for so long 😍😉🔥❤️
@juliusrowe9374 2 years ago
Great tutorial Alex!
@garygipson237 2 years ago
Great job, you've really taught me a lot of cool things. Thanks, keep the videos coming!
@Acid741981 2 years ago
Nice explanation 👍 next time it would be a good addition to show how to set up the micro SD for looting more data and simultaneously for the bunny to show up on the victim's PC as a normal USB stick. While the victim is copying FROM the "USB Drive" the script has more time to loot larger amounts of files... Great demo anyway 👍
@lawabidingcitizen5032 2 years ago
Please do some videos with Wi-Fi Pineapple...... There aren't many good ones out there
@ElTelBaby 2 years ago
Very neat...
@CokesAndTokes 2 years ago
Yes ok but is your store fixed? Last time I couldn't check out with card or Amazon pay
@jeffl8915 2 years ago
Thank you!!
@manaskumarberiha5157 2 years ago
AWESOME !!!
@pathfindercod4638 2 years ago
Awesome!
@mitchellvaraonbha8449 2 years ago
I remember there being custom firmware for the USB Rubber Ducky that allowed a payload to be run while it was in mass storage mode. Is there any advantage in using the Bash Bunny over a solution like that?
@brianconlogue7665 1 year ago
If this is all you want to do, the ducky will work and actually works faster. The Bash Bunny is a computer, you can have an SMB server on it which is amazing for servers that don't allow USB file transfers. The Bash Bunny can act as an ethernet adapter, HID device, can run nmap scans. It does a lot more than the ducky.
@brianconlogue7665 1 year ago
The firmware you are referring to is twin ducky, but with the new duck you don't need that firmware. At the top of your payload.bin file you can put ATTACKMODE HID STORAGE. A normal attack mode would just be HID but you are saying you want the ducky to act as HID and STORAGE.
@McDonaldGlover 2 years ago
LETS GOOOO!!!!!
@sk8erfreak540 2 years ago
Good video
@TrollingAround 2 years ago
Hoodie worn for warmth - good. Hoodie hood not worn = okay, not too cold.
@jarredelijah6803 3 months ago
Can this thing be used on iPhones? (And if from 1-15, which are the ones that are exploitable and the ones that can defend?) Pls try it on Androids. (Yup, a nice vid for RU-vid too)
@thehotdog1221 2 years ago
How is this different than a Rubber Ducky?
@greob 2 years ago
9:33 "it leaves no trace"? It does leave a trace in the shell command history...
@letsgetto1millwithoutvids 2 years ago
That can be wiped. I have it on my bad USB scripts.
@hokuspokus8570 2 years ago
Start the command with a space and the command doesn't show up in history.
@pabloiranzo7859 2 years ago
@hokuspokus8570 fr?
@pushpaohe7786 2 years ago
More videos on Bash Bunny
@kpopempire1475 2 years ago
The only thing this device gives you is speed. On an insecure computer you can do the same thing with a regular USB drive and just manually typing in the commands. What can it do on a screen locked PC?
@Terraphice 9 months ago
Totally incorrect, and it can do quite a lot against a locked device. This video showed off the 'Rubber Ducky'-esque features of the device, which aren't the main selling point or purpose. (It's actually slower than cheaper Rubber Duckies, because it has to initialize a Linux environment before running Ducky Script.) This device can be left plugged into the back of a computer for remote exfil operations, can execute commands remotely when receiving a Bluetooth signal, can transfer files over WiFi, can run programs like Metasploit on its own ENV and export certain processes to the host, etc. The Bash Bunny can emulate many more HID devices. It can be a serial device, an Ethernet device, a mass storage media device (a regular USB), etc. all while providing the speed of a superhuman, and keeping your hands away from the keyboard. Someone would be much more comfortable with 'borrowing your USB' than letting you open a terminal at their computer and type in commands manually, for example.
@erinescobar9167 9 months ago
Is this a mubix attack?
@Bossboi_viper 2 years ago
Nice
@tamilhuntergaming6094 2 years ago
Bash Bunny Is the Cool gadget🤩🤩🤩🤩🤩🤩🤩
@mattplaygamez 2 years ago
When is Darren Kitchen coming back?
@liononline84 2 years ago
Yeah okay that's cool, but that's not really a big thing when you need to know the file path exactly!! Thanks for the explanation.
@Das_Unterstrich 2 years ago
You could "generalize" it with copying everything in like the $USER path (like Documents, Images, Videos, etc), or on Windows everything in like the C: directory and making it loop through other directories shouldn't be that hard either. Additionally, even when knowing the path already it's still a lot faster than doing it manually with having to do like a dozen clicks/keystrokes.
@ronnyarellano4943 2 years ago
This is where having the basic knowledge of file structures in each type of OS is important.
@liononline84 2 years ago
@Das_Unterstrich yeah but most of the times, these files are empty 🌚
@Das_Unterstrich 2 years ago
@liononline84 This is why I suggested to basically just "bruteforce" the files with simply scanning through a bigger file-set and/or other storage locations
@__--JY-Moe--__ 2 years ago
🐿🦖
@MrRobot222 2 years ago
"google Sh*t" 🤣
@bigfrankfraser1391 1 year ago
As a private detective, I have used devices similar to this (legally speaking I'm unable to disclose actual brands and makes). Once I had been hired to prove a husband was cheating on his wife, so while he was at home on his PC, I had his wife distract him, went into his office and cloned his files to find any digital evidence. Instead, he got arrested as his office computer contained some disturbing media involving "non adults".
@molotov5000 11 months ago
oh
@Terraphice 9 months ago
This is a crock. Private detectives aren't above the law like that. Even actual detectives can't do this under most scenarios, without a strict warrant for the contents of his computer. Making using one of these unnecessary and even potentially illegal depending on what data it collects. (As warrants limit the search to *searching*, and copying files or data can only be done for very specific reasons. It would also make you guilty of distribution and dissemination of **.) Using any device like this to breach someone's privacy would be committing a numerous amount of felonies, and all evidence collected in this manner is inadmissible in court, as it would be obtained through a violation of your 4th amendment rights against unreasonable search & seizures. If you were a private detective, or even a real detective, disclosing the brands and makes of similar devices would be irrelevant, as you would have submitted these details to the public in court already. If you want to say that you did this and didn't report it, but had his wife report it later to skirt the 4th amendment protections? Then you committed more crimes, and a good appeals attorney would be able to get this (entirely made up) man out of prison.
@bigfrankfraser1391 9 months ago
@Terraphice 4th amendment? What makes you think I'm a bloody yank? You do realise other countries have private detectives as well. Just so you know, America doesn't run the planet, so stop acting like you have authority to speak.
@JarppaGuru 2 years ago
yes unlocked computer where you can do it anyway
@16.077 2 years ago
ok
@innerfire369 2 years ago
Hey, but you don't need to know the path, right? ^
@macewatson3647 2 years ago
!meow
@bartlx 2 years ago
A 12 minute video for information you could read off a notepad in under a minute. But hey, that's just how it is these days, I guess.
@davidjhon5668 2 years ago
fail, doesn't work
@thepast2007 2 years ago
How to enter to wifi but in silent mode without knowing any user, and hacking Android devices 👺 Please create a big video for this topic
@Desenrad 2 years ago
Getting into coding and hacking sounds fun. But it ends up not being so fun when you can’t legally do any of this.
@teogorqui7061 2 years ago
True 😂
@TheRossMadness 2 years ago
You can. There's whole sections of cybersecurity that do this exact thing. Pentesters are authorized hackers and are contracted to attempt to infiltrate a client network or systems. There are even physical pentesters who are hired to break into physical locations and use devices like the Bash Bunny or Ducky.
@oc4725 2 years ago
Just work for the cia ez
@letsgetto1millwithoutvids 2 years ago
Or just use a bad USB. The malduino is good.
@localboxcrox 2 years ago
Surprisingly uninformative.