The Bash Bunny is an advanced USB attack tool from Hak5 that looks like an ordinary USB stick. Unlike the simpler Rubber Ducky, it can simultaneously impersonate multiple devices: keyboard, network adapter, and USB storage. A physical switch on the device lets you preload up to two attack payloads and activate them instantly. Particularly dangerous: as a network adapter, it can trick Windows into automatically transmitting credentials – without the user noticing anything.
The Bash Bunny poses as an Ethernet adapter. Windows automatically tries to authenticate on the network and sends the NTLM password hash – which the attacker intercepts.
Simultaneously or alternatively, it can act as a keyboard and inject commands – just like a Rubber Ducky, but with more control and combination payloads.
As USB storage, it can copy files, browser passwords, or SSH keys from the target machine – fully automatically upon insertion.
The Bash Bunny's strength lies in combination: network adapter + keyboard simultaneously allows complex attacks that simpler devices cannot perform.
Hundreds of ready-made payloads are available on GitHub – from password dumps to backdoor installations. No programming knowledge required.
In the third switch position, the device enters development mode and appears as a normal drive – making it easy to upload new payloads.
Automatic Windows authentication: Windows automatically tries to authenticate on the network behind every new network adapter. This mechanism was designed for convenience, not security.
Hash = password substitute: A captured NTLM hash can be used directly for Pass-the-Hash attacks – without knowing the plaintext password.
No user interaction required: The attack runs fully automatically. The user needs to click nothing, confirm nothing.
1. Never plug in unknown USB devices: Do not connect USB devices of unknown origin, even ones that look like ordinary sticks.
2. Lock USB ports: Device control via Windows Group Policy or endpoint security software.
3. Disable NTLM (Enterprise): In modern Windows environments, NTLM can be disabled in favor of Kerberos.
4. Network segmentation: Stolen hashes are less valuable when the network is segmented and access is restricted.
5. Lock your computer: The attack requires physical access. Always lock your computer when you leave your workstation.
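As a detection-side complement to the device control in point 2, the following added example (not from the original page or from Hak5) flags a single USB device that presents two or more of the roles described above (keyboard, network adapter, storage) within a few seconds. The record format, device ids and allowlist are constructed for illustration; docking stations and phones also appear as multi-role devices, which is what the allowlist is for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, made-up format (not real OS log output).
# Fields: timestamp, physical USB port, device id (placeholder values), function class.
SAMPLE_LOG = """\
2024-05-14T09:00:01 port=1-1 id=aaaa:0001 class=hid-keyboard
2024-05-14T09:00:02 port=1-3 id=bbbb:0002 class=mass-storage
2024-05-14T11:30:10 port=1-4 id=cccc:0003 class=net
2024-05-14T11:30:12 port=1-4 id=cccc:0003 class=hid-keyboard
2024-05-14T13:05:00 port=2-1 id=dddd:0004 class=net
2024-05-14T13:05:01 port=2-1 id=dddd:0004 class=hid-keyboard
2024-05-14T13:05:01 port=2-1 id=dddd:0004 class=mass-storage
2024-05-14T15:00:00 port=1-3 id=eeee:0005 class=net
2024-05-14T15:20:00 port=1-3 id=eeee:0005 class=hid-keyboard
"""

WATCHED = {"hid-keyboard", "net", "mass-storage"}

def parse(line):
    """Split one record into (timestamp, port, device id, class)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), fields["port"], fields["id"], fields["class"]

def find_multi_role_devices(log, window_s=10, allowlist=frozenset()):
    """Return one alert per device that exposes two or more watched
    function classes on the same port within `window_s` seconds."""
    by_device = defaultdict(list)
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, port, dev_id, cls = parse(line)
        if cls in WATCHED and dev_id not in allowlist:
            by_device[(port, dev_id)].append((ts, cls))

    alerts, window = [], timedelta(seconds=window_s)
    for (port, dev_id), events in sorted(by_device.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct classes seen from this event until the window closes.
            classes = {c for t, c in events[i:] if t - start <= window}
            if len(classes) >= 2:
                alerts.append((port, dev_id, start.isoformat(), sorted(classes)))
                break  # one alert per device is enough
    return alerts

if __name__ == "__main__":
    # dddd:0004 stands in for an approved docking station (assumption).
    for alert in find_multi_role_devices(SAMPLE_LOG, allowlist={"dddd:0004"}):
        print(alert)
```

The window should stay short: the last device in the sample shows its two roles twenty minutes apart and is deliberately not flagged at the default setting.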