In 2010, a mysterious computer worm called Stuxnet made history by compromising Iran’s nuclear facilities through an ingeniously simple vector: USB drives. The malware spread through USB devices plugged into air-gapped systems, demonstrating how even the most secure facilities could be breached through trusted peripheral devices.
Over a decade later, USB devices remain a critical attack vector, but the techniques have evolved. BadUSB attacks don’t need complex malware – they can capture authentication credentials within seconds by exploiting the trust operating systems place in Human Interface Devices (HID). Using tools like the Bash Bunny, an attacker can simultaneously emulate a keyboard and network adapter, bypassing standard security controls with remarkable efficiency.
Today we will look at a modern USB-based attack chain, from initial credential capture to password cracking techniques. Giving us access to the system in less than a minute.
Technical Overview: Dual Trust Exploitation
This attack leverages two critical trust relationships in modern operating systems: USB HID (Human Interface Device) and network adapter trust.
Key Attack Vectors:
- HID Trust Exploitation
- OS inherently trusts keyboard input devices
- HID devices bypass standard USB security controls
- Allows privileged command execution via keystroke emulation
- RNDIS Network Trust
- Windows automatically accepts USB network adapters
- Creates direct network connection outside normal segmentation
- Enables network protocol interception via Responder
- Bypasses 802.1x port security controls
Authentication Capture
- The attack uses NTLM authentication flows:
- Avoids triggering account lockouts or security alerts
- System auto-initiates authentication via Windows network discovery
- Responder intercepts broadcast protocols
- Captures NTLM hash for offline password recovery
The following diagram illustrates the complete attack chain, from initial deployment through offline password cracking options:
Setting up our bash bunny for the attack
This attack chain is based on the BashBunny payload developed by rf_bandit and is named BunnyPicker. The implementation has been analyzed and documented for educational purposes in controlled lab environments.
Prerequisites
- Responder – For NTLM hash interception
- Current version recommended: v3.0.6.0
- GitHub Repository
- Password Cracking Tool (default is john the ripper):
- John the Ripper – For initial on-device password cracking
- hashcat – Alternative option for on-device cracking
- Word list – Ideally a smaller or targeted word list for the sake of speed and saving disk space on the bash bunny
- Recommended: Targeted lists from SecLists based on your environment
- Alternative: Truncated version of larger lists (e.g., top 100k passwords)
Understanding the Attack Script
After setting up the required tools, let’s break down how the BunnyPicker payload actually works. Walking through each component of the script and explaining its role in the attack chain.
Initial Configuration
The script begins by setting up essential parameters:
RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/bunnypickerThese lines establish:
- Responder’s configuration for hash capture
- A designated directory for storing captured credentials
The Responder flags are chosen to:
- Intercept Windows authentication attempts
- Handle NetBIOS redirection
- Provide detailed logging
- Avoid interference from WPAD
Hardware Configuration
ATTACKMODE HID RNDIS_ETHERNETThis line configures the Bash Bunny to present itself as two devices simultaneously:
- A Human Interface Device (keyboard)
- A network adapter
HID Emulation Bypass
When the device presents as HID:
- Most systems inherently trust keyboard devices due to accessibility requirements
- Even with USB device control policies, HID devices often remain allowed
- DLP (Data Loss Prevention) systems typically can’t block keyboard input
- The device can simulate keystrokes that would require elevated privileges
RNDIS Network Bypass
The RNDIS configuration:
- Presents as a standard Windows networking adapter
- Often bypasses 802.1x port security since it’s not using the physical NIC
- Creates a direct network connection that exists outside normal network segmentation
- Can still capture local authentication attempts even if blocked from broader network access
Directory Structure
mkdir -p $LOOTDIR/$HOST-$COUNT<br>mkdir -p /root/loot/bunnypicker/$HOST-$COUNTThe script creates organized directories for:
- Storing captured hashes
- Maintaining attack session data
- Ensuring data redundancy
Attack Flow
# Run Responder
python Responder.py -I usb0 $RESPONDER_OPTIONS &
# Wait for hash capture
until [ -f logs/*NTLM* ]
do
sleep 1
done- Launches Responder to capture NTLM hashes
- Waits until hash capture is successful
What is responder?
Responder is a network analysis tool that operates by exploiting how Windows systems handle name resolution and authentication. Here’s how it works technically:
- Sets up rogue services (SMB, HTTP, LDAP, etc.) that listen for broadcast requests
- When Windows systems attempt name resolution, Responder answers their queries
- Forces NTLM authentication by responding with prompts that require Windows authentication
- Captures and logs the NTLM challenge/response exchanges
Key mechanisms:
Capturing authentication attempts and storing hashed credentials
Poisoning common protocols like LLMNR, NBT-NS, and MDNS
Spoofing network services to seem legitimate to Windows clients
Password Cracking
./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
- Uses John the Ripper with specified wordlist to crack captured hashes
- Stores results in a .pot file
John the ripper?
John the Ripper (JtR) is a powerful password cracking tool that handles many hash types, including NTLM. After capturing hashes from Windows systems (like through Responder or from SAM dumps), you can use JtR to attempt cracking them through various methods including dictionary attacks, brute force, or rule-based approaches
System Access
QUACK ESC
DELAY 100
QUACK $SWITCH_POSITION/pass.txt
QUACK ENTER- Uses the cracked password to attempt system access
- Simulates keyboard input using QUACK commands
Attack in action
Technical Details to Note
- LED Indicators
- Uses different LED colors to indicate attack stages:
- SETUP: Initial configuration
- ATTACK: Active hash capture
- STAGE1: Password cracking
- STAGE2: Credential deployment
- FINISH: Successful completion
- Error Handling
if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
LED FAIL3
exit 1
fi
- Checks for empty pot file (failed crack)
- Exits with failure indication if cracking unsuccessful
Even if the password crack was unsuccessful (typically should not use a very large word list, it’s not the fastest computer and is mostly for quick wins) but can then be taken to a more powerful computer.
- Initial word list is limited due to time/storage constraints
- Offline allows use of:
- Much larger dictionaries
- Multiple specialized word lists
- Custom word lists based on target organization
- Combined/hybrid attack modes
Limitations and Scope
Windows Systems
- Fully functional on Windows 10 and Windows 11
- Requires an active user session
- Works regardless of screen lock state
Unix/Linux Systems
Limited functionality, but can capture hashes if the system uses:
- Active Directory integration
- Samba file sharing
- NTLM-authenticated web services
Key Limitations
User Session Requirements
- Requires an active user session on the target machine
- Will not work on:
- Completely logged out systems
- Fresh boot scenarios
- Systems with no active users
Additional Resources
For those interested in learning more about these techniques or practicing in controlled environments, here are some valuable resources:
HackTheBox
- Responder Machine
- Hands-on practice with NTLM relay attacks
- Experience with Responder in a realistic environment
TryHackMe
- Breaching Active Directory
- Learn Active Directory attack vectors
- Practice credential capture techniques
- Learn Active Directory attack vectors
- Crack the Hash Level 2
- Advanced password cracking techniques
- Practice with various hash types
- Advanced password cracking techniques
Professional Equipment
- Hak5 Shop
- Source for BashBunny and other security tools
- Professional-grade penetration testing hardware
DIY Alternatives
- Poor Man’s Bash Bunny
- Build your own USB attack platform
- Learn hardware basics while creating tools