Trevor Carstensen Cybersecurity Portfolio

Silent Hash Snatcher: BadUSB Lock Picker

In 2010, a mysterious computer worm called Stuxnet made history by compromising Iran’s nuclear facilities through an ingeniously simple vector: USB drives. The malware spread through USB devices plugged into air-gapped systems, demonstrating how even the most secure facilities could be breached through trusted peripheral devices.

Over a decade later, USB devices remain a critical attack vector, but the techniques have evolved. BadUSB attacks don’t need complex malware – they can capture authentication credentials within seconds by exploiting the trust operating systems place in Human Interface Devices (HID). Using tools like the Bash Bunny, an attacker can simultaneously emulate a keyboard and network adapter, bypassing standard security controls with remarkable efficiency.

Today we will look at a modern USB-based attack chain, from initial credential capture to password cracking techniques. Giving us access to the system in less than a minute.

Technical Overview: Dual Trust Exploitation

This attack leverages two critical trust relationships in modern operating systems: USB HID (Human Interface Device) and network adapter trust.

Key Attack Vectors:

  1. HID Trust Exploitation
  • OS inherently trusts keyboard input devices
  • HID devices bypass standard USB security controls
  • Allows privileged command execution via keystroke emulation
  1. RNDIS Network Trust
  • Windows automatically accepts USB network adapters
  • Creates direct network connection outside normal segmentation
  • Enables network protocol interception via Responder
  • Bypasses 802.1x port security controls

Authentication Capture

  • The attack uses NTLM authentication flows:
  • Avoids triggering account lockouts or security alerts
  • System auto-initiates authentication via Windows network discovery
  • Responder intercepts broadcast protocols
  • Captures NTLM hash for offline password recovery

The following diagram illustrates the complete attack chain, from initial deployment through offline password cracking options:

Setting up our bash bunny for the attack

This attack chain is based on the BashBunny payload developed by rf_bandit and is named BunnyPicker. The implementation has been analyzed and documented for educational purposes in controlled lab environments.

Prerequisites

  • Responder – For NTLM hash interception
  • Password Cracking Tool (default is john the ripper):
  • Word list – Ideally a smaller or targeted word list for the sake of speed and saving disk space on the bash bunny
    • Recommended: Targeted lists from SecLists based on your environment
    • Alternative: Truncated version of larger lists (e.g., top 100k passwords)

Understanding the Attack Script

After setting up the required tools, let’s break down how the BunnyPicker payload actually works. Walking through each component of the script and explaining its role in the attack chain.

Initial Configuration

The script begins by setting up essential parameters:

RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/bunnypicker

These lines establish:

  • Responder’s configuration for hash capture
  • A designated directory for storing captured credentials

The Responder flags are chosen to:

  • Intercept Windows authentication attempts
  • Handle NetBIOS redirection
  • Provide detailed logging
  • Avoid interference from WPAD

Hardware Configuration

ATTACKMODE HID RNDIS_ETHERNET

This line configures the Bash Bunny to present itself as two devices simultaneously:

  • A Human Interface Device (keyboard)
  • A network adapter

HID Emulation Bypass

When the device presents as HID:

  • Most systems inherently trust keyboard devices due to accessibility requirements
  • Even with USB device control policies, HID devices often remain allowed
  • DLP (Data Loss Prevention) systems typically can’t block keyboard input
  • The device can simulate keystrokes that would require elevated privileges

RNDIS Network Bypass

The RNDIS configuration:

  • Presents as a standard Windows networking adapter
  • Often bypasses 802.1x port security since it’s not using the physical NIC
  • Creates a direct network connection that exists outside normal network segmentation
  • Can still capture local authentication attempts even if blocked from broader network access

Directory Structure

mkdir -p $LOOTDIR/$HOST-$COUNT<br>mkdir -p /root/loot/bunnypicker/$HOST-$COUNT

The script creates organized directories for:

  • Storing captured hashes
  • Maintaining attack session data
  • Ensuring data redundancy

Attack Flow

# Run Responder
python Responder.py -I usb0 $RESPONDER_OPTIONS &

# Wait for hash capture
until [ -f logs/*NTLM* ]
do
     sleep 1
done
  • Launches Responder to capture NTLM hashes
  • Waits until hash capture is successful

What is responder?

Responder is a network analysis tool that operates by exploiting how Windows systems handle name resolution and authentication. Here’s how it works technically:

  1. Sets up rogue services (SMB, HTTP, LDAP, etc.) that listen for broadcast requests
  2. When Windows systems attempt name resolution, Responder answers their queries
  3. Forces NTLM authentication by responding with prompts that require Windows authentication
  4. Captures and logs the NTLM challenge/response exchanges

Key mechanisms:

Capturing authentication attempts and storing hashed credentials

Poisoning common protocols like LLMNR, NBT-NS, and MDNS

Spoofing network services to seem legitimate to Windows clients

Password Cracking

./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
  • Uses John the Ripper with specified wordlist to crack captured hashes
  • Stores results in a .pot file

John the ripper?

John the Ripper (JtR) is a powerful password cracking tool that handles many hash types, including NTLM. After capturing hashes from Windows systems (like through Responder or from SAM dumps), you can use JtR to attempt cracking them through various methods including dictionary attacks, brute force, or rule-based approaches

System Access

QUACK ESC
DELAY 100
QUACK $SWITCH_POSITION/pass.txt
QUACK ENTER
  • Uses the cracked password to attempt system access
  • Simulates keyboard input using QUACK commands

Attack in action

Technical Details to Note

  1. LED Indicators
  • Uses different LED colors to indicate attack stages:
    • SETUP: Initial configuration
    • ATTACK: Active hash capture
    • STAGE1: Password cracking
    • STAGE2: Credential deployment
    • FINISH: Successful completion
  1. Error Handling
if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
   LED FAIL3
   exit 1
fi
  • Checks for empty pot file (failed crack)
  • Exits with failure indication if cracking unsuccessful

Even if the password crack was unsuccessful (typically should not use a very large word list, it’s not the fastest computer and is mostly for quick wins) but can then be taken to a more powerful computer.

  • Initial word list is limited due to time/storage constraints
  • Offline allows use of:
    • Much larger dictionaries
    • Multiple specialized word lists
    • Custom word lists based on target organization
    • Combined/hybrid attack modes

Limitations and Scope

Windows Systems

  • Fully functional on Windows 10 and Windows 11
  • Requires an active user session
  • Works regardless of screen lock state

Unix/Linux Systems

Limited functionality, but can capture hashes if the system uses:

  • Active Directory integration
  • Samba file sharing
  • NTLM-authenticated web services

Key Limitations

User Session Requirements

  • Requires an active user session on the target machine
  • Will not work on:
  • Completely logged out systems
  • Fresh boot scenarios
  • Systems with no active users

Additional Resources

For those interested in learning more about these techniques or practicing in controlled environments, here are some valuable resources:

HackTheBox

  • Responder Machine
    • Hands-on practice with NTLM relay attacks
    • Experience with Responder in a realistic environment

TryHackMe

Professional Equipment

  • Hak5 Shop
    • Source for BashBunny and other security tools
    • Professional-grade penetration testing hardware

DIY Alternatives