The Bash Bunny is a professional-grade USB pentesting tool designed for cybersecurity specialists, red teamers, and IT auditors who need powerful, automated payload execution from a tiny USB device. Developed by Hak5, this platform revolutionized physical penetration testing by introducing multi-vector USB attacks in a single, easy-to-use form factor.

Note: This product is intended for authorized security testing and IT purposes only. Compliance with local laws and ethical use is the responsibility of the user.

What It Is

A compact yet formidable USB attack platform, the Bash Bunny disguises itself as trusted devices — storage, keyboard, network interface, or serial console — to execute scripts and payloads automatically when plugged in. With a simple flick of the built-in three-position mode switch, it goes from idle to operational in under 7 seconds.

Whether capturing credentials, exfiltrating data, installing backdoors, or automating IT tasks, it’s built to handle advanced operations reliably and efficiently.

Features

Multi-Vector USB Attacks

• Emulates multiple device types — storage, HID (keyboard), Ethernet, serial — simultaneously.

• Ideal for comprehensive attack strategies, like keystroke injection, network hijacking, and stealth payload launches.

Powerful Hardware

• Robust Linux-based platform with quad-core processing power and high-speed internal SSD.

• Fast boot times (~7 seconds), ensuring payloads execute with minimal delay.

• Expandable via high-capacity MicroSD (up to 2 TB on Mark II).

Wireless & Remote Control

• Bluetooth Low Energy (BLE) support enables geofencing and remote triggers.

• Advanced control lets payloads run only in specific environments or on command, enhancing stealth and safety.

Simple Scripting with Ducky Script™

• Create or modify payloads using the well-known Ducky Script language.

• Combine traditional scripted keystrokes with Bash logic and powerful Linux tools for custom operations.

Intelligent Exfiltration

• The Bash Bunny’s storage mode doubles as payload repository and “loot” capture device.

• Store captured files, logs, and outputs effortlessly, then retrieve them like a regular flash drive.

Ideal Suited For

• Red Team Engagements — Execute covert assessments with physical access.

• Security Audits & Training — Demonstrate real-world USB attack vectors.

• Automation Tasks — Perform routine scripting or IT operations with a plug-and-run solution.

Technical Specs

• Boot Time: ~7 seconds

• Internal Storage: 8 GB desktop-class SSD

• Expandable Storage: MicroSD XC support

• Connectivity: USB, Bluetooth LE

• Mode Switch: 3-position selector with RGB LED status indicator

• Console Access: Dedicated serial shell interface

The Bash Bunny turns complex attack workflows into simple text-based payloads that can be reused, shared, and executed across environments. Its blend of power, flexibility, and simplicity makes it a standout tool for seasoned security professionals and advanced hobbyists alike.