Menu

      Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

      PAYLOAD HUB
      Discover creative payloads from the Hak5 community with filtering by device and category.

      PAYLOAD STUDIO
      Unleash your hacking creativity with this full-featured web-based Payload development environment.

      PAYLOAD AWARDS
      Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

      ADVANCED DUCKYSCRIPT COURSE
      Learn directly from the creators! Unlock your creative potential with this comprehensive online course.

      [PAYLOAD] SERIES
      Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

      Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.

      Unleash your hacking creativity with the online payload editor: PayloadStudio

      Link to your collections, sales and even external links

      Add up to five columns

      Home  / Bash Bunny

      Remote Triggers for the Bash Bunny Mark II

      One of the greatest new features of the Bash Bunny Mark II is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I'll demonstrate how to use this handy new feature.

       

      The Scenario

      Imagine a social engineering engagement where the target is asked to print a document from a flash drive. The Bash Bunny, with ATTACKMODE STORAGE, will present itself as just such a benign device in the first stage of an attack. Then the opportunity presents itself to launch a second stage — emulating a HID device and performing keystroke injection — when the target turns their back to fetch the printout.

       

      The Code

       

      #
# Remote Trigger for Bash Bunny Mark II Example
#
LED SETUP

#
# Stage 1: Benign flash drive
#
ATTACKMODE STORAGE
LED STAGE1
WAIT_FOR_PRESENT myphone

#
# Stage 2: Evil keystroke injection attack
#
ATTACKMODE STORAGE HID
LED STAGE2
QUACK GUI r
QUACK DELAY 200
QUACK STRING cmd /k tree c:\
QUACK ENTER

      Pulling off the Attack

      For this attack to proceed to the second stage, you simply need to advertise the BLE device named "myphone". This can either be the name of a BLE device that advertises whenever it's on — like a bluetooth speaker — or advertisements specifically sent from an app like BLE Tool.

       

      Configuring BLE Tool

      Any bluetooth utility capable of broadcasting BLE advertisements will work. In testing I often times find myself using the highly configurable and aptly named BLE Tool for Android. If you choose to test with it, there are only 3 steps to follow:

      1. Tap GATT Server
      2. Specify a device name from the Advertiser settings (under the [...] menu)
      3. Tap Start Advertising

       

      How Remote Triggers Work

      The WAIT_FOR_PRESENT and WAIT_FOR_NOT_PRESENT extensions work by setting the BLE module to Observation mode (AT+ROLE=2), then continuously saving the scanned airwaves to a temporary file on a 5 second interval (timeout 5s cat /dev/ttyS1 > /tmp/bt_observation). That binary file is then checked for the string value specified with the extension (grep -qao $1 /tmp/bt_observation).

      If you're curious what other advertisements might be found, consider running strings against this file while in observation mode. For faster remote triggers, consider modifying the extension for shorter scan durations. 

       


      Also in Bash Bunny

      Geofencing for the Bash Bunny Mark II
      Geofencing for the Bash Bunny Mark II

      Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the Bash Bunny Mark II can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it's certain to be in the defined area.

      Getting Root on a Bash Bunny from the Serial Console
      Getting Root on a Bash Bunny from the Serial Console

      Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it convenient as ever – without the need for a serial-to-USB converter.
      Top 5 file stealing
      Top 5 file stealing "exfiltration" payloads for the Bash Bunny

      As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a pentesters know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration with gigs of high speed storage.

      Menu title

      • This section doesn’t currently include any content. Add content to this section using the sidebar.