Geofencing for the Bash Bunny Mark II

Last updated 3 years ago

Once upon a time a friend of mine robbed the wrong bank. True story. Turns out he got the directions wrong on a physical engagement.

Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the Bash Bunny Mark II can do this with a geofencing feature that uses Bluetooth signals to prevent payloads from running unless the device is certain to be in the defined area.

THE SCENARIO

Imagine an engagement where you want to exfiltrate loot from the boss' home office. You know she has IoT gear all around her house — voice assistants, wireless lamps, bluetooth speakers. You also know that you definitely don't want the payload to run if by chance the Bash Bunny walks. Geofencing time!

It's easy — just prefix your payload with this:

WAIT_FOR_PRESENT name-of-btle-device

Now the payload is paused until the Bluetooth low energy device specified is seen. Similarly the geofencing feature can be used to exclude a certain area — only running when Bluetooth devices are not visible.

WAIT_FOR_NOT_PRESENT name-of-btle-device

THE CODE

# Title:       Bluetooth Geofence Profiler
# Description: Saves bluetooth scan in loot folder for geofenced payloads
# Author:      Hak5Darren
# Version:     1.0
# Category:    General

#
# Enable serial BTLE module
#
LED SETUP
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost 
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost 
sleep 1

#
# Set BTLE module to observation mode
#
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1

#
# Copy strings from 10 second observation scan to file in loot folder
#
LED ATTACK
timeout 10s cat /dev/ttyS1 > /tmp/bt_observation
strings /tmp/bt_observation > /root/udisk/loot/btle-profile.txt

#
# Sync file system and finish
#
LED CLEANUP
sync
LED FINISH

Load this payload to your switch position of choosing and execute while in the vicinity you wish to wirelessly profile. It'll create a new btle-profile.txt file in the loot folder. In it you'll find strings from the BTLE wireless landscape. For example, at my place I find the following:

Ld+x
LE-Bose SoundLink Micro
Ld+x
MBAudio

PULLING OFF THE ATTACK

Armed with the Bluetooth Low Energy landscape of our target, we can populate our payload with WAIT_FOR_PRESENT commands to prevent the payload from further executing until, as the Ducky Script command implies, they're present.

Double up on the devices to even further the specificity!

WAIT_FOR_PRESENT SoundLink
WAIT_FOR_PRESENT MBAudio

Even if the Bash Bunny finds its way into an area where another Bose SoundLink Micro device lives, the payload will continue to halt until MBAudio is also seen. The more devices are specified, the more specific the geofence.

HOW GEOFENCING WORKS

So, how do we know which devices are where? I'm glad you asked. Enter the Bluetooth Geofence Profiler payload.

The WAIT_FOR_PRESENT extension accepts a single parameter ($1) — in our case SoundLink or MBAudio — and keeps looping over a scan of the BTLE landscape until the specified string is found via grep.

This is the same extension that can be used for remote triggers in multi-stage payloads.
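To make the loop-and-grep behaviour concrete, here is an added example that is not Hak5's extension or any code from this page: a simplified stand-in that reads a scan-result file instead of /dev/ttyS1, so it can be run offline, and that also covers the "double up" case (several device names must all be visible) and the WAIT_FOR_NOT_PRESENT case. The device names and the scan contents are constructed; MAX_TRIES is an assumption added so the loop terminates.

```shell
#!/bin/sh
# Added example (not the Hak5 WAIT_FOR_PRESENT extension): the same "scan,
# grep for a name, repeat" idea, but driven by a scan-result file so it can be
# tested offline.

# Constructed BTLE observation, modelled on the btle-profile.txt output shown above.
SCAN_FILE=$(mktemp)
printf 'Ld+x\nLE-Bose SoundLink Micro\nLd+x\nMBAudio\n' > "$SCAN_FILE"

# scan_has FILE NAME -> exit 0 if NAME appears anywhere in the scan (fixed-string grep,
# matching the way the extension checks a single $1 value).
scan_has() {
    grep -q -F -- "$2" "$1"
}

# all_present FILE NAME... -> exit 0 only when every NAME is visible.
# This is the effect of stacking several WAIT_FOR_PRESENT lines: an AND of all of them.
all_present() {
    ap_file="$1"; shift
    for ap_name in "$@"; do
        scan_has "$ap_file" "$ap_name" || return 1
    done
    return 0
}

# any_present FILE NAME... -> exit 0 if at least one NAME is visible.
any_present() {
    an_file="$1"; shift
    for an_name in "$@"; do
        scan_has "$an_file" "$an_name" && return 0
    done
    return 1
}

# wait_for FILE MODE NAME... -> loop until the condition holds, re-reading FILE on each
# pass (standing in for a fresh serial observation). MODE is "present" (all names seen,
# like WAIT_FOR_PRESENT) or "absent" (no name seen, like WAIT_FOR_NOT_PRESENT).
# MAX_TRIES (assumed, default 3) bounds the loop; the real extension loops indefinitely.
wait_for() {
    wf_file="$1"; wf_mode="$2"; shift 2
    wf_tries=0
    while [ "$wf_tries" -lt "${MAX_TRIES:-3}" ]; do
        case "$wf_mode" in
            present) all_present "$wf_file" "$@" && return 0 ;;
            absent)  any_present "$wf_file" "$@" || return 0 ;;
        esac
        wf_tries=$((wf_tries + 1))   # a real implementation would rescan and sleep here
    done
    return 1
}
```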
