Menu
0
    0

    Your Cart is Empty

    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

    PAYLOAD HUB
    Discover creative payloads from the Hak5 community with filtering by device and category.

    PAYLOAD STUDIO
    Unleash your hacking creativity with this full-featured web-based Payload development environment.

    PAYLOAD AWARDS
    Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

    ADVANCED DUCKYSCRIPT COURSE
    Learn directly from the creators! Unlock your creative potential with this comprehensive online course.

    [PAYLOAD] SERIES
    Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

    Community developed payloads for Hak5 gear are featured and awarded at PayloadHub — a growing library of currated content.

    Unleash your hacking creativity with the online payload editor: PayloadStudio

    Link to your collections, sales and even external links

    Add up to five columns

    Home  / Bash Bunny

    Geofencing for the Bash Bunny Mark II

    Once upon a time a friend of mine robbed the wrong bank. True story. Turns out he got the directions wrong on a physical engagement.

    Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the Bash Bunny Mark II can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it's certain to be in the defined area.

     

    THE SCENARIO

    Imagine an engagement where you want to exfiltrate loot from the boss' home office. You know she has IoT gear all around her house — voice assistants, wireless lamps, bluetooth speakers. You also know that you definitely don't want the payload to run if by chance the Bash Bunny walks. Geofencing time!

    It's easy — just prefix your payload with this:

    WAIT_FOR_PRESENT name-of-btle-device

    Now the payload is paused until the Bluetooth low energy device specified is seen. Similarly the geofencing feature can be used to exclude a certain area — only running when Bluetooth devices are not visible.

    WAIT_FOR_NOT_PRESENT name-of-btle-device

    So, how do we know which devices are where? I'm glad you asked. Enter the Bluetooth Geofence Profiler payload.

     

    THE CODE

    # Title:       Bluetooth Geofence Profiler
# Description: Saves bluetooth scan in loot folder for geofenced payloads
# Author:      Hak5Darren
# Version:     1.0
# Category:    General

#
# Enable serial BTLE module
#
LED SETUP
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost 
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost 
sleep 1

#
# Set BTLE module to observation mode
#
echo -n -e "AT+ROLE=2" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1

#
# Copy strings from 10 second observation scan to file in loot folder
#
LED ATTACK
timeout 10s cat /dev/ttyS1 > /tmp/bt_observation
strings /tmp/bt_observation > /root/udisk/loot/btle-profile.txt

#
# Sync file system and finish
#
LED CLEANUP
sync
LED FINISH

    Load this payload to your switch position of choosing and execute while in the vicinity you wish to wirelessly profile. It'll create a new btle-profile.txt file in the loot folder. In it you'll find strings from the BTLE wireless landscape. For example, at my place I find the following:

    Ld+x
LE-Bose SoundLink Micro
Ld+x
MBAudio

     

    PULLING OFF THE ATTACK

    Armed with the Bluetooth Low Energy landscape of our target, we can populate our payload with WAIT_FOR_PRESENT commands to prevent the payload from further executing until, as the Ducky Script command implies, they're present.

    Double up on the devices to even further the specificity!

    WAIT_FOR_PRESENT SoundLink
    WAIT_FOR_PRESENT MBAudio

    Even if the Bash Bunny finds its way into an area where another Bose SoundLink Micro device lives, the payload will continue to halt until MBAudio is also seen. The more devices are specified, the greater the geofence.

     

    HOW GEOFENCING WORKS

    The WAIT_FOR_PRESENT extension accepts a single parameter ($1) — in our case SoundLink or MBAudio — and continues looping over a scan of the BTLE landscape until the string specified is found via grep.

    This is the same extension that can be used for remote triggers for multi-stage payloads. 


    Also in Bash Bunny

    Remote Triggers for the Bash Bunny Mark II
    Remote Triggers for the Bash Bunny Mark II

    One of the greatest new features of the Bash Bunny Mark II is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I'll demonstrate how to use this handy new feature.
    Getting Root on a Bash Bunny from the Serial Console
    Getting Root on a Bash Bunny from the Serial Console

    Throughout the history of personal computers, serial has been a mainstay for file transfer and console access. To this day it’s widely used, from headless servers to embedded microcontrollers. With the Bash Bunny, we’ve made it convenient as ever – without the need for a serial-to-USB converter.
    Top 5 file stealing
    Top 5 file stealing "exfiltration" payloads for the Bash Bunny

    As anyone in IT knows, two is one — one is none. It’s important to backup your documents. As a pentesters know, exfiltration is a fancy word for an involuntary backup. To that end, the Bash Bunny features at storage attack mode capable of intelligent exfiltration with gigs of high speed storage.

    Guides

    x