Hak5 – The longest running YouTube show defines Technolust
ThreatWire – News on security, privacy, and internet freedom!
Metasploit Minute – The break down on breaking in with Mubix
HakTip – Essentials for new hackers, enthusiasts, and IT pros
TRUST YOUR TECHNOLUST
Since 2005 we've proclaimed our love for technology with this simple mantra – and we invite you to share in our passion. Welcome!
One of the greatest new features of the Bash Bunny Mark II is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I'll demonstrate how to use this handy new feature.
Imagine a social engineering engagement where the target is asked to print a document from a flash drive. The Bash Bunny, with ATTACKMODE STORAGE, will present itself as just such a benign device in the first stage of an attack. Then the opportunity presents itself to launch a second stage — emulating a HID device and performing keystroke injection — when the target turns their back to fetch the printout.
# # Remote Trigger for Bash Bunny Mark II Example # LED SETUP # # Stage 1: Benign flash drive # ATTACKMODE STORAGE LED STAGE1 WAIT_FOR_PRESENT myphone # # Stage 2: Evil keystroke injection attack # ATTACKMODE STORAGE HID LED STAGE2 QUACK GUI r QUACK DELAY 200 QUACK STRING cmd /k tree c:\ QUACK ENTER
For this attack to proceed to the second stage, you simply need to advertise the BLE device named "myphone". This can either be the name of a BLE device that advertises whenever it's on — like a bluetooth speaker — or advertisements specifically sent from an app like BLE Tool.
Any bluetooth utility capable of broadcasting BLE advertisements will work. In testing I often times find myself using the highly configurable and aptly named BLE Tool for Android. If you choose to test with it, there are only 3 steps to follow:
The WAIT_FOR_PRESENT and WAIT_FOR_NOT_PRESENT extensions work by setting the BLE module to Observation mode (
AT+ROLE=2), then continuously saving the scanned airwaves to a temporary file on a 5 second interval (
timeout 5s cat /dev/ttyS1 > /tmp/bt_observation). That binary file is then checked for the string value specified with the extension (
grep -qao $1 /tmp/bt_observation).
If you're curious what other advertisements might be found, consider running
strings against this file while in observation mode. For faster remote triggers, consider modifying the extension for shorter scan durations.
Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the Bash Bunny Mark II can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it's certain to be in the defined area.
Get the inside scoop on the latest releases, events, popular payloads and Hak5 Gear tips!