> For the complete documentation index, see [llms.txt](https://documentation.hak5.org/bash-bunny/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://documentation.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii.md). # Geofencing for the Bash Bunny Mark II Once upon a time a friend of mine robbed the wrong bank. True story. Turns out he got the directions wrong on a physical engagement. Hotplug attacks are great, until they're not — which is why it's important to limit the scope of engagement. Thankfully the [Bash Bunny Mark II](https://hak5.org/products/bash-bunny) can do this with a geofencing feature using bluetooth signals to prevent payloads from running unless it's certain to be in the defined area. ![](https://cdn.shopify.com/s/files/1/0068/2142/files/geofencing_535a1462-2eba-4ffc-ae0b-09a35c12f755.jpg?v=1628356700) ### THE SCENARIO Imagine an engagement where you want to exfiltrate loot from the boss' home office. You know she has IoT gear all around her house — voice assistants, wireless lamps, bluetooth speakers. You also know that you definitely don't want the payload to run if by chance the Bash Bunny walks. Geofencing time! It's easy — just prefix your payload with this: > ``` > WAIT_FOR_PRESENT name-of-btle-device > ``` Now the payload is paused until the Bluetooth low energy device specified is seen. Similarly the geofencing feature can be used to exclude a certain area — only running when Bluetooth devices are not visible. > ``` > WAIT_FOR_NOT_PRESENT name-of-btle-device > ``` So, how do we know which devices are where? I'm glad you asked. Enter the [Bluetooth Geofence Profiler payload](https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/general/bluetooth-geofence-profiler/payload.txt). ### THE CODE > ``` > # Title: Bluetooth Geofence Profiler > # Description: Saves bluetooth scan in loot folder for geofenced payloads > # Author: Hak5Darren > # Version: 1.0 > # Category: General > > # > # Enable serial BTLE module > # > LED SETUP > stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost > stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost > sleep 1 > > # > # Set BTLE module to observation mode > # > echo -n -e "AT+ROLE=2" > /dev/ttyS1 > echo -n -e "AT+RESET" > /dev/ttyS1 > > # > # Copy strings from 10 second observation scan to file in loot folder > # > LED ATTACK > timeout 10s cat /dev/ttyS1 > /tmp/bt_observation > strings /tmp/bt_observation > /root/udisk/loot/btle-profile.txt > > # > # Sync file system and finish > # > LED CLEANUP > sync > LED FINISH > ``` Load this payload to your switch position of choosing and execute while in the vicinity you wish to wirelessly profile. It'll create a new btle-profile.txt file in the loot folder. In it you'll find strings from the BTLE wireless landscape. For example, at my place I find the following: > ``` > Ld+x > LE-Bose SoundLink Micro > Ld+x > MBAudio > ``` ### PULLING OFF THE ATTACK Armed with the Bluetooth Low Energy landscape of our target, we can populate our payload with WAIT\_FOR\_PRESENT commands to prevent the payload from further executing until, as the Ducky Script command implies, they're present. Double up on the devices to even further the specificity! `WAIT_FOR_PRESENT SoundLink`\ `WAIT_FOR_PRESENT MBAudio` Even if the Bash Bunny finds its way into an area where another Bose SoundLink Micro device lives, the payload will continue to halt until MBAudio is also seen. The more devices are specified, the greater the geofence. ### HOW GEOFENCING WORKS The [WAIT\_FOR\_PRESENT extension](https://github.com/hak5/bashbunny-payloads/blob/master/payloads/extensions/wait_for_present.sh) accepts a single parameter ($1) — in our case SoundLink or MBAudio — and continues looping over a scan of the BTLE landscape until the string specified is found via grep. This is the same extension that can be used for [remote triggers](https://hak5.org/blogs/bash-bunny/remote-triggers-for-the-bash-bunny-mark-ii) for multi-stage payloads. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://documentation.hak5.org/bash-bunny/beginner-guides/geofencing-for-the-bash-bunny-mark-ii.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.