> For the complete documentation index, see [llms.txt](https://documentation.hak5.org/bash-bunny/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://documentation.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii.md). # Remote Triggers for the Bash Bunny Mark II One of the greatest new features of the [Bash Bunny Mark II](https://hak5.org/products/bash-bunny) is remote triggers. With this, a payload — or multiple stages of a payload — can be triggered from afar. These can be done with any bluetooth low-energy device, including most smartphones. In this article I'll demonstrate how to use this handy new feature. ![](https://cdn.shopify.com/s/files/1/0068/2142/files/20210709_203443.jpg?v=1625885066) ### THE SCENARIO Imagine a social engineering engagement where the target is asked to print a document from a flash drive. The Bash Bunny, with `ATTACKMODE STORAGE`, will present itself as just such a benign device in the first stage of an attack. Then the opportunity presents itself to launch a second stage — emulating a `HID` device and performing keystroke injection — when the target turns their back to fetch the printout. ### THE CODE > ``` > # > # Remote Trigger for Bash Bunny Mark II Example > # > LED SETUP > > # > # Stage 1: Benign flash drive > # > ATTACKMODE STORAGE > LED STAGE1 > WAIT_FOR_PRESENT myphone > > # > # Stage 2: Evil keystroke injection attack > # > ATTACKMODE STORAGE HID > LED STAGE2 > QUACK GUI r > QUACK DELAY 200 > QUACK STRING cmd /k tree c:\ > QUACK ENTER > ``` ### PULLING OFF THE ATTACK For this attack to proceed to the second stage, you simply need to advertise the BLE device named "myphone". This can either be the name of a BLE device that advertises whenever it's on — like a bluetooth speaker — or advertisements specifically sent from an app like [BLE Tool](https://play.google.com/store/apps/details?id=com.cozyoz.bletool). ![](/files/bZUONDSQ0lyp5dzwsdPZ) ### **CONFIGURING BLE TOOL** Any bluetooth utility capable of broadcasting BLE advertisements will work. In testing I often times find myself using the highly configurable and aptly named BLE Tool for Android. If you choose to test with it, there are only 3 steps to follow: 1. Tap GATT Server 2. Specify a device name from the Advertiser settings (under the \[...] menu) 3. Tap Start Advertising ### HOW REMOTE TRIGGERS WORK The `WAIT_FOR_PRESENT` and `WAIT_FOR_NOT_PRESENT` extensions work by setting the BLE module to Observation mode (`AT+ROLE=2`), then continuously saving the scanned airwaves to a temporary file on a 5 second interval (`timeout 5s cat /dev/ttyS1 > /tmp/bt_observation`). That binary file is then checked for the string value specified with the extension (`grep -qao $1 /tmp/bt_observation`). If you're curious what other advertisements might be found, consider running `strings` against this file while in observation mode. For faster remote triggers, consider modifying the extension for shorter scan durations. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://documentation.hak5.org/bash-bunny/beginner-guides/remote-triggers-for-the-bash-bunny-mark-ii.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.