FlipperZero explained: what a Tamagotchi-like tool is actually capable of


Introduced initially as a Kickstarter campaign seeking to raise $60K towards the end of 2022, the FlipperZero has taken the security world by storm, producing dozens of YouTube videos, write-ups, GitHub repos, and derivative products to extend its capabilities.

Hailed as a ‘Swiss-army knife for geeks and pentesters,’ this handy little multi-tool might be what's missing in your approach to physical and wireless security testing. Capable of assessing and compromising a broad spectrum of radio and wireless signals, this tool, developed by Pavel Zhovner, excels in performing a wide variety of security tasks that have not been commercially possible in a platform of this size until now.

From a cybersecurity perspective, the FlipperZero excels at cloning and replaying access badges, capturing, replaying, or abusing wireless network signals, and leveraging semi-sophisticated scripts to attack enterprise devices like laptops or wireless access points. The infographic below summarizes the core technologies the FlipperZero is capable of interacting with or potentially abusing.

ADVERTISEMENT
Technology categories available for testing using a FlipperZero
The current menu of technology categories available for testing using a FlipperZero.

The FlipperZero firmware is open-source and highly extensible, allowing users to add or expand the core platform features, drastically increasing its effectiveness. Several evolutions of the FlipperZero firmware often referred to as ‘DarkFlippers,’ are available via various GitHub repositories, including the Unleashed, RogueMaster & X-treme firmware editions.

Flashing a new firmware on your FlipperZero may void the warranty or break the functionality and usability of the device. It is generally advised that these actions are avoided and if these actions do occur, that the device is backed up before attempting firmware upgrades or modification. This article will explore high-level examples of how a FlipperZero can aid in physical or wireless penetration testing exercises using the X-treme (aka ClaraCrazy) firmware edition, paired with a Wi-fi Developer Board running Marauder firmware.

The FlipperZero also provides numerous management options via a mobile application and the qFlipper Desktop application, which ease the platform's administration. While not required, the FlipperZero works best with an SD card inserted and configured to serve as storage for the FlipperZero database.

The qFlipper Windows dekstop app interface
The ‘qFlipper’ Windows desktop application allows direct interaction with the FlipperZero device and provides several options to backup or restore firmware, displays the current version of the firmware (Release 0.75.0) and the device name(Orumo).

The FlipperZero can fit into penetration testing exercises in a variety of ways. While this device can assess or manipulate wireless network traffic from a distance, it excels at nearby interactions such as script execution via USB, credential theft, and brute-forcing a variety of other devices such as safes, badge access readers, or even garage door openers.

The infographic below suggests one of many approaches where the FlipperZero could obtain access to a client facility or evaluate other aspects of physical and wireless network security. The FlipperZero must typically be within a few inches of an access badge or other NFC-based authenticator for identification and cloning operations to succeed. The antennas on the FlipperZero device are easily defeated in current models by sleeved badges which protect from RFID scanning or those buried under a few layers of clothing or badges contained within a wallet or purse.

Test workflow that incorporates a FlipperZero
A potential penetration test workflow that incorporates a FlipperZero throughout various phases or objectives. The FlipperZero can be used to gain initial access through cloning badges, then in various phases afterwards.
ADVERTISEMENT

The article will shift to pointed examples demonstrating how to use a FlipperZero directly and effectively, starting with badge cloning, BadUSB script examples, and running the Wi-Fi-Marauder application for wireless assessments. Starting with access badge cloning, this technique is a straightforward affair when access badges are left unattended (you do get lucky often here), hanging loosely on a lanyard, or can be accessed directly through a single layer of an individual’s clothing. From the 125 kHz RFID menu, select “Read” then hold the Flipper antenna over the card as depicted in the image below.

Once cloned successfully, the “Emulate” feature then allows the replaying of cloned badges at any reader, granting the holder of the cloned badge the same access as the original. Replayed credentials cannot be easily distinguished from the original in security logs, allowing the masquerading of users on a large scale. The effectiveness of the FlipperZero badge cloning technique reduces significantly when adopting encrypted communications between readers and access badges, RFID sleeves for employee badges to prevent cloning attempts, and awareness training for employees on the proper use or storage of access badges.

The Flipper Badge Reading feature
The Flipper Badge Reading feature which assess both Amplitude-Shift Keying (ASK) and Phase-Shift Keying (PSK) modulation schemes for digital access badges.

BadUSB is one of the more thrilling features of the FlipperZero due to its versatility in performing a variety of traditional pentesting techniques through script execution. Numerous repositories on GitHub provide field-tested BadUSB scripts out of the box. Some of the more notable repositories include Hak5, FalsePhilosopher, UNC0V3R3D, and I-Am-Jakoby. BadUSB will not typically succeed in sophisticated security environments that enforce the broader set of User Access Control (UAC) policies via Microsoft Group Policy or strong endpoint protections like Windows Defender or Crowdstrike Falcon, where many organizations may remain surprisingly lax.

This article will assume a scenario where an unattended administrator PC is discovered and has several BadUSB scripts executed against it, which succeed in the disablement of key security features such as Windows Firewall or UAC notifications and theft of all known Wi-fi keys on the device. Other BadUSB scripts, such as downloading and running Mimikatz to dump the SAM database, execution of reverse shells using Netcat, and installing backdoors via registry keys or other administrator accounts are also available.

To access, download or modify BadUSB scripts, they are typically located in the BadUSB folder on the onboard SD card, as shown below. Penetration testers or malicious hackers often attempt to disable or circumvent endpoint controls to achieve lateral movement or perform privilege escalation. Several BadUSB scripts executed from a FlipperZero can help realize these goals. Starting with the “disable_uac” script, the FlipperZero can suppress notifications to the user when applications modify computer settings or install the software.

Default storage location for FlipperZero BadUSB
The default storage location for FlipperZero BadUSB scripts is “SD Card/BadUSB”.

A BadUSB script is executed by attaching the FlipperZero to a target machine via USB, navigating to the BadUSB menu option, selecting the script of choice, and running it by clicking the center button. Before execution of the “disable_uac” script, UAC on the target machine starts at the top-most “Always Notify” option and then ends at “Never Notify” following script execution.

Next, the “disable_firewall” BadUSB script is executed, turning off the various protection features offered by the Windows firewall, which assists devices in blocking internet-borne attacks and malicious software installation attempts.

Accessing the "disable_UAC" BadUSB
Accessing the “disable_UAC” BadUSB script from the FlipperZero.
ADVERTISEMENT
Accessing the "disable_UAC" BadUSB 2
The “disable_uac” BadUSB script sets Windows User Account Control to “Never Notify”
Accessing the "disable_UAC" BadUSB 3
The “disable_firewall” BadUSB Script achieves complete disablement of the Windows Defender Firewall.

The following BadUSB script is a little more advanced in its execution. Where the “disable_uac” and “disable_firewall” scripts perform simplistic string and keyboard inputs to achieve their desired outcomes, the “Wifi-Stealer_ORG” script leverages a short series of PowerShell commands that grab all known SSID information and stored W-Fi access keys, separates the data into distinct files, and places them on the targeted machines desktop for extraction.

The files can be easily emailed off the target computer using additional ‘Send-MailMessage’ PowerShell cmdlets or be stored in a less obvious location by altering the file path of the existing script. An example output file from the script output is shown below, revealing valid Wi-fi access keys which could be abused at an attacker's leisure.

The “Wifi-Stealer_ORG” script
The “Wifi-Stealer_ORG” script captures Wi-Fi access key and network information for 5 different networks that the victim device interacted with and separates the data for each saved network into separate files for analysis on the target machine’ Desktop.

Another exciting and highly flexible capability of the FlipperZero is conducting Wi-Fi-focused assessments using a Developer Wi-Fi dev board. After flashing the Marauder firmware onto the Developer board, the FlipperZero becomes a highly capable Wi-Fi penetration testing platform. The Marauder firmware allows the FlipperZero to identify in-range wireless networks, examine connected clients, perform probing attacks, and de-authenticate wireless clients, providing much of the desired capabilities found in traditional Wi-Fi assessment tools like Aircrack-ng.

The below example will demonstrate the identification of wireless networks, how to select networks for assessment, and the result of performing a ”RickRoll” attack against a wireless client. The first step involves selecting the “Wi-Fi Marauder” GPIO application, scanning Wi-Fi access points, selecting a target network, and then flooding the target network with beacon frames adverting false networks named after the song lyrics from “Never Gonna Give You Up” by Rick Astley. These activities measure the potential for ‘Adversary- in-the-Middle’ risks to be realized, aka ‘Evil Twin’ attacks, and will hopefully trigger employees reporting suspicious network activity.

Configuration of Wi-Fi penetration
From the Applications 🡪 GPIO menu, selecting “[ESP32] Wi-Fi Marauder” will provide access to configure Wi-Fi penetration testing features.
Configuration of Wi-Fi penetration 2
Setting the scan type to “access point” (ap) will focus assessments on identified access points directly and not connected stations or devices.
Configuration of Wi-Fi penetration 3
The FlipperZero saves identified networks resulting from the ap scan and allows them to be selectively targeted by referring to their numeric ID in the listed table.
ADVERTISEMENT
Configuration of Wi-Fi penetration 4
After selecting the access point, a ‘rickroll’ attack is performed which sends beacons frames advertising fake networks to wireless clients.
Configuration of Wi-Fi penetration 5
Wireless clients observe fraudulent SSIDs when the ‘rickroll’ attack is active. Attempting to connect will result in no further activity or successful network connectivity.

This article merely skimmed the tip of the iceberg regarding what a FlipperZero is capable of from a signal analysis and security assessment perspective. There are several competing products on the market offering similar features. Still, many are hyper-focused on a lesser selection of capabilities compared to the FlipperZero, are more costly, and lack general flexibility regarding firmware modifications or expanding the solution's capabilities. The article purposefully showcased minor examples of how a FlipperZero can augment the approach and toolsets used during security assessment, aiming to pique the reader's curiosity to try and adapt the significant applications in future testing efforts. The only way a device as small and stealthy as a FlipperZero could be improved was if a fully-fledged penetration testing system like Kali Linux or ParrotOS was also shipped onboard.

As it just so happens, it looks like Flipper Devices Inc is already hard at work to scratch that itch with the FlipperOne, which is currently under development.