Flipper Zero BadUSB: Getting Started with DuckyScript

After purchasing my Flipper Zero, I found that one of the most useful features it possesses is the BadUSB function. If you're not familiar with the Flipper Zero, you can read my first post about it here.


Flipper Zero BadUSB

The BadUSB feature on the Flipper Zero runs scripts on a computer by emulating a keyboard. The scripts are written in DuckyScript, a scripting language developed by Hak5 for their Rubber Ducky device. When you plug your device into an unsuspecting computer's USB port, you can run scripts to do a wide number of exploits, such as breaking computers out of kiosk mode or copying Wi-Fi passwords off of someone's computer. You can find plenty of premade scripts online at Hak5’s website or by searching GitHub.

Writing Your Own DuckyScript

You can write your own scripts as well. All you need to write scripts for your Flipper Zero is a text editor. Hak5 has a quick reference guide on how to write scripts; you can find it here. It's worth noting that the Flipper Zero states that it only supports DuckyScript 1.0.

Let's write our first simple script. I am writing this on my Chromebook, so let's ask Google Assistant to open my website.

REM A simple test script to open my webpage
DELAY 3000
GUI a
DELAY 1000
STRING open https://lincolncyber.com
ENTER

Save your text file. I'll save mine as duckytest.txt.

Now we need to upload it to our Flipper Zero. I’m going to use the online tool available at https://lab.flipper.net/ to connect to my Flipper.

Connect your Flipper Zero and go to files, and then navigate to the Badusb folder.

Now upload your new script.

Next, close or disconnect from the Flipper Lab site.

Finally, with your Flipper plugged into your computer's USB port, you can run your new script.

Code Explanation

So, what does the code we just wrote mean? It's fairly simple.

REM — This is used to make comments

DELAY — a time delay in milliseconds

GUI — This would be like pressing the Windows key, or in my case the Search Key on my Chromebook

STRING — Inputs a text String

ENTER — Presses the Enter Key

Now that you have the basics down you can start tinkering and building scripts to do some very interesting things.
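Before loading a premade script onto the Flipper, it helps to see what it will type. The following is an added example, not code from the original post or from Hak5 or Flipper: a small Python checker that reads a DuckyScript 1.0 file and reports what it would do without sending any keystrokes. It knows only the five commands explained above; the function name audit, the report fields and the extra TAB line in the sample are assumptions made for illustration.

```python
import re

# Commands explained in the post; any other line is listed for manual review.
KNOWN = {"REM", "DELAY", "GUI", "STRING", "ENTER"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: the script from the post plus one line the checker does not know.
SAMPLE = """REM A simple test script to open my webpage
DELAY 3000
GUI a
DELAY 1000
STRING open https://lincolncyber.com
ENTER
TAB
"""

def audit(script):
    """Summarise what a DuckyScript 1.0 payload would do, without running it."""
    report = {"comments": [], "keys": [], "typed": [], "urls": [],
              "delay_ms": 0, "unreviewed": [], "errors": []}
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.lstrip()  # keep trailing spaces: they are part of a STRING
        if not line.strip():
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.rstrip()
        if cmd not in KNOWN:
            report["unreviewed"].append((lineno, line.rstrip()))
        elif cmd == "REM":
            report["comments"].append(arg)
        elif cmd == "DELAY":
            if arg.strip().isdigit():
                report["delay_ms"] += int(arg)
            else:  # DELAY needs a whole number of milliseconds
                report["errors"].append((lineno, line.rstrip()))
        elif cmd == "STRING":
            report["typed"].append(arg)
            report["urls"].extend(URL_RE.findall(arg))
        else:  # GUI or ENTER: a key press, with an optional key argument
            report["keys"].append(line.rstrip())
    return report

if __name__ == "__main__":
    for field, value in audit(SAMPLE).items():
        print(f"{field}: {value}")
```

Anything that lands in unreviewed or errors should be read by hand against the Hak5 quick reference before the script goes onto the device.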

Hak5 Online IDE

If you want to go further with building your own DuckyScripts, Hak5 offers an online IDE. You can use this to write scripts for their devices and generate the bin file to load onto a Rubber Ducky, or the text file for your Flipper Zero.

The IDE will check your code for errors and help you with the code syntax.

They offer a free community edition as well as a paid pro version. https://payloadstudio.hak5.org/


Convert DuckyScript to Python

One last useful tool I want to touch on is one I found that will convert DuckyScript to Python.

ducky2python is a tool that will take a DuckyScript and convert it into Python. I think this could be useful for anyone who finds or creates a script and would like to implement it in Python without having to write a new Python script from scratch.

Using the script we created earlier, I used this tool to convert it to Python.

# Converted using ducky2python by CedArctic (https://github.com/CedArctic/ducky2python)
import pyautogui
import time

time.sleep(3)  # DELAY 3000
pyautogui.hotkey("win", "A")  # GUI a
time.sleep(1)  # DELAY 1000
pyautogui.typewrite("open https://lincolncyber.com", interval=0.02)  # STRING
pyautogui.hotkey("enter")  # ENTER

I will note that this does not work on my Chromebook, but I believe the issue is because I am running PyCharm as my IDE using the Linux development environment in ChromeOS. When I ran the code it did type the string command but did not open Google Assistant.

Other than that issue, I believe the tool would work well for most needs.

I would like to see if this tool will properly convert more complex DuckyScripts to Python. If so, I think it would be a great time-saving tool, allowing you to convert useful Rubber Ducky scripts to be deployed with Python on the fly.

Conclusion

Overall, I think the BadUSB feature on the Flipper Zero is one of its more useful tools. There is a lot that can be achieved with it. The Flipper Zero offers a great, easy-to-use starting point for people wanting to learn how to use these kinds of tools, and it allows the customization for more advanced users to deploy these scripts without necessarily having to carry multiple tools with them.

If you find the Flipper Zero is limited in its capabilities when it comes to deploying the DuckyScripts, then you should upgrade to Hak5’s latest USB Rubber Ducky that offers the latest features with DuckyScript 3.0.