Unlocking a Phone with a Flipper Zero

Captions
I've made a few videos recently about the Flipper Zero, and y'all seem to really like those and have been asking for more, so I figured I should try to come up with a few more ideas that I can do with it. One of my favorite types of attacks you can do on a physical pen test or a red team engagement is using bad USB. I've talked about bad USBs a few times on this channel before, but if you don't know what it is, it's basically just a USB device that you trick a computer into thinking is a keyboard, and you can program that USB device to type whatever you want it to. It'll also type much faster than any human could, so you can actually program it to type up an entire PowerShell script and drop some malware on a computer or something, or you can get it to go to a certain website and download something, or you can program it to send out an email from that user's email address. Basically, if it's possible to do it if you were sitting at that computer yourself on the keyboard, you can pre-program that USB device to do whatever you want it to do on the keyboard, much faster than you could type it if you were there yourself.

One of the many features included in the Flipper Zero is a bad USB, and these bad USBs can usually be used for pretty much any sort of machine that you can plug a keyboard into, whether that's a Windows machine, a Linux or a Mac machine, or even mobile devices. For this video I'm actually going to use it to brute force the PIN to unlock this Android device. Fortunately, there's already a bad USB payload that someone created that's up on GitHub, and I'll put the link to this in the description. If we read the comments at the top of the script, it says it's an Android password brute forcer for four-digit PINs: every fifth attempt the retry waits, to work around the 30-second timeout Android implements after five failed login attempts.

Also, it's important to note that this is not an exhaustive word list, because that would take a very long time, probably several hours, and there's a decent chance that it would actually run down the battery of the phone before it actually found the correct PIN. So this is actually only using the top 65 most common four-digit PINs, which will probably have a pretty good success rate unless there's some sort of very unique PIN that the person you're attacking works with. If you look at the bottom of the script, they actually have a few extra entries commented out that you can add if you happen to know the date of birth of the person you're working with, or maybe their anniversary date. So if there's any sort of significant number that you know of based on what you know about this person, or if you've done any sort of investigation on them beforehand, then you would be able to add those just by removing that REM in the script. That would remove the comment and make it an actual active part of the script. But we're just going to download this raw file, and then we're going to install it on our Flipper Zero and get started.

Also, just a quick disclaimer that I feel like shouldn't need to be said, but I'll say it anyway: don't do this against a phone that you don't own or have permission to access. This is a great thing to know how to do if you do pen testing or do red team engagements. Maybe you just forgot your PIN on an old phone, or maybe you need to help one of your family members crack into their old phone that they forgot the PIN for, but just don't go around stealing people's phones and cracking their PINs. All right, back to the video.

So now that I've got my bad USB script, I'm going to plug my Flipper Zero into the USB cable and open up qFlipper, and now I'm going to be able to access the file system of the Flipper Zero and add that script onto my device. First I'm going to click the file manager symbol up in the top left corner of qFlipper, and then I'm going to go to the SD card and I'm going to go to bad KB.

One quick note right here about the difference between bad KB and bad USB. Typically a bad USB attack is considered an attack where you plug a device into your PC with a USB cable, and bad KB is an attack that involves Bluetooth, where you kind of emulate a Bluetooth keyboard and you actually pair the device with the PC that you're attacking. But for whatever reason, the Xtreme firmware, which is what I'm working with on my Flipper Zero right now, has everything, both bad USB and bad KB, listed under the bad KB menu, and they actually have an option in the settings where you can switch between either USB or Bluetooth depending on what kind of attack you're doing. So for that reason I'm going to go to the bad KB directory instead of bad USB.

You see right now there are just a few demo scripts in there, but I'm going to get that script that I just downloaded and I'm just going to drag and drop that file over to qFlipper. Now I see that new file, top 65 4digit pinb f.txt, and that is the file that we just downloaded from GitHub. So now that I have my payload installed on my Flipper Zero, I'm just going to take a USB-C cable and connect it to my phone. Now I'm just going to open the phone to the menu where it asks for the PIN, and then I'm going to go to my Flipper Zero, go over to bad KB, scroll down to that payload that we just installed, click the middle button and then click run.

Now you see it's putting those PINs in much faster than I could, and now you see after that fifth incorrect attempt there's a 30-second timeout, so there's going to be a little bit of a wait time before it goes to the next one in the list. Depending on the phone, you might have to make sure that it just doesn't go to a black screen and you have to reopen it. But then it goes to the next one, and then finally it gets the correct PIN, which in this case was 5555. Then I'm going to stop the payload because we already found our PIN, but now the phone's unlocked and I can do whatever I want to.

I can even run a second bad USB payload from my Flipper Zero. For example, let's say we want to access a website, maybe download something. If you remember when we looked earlier in the file system under the SD card and bad KB, you saw these little demos here, and you see there's this demo for Android. We can right click on that file and download it, and now we can actually open that file with a text editor. In this case I'm going to use Vim, but use whatever you want to use. As you can see, it's a pretty simple little file: all it does is open a web browser and go to this URL, which is the GitHub page for the Xtreme firmware. But say we want to edit this and change what website it goes to. Now I'm going to drag that updated file over to qFlipper, and one thing to know is if you do drag and drop something with the same name, it will overwrite the old file with the new one that you dragged over. So once again, now that we have our payload on our Flipper Zero, we're going to plug that into our phone again, and with the phone being unlocked because we already brute forced the four-digit PIN, we're going to go to bad KB, go to demo Android and run that, and we've been rickrolled.

So those were a couple of very simple examples of how you can use the bad USB functionality of the Flipper Zero. The first example we did was cracking that four-digit PIN for an Android device. It's important to know that the example we worked with was only a four-digit PIN, and it was a pretty simple one, because it was also one of the earlier ones in the list that it went through, so for the sake of this video it didn't take that long to go through all the combinations. But if the phone you were working with was some sort of swipe pattern, or if there's some sort of longer key code like a six-digit or a seven-digit, or if maybe they're using a password that uses numbers and letters, and it's also good to figure out if there's any sort of system in place that maybe erases the phone after a certain amount of incorrect attempts in a certain amount of time. All these things are important to figure out during your initial reconnaissance before you ever do any actual hacking. But once you know all those things, you can edit that payload if you need to add some more combinations to the list, and then once you have your payload in place you follow that same process that I just showed, and then you can access a phone by cracking that PIN.

The second one we did was just a rickroll, but if you wanted to do something like download malware or drop a keylogger on the phone, any kind of things like that that you would do in a real red team assessment, you can very easily see how you would just change that YouTube URL to like a GitHub request to download some file, maybe to some sort of cloud server that you own where you have all kinds of your custom malware installed.

But everyone who's out there asking me for more Flipper Zero content, I hope you like this. I always think bad USB things are cool, and I'm just glad that among all the things that are in the Flipper Zero, the NFC, the RFID, sub-gigahertz, the infrared, like all those different things, I'm glad that it also had the bad USB in there, because I just have always thought that was a cool kind of physical pentest type of thing that is just a nice thing to have in your toolkit.
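An added example, not part of the video or of the payload it uses: a PIN policy check a defender could run, which estimates how long a guess list takes under the five-attempt, 30-second throttle described in the captions and flags PINs of the kinds the captions mention (common repeats, dates, years). The one-second entry time per guess, the six-digit minimum and the function names are assumptions made for this sketch.

```python
ATTEMPTS_PER_WINDOW = 5     # from the video: timeout after five failed attempts
LOCKOUT_SECONDS = 30        # from the video: 30-second timeout
SECONDS_PER_ATTEMPT = 1.0   # assumption: time to enter one guess
MIN_LENGTH = 6              # assumption: example policy threshold


def worst_case_seconds(candidates: int) -> float:
    """Time to enter `candidates` guesses under the fixed throttle above."""
    if candidates <= 0:
        return 0.0
    # A timeout is served after every full window except the final one.
    lockouts = (candidates - 1) // ATTEMPTS_PER_WINDOW
    return candidates * SECONDS_PER_ATTEMPT + lockouts * LOCKOUT_SECONDS


def weak_pin_reasons(pin: str) -> list[str]:
    """Reasons a numeric PIN is likely to sit near the top of a guess list."""
    if not pin.isdigit():
        raise ValueError("PIN must contain digits only")
    reasons = []
    if len(pin) < MIN_LENGTH:
        reasons.append("too short")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    # Differences between neighbouring digits, modulo 10 (1 = up, 9 = down).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential run")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and len(set(pin)) > 1 and pin[:half] == pin[half:]:
        reasons.append("repeated pair")
    if len(pin) == 4:  # date and year checks cover four-digit PINs only
        a, b = int(pin[:2]), int(pin[2:])
        if (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12):
            reasons.append("looks like a day/month date")
        if 1900 <= int(pin) <= 2099:
            reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    for label, n in [("65 common PINs", 65), ("all 4-digit", 10**4), ("all 6-digit", 10**6)]:
        print(f"{label}: {worst_case_seconds(n) / 3600:.1f} h worst case")
    for pin in ["5555", "1234", "0704", "847261"]:  # constructed samples
        print(pin, weak_pin_reasons(pin) or "no findings")
```

A device that enforces a different lockout policy needs different constants; the estimate only models the fixed throttle stated in the captions.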
Info
Channel: CorSecure
Views: 28,637
Keywords: flipper zero, hacking, flipperzero, flipper zero hacking, flipper zero demo, flipper zero review, badusb, bad usb, badkb, bad kb, rickroll, rick roll, android, android hacking, android pin, android unlock, mobile hacking, cyber security, pentesting, pen testing, penetration testing, application security, appsec, app sec, info sec, infosec, information security, ethical hacking
Id: gbJka8KoGec
Length: 8min 46sec (526 seconds)
Published: Tue Jan 16 2024