moonlit, posted April 16, 2010:

DuckHunt 1.1.1: This application will prevent all keyboard and mouse input when new USB devices are attached and will only allow input again when the device is removed. It will prevent the USB Rubber Duck from functioning and on Vista and higher it will also prevent the use of the Autorun dialog.

Requires .NET Framework 3.5 and on Vista/7 also requires Administrator privileges.

Changelog:
Version 1.1.1: Fixed typo on alert screen.
Version 1.1.0: Fixed detection of non-mass storage devices. Added VID and PID to alert screen. Added sound to device removal.

1n5aN1aC, posted April 16, 2010:

So does it do only new USB devices? What if you're using a USB keyboard as your main keyboard?

moonlit (Author), posted April 16, 2010:

It will not block USB devices which are present before the tool is loaded, it will act only on devices plugged in after the tool becomes active.

Sitwon, posted April 16, 2010:

This wouldn't protect the BIOS from being brute-forced by the Ducky. Nor would it protect the Windows Login unless you have a way of running this before the login screen. It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

moonlit (Author), posted April 16, 2010:

> This wouldn't protect the BIOS from being brute-forced by the Ducky.

No, you're right, but surely this device is intended primarily to interact with the OS itself? That said, you could turn off legacy USB device support in the BIOS which would prevent a USB device brute-force. You could instead use PS/2, but you must then reboot the machine because PS/2 is not hot-pluggable.

> Nor would it protect the Windows Login unless you have a way of running this before the login screen.

Right again, however, IIRC the Windows login screen will pause between login attempts if enough incorrect passwords are given which would massively extend the time it takes to brute force a login. If you have enough time to do that, other methods are clearly preferable.

> It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

Again, you make a good point, but given that the alternative is to get owned, what else would you suggest? I believe it's possible to act only on the insertion of a HID device, but as yet I've not had a chance to test this, it would prevent the app triggering when you attempt to use a USB stick or similar though.

Jerico_Tyler, posted April 16, 2010:

You could set it to remember serial numbers so that you can set "trusted" devices.

moonlit (Author), posted April 16, 2010:

> You could set it to remember serial numbers so that you can set "trusted" devices.

I had also thought of that, but I've not yet got as far as trying to add it. One caveat could be that if you duplicate a device already present you may be able to work around such a method, but the app could then also detect duplicate devices with the same information and you would also have to know the hardware models present on the target machine.

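Added example (not part of the thread and not DuckHunt's code): a sketch of the "trusted devices" policy discussed in the two posts above, including the duplicate check moonlit mentions. The class, method names and device identities are constructed for illustration; VID, PID and serial are values the device reports about itself.

```python
from collections import Counter
from typing import NamedTuple

class DeviceId(NamedTuple):
    vid: int
    pid: int
    serial: str

class ArrivalPolicy:
    """Lock input while any attached device is untrusted or duplicated."""

    def __init__(self, trusted, already_present=()):
        self.trusted = set(trusted)
        # Devices attached before the tool started are recorded, not judged.
        self.present = Counter(already_present)

    def attach(self, dev):
        self.present[dev] += 1
        return self.input_locked()

    def detach(self, dev):
        if self.present[dev] > 0:
            self.present[dev] -= 1
        if self.present[dev] == 0:
            del self.present[dev]
        return self.input_locked()

    def offenders(self):
        # Untrusted identity, or the same identity attached more than once.
        return [d for d, n in self.present.items()
                if d not in self.trusted or n > 1]

    def input_locked(self):
        return bool(self.offenders())

# Constructed sample identities (not real hardware).
KEYBOARD = DeviceId(0x1234, 0x0001, "KB-0001")
STICK = DeviceId(0x1234, 0x0002, "MS-0042")
UNKNOWN = DeviceId(0xABCD, 0x0001, "")

def demo():
    p = ArrivalPolicy(trusted=[KEYBOARD, STICK], already_present=[KEYBOARD])
    return [
        p.attach(STICK),     # trusted, first instance -> input stays enabled
        p.attach(UNKNOWN),   # unknown identity -> input locked
        p.detach(UNKNOWN),   # offender removed -> unlocked
        p.attach(KEYBOARD),  # second copy of a present identity -> locked
        p.detach(KEYBOARD),  # duplicate removed -> unlocked
    ]

if __name__ == "__main__":
    print(demo())
```

The duplicate check only fires while the original device is still attached, which is why the policy tracks counts of present devices rather than a plain allowlist.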
1n5aN1aC, posted April 17, 2010:

In my opinion, the question ultimately becomes: is there any identifying factor that the teensy shows/etc. that we can see as the operating system. If there are no identifying factors (under hardware details for example), then there is no real defense that is not very VERY inconvenient.

moonlit (Author), posted April 17, 2010:

The Rubber Duck can carry the IDs of any device, can it not? I'd say catching all HID devices is a pretty fair way to go about blocking it. Anyway, my main intent here was to block it, and that I believe I've done. Since I don't have one of the appropriate devices, testers are welcome to tell me if it works.

1n5aN1aC, posted April 17, 2010:

I know, but still, I'm just saying there's a slim chance that there is something that the teensy does that is unique.... maybe- a far shot for sure, but....

Also, Yes, you've easily stopped it, but there is no way that's going to be used by Microsoft/ (most likely anti-virus companies) just because it's so inconvenient for the average user.

moonlit (Author), posted April 17, 2010:

You're right in saying that there may be some identifiable feature or footprint but I'm not sure how finely you can tune the presentation of the device to the host machine, whether it's entirely customisable or not. If it is, it's likely that it could be made indistinguishable from another device.

1n5aN1aC, posted April 17, 2010:

Yeah, I'm sure there's SOMETHING, but it may be too "low-level" to detect it, so yeah, I'm not sure either- If I get one, I'll look into it & compare all the stuff in Right-click-on-drive > Properties > Hardware > Properties > Details and such stuff, but I actually doubt that there will be something unique, but there might just be something there, you never know.....

(I don't like to call something totally blocked unless it's COMPLETELY blocked & isn't too user-inconvenient. {I mean, you can always go farther on security....} )

moonlit (Author), posted April 17, 2010:

Updated to 1.1.1, see first post for info.

Darren Kitchen, posted April 17, 2010:

Awesome, despite limitations, truly awesome.

Nescire, posted April 17, 2010:

Just some ideas to identify if the new USB could be a rubber ducky attacker:

- First verify if there are already HID devices active.
- You can set a limit to a number of allowed HIDs, if the number is exceeded, new interfaces will be blocked.

Combined with your recognition method, it would be a good defense, when the system is already running.

Also you could watch the input speed and set a limit to allowed keystrokes per second, not that you should watch every keystroke, only an adjustable number in a random time interval, like every x min watch the input speed for 100 strokes. If it is above a human level, disconnect the HID.

Just some thoughts that quickly rushed through my mind. Sorry for my bad English, I hope you could guess what I mean ;-)

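Added example (not part of the thread and not DuckHunt's code): a sketch of the keystroke-rate check suggested in the post above, simplified to a sliding window over every key-down timestamp instead of random sampling. The 100-key window comes from the post; the 20 keys-per-second limit, the names and the sample timings are assumptions constructed for illustration.

```python
from collections import deque

class RateMonitor:
    """Flags input whose rate over the last `window` keystrokes exceeds a limit."""

    def __init__(self, window=100, max_keys_per_sec=20.0):
        self.window = window
        self.max_rate = max_keys_per_sec
        self.times = deque(maxlen=window)

    def feed(self, t):
        """Record one key-down time in seconds; True means 'above human level'."""
        self.times.append(t)
        if len(self.times) < self.window:
            return False  # no verdict until a full window has been seen
        span = self.times[-1] - self.times[0]
        if span <= 0:
            return True   # a full window with no elapsed time
        return (self.window - 1) / span > self.max_rate

def first_alarm(timestamps, window=100, max_keys_per_sec=20.0):
    """Index of the keystroke at which the monitor first fires, or None."""
    mon = RateMonitor(window, max_keys_per_sec)
    for i, t in enumerate(timestamps):
        if mon.feed(t):
            return i
    return None

# Constructed timings: a steady typist at 150 ms per key,
# and machine-speed input at 5 ms per key.
HUMAN = [i * 0.15 for i in range(200)]
INJECTED = [i * 0.005 for i in range(200)]
# 150 typed keys followed by a fast burst on the same input stream.
MIXED = [i * 0.15 for i in range(150)] + [22.5 + j * 0.005 for j in range(120)]

if __name__ == "__main__":
    for name, ts in (("human", HUMAN), ("injected", INJECTED), ("mixed", MIXED)):
        print(name, first_alarm(ts))
```

In the mixed stream the alarm lags the start of the burst because earlier slow keystrokes still occupy the window, so the window size sets how quickly the check can react.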
Trip, posted April 20, 2010 (edited April 20, 2010 by Trip):

Password protection to allow installation of new devices would be sweet ;0)

Somken, posted April 21, 2010:

Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me. Other than that, great work. Will be running on my coloed server.

AndrewFaulds, posted April 22, 2010:

> Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me. Other than that, great work. Will be running on my coloed server.

Oh those weird random-letter-no-longer-works bugs... I HATE THEM

xeemo, posted April 26, 2010:

Interesting concept, but would it work in safe mode/on the login screen? Cool stuff either way.