Jump to content

[Version 1] Duckhunt Usb Attack Prevention Tool

moonlit

By moonlit
in Classic USB Rubber Ducky

 Share

Recommended Posts

moonlit Newbie

moonlit

Posted
Posted

45711564.jpg

DuckHunt 1.1.1:

This application will prevent all keyboard and mouse input when new USB devices are attached and will only allow input again when the device is removed. It will prevent the USB Rubber Duck from functioning and on Vista and higher it will also prevent the use of the Autorun dialog. Requires .net Framework 3.5 and on Vista/7 also requires Administrator privileges.

Changelog:

Version 1.1.1:

Fixed typo on alert screen.

Version 1.1.0:

Fixed detection of non-mass storage devices.

Added VID and PID to alert screen.

Added sound to device removal.

DuckHunt 1.1.1

Link to comment
Share on other sites
Sitwon Newbie

Sitwon

Posted
Posted

This wouldn't protect the BIOS from being brute-forced by the Ducky. Nor would it protect the Windows Login unless you have a way of running this before the login screen.

It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

Link to comment
Share on other sites
moonlit Newbie

moonlit

Posted
  • Author
Posted
This wouldn't protect the BIOS from being brute-forced by the Ducky.

No, you're right, but surely this device is intended primarily to interact with the OS itself? That said, you could turn off legacy USB device support in the BIOS which would prevent a USB device brute-force. You could instead use PS/2, but you must then reboot the machine because PS/2 is not hot-pluggable.

Nor would it protect the Windows Login unless you have a way of running this before the login screen.

Right again, however, IIRC the Windows login screen will pause between login attempts if enough incorrect passwords are given which would massively extent the time it takes to brute force a login. If you have enough time to do that, other methods are clearly preferable.

It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

Again, you make a good point, but given that the alternative is to get owned, what else would you suggest? I believe it's possible to act only on the insertion of a HID device, but as yet I've not had a chance to test this, it would prevent the app triggering when you attempt to use a USB stick or similar though.

Link to comment
Share on other sites
moonlit Newbie

moonlit

Posted
  • Author
Posted
you could set it to remember serial numbers so that you can set "trusted" devices

I had also thought of that, but I've not yet got as far as trying to add it. One caveat could be that if you duplicate a device already present you may be able to work around such a method, but the app could then also detect duplicate devices with the same information and you would also have to know the hardware models present on the target machine.

Link to comment
Share on other sites
1n5aN1aC Newbie

1n5aN1aC

Posted
Posted

In my opinion, the question ultimately becomes: is there any identifying factor that the teensy shows/etc. that we can see as the operating system. If there is no identifying factors, (under hardware details for example) then there is no real defense that is not very VERY inconvenient.

Link to comment
Share on other sites
moonlit Newbie

moonlit

Posted
  • Author
Posted

The Rubber Duck can carry the IDs of any device, can it not? I'd say catching all HID devices is a pretty fair way to go about blocking it. Anyway, my main intent here was to block it, and that I believe I've done. Since I don't have one of the approriate devices, testers are welcome to tell me if it works.

Link to comment
Share on other sites
1n5aN1aC Newbie

1n5aN1aC

Posted
Posted

I know, but still, I'm just saying there's a slim chance that there is something that the teensy does that is unique.... maybe- a far shot for sure, but.... Also, Yes, you've easily stopped it, but there is no way that's going to be used by Microsoft/ (most likely anti-virus companies) just because it's so inconvenient for the average user.

Link to comment
Share on other sites
moonlit Newbie

moonlit

Posted
  • Author
Posted

You're right in saying that there may be some identifiable feature of footprint but I'm not sure how finely you can tune the presentation of the device to the host machine, whether it's entirely customisable or not. If it is, it's likely that it could be made indistinguishable from another device.

Link to comment
Share on other sites
1n5aN1aC Newbie

1n5aN1aC

Posted
Posted

Yeah, I'm sure there's SOMETHING, but it may be too "low-level" to detect it, so yeah, I'm not sure either- If I get one, i'll look into it & compare all the stuff in Right-click-on-drive > Properties > Hardware > Properties > Details and such stuff, but I actually doubt that there will be something unique, but there might just be something there, you never know..... (I don't like to call something totally blocked unless it's COMPLETELY blocked & isn't too user-inconvenient. {I mean, you can always go farther on security....} )

Link to comment
Share on other sites
Nescire Newbie

Nescire

Posted
Posted

Just some ideas to identify if the new USB could be a rubber ducky attacker:

- First verify if there are already HUID devices aktiv.

- You can set a limit to a number of allowed HUIDs, if the number is exceeded, new interfaces will be blocked.

Combined with your recognition method, it would be a good defense, when the system is already running.

Also you could watch a the input speed and set a limit to allowed keystrokes per second, not that you should watch every keystroke, only a adjustable number in a random time interval, like every x min watch the input speed for 100 strokes. If it is above a human level, disconnect the HUID.

Just some thoughts that quickly rushed through my mind. Sorry for my bad english, i hope you could guess what i mean ;-)

Link to comment
Share on other sites
Somken Newbie

Somken

Posted
Posted

Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.

Other then that, great work. Will be running on my coloed server.

Link to comment
Share on other sites
AndrewFaulds Newbie

AndrewFaulds

Posted
Posted
Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.

Other then that, great work. Will be running on my coloed server.

Oh those weird random-letter-no-longer-works bugs... I HATE THEM

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...