Hak5 Forums

This topic is now archived and is closed to further replies.

moonlit

[Version 1] Duckhunt Usb Attack Prevention Tool

DuckHunt 1.1.1:

This application will prevent all keyboard and mouse input when new USB devices are attached and will only allow input again when the device is removed. It will prevent the USB Rubber Duck from functioning, and on Vista and higher it will also prevent the use of the Autorun dialog. Requires .NET Framework 3.5, and on Vista/7 also requires Administrator privileges.

Changelog:

Version 1.1.1:

Fixed typo on alert screen.

Version 1.1.0:

Fixed detection of non-mass storage devices.

Added VID and PID to alert screen.

Added sound to device removal.

DuckHunt 1.1.1


So does it do only new USB devices? What if you're using a USB keyboard as your main keyboard?


It will not block USB devices which are present before the tool is loaded, it will act only on devices plugged in after the tool becomes active.


This wouldn't protect the BIOS from being brute-forced by the Ducky. Nor would it protect the Windows Login unless you have a way of running this before the login screen.

It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

> This wouldn't protect the BIOS from being brute-forced by the Ducky.

No, you're right, but surely this device is intended primarily to interact with the OS itself? That said, you could turn off legacy USB device support in the BIOS which would prevent a USB device brute-force. You could instead use PS/2, but you must then reboot the machine because PS/2 is not hot-pluggable.

> Nor would it protect the Windows Login unless you have a way of running this before the login screen.

Right again, however, IIRC the Windows login screen will pause between login attempts if enough incorrect passwords are given, which would massively extend the time it takes to brute force a login. If you have enough time to do that, other methods are clearly preferable.

> It's also a huge inconvenience for most users who are used to being able to connect USB devices on-the-fly.

Again, you make a good point, but given that the alternative is to get owned, what else would you suggest? I believe it's possible to act only on the insertion of a HID device, but as yet I've not had a chance to test this, it would prevent the app triggering when you attempt to use a USB stick or similar though.


You could set it to remember serial numbers so that you can set "trusted" devices.

> you could set it to remember serial numbers so that you can set "trusted" devices

I had also thought of that, but I've not yet got as far as trying to add it. One caveat could be that if you duplicate a device already present you may be able to work around such a method, but the app could then also detect duplicate devices with the same information and you would also have to know the hardware models present on the target machine.

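The trusted-serial idea and the duplicate check discussed in the two posts above, combined with the tool's rule that devices present at start-up are left alone, as an added Python sketch (not DuckHunt's code and not from the thread). The `UsbId` and `ArrivalPolicy` names, the `port` key standing in for a per-connection identifier, and all device values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UsbId:
    vid: int
    pid: int
    serial: str  # reported by the device itself, so it can be copied


class ArrivalPolicy:
    """Lock input while any unknown or duplicated device is attached."""

    def __init__(self, baseline, trusted):
        # port -> (identity, blocked). "port" is a hypothetical per-connection
        # key. Devices present at start-up are never blocked.
        self.attached = {p: (ident, False) for p, ident in baseline.items()}
        self.trusted = set(trusted)

    def on_arrival(self, port, ident):
        duplicate = any(i == ident for i, _ in self.attached.values())
        if ident not in self.trusted:
            verdict = "block:unknown"
        elif duplicate:
            verdict = "block:duplicate"  # same VID/PID/serial already attached
        else:
            verdict = "allow"
        self.attached[port] = (ident, verdict != "allow")
        return verdict

    def on_removal(self, port):
        self.attached.pop(port, None)

    @property
    def input_locked(self):
        return any(blocked for _, blocked in self.attached.values())


def demo():
    # Constructed identifiers, not real vendor or product IDs.
    kbd = UsbId(0x1111, 0x0001, "KB-0001")
    stick = UsbId(0x2222, 0x0002, "MS-0002")
    policy = ArrivalPolicy(baseline={"port1": kbd}, trusted={kbd, stick})
    out = [policy.on_arrival("port2", stick)]        # trusted, not attached
    out.append(policy.on_arrival("port3", kbd))      # copy of attached keyboard
    out.append(policy.input_locked)
    policy.on_removal("port3")                       # input unlocks on removal
    out.append(policy.input_locked)
    out.append(policy.on_arrival("port3", UsbId(0x3333, 0x0003, "X-1")))
    return out
```

The duplicate rule only helps while the genuine device is attached; identity here rests entirely on values the device reports about itself.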

In my opinion, the question ultimately becomes: is there any identifying factor that the Teensy shows/etc. that we can see as the operating system? If there are no identifying factors (under hardware details, for example), then there is no real defense that is not very VERY inconvenient.


The Rubber Duck can carry the IDs of any device, can it not? I'd say catching all HID devices is a pretty fair way to go about blocking it. Anyway, my main intent here was to block it, and that I believe I've done. Since I don't have one of the appropriate devices, testers are welcome to tell me if it works.


I know, but still, I'm just saying there's a slim chance that there is something that the Teensy does that is unique... maybe, a far shot for sure, but... Also, yes, you've easily stopped it, but there is no way that's going to be used by Microsoft (or, most likely, anti-virus companies) just because it's so inconvenient for the average user.


You're right in saying that there may be some identifiable feature or footprint, but I'm not sure how finely you can tune the presentation of the device to the host machine, whether it's entirely customisable or not. If it is, it's likely that it could be made indistinguishable from another device.


Yeah, I'm sure there's SOMETHING, but it may be too "low-level" to detect it, so yeah, I'm not sure either. If I get one, I'll look into it and compare all the stuff in Right-click-on-drive > Properties > Hardware > Properties > Details and such stuff, but I actually doubt that there will be something unique, but there might just be something there, you never know... (I don't like to call something totally blocked unless it's COMPLETELY blocked and isn't too user-inconvenient. {I mean, you can always go farther on security...})


Just some ideas to identify if the new USB could be a rubber ducky attacker:

- First verify if there are already HID devices active.

- You can set a limit on the number of allowed HIDs; if the number is exceeded, new interfaces will be blocked.

Combined with your recognition method, it would be a good defense, when the system is already running.

Also you could watch the input speed and set a limit on allowed keystrokes per second. Not that you should watch every keystroke, only an adjustable number in a random time interval, like every x min watch the input speed for 100 strokes. If it is above a human level, disconnect the HID.

Just some thoughts that quickly rushed through my mind. Sorry for my bad English, I hope you could guess what I mean ;-)

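The sampled keystroke-speed check proposed in the post above, as an added Python sketch (not part of the thread and not DuckHunt's code). The class and function names, the 25 keys-per-second ceiling and the timing data are assumptions; the post itself only specifies a sample of 100 strokes and "above a human level".

```python
from typing import Optional


class SampledRateCheck:
    """Time a fixed-size sample of keystrokes and flag superhuman speed."""

    def __init__(self, sample_size=100, max_keys_per_sec=25.0):
        # Both defaults are assumptions chosen for this example.
        self.sample_size = sample_size
        self.max_rate = max_keys_per_sec
        self._stamps = None  # None means no sample is in progress

    def arm(self):
        """Start a sample; the caller invokes this from its random timer."""
        self._stamps = []

    def feed(self, t: float) -> Optional[str]:
        """Record one key-down time in seconds.

        Returns "ok" or "disconnect" once the sample is full, else None.
        """
        if self._stamps is None:
            return None  # not sampling, keystroke is not inspected
        self._stamps.append(t)
        if len(self._stamps) < self.sample_size:
            return None
        elapsed = self._stamps[-1] - self._stamps[0]
        self._stamps = None  # sample finished, wait for the next arm()
        intervals = self.sample_size - 1
        rate = float("inf") if elapsed <= 0 else intervals / elapsed
        return "disconnect" if rate > self.max_rate else "ok"


def run_sample(stamps, **kwargs):
    """Arm one sample, replay the timestamps, return the verdict (or None)."""
    check = SampledRateCheck(**kwargs)
    check.arm()
    verdict = None
    for t in stamps:
        verdict = check.feed(t) or verdict
    return verdict


# Constructed timings: a person at about 7 keys/s, and input at 5 ms per key.
HUMAN = [i * 0.14 for i in range(100)]
INJECTED = [i * 0.005 for i in range(100)]
```

A sample that never fills returns no verdict, so a monitor built this way also needs a timeout on incomplete samples.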

Password protection to allow installation of new devices would be sweet ;0)


Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.

Other than that, great work. Will be running on my coloed server.

> Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.
>
> Other than that, great work. Will be running on my coloed server.

Oh those weird random-letter-no-longer-works bugs... I HATE THEM


Interesting concept, but would it work in safe mode/on the login screen? Cool stuff either way.
