Jump to content

Crowd funding goodUSB


Polisher
 Share

Recommended Posts

Is anyone interested in me developing OS autodetection?

The firmware will be able to automatically detect the OS it is running on and based of that it will choose the appropriate payload for the OS.

goodUSB will be able to differentiate not only between desktop OS versions but also detect some devices like android phones, Linux STB receivers and IOT devices!

I have a lot of free time in the next two weeks to code this.

You will get running updates on this project, all documentation, fingerprints with unique identifiers and the firmware.

Only 4 - 5 people can join the project. Redistribution of the software or documentation is not allowed.

Edited by Polisher
Link to comment
Share on other sites

I'm not.

Suppose someone is interested, what proof do you even have that you are capable of doing it? Judging by your post elsewhere, you want to use a ducky, which is a seemingly bizarre choice for hardware too...

Link to comment
Share on other sites

Good questions. If anyone else has any questions please ask them here.

what proof do you even have that you are capable of doing it? Judging by your post elsewhere, you want to use a ducky, which is a seemingly bizarre choice for hardware too...

A clear outline and all documentation necessary on how OS Auto detection works will be provided by me.

I have already gathered unique identifiers for 6 different Operating Systems. (More Operating Systems and devices are coming!)

This information is more than enough for me to build goodUSB. A great coder can build it probably in a day or two with the outline and documentation, but I am not the brightest and will need about a week or two.

Regarding why I chose rubber ducky: It already has a correct USB port so there is no need for soldering or using a bulky adapter (like on the teensy) + the thumb drive case.
The ducky has more than enough power to run goodUSB. Nohl's 8 bit usb controller had 12mhz. The ducky uses a great 32-bit controller with 60mhz for which there are many great open source firmware codes.

Link to comment
Share on other sites

nice idea, i will do it. i will fund 50 euros.

Good luck! Hope you can afford the loss. I'd say the chance of this been delivered in "two weeks" is essentially zero (especially if he doesn't even have a ducky yet).

I'd suggest paying after delivery of working code...

Link to comment
Share on other sites

thanks for your kind words Oli. Everything you say makes me smile! :)

The project will cost 240 euros.

You will get constant running updates and every single piece of documentation. You may also get beta versions before you get the final v1!

I will try to deliver in 1 week from the time i get the rubber ducky! 2 weeks though to give me some cushion if code doesn't run the way i want it!

As soon as the crowd fund goal is met no more people will be able to join this project.

Edit: If you all can give me a show of hands who wants in it would be great. You obviously do not pay if the goal has not been met.

Edited by Polisher
Link to comment
Share on other sites

thanks for your kind words Oli. Everything you say makes me smile! :)

The project will cost 240 euros.

You will get constant running updates and every single piece of documentation. You may also get beta versions before you get the final v1!

I will try to deliver in 1 week from the time i get the rubber ducky! 2 weeks though to give me some cushion if code doesn't run the way i want it!

As soon as the crowd fund goal is met no more people will be able to join this project.

Edit: If you all can give me a show of hands who wants in it would be great. You obviously do not pay if the goal has not been met.

I'm in.

Link to comment
Share on other sites

Asking people to buy closed-source software that isn't written yet? Based on nothing but your promises? And you're going to be borrowing heavily from Free and Open Source Software to build your closed-source, commercial project? O_o

I'm with Oli, sounds pretty sketchy to me.

Link to comment
Share on other sites

I do not see a problem giving the source code as part of the documentation.

Actually I am not going to be borrowing heavily from others! No code has been published by anyone for USB OS autodetection unfortunately.

The majority of the code that I am using is published by atmel, as with all firmwares here...

If you guys want to chat feel free to pop into #hak5 or #ducky @ irc.hak5.org

Link to comment
Share on other sites

Code samples will not be provided to the general public. I will not start taking money until I am quite confident that my code will work, or the very least be in such a stage where it will only require some fine tuning.

So a concern of yours is whether I am legitemly developing something or am just going to take the fund money and run? That is a very reasonable concern and I am open to suggestions on how I can be verified.

Btw in my country that kind of fund money could buy me a hotel. See video below.

(Just kidding I am from Germany :) )

Link to comment
Share on other sites

The thing that worries me is that you posted earlier that you thought that the creator of BadUSB was justified in not releasing his source code because it was supposedly "too powerful", or something along those lines. How do we know that your intentions truly are to release said code/devices. I would really love OS detection baked into something like the usb rubber ducky, or a similar device, I just have reservations based on your previous post.

In my opinion, the developer of penetration testing tools should not be held liable for what they create, how else should the pen-testers get their tools for testing network security? Holding out on people because you are unsure of the fallout essentially just reinforces the status quo giving companies little impetus to change.

I can't pay any money right now, but I probably would if I had more money saved up, something low, so there was no real loss of investment if things went south. Good luck. I will definitely buy one if they ever come out, even at full market value.

Edited by overwraith
Link to comment
Share on other sites

Good questions overwraith.

My intentions are not to release the codes/firmware to the public because it will make the ducky and teensy too easy and convenient to use. There is no easy defense against it either if it is used in malicious ways. Not now or the future. Yea I totally agree that developers of pen-testing tools should not be held liable. Unfortunatly in Germany there is a law saying that you can not sell, distribute or give tools that "hack". The official use of goodUSB is for debugging systems and setting up a lot of different devices using one USB stick. What payloads you use with it is up to you though.

I am not doing this project to monetize from, but I do expect a small compensation for my time for which I will share the documentation/code/firmware with you. You will have to agree not to share it with anyone. I think that is a fair approach?

At the moment I just want to see if there is enough interest. I will let you guys know when my code reaches a respectable stage.

Edited by Polisher
Link to comment
Share on other sites

I'm afraid I don't understand your stance on this Polisher.

At first you say:

My intentions are not to release the codes/firmware to the public because it will make the ducky and teensy too easy and convenient to use. There is no easy defense against it either if it is used in malicious ways. Not now or the future.

But then follow on with:

Yea I totally agree that developers of pen-testing tools should not be held liable.

These two statements seem to completely disagree with each other. You don't want to release your work in full because it'd make it too easy to use on the ducky and teensy but you also say that the developers can't be held liable for the use of their tools. If you can't be held responsible for how other people use your work, then why does it matter that it'd be very easy to implement?

Also, I'd like to point out that there are defences against these kinds of attacks such as USB whitelisting and key entry rate limiting that have actually been around since before the Ducky ever came out, its just that these defences aren't implemented very often by corporations.

Finally, I'd advise you to actually devise some kind of license for your work if you do intend to sell it. Sharing your entire project with someone for a small price and a gentleman's agreement that they won't share it with anyone is a terrible idea to go ahead with. Your code would end up publicly online somewhere within a week.

All that said, I wish you luck with the development. I'll be following things to see what comes from it.

Link to comment
Share on other sites

I will only accept 4 or 5 people into the project and you will agree not to share the documentation or firmware with anyone.

As soon as the crowd fund goal is met no more people will be able to join this project.

Hmm...only 4 or 5 people will be allowed to have it, so if 24 people donate 240 only 4 or 5 of them are getting it, but everyone that donates will be allowed into the project.

This information is more than enough for me to build goodUSB.

Is it possible that we can code the duck to have different enumeration properties.
For example it could be coded to register as a webcam class or some other interesting class.

Besides IDs and classes can we change the other address space too?

Is it possible we can record the enumeration traffic between host and device?

So you have the capabilities to build this already but you don't know the capabilities of the Rubber Ducky.

I will try to deliver in 1 week from the time i get the rubber ducky!

Besides, I have not yet bought a rubber ducky yet. I am ready to code it now though!

I will need around 200-240 euros for this project. (56 euros for the rubber duck + shipping and 150 euros to get me through the next two weeks).

So you are able to code this and you KNOW it will work but you are not able to do a POC because you don't have the tools....

I do not have a rubber ducky yet. If anyone is good at C though I can help you with the theory!

If you are good at C please let me know and we can make this hack together.

With that said I have gathered all the necessary info to be able to build a OS detection feature myself. I am not the brightest of people though when it comes to computers though. I am more than sure that you or one of the other guys here will be able to show me how to implement the features with the infos I have obtained.

Again, you KNOW you can do this, but here you are asking other people to program it for you.

And there were even more posts that I just didn't feel like going through and quoting....needless to say my BS meter is lighting up like crazy. Tell you what, I would probably donate $1, at least that way I would be included in the project lmao

Link to comment
Share on other sites

Only an absolute maximum of five can join the project and receive the firmware and documentation.

And no you are not allowed to donate if your donation doesn't contribute towards the goal of 240 euros. (240eur/5 people is 48 euros)... Euros are not the same as dollars either...

Right now I just want to see a show of hands on how many people want to join.

Edited by Polisher
Link to comment
Share on other sites

Only an absolute maximum of five can join the project and receive the firmware and documentation.

And no you are not allowed to donate if your donation doesn't contribute towards the goal of 240 euros. (240eur/5 people is 48 euros)... Euros are not the same as dollars either...

Right now I just want to see a show of hands on how many people want to join.

Only 5 can join, but you're not allowed to donate if it doesn't contribute towards the goal....hmm...I would think that even $1 USD (which is 0.90 EU btw) would contribute towards the goal.

Also, I love the "Euros are not the same as dollars", they are both a standard currency no? Which means you can convert between the two no? lmao

Dude, no one here wants to join the project since you have shown NO proof that you are able to do this, actually you've done the opposite by asking people here to help you because you have said yourself you didn't know how.

EDIT

Want to prove me wrong? Show evidence to the contrary. This is the internet, and most of the people on this forum are more intelligent than the average internet user and will not just trust someone with nothing but their word.

Edited by Sildaekar
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...