pmsosa / duckhunt Goto Github PK

View Code? Open in Web Editor NEW

514.0 39.0 85.0 2.76 MB

:dart: Prevent RubberDucky (or other keystroke injection) attacks

License: MIT License

Python 100.00%

attack protection keyboard rubber-ducky keystroke-injection mousejack

duckhunt's Introduction

DuckHunter

Prevent RubberDucky (or other keystroke injection) attacks

Try Out the new setup GUI it helps you to setup the software and we have just released a new feature that allows you to run the script every time your computer starts automatically

Read this program's postmortem at my blog

Intro

[Rubberduckies](https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe) are small usb devices that pretend to be usb keyboards and can type on their own at very high speeds. Because most -if not all- OS trust keyboards automatically, it is hard to protect oneself from these attacks.

DuckHunt is a small efficient script that acts as a daemon consistently monitoring your keyboard usage (right now, speed and selected window) that can catch and prevent a rubber ducky attack. (Technically it helps prevent any type of automated keystroke injection attack, so things like Mousejack injections are also covered.)

Features

Protection Policy

Paranoid: When an attack is detected, keyboard input is disallowed until a password is input. Attack will also be logged.
Normal: When an attack is detected, keyboard input will temporarily be disallowed. (After it is deemed that the treat is over, keyboard input will be allowed again). Attack will also be logged.
Sneaky: When an attacks is detected, a few keys will be dropped (enough to break any attack, make it look as if the attacker messed up.) Attack will also be logged.
LogOnly: When an attack is detected, simply log the attack and in no way stop it.

Extras

Program Blacklist: If there are specific programs you neve use (cmd, powershell). Consider interactions with them as highly suspecious and take action based on the protection policy.
Support for AutoType software (eg. KeePass, LastPass, Breevy)

Setup

Regular users:

Choose and download one of the two options that best suits you:
- Opt #1: Normal Protection w/ Program Blacklisting for Commandline and Powershell
- Opt #2: Normal Protection (w/o any blacklisting)
Now, copy the .exe above to the startup menu.
- In Windows XP,Vista,7 : This folder should be accessible from your Start Menu
- In Windows 10: Open a directory explorer an go to "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" (copy paste it in without the quotation marks).

Advanced Users

Keep Reading...
Feel Free to contact me, add issues, fork, and get involved with this project :). Together we can make a stronger tool!

Requirements

Advanced Setup

Step 1. Customize duckhunt.conf variables to your desire
- You can customize the password, speed threshold, privacy, etc.
Step 2. Turn the duckhunt-configurable**.py** to a duckhunt-configurable**.pyw** so that the console doesn't show up when you run the program
Step 3. (opt) Use Py2Exe to create an executable.
Step 4. Run the program. You are now protected from RubberDuckies!

TODO

More monitoring features:
Add OSX & Linux support!
Look for certain patterns (eg. "GUI D, GUI R, cmd, ENTER")

Happy Hunting!

duckhunt's People

Contributors

Stargazers

Watchers

Forkers

lucabongiorni wflk patanax grayhats fcavalcantirj ashr michalkoczwara ellipsys minkione javarockstar toshantd595 b1gw00d lexsionlee evil-cluster d4mn4t10n dcmjid jvarahuayta fingerleakers ericmccullough pascal-0x90 refael613 fo0nikens kalevivt zweih y0d4a pyth0n39 siegfried5 indigos33k3r chrisgammade kai9987kai saiyanx martavaqgut yved ltstarbuck prodject mekon64 nutc4k3 uberfix jontargaryen pandapentest duckyrubber kingsolmn hackmeany c0ntr07 sasqwatch bkbuilt keshav-space moham3dom3r ahmedsakrr 4dvn mlynchcogent p-g-krish rakhithjk jthigh ro9ueadmin bellyfat samuelriesz ransomware-book novuscory skynet-05 nbrisola setowibowo82 akhil1136 zcmail freetimefm cybercraftsmanx evil-corp euphorbiacz 5l1v3r1 craftybastard kiwibear av265 jonnybanana tearran alevsk antonkosse cyd3nt sinvex pollockt alphyantony excloudx6 genepoo1 th3mag1c1an yan2013

duckhunt's Issues

File "setup.py", line 13, in <module>

when try to make exe from it, i got dll load failed.

running py2exe *** searching for required modules *** *** parsing results *** *** finding dlls needed *** Traceback (most recent call last): File "setup.py", line 13, in <module> zipfile = None, File "c:\Python27\lib\distutils\core.py", line 152, in setup dist.run_commands() File "c:\Python27\lib\distutils\dist.py", line 953, in run_commands self.run_command(cmd) File "c:\Python27\lib\distutils\dist.py", line 972, in run_command cmd_obj.run() File "c:\Python27\lib\site-packages\py2exe\build_exe.py", line 243, in run self._run() File "c:\Python27\lib\site-packages\py2exe\build_exe.py", line 305, in _run dlls = self.find_dlls(extensions) File "c:\Python27\lib\site-packages\py2exe\build_exe.py", line 389, in find_dlls self.dll_excludes) File "c:\Python27\lib\site-packages\py2exe\build_exe.py", line 1021, in find_dependend_dlls import py2exe_util ImportError: DLL load failed: %1 is not a valid Win32 application.``

where i am wrong? :)

ImportError: MemoryLoadLibrary failed loading win32ui.pyd

When using the 'advanced' install I get the following log.txt content when running dist/duckhunt.exe:

Traceback (most recent call last):
File "duckhunt.pyw", line 11, in
File "zipextimporter.pyc", line 98, in load_module
ImportError: MemoryLoadLibrary failed loading win32ui.pyd

A quick google suggests this might be a py2exe problem. I have a little python knowledge but I'm new to py2exe so I can't confirm this nor know a fix. Feel free to close if I did something wrong.

Can't use powershell anymore.

CMD is fine but I can't type in powershell anymore without it going 'quack quack'. My blacklist is empty.

Alt codes are blocked

Unable to use alt-codes when duckhunt is running. For example Holding Alt and pushing 1 on the numpad (ALT+1) results in this character "☺". With duckhunt running, this is blocked.

Possible Features

Hi there, first of all nice project, i didnt find another way to contact you so i'll post something here.
Have you ever thought about adding something like a pattern recognition ? After working with the rubber ducky for quite some time i came up with the thought that some smart attacker, who knows about this tool, might work very efficitiently with the delay method of the ducky script language and by pass your prevention. My suggestion is to check for odd occurences in the keystrokespeed list like: a suspicous amount of the same entry (e.g. 5x 200ms?) or for entrys which are most likely not possible to happen more often like (..50ms,..20ms, ..00ms)

I dont know if it makes sense, but if an attackers knows about your tool this could be a possible vulnerability. Pls tell me what you think about this.
Best regards, Colin

Pyhook isnt available for greater version than Python 3.7

Make sure you have an earlier version of Python 3.7 or lower to run the script. The pyhook library hasn't been updated since 2008 so make sure you get the correct version of pyhook.
You can get the pyhook from here:
https://www.lfd.uci.edu/~gohlke/pythonlibs/#pyhook
win_amd64 for 64-bit and the win32 for 32-bit make sure to get the downloaded file into the folder you are working in and then:
pip install (file name.whl) , It should install the library of pyhook.

make sure to install all the libraries and add the line for tinkter
from tkinter import ttk (this works better)
than from ttk import * ttk might always stay yellow so you could add that line in order to resolve those errors.

Hope this helps you.

Bypass protection completely

Programs that were not executed with administrator rights cannot detect keyboard inputs when the task manager is in the foreground, so the protection can be easily bypassed. The only way I found to fix this is running the program as administrator.

Here is a demonstration video:
In the video you can see:

Run Duckhunt and execute BadUSB code normal (is blocked)
Run Duckhunt and execute BadUSB code in task manager (is not blocked)
Run Duckhunt with admin and execute BadUSB code in task manager (is blocked)

https://www.youtube.com/watch?v=sRW2ft_cLso

Support for accent marks and other special characters

I think it'd be very convenient to add a filter for allowing some special characters like accent marks and others like (á, é, í, ó, ú, ü, etc).

These characters are very used in some languages other than English and require a fast typing of two consecutive keys, so right now duckhunt is not letting me to do this, as it thinks it is an attack.

Thanks.

On some machines

Hi, i have issue to run this app. after compile, log file say:

Traceback (most recent call last):
File "viphunt.py", line 11, in
File "zipextimporter.pyc", line 98, in load_module
ImportError: MemoryLoadLibrary failed loading win32ui.pyd

yes, i change name :) duck to vip :)