Skip to content

Commit

Permalink
Merge pull request #5 from kai9987kai/master
Browse files Browse the repository at this point in the history 
Thanks for the additions and sorry for the insane delay! ✌️
  • Loading branch information
@pmsosa
pmsosa authored Aug 6, 2020
2 parents 06bce8d + d26c5a4 commit f431157
Show file tree
Hide file tree
Showing 5 changed files with 378 additions and 75 deletions.
15 changes: 11 additions & 4 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,15 @@
<h1>DuckHunter</h1>
<h3>Prevent RubberDucky (or other keystroke injection) attacks</h3>
<hr>
<h3>Try Out the new setup GUI it helps you to setup the software and we have just released a new feature that allows you to run the script every time your computer starts automatically<h3>

**Read this program's postmortem at my [blog](http://konukoii.com/blog/2016/10/26/duckhunting-stopping-automated-keystroke-injection-attacks/)**

<h3>Intro</h3>


![](https://raw.githubusercontent.com/kai9987kai/kai9987kai.github.io/master/screenshot.PNG)


**Read this program's postmortem at my [blog](http://konukoii.com/blog/2016/10/26/duckhunting-stopping-automated-keystroke-injection-attacks/)**
<h3>Intro</h3>
[Rubberduckies](https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe) are small usb devices that pretend to be usb keyboards and can type on their own at very high speeds. Because most -if not all- OS trust keyboards automatically, it is hard to protect oneself from these attacks.

**DuckHunt** is a small efficient script that acts as a daemon consistently monitoring your keyboard usage (right now, speed and selected window) that can catch and prevent a rubber ducky attack. (Technically it helps prevent any type of automated keystroke injection attack, so things like Mousejack injections are also covered.)
Expand Down Expand Up @@ -44,13 +48,16 @@
- [PyWin32](http://starship.python.net/~skippy/win32/Downloads.html)
- [PyHook](https://sourceforge.net/projects/pyhook/)
- [Py2Exe](http://py2exe.org/)
- [webbrowser](https://docs.python.org/2/library/webbrowser.html)




<h3>Advanced Setup</h3>

- Step 1. Customize duckhunt.conf variables to your desire
- You can customize the password, speed threshold, privacy, etc.
- Step 2. Turn the duckhunt**.py** to a duckhunt**.pyw** so that the console doesn't show up when you run the program
- Step 2. Turn the duckhunt-configurable**.py** to a duckhunt-configurable**.pyw** so that the console doesn't show up when you run the program
- Step 3. (opt) Use Py2Exe to create an executable.
- Step 4. Run the program. You are now protected from RubberDuckies!

Expand Down
172 changes: 172 additions & 0 deletions duckhunt-configurable.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
######################################################
# DuckHunter #
# Pedro M. Sosa #
# Tool to prevent getting attacked by a rubberducky! #
######################################################

from ctypes import *
import pythoncom
import pyHook
import win32clipboard
import win32ui
import os
import shutil
from time import gmtime, strftime
from sys import stdout
import imp
duckhunt = imp.load_source('duckhunt', 'duckhunt.conf')

##### NOTES #####
#
# 1. Undestanding Protection Policy:
# - Paranoid: When an attack is detected, lock down any further keypresses until the correct password is entered. (set password in .conf file). Attack will also be logged.
# - Normal : When an attack is detected, keyboard input will temporarily be disallowed. (After it is deemed that the treat is over, keyboard input will be allowed again). Attack will also be logged.
# - Sneaky: When an attacks is detected, a few keys will be dropped (enough to break any attack, make it look as if the attacker messed up.) Attack will also be logged.
# - LogOnly: When an attack is detected, simply log the attack and in no way stop it.

# 2. How To Use
# - Modify the user configurable vars below. (particularly policy and password)
# - Turn the program into a .pyw to run it as windowless script.
# - (Opt) Use py2exe to build an .exe
#
#################





threshold = duckhunt.threshold # Speed Threshold
size = duckhunt.size # Size of history array
policy = duckhunt.policy.lower() # Designate Policy Type
password = duckhunt.password # Password used in Paranoid Mode
allow_auto_type_software = duckhunt.allow_auto_type_software #Allow AutoType Software (eg. KeyPass or LastPass)
################################################################################
pcounter = 0 # Password Counter (If using password)
speed = 0 # Current Average Keystroke Speed
prevTime = -1 # Previous Keypress Timestamp
i = 0 # History Array Timeslot
intrusion = False # Boolean Flag to be raised in case of intrusion detection
history = [threshold+1] * size # Array for keeping track of average speeds across the last n keypresses
randdrop = duckhunt.randdrop # How often should one drop a letter (in Sneaky mode)
prevWindow = [] # What was the previous window
filename = duckhunt.filename # Filename to save attacks
blacklist = duckhunt.blacklist # Program Blacklist



#Logging the Attack
def log(event):
global prevWindow

x = open(filename,"a+")
if (prevWindow != event.WindowName):
x.write ("\n[ %s ]\n" % (event.WindowName))
prevWindow =event.WindowName
if event.Ascii > 32 and event.Ascii < 127:
x.write(chr(event.Ascii))
else:
x.write("[%s]" % event.Key)
x.close()
return


def caught(event):
global intrusion, policy, randdrop
print "Quack! Quack! -- Time to go Duckhunting!"
intrusion = True;


#Paranoid Policy
if (policy == "paranoid"):
win32ui.MessageBox("Someone might be trying to inject keystrokes into your computer.\nPlease check your ports or any strange programs running.\nEnter your Password to unlock keyboard.", "KeyInjection Detected",4096) # MB_SYSTEMMODAL = 4096 -- Always on top.
return False;
#Sneaky Policy
elif (policy == "sneaky"):
randdrop += 1
#Drop every 5th letter
if (randdrop==7):
randdrop = 0;
return False;
else:
return True;

#Logging Only Policy
elif (policy == "log"):
log(event)
return True;


#Normal Policy
log(event)
return False


#This is triggered every time a key is pressed
def KeyStroke(event):

global threshold, policy, password, pcounter
global speed, prevTime, i, history, intrusion,blacklist

print event.Key;
print event.Message;
print "Injected",event.Injected;

if (event.Injected != 0 and allow_auto_type_software):
print "Injected by Software"
return True;


#If an intrusion was detected and we are password protecting
#Then lockdown any keystroke and until password is entered
if (policy == "paranoid" and intrusion):
print event.Key;
log(event);
if (password[pcounter] == chr(event.Ascii)):
pcounter += 1;
if (pcounter == len(password)):
win32ui.MessageBox("Correct Password!", "KeyInjection Detected",4096) # MB_SYSTEMMODAL = 4096 -- Always on top.
intrusion = False
pcounter = 0
else:
pcounter = 0

return False


#Initial Condition
if (prevTime == -1):
prevTime = event.Time;
return True


if (i >= len(history)): i = 0;

#TypeSpeed = NewKeyTime - OldKeyTime
history[i] = event.Time - prevTime
print event.Time,"-",prevTime,"=",history[i]
prevTime = event.Time
speed = sum(history) / float(len(history))
i=i+1

print "\rAverage Speed:",speed

#Blacklisting
for window in blacklist.split(","):
if window in event.WindowName:
return caught(event)

#Intrusion detected
if (speed < threshold):
return caught(event)
else:
intrusion = False
# pass execution to next hook registered
return True

# create and register a hook manager
kl = pyHook.HookManager()
kl.KeyDown = KeyStroke

# register the hook and execute forever
kl.HookKeyboard()
pythoncom.PumpMessages()
Loading

0 comments on commit f431157

Please sign in to comment.