Forem: Monazir Muhammad Doha

Build a $10 DIY Wi-Fi USB Keylogger with ESP32-S3 and MicroPython (DuckLogger)

Monazir Muhammad Doha — Sun, 01 Mar 2026 15:02:38 +0000

Have you ever wanted to build your own hardware keylogger but were deterred by the high cost or the need to design custom PCBs? Meet DuckLogger, an open-source, ESP32-S3–based USB Key Logger that you can build yourself for under $10 using off-the-shelf parts.

In this guide, we'll cover what DuckLogger is, the hardware you need, and how you can assemble and program it yourself in a few simple steps.

What is DuckLogger?

DuckLogger is a MicroPython-powered DIY hardware hacking project. It silently intercepts and logs USB keystrokes into a text file and hosts a built-in Wi-Fi access point, allowing you to easily and wirelessly download your logs through a sleek web UI.

Key Features

Internal Storage Logging: Records keystrokes and safely saves them to the ESP32's internal flash storage.
Wireless Access: Automatically spins up a Wi-Fi Access Point when plugged in.
Web UI: Download your log files directly from your browser by navigating to http://192.168.4.1/.
Zero Custom PCBs Required: Built entirely with widely available breakout boards.

(Upcoming features include sending Ducky scripts directly from the web UI and remote keyboard control via your browser!)

Hardware Requirements

To build this DIY keylogger, you only need three easily obtainable components (which can be easily found on AliExpress or Amazon):

ESP32-S3 SuperMini: A tiny but powerful microcontroller that handles the Wi-Fi, storage, and logic.
CH9350 HID Module: A specialized module that converts USB keyboard inputs into serial data.
4 Female Jumper Wires: For connecting the modules together.

Total cost? Less than $10.

How to Build Your DuckLogger

Ready to build your own? Let's walk through the setup process.

Step 1: Wiring and Schematics

Connecting the ESP32-S3 to the CH9350 module is incredibly straightforward. You only need to make four connections using your jumper wires.

ESP32-S3 Pin	CH9350 Pin	Description
`5V`	`5V`	Power
`GND`	`GND`	Ground
`GP1`	`TX`	Receive Keystrokes
`GP2`	`RX`	Send Commands

Step 2: Configure the CH9350 Module

The CH9350 supports multiple operating modes. For our keylogger to intercept USB keystrokes, we need to set it to USB Host Mode.

On the onboard DIP switches:

Set S0 to the GND position (0).
Keep all other switches in the opposite position (1).

This converts the USB keyboard inputs into serial data sent via UART at a default baud rate of 115200.

Step 3: Flash MicroPython to the ESP32-S3

DuckLogger runs on Python. If your board isn't already running it, you'll need to flash the latest MicroPython firmware.
You can find the official ESP32-S3 Generic flashing instructions on the MicroPython website.

Once flashed, disconnect and reconnect the board via USB.

Step 4: Install Dependencies

On your computer, install mpremote, a handy CLI tool for interacting with MicroPython devices:

pip install mpremote

Verify your board is detected:

mpremote connect list

Next, install the required USB packages directly onto the ESP32-S3:

mpremote mip install usb-device
mpremote mip install usb-device-keyboard

Step 5: Upload the DuckLogger Code

Clone the official DuckLogger repository to your computer:

git clone https://github.com/Itsmmdoha/duckLogger.git
cd duckLogger

With your board connected via USB, copy the project files over to the microcontroller:

1. Copy all library files to the /lib directory on the device:

mpremote cp lib/*.py :/lib/

2. Copy the main execution file to the root of the device:

mpremote cp main.py :

3. Reboot the board to start DuckLogger:

mpremote reset

How to Use Your New Keylogger

Plug the target USB keyboard directly into the CH9350 HID module.
Connect the ESP32-S3 SuperMini to the target computer using a USB-C to USB-A cable.

The device will automatically power on, pass through the keystrokes to the computer (so the computer behaves normally), and simultaneously save those keystrokes to its internal flash memory.

To retrieve your logs:
From your smartphone or laptop, look for the newly created Wi-Fi Access Point.

Connect to the Wi-Fi Network (Default Password: duckPass1234)
Open your browser and navigate to: http://192.168.4.1/

Boom! You now have a low-cost, stealthy, Wi-Fi enabled hardware keylogger.

Final Thoughts

DuckLogger is an awesome example of how accessible hardware hacking and cybersecurity projects have become. Using MicroPython and cheap microcontrollers, you can build testing tools that previously cost hundreds of dollars.

Check out the full source code, contribute, or drop a star on the DuckLogger GitHub Repository!

Disclaimer: This project is strictly for educational purposes, security research, and personal use on your own devices. Always ensure you have explicit, documented permission before using keystroke logging tools.

How to Integrate bKash Payment Gateway in Python (The Easy Way)

Monazir Muhammad Doha — Fri, 27 Feb 2026 13:14:45 +0000

If you are building a web application for the Bangladeshi market, integrating bKash is an absolute necessity. As the largest mobile financial service (MFS) in Bangladesh, bKash is the go-to payment method for millions of users.

However, integrating the bKash API using Python has historically been a headache. Developers often have to write boilerplate code, manually handle token expiration, and deal with raw HTTP requests. Whether you are using Django, Flask, or FastAPI, you just want a clean, Pythonic way to accept payments.

That’s where pybkash comes in. pybkash is a modern, fully-typed Python SDK for the bKash payment gateway that handles all the heavy lifting for you. It covers the entire bKash API surface and uniquely supports both synchronous (Django/Flask) and asynchronous (FastAPI) operations out of the box.

In this tutorial, we will walk through how to easily integrate the bKash payment gateway into your Python application using pybkash.

Prerequisites

Before we start writing code, you will need:

Python 3.x installed on your system.
bKash Sandbox/Merchant Credentials: You need a username, password, app_key, and app_secret. You can get these by registering on the bKash Developer Portal

Step 1: Installation

Installing the package is straightforward. Open your terminal and run:

pip install pybkash

Step 2: Authenticating with the bKash API

To communicate with bKash, you need to generate an authentication token. Traditionally, you would have to request a token and manage its lifecycle. With pybkash, you just pass your credentials into a Token object, and the Client handles the rest automatically.

from pybkash import Client, Token

# 1. Initialize the Token with your bKash credentials
token = Token(
    username="your_username",
    password="your_password", 
    app_key="your_app_key",
    app_secret="your_app_secret",
    sandbox=True  # Important: Set to False when moving to production!
)

# 2. Create the bKash Client
client = Client(token)

Note: Always keep your credentials safe using environment variables (e.g., using python-dotenv). Never hardcode them in your production codebase!

Step 3: Creating a Payment (Redirecting the User)

The bKash checkout process follows a redirect-based flow: Create → Execute → Query. First, you create a payment intent on your server. bKash will return a secure URL. You then redirect your customer to this URL to enter their bKash number, OTP, and PIN.

Here is how you create that payment URL:

# 3. Create the payment intent
payment = client.create_payment(
    callback_url="https://yoursite.com/api/bkash/callback", # Where bKash sends the user after paying
    payer_reference="CUSTOMER_001",  # Optional: Pre-populates the bKash number on the checkout page
    amount=1000  # The amount to charge in BDT
)

print(f"Payment ID: {payment.payment_id}")
print(f"Redirect User To: {payment.bkash_url}")

What happens here?

payment.payment_id: Store this ID in your database. You will need it to verify the payment later.
payment.bkash_url: Return this URL to your frontend or issue an HTTP redirect so the user can complete the payment.

Step 4: Handling the Callback & Executing the Payment

After the user completes, fails, or cancels the transaction on the bKash page, bKash redirects the user back to the base callback_url you provided in Step 3, appending several query parameters.

For example, a successful redirection looks like this:
https://yoursite.com/api/bkash/callback?paymentID=TR0011...&status=success&signature=...

These query parameters act as a signal indicating that the user has finished interacting with the bKash page.

⚠️ Crucial Security Warning: The callback redirection alone should not be treated as final confirmation of a successful transaction, as malicious users can manipulate URLs. You must execute the payment server-side to actually deduct the funds and securely verify the final state.

When the user hits your callback endpoint, extract the status and paymentID from the URL query parameters, and execute the payment:

# 4. Extract query parameters from your web framework's request object
status_from_url = "success" # Extracted from ?status=success
payment_id_from_url = "payment_id_received_from_query_params" 

if status_from_url == "success":
    # 5. Execute the payment server-side to finalize the transaction
    execution = client.execute_payment(payment_id_from_url)

    # 6. Verify if the execution was successful
    if execution.is_complete():
        print(f"Payment successful! Transaction ID (TrxID): {execution.trx_id}")
        # TODO: Update your database, mark the order as paid, and send a receipt!
    else:
        print(f"Execution failed. Status: {execution.status}")
else:
    print(f"User cancelled or failed the payment. Status: {status_from_url}")

And that's it! You've successfully integrated bKash into your Python application.

Bonus: Asynchronous Support for FastAPI Developers

If you are building a high-performance web API using FastAPI or Starlette, blocking synchronous calls can slow down your application. pybkash was built with modern Python in mind and provides first-class async support.

You can simply import the asynchronous client and await your payment methods for non-blocking I/O:

from pybkash import AsyncClient, AsyncToken
import asyncio

async def process_bkash_payment():
    token = AsyncToken(
        username="your_username",
        password="your_password", 
        app_key="your_app_key",
        app_secret="your_app_secret",
        sandbox=True
    )

    # Initialize the Async client
    async_client = AsyncClient(token)

    # Create payment asynchronously
    payment = await async_client.create_payment(
        callback_url="https://yoursite.com/api/bkash/callback",
        amount=500
    )

    print(f"Redirect to: {payment.bkash_url}")

# Run the async function
asyncio.run(process_bkash_payment())

Wrapping Up

Integrating the bKash payment gateway in Python doesn't have to be complicated. By using the pybkash SDK, you can implement secure, production-ready payment flows in just a few lines of code, whether you are using Django, Flask, or FastAPI.

Beyond basic payments, pybkash also supports advanced features like Agreement Creation (Tokenized Checkout), Refunds, and Transaction Searching.

📖 Dive Deeper into the Documentation

This tutorial covered the standard checkout flow, but there is much more! For an in-depth look at all available methods, return types, and operational rules, check out the Detailed Usage Documentation directly in the repository.

🌟 Call to Action

If this guide helped you save time, please consider dropping a star (⭐) on the pybkash GitHub Repository.

If you find any bugs, have feature requests, or want to contribute to making the best bKash Python SDK even better, feel free to open an issue or submit a pull request!

Happy coding! 🚀

ipasnmatcher - Python Package for Fast IP-to-ASN Matching

Monazir Muhammad Doha — Mon, 08 Sep 2025 13:33:57 +0000

Recently, an idea popped into my head. It’s about a website, and this site will have some features that are exclusive to BRACU students.
Upon looking for ways to restrict the rest of the world from accessing those features, I figured I could limit them to people connected to the University WiFi. But then again, how do I do that? I can’t host things locally on the University network.

But what if I could distinguish IP addresses from BRACU’s internet? Then I could allow just those IPs and block the rest of the world.
After digging a little deeper into networking, I found out that every organization connected to the internet has something called an ASN number—think of it like an ID. This ID is then used to distinguish organizations by whoever runs the internet, and every organization is given a range of IP addresses.

For example:

Organization A with ASN 1234 has the IP range 192.168.0.9–27.
That means this organization is allowed to have 192.168.0.9, 192.168.0.10, 192.168.0.11 up to 192.168.0.27, but not 192.168.0.28.

In reality, this is a little more complex, but you get the idea.
ASN numbers and their IP ranges for every organization are public information—you can look them up easily. For instance, just Google “BRACU ASN” and you’ll find it!

Based on this logic, I made a simple Python package that takes the ASN number of an organization and lets you check if any given IP address falls within its IP range.

Hope you like this! I’d really appreciate a fork or a star on GitHub—the.

Features

Fast IP-to-ASN matching with optimized network ranges
Built-in caching to minimize API requests
Optional strict mode to consider only active prefixes
Uses accurate data from RIPE NCC

Installation

pip install ipasnmatcher

Usage

from ipasnmatcher import ASN

# Creating an ASN object fetches prefix data from the RIPEstat API and caches it locally
asn = ASN(asn="AS151981")

# Check if an IP belongs to this ASN
print(asn.match("153.53.148.45"))  # True or False

Advanced Usage

asn = ASN(
    asn="AS15169",      # ASN (e.g., Google)
    strict=True,        # Only consider active prefixes
    cache_max_age=7200  # Cache duration in seconds (2 hours)
)

Combine ASN objects

Merge multiple ASNs with + to check IPs against all their prefixes:

from ipasnmatcher import ASN

google = ASN("AS15169")      # Google
cloudflare = ASN("AS13335")  # Cloudflare

combined = google + cloudflare
print(combined.match("8.8.8.8"))   # True (Google)
print(combined.match("1.1.1.1"))   # True (Cloudflare)

repr() shows the full combination:

ASN(asn='AS15169', strict=False, cache_max_age=3600) + ASN(asn='AS13335', strict=False, cache_max_age=3600)

Parameters

ASN(asn: str, strict: bool = False, cache_max_age: int = 3600)

asn: ASN identifier in format "AS12345"
strict: If True, only prefixes currently active are considered (default: False)
cache_max_age: Cache lifetime in seconds (default: 3600)

How it works

On initialization, the ASN object fetches announced prefixes from the RIPEstat API and caches them locally in .ipasnmatcher_cache/{asn}.json.
Subsequent uses load data from cache if it is fresh (not older than cache_max_age).
Matching IPs against ASN prefixes is done efficiently using Python's ipaddress module.

Use Cases

Network security and traffic validation
CDN traffic routing based on ASN ownership
IP classification by network operators
Compliance monitoring of network connections

GitHub

Star or fork this project on GitHub.