FFM (Freedom Fighting Mode) - Open Source Hacking Harness


FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 conference from @thegrugq.
It was presented at SSTIC 2018 and the accompanying slide deck is available at this url. If you're not familiar with this class of tools, it is strongly advised to have a look at them to understand what a hacking harness' role is. All the comments are included in the slides.

Usage
The goal of a hacking harness is to act as a helper that automates common tasks during the post-exploitation phase, but also safeguards the user against mistakes they may make.
It is an instrumentation of the shell. Run ./ffm.py to activate it and you can start working immediately. There are two commands you need to know about:
  • Type !list to display the commands provided by the harness.
  • Type SHIFT+TAB to perform tab completion on the local machine. This may be useful if you're ssh'd into a remote computer but need to reference a file that's located on your box.

List of features
This hacking harness provides a few features that are described below. As they are described, the design philosophy behind the tool will also be introduced. It is not expected that all the commands implemented in FFM will suit you. Everyone has their own way of doing things, and tuning the harness to your specific needs is likely to require you to modify some of the code and/or write a few plugins. A lot of effort went into making sure this is a painless task.

Commands
  • !os is an extremely simple command that only runs cat /etc/*release* to show what OS the current machine is running. It is probably most valuable as a demonstration that, in the context of a hacking harness, you can define aliases that work across machine boundaries. SSH into any computer, type !os and the command will be run. This plugin is located in commands/replacement_commands.py and is a good place to start when you want to learn about writing plugins.
  • !download [remote file] [local path] gets a file from the remote machine and copies it locally through the terminal. This command is a little more complex because more stringent error checking is required, but it's another plugin you can easily read to get started. You can find it in commands/download_file.py. Note that it requires xxd or od on the remote machine to function properly.
  • !upload [local file] [remote path] works exactly the same as the previous command, except that a local file is put on the remote machine.
  • !pty spawns a TTY, which is something you don't want in most cases because it tends to leave forensic evidence. However, some commands (sudo) or exploits require a TTY to run in, so this is provided as a convenience. UNSET HISTFILE is passed to it as soon as it spawns.
  • !py [local script] executes a local Python script on the remote machine, and does so entirely in memory. Check out my other repository for scripts you might want to use. This command uses a multiline syntax with <<, which means that pseudo-shells that don't support it (Weevely is a good example of that) will break this command quite badly.
Plugins can be further configured by editing ffm.conf.
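The !download command above reassembles a file from the hex that xxd or od prints into the terminal. The following is an added example, not FFM's own commands/download_file.py: it emulates the remote side's dump (constructed offline) and shows the kind of error checking the decoder needs, skipping echoed command and prompt lines and refusing a dump that stopped early.

```python
import re
import binascii

# Constructed example, not FFM's own code: models the terminal-based transfer
# that !download performs with xxd or od on the remote host, so it can be
# exercised without a remote machine.

HEX_LINE = re.compile(r"^\s*[0-9a-fA-F\s]+$")  # a line made only of hex digits and blanks

def encode_for_terminal(data, tool="od"):
    """Emulate what `xxd -p` (60 hex chars per line) or `od -A n -t x1 -v`
    (16 space-separated bytes per line) would print on the remote host."""
    hexstr = binascii.hexlify(data).decode()
    if tool == "xxd":
        return "\n".join(hexstr[i:i + 60] for i in range(0, len(hexstr), 60)) + "\n"
    lines = []
    for i in range(0, len(hexstr), 32):
        chunk = hexstr[i:i + 32]
        lines.append(" " + " ".join(chunk[j:j + 2] for j in range(0, len(chunk), 2)))
    return "\n".join(lines) + "\n"

def decode_terminal_dump(text, expected_size=None):
    """Rebuild the file from captured terminal output. Lines that are not pure
    hex (the echoed command, the prompt) are skipped; a dangling nibble or a
    size mismatch means the capture stopped early and the result is refused.
    The real harness's checks are stricter; this only illustrates the idea."""
    hexchars = []
    for line in text.splitlines():
        if line.strip() and HEX_LINE.match(line):
            hexchars.append(re.sub(r"\s+", "", line))
    joined = "".join(hexchars)
    if len(joined) % 2:
        raise ValueError("odd number of hex digits: transfer truncated?")
    data = binascii.unhexlify(joined)
    if expected_size is not None and len(data) != expected_size:
        raise ValueError(f"size mismatch: got {len(data)} bytes, expected {expected_size}")
    return data

def transfer_ok(text, expected_size):
    """True only if the captured dump decodes cleanly to the expected size."""
    try:
        decode_terminal_dump(text, expected_size)
        return True
    except ValueError:
        return False
```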

Processors
Conceptually, commands (as described above) are used to generate some bash which is forwarded to the shell. They can perform more complex operations by capturing the shell's output and generating additional instructions based on what is returned. Processors are a little different, as they are rather used to rewrite data circulating between the user and the underlying bash process. While it is true that any processor could be rewritten as a command, it seemed a little cleaner to separate the two. Input processors operate on whatever is typed by the user once they press the ENTER key, and output processors can modify anything returned by the shell.
  • A good processor example can be found in processors/ssh_command_line.py. All it does is add the -T option to any SSH command it sees if it is missing. Be sure to check out its simple code if you are interested in writing a processor.
  • Another input processor present in the framework, processors/assert_torify.py, contains a blacklist of networking commands (ssh, nc) and blocks them if they don't seem to be proxied through a tool such as torify. The harness does its best to only bother the user if it seems like the command is being run on the local machine. Obviously this should not be your only safeguard against leaking your home IP address.
  • Finally, processors/sample_output_processor.py is a very simple output processor that highlights in red any occurrence of the word "password". As it's quite useless, it's not enabled in the framework, but you can still use it as a starting point if you want to do something more sophisticated.
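The two input processors described above, as an added standalone example rather than FFM's own plugin code: it models ssh_command_line (insert -T when missing) and assert_torify (block ssh/nc run locally without a proxy wrapper). The wrapper list beyond torify, the processing order and the on_local_host flag are this example's assumptions.

```python
import shlex

# Constructed example, not FFM's plugin API: a standalone model of the two input
# processors the README describes. The real plugins live in processors/ and hook
# into the harness differently.

NETWORK_COMMANDS = {"ssh", "nc"}          # the blacklist the README mentions
PROXY_WRAPPERS = {"torify", "torsocks"}   # torify is from the README; torsocks is an assumption

def _command_index(argv):
    """Return the index of the real command, skipping any proxy wrapper in front of it."""
    i = 0
    while i < len(argv) and argv[i] in PROXY_WRAPPERS:
        i += 1
    return i

def add_ssh_no_tty(argv):
    """ssh_command_line: insert -T into an ssh invocation that lacks it, so the
    remote side allocates no pseudo-terminal."""
    i = _command_index(argv)
    if i < len(argv) and argv[i] == "ssh" and "-T" not in argv[i + 1:]:
        argv = argv[:i + 1] + ["-T"] + argv[i + 1:]
    return argv

def is_unproxied_network_command(argv):
    """assert_torify: True when a blacklisted network tool runs with no proxy wrapper."""
    i = _command_index(argv)
    return i == 0 and bool(argv) and argv[0] in NETWORK_COMMANDS

def process_input(line, on_local_host=True):
    """Run one typed line through both processors: block first, then rewrite
    (the ordering is this example's choice). Returns the line to forward to
    the shell, or None if the harness should refuse it."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: forward untouched and let the shell complain
        return line
    if not argv:
        return line
    if on_local_host and is_unproxied_network_command(argv):
        print(f"[!] refusing to run '{argv[0]}' without torify on the local machine")
        return None
    return " ".join(shlex.quote(a) for a in add_ssh_no_tty(argv))
```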

Known issues
CTRL+R is not implemented yet and we all miss it dearly.
There is currently no way to run ELFs in memory on a remote machine. This is high on the ToDo list.
More problematic is the fact that the framework hangs from time to time. In 99% of the cases, this happens when it fails to detect that a command it launched has finished running. Usually, this means that the command prompt of the machine you're logged into could not be recognized as such. In that case, you can try improving the regular expression located at the very beginning of the file ffm.py, or log into that same machine with ssh -T, as there won't be any problematic prompt anymore. By default, FFM will give up on trying to read the output of a command after 5 minutes (some plugins may implement different timeouts); so if the framework hangs, you'll need to wait until you see an error message (though if the underlying process is still running, you may still not be able to type in commands).

Closing statement
I think I've covered everything about this tool. Again, it's a little different from what I usually release, as most people will probably need to modify it before it can be valuable to them.
Many plugins have yet to be written, so be sure to share back any improvements you make to FFM. Feel free to open issues not only for bugs, but also if you're trying to do something and can't figure out how; this way I'll be able to improve the documentation for everyone.