ffm's People

Contributors

ice-wzl, justicerage, noraj


ffm's Issues

Feature Request: Client Side Logging

It would be pretty neat to have a client-side logging functionality. I can already do this with script, on the client, but perhaps something baked into FFM? When freedom fighting, it might be useful to do !log on /path/to/hacklog.txt and !log off to enable/disable logging of freedom fighting activities locally.

Terminal hangs after !elf or !elf3 module is run successfully

  • Steps to reproduce
!elf3 /tmp/payload
100%|████████████████████████████████████████| 336/336 [00:00<00:00, 3.20Mo/s]
Timeout reached; giving up on trying to capture the output.

!info
System Info: 
  • Shell hangs until timeout, at which time control is returned to the user; however, the user loses the ability to run further modules and/or system commands.
  • Need a way to give control back to the user.
  • This issue does not prevent !elf or !elf3 from running successfully; the payloads are loaded and executed just fine
meterpreter > sysinfo
Computer     : 10.0.0.39
OS           : Ubuntu 22.04 (Linux 5.15.0-72-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
  • I suppose you could just kill the ssh connection that is now hung if you have a tool like a C2, however this is still not ideal behavior and should be corrected.
  • Assigning to myself to fix, submitting issue for self awareness

Feature Request: !sh / local shell script in-memory on remote

Going to try to implement this myself, but if someone else gets there first, that would be neat. While sure, you could just paste them in, we want efficiency, and pasting stuff into a root shell elsewhere is an amazing way to go from "freedom fighting" to "no freedom" if your clipboard buffer hygiene isn't on point every single time.

Basically recreating !py except for shell scripts. We could also have this for Ruby/Perl/etc scripts quite easily, I think?

Upload freeze

I've got an upload freeze for both Debian & CentOS. I use Docker for testing, but also a real remote server.
I guess it's an issue from my client, but I cannot debug it easily.

Create a server (172.18.0.2):

$ docker run -it --rm debian /bin/bash
apt-get update
apt-get install netcat -y
nc.traditional -lvvp 7777 -e /bin/bash

On my client:

$ ls
ffm.py
$ nc 172.18.0.2 7777 !bypass
$ !upload
Usage: !upload [local file] [remote destination]
Received 1 argument(s), expected 3.
$ !upload test.py test.py
Usage: !upload [local file] [remote destination]
test.py not found!
$ !upload ffm.py test.py
<FREEZE>

Hi, is the function performing normally?

Hi,
When I try to use !download from the remote machine (my Ubuntu 18.04) to the local machine (Kali), it returns this error; !upload does the same. Which step is wrong?

Traceback (most recent call last):
  File "ffm.py", line 167, in <module>
    main()
  File "ffm.py", line 117, in main
    context.active_session.input_driver.handle_input(typed_char)
  File "/root/Tools/FFM/model/driver/input.py", line 87, in handle_input
    self.state(c)
  File "/root/Tools/FFM/model/driver/input.py", line 584, in _state_ground
    if parse_commands(self.input_buffer):
  File "/root/Tools/FFM/commands/command_manager.py", line 43, in parse_commands
    command_instance = c(*args)
  File "/root/Tools/FFM/commands/download_file.py", line 42, in __init__
    if not check_command_existence("xxd") and not check_command_existence("od"):
  File "/root/Tools/FFM/model/driver/input_api.py", line 182, in check_command_existence
    return int(output) == 0
ValueError: invalid literal for int() with base 10: 'command -v xxd >/dev/null ; echo $?\r\necho -n ihxYcJZQkfBctzLVDBDMrMhgqiiNkuGF\r\n0'
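
An added example, not part of the original issue or of FFM's code: the string in the ValueError above holds the echoed command line and the echoed `echo -n` marker command ahead of the real `0`, so `int(output)` cannot parse it. The sketch below extracts the status from such a capture; `naive_status` and `exit_status_from_capture` are hypothetical names, and the sample is the capture quoted in the traceback.

```python
import re

# Capture quoted in the ValueError above: the echoed command line, the echoed
# marker command, then the actual exit status.
CAPTURED = ("command -v xxd >/dev/null ; echo $?\r\n"
            "echo -n ihxYcJZQkfBctzLVDBDMrMhgqiiNkuGF\r\n0")
MARKER = "ihxYcJZQkfBctzLVDBDMrMhgqiiNkuGF"


def naive_status(output):
    """Same shape as the failing line in the traceback: int(output) == 0."""
    return int(output) == 0


def exit_status_from_capture(raw, sent_command=None, marker=None):
    """Return the exit status (0-255) found in raw, or None if there is none.

    Tolerates CR/LF line endings, an echo of the command that was sent, and
    the end marker appearing anywhere in the capture.
    """
    text = raw.replace("\r\n", "\n").replace("\r", "\n")
    if marker:
        text = text.replace(marker, "")
    # The status is printed last, so scan from the end of the capture.
    for line in reversed(text.split("\n")):
        line = line.strip()
        if not line or (sent_command and line == sent_command.strip()):
            continue
        if re.fullmatch(r"\d{1,3}", line) and int(line) <= 255:
            return int(line)
    return None  # caller decides how to treat "status unknown"


if __name__ == "__main__":
    try:
        naive_status(CAPTURED)
    except ValueError as exc:
        print("naive parse fails:", exc)
    print("tolerant parse:", exit_status_from_capture(CAPTURED, marker=MARKER))
```

Returning `None` instead of raising lets the caller tell "command missing" (non-zero status) apart from "could not read the status at all".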

Feature Request: Block SSH from sending a default SSH key

Just remembered that OpenSSH will often try to use the $HOME/.ssh/id_rsa key to auth, which leads to you being identifiable thanks to this. It might be worthwhile to block this (how?) by forcing some SSH arguments unless a specific -i keyfile flag is set.

echo -n end_marker being printed to stdout

  • I've seen the end marker being printed to stdout during my testing.
  • I found end_marker in the input_api.py file.
  • After forking and starting work I thought it was potentially something I introduced but cloned a fresh untouched copy and the issue persists.
  • Opening an issue because I am not sure exactly how to fix this or what is causing it to print to stdout.
  • Using terminator and zsh and terminator and bash on another host. Tested on both, see below.

Steps to reproduce

  • Occurs both sshed to a machine w/o a pty and in a pty on a local kali system with zsh
  • In pty on local system (kali)
python3 ffm.py
!os
cat /etc/*release*
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION="2023.1"
VERSION_ID="2023.1"
VERSION_CODENAME="kali-rolling"
ID=kali
ID_LIKE=debian
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
ANSI_COLOR="1;31"
                                                                                                                                      
┌──(kali㉿kali)-[/opt/justice-ffm/FFM]
echo -n
IJVzPmNFQumMGiuPRRpyZMPFRUVkHHeo            
  • I did not enter the echo -n command

SSH'ed with no pty

!os
cat /etc/*release*
echo -n WNGwrqHpyzOhRwRghOvenIHUzGXWNsVk
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
  • Happy to assist you trying to fix this issue. Cheers.

SSH automatically adding "-T" not firing/working.

Taking the functions for a walk, noticed this... Basically I am not using the -T flag, so it should raise an alert and add it. Instead, it doesn't. Seems the regex doesn't fire or something?

user@box:~/FFM$ torsocks ssh -lroot [redacted]
root@[redacted]'s password: [redacted]
[redacted]
root@[redacted]:~# 

Bug: False Positive/missing check on "username not specified" SSH protection

TL;DR you should also check for the "-l username" / "-lusername" option.

user@box:~/tools/FFM$ torsocks ssh -lroot redacted
FFM blocked a command that may leak your local username. Please specify the remote user explicitly.
user@box:~/tools/FFM$ torsocks ssh -l root redacted
FFM blocked a command that may leak your local username. Please specify the remote user explicitly.

TypeError: Can't instantiate abstract class RunShScript with abstract method _get_output_cleaner

  • Steps to reproduce:
!sh /home/neo/linpeas.sh
Traceback (most recent call last):
  File "/opt/FFM/ffm.py", line 167, in <module>
    main()
  File "/opt/FFM/ffm.py", line 117, in main
    context.active_session.input_driver.handle_input(typed_char)
  File "/opt/FFM/model/driver/input.py", line 87, in handle_input
    self.state(c)
  File "/opt/FFM/model/driver/input.py", line 584, in _state_ground
    if parse_commands(self.input_buffer):
  File "/opt/FFM/commands/command_manager.py", line 43, in parse_commands
    command_instance = c(*args)
TypeError: Can't instantiate abstract class RunShScript with abstract method _get_output_cleaner
  • Alternative steps to reproduce
  • just !sh with no args and it will throw the TypeError
