Freedom Fighting Mode (FFM)

FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 talk by @thegrugq.

It was presented at SSTIC 2018 (video) and the accompanying slide deck is available at this URL. If you're not familiar with this class of tools, it is strongly advised to go through them to understand what a hacking harness is for. All the accompanying comments are included in the slides.

This project is distributed under the terms of the GPL v3 License.

Full Documentation

Check out the full documentation for the tool in this repo:

Installation

Docker Install

git clone https://github.com/JusticeRage/FFM.git
cd FFM

docker build Docker_Install/ -t ffm:ffm

docker image list
REPOSITORY                TAG         IMAGE ID      CREATED        SIZE
localhost/ffm             ffm         fb6dd17e3b91  9 minutes ago  614 MB
docker.io/library/ubuntu  22.04       3b418d7b466a  2 weeks ago    80.3 MB

# run the new container and drop into a /bin/bash prompt as root (-u 0);
# the tag given to docker build works just as well as the image ID
docker run -it --entrypoint /bin/bash -u 0 ffm:ffm

Non Docker Install

git clone https://github.com/JusticeRage/FFM.git
cd FFM
pip install -r requirements.txt

Usage

The goal of a hacking harness is to act as a helper that automates common tasks during the post-exploitation phase, but also safeguards the user against mistakes they may make.

It is an instrumentation of the shell. Run ./ffm.py to activate it and you can start working immediately. There are two commands you need to know about:

!list tags
List of commands available:
	 enumeration
	 execution
	 help
	 stealth
	 transfer
!list enumeration
List of commands available:
	!backup-hunter: Hunts for backup files
	!info: Returns CPU(s), Architecture, Memory, and Kernel Version for the current machine.
	!log: Toggles logging the harness' input and output to a file.
	!mtime: Returns files modified in the last X minutes
	!os: Prints the distribution of the current machine.
	!db-hunter: Hunts for .sqlite, .sqlite3, and .db files
	!sshkeys: Hunts for Private and Public SSH keys on the current machine.
	!suid: Finds SUID, SGID binaries on the current machine.
	--snip--

List of features

This hacking harness provides a few features that are described below. As they are described, the design philosophy behind the tool will also be introduced. It is not expected that all the commands implemented in FFM will suit you. Everyone has their own way of doing things, and tuning the harness to your specific need is likely to require you to modify some of the code and/or write a few plugins. A lot of effort went into making sure this is a painless task.

Commands

Enumeration Commands

Transfer Commands

Execution Commands

Stealth Commands

Plugins can be further configured by editing ffm.conf.

Processors

Conceptually, commands (as described above) are used to generate some bash which is forwarded to the shell. They can perform more complex operations by capturing the shell's output and generating additional instructions based on what is returned. Processors are a little different as they are rather used to rewrite data circulating between the user and the underlying bash process. While it is true that any processor could be rewritten as a command, it seemed a little cleaner to separate the two. Input processors work on whatever is typed by the user once they press the ENTER key, and output processors can modify anything returned by the shell.
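To make the command / processor split concrete, here is an added Python model of it. This is not code from the FFM repository and does not use FFM's real plugin API: the Harness, Processor and ProcessorType names, the handle_input/handle_output methods and the two command functions are invented for the example. The two processor behaviours are standard techniques, not FFM features: an input processor prefixes a space so that a bash running with HISTCONTROL=ignorespace keeps the line out of .bash_history, and an output processor strips ANSI escape sequences from what the shell returns. The sample inputs at the bottom are constructed.

```python
"""Toy model of the command / processor split (hypothetical, not FFM's API)."""
import re
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, List


class ProcessorType(Enum):
    INPUT = auto()    # rewrites the line about to be written to bash
    OUTPUT = auto()   # rewrites data coming back from bash


@dataclass
class Processor:
    name: str
    kind: ProcessorType
    rewrite: Callable[[str], str]


# Output processor: remove ANSI colour/cursor sequences so that logs and any
# later parsing of the shell's output are not polluted by escape codes.
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def strip_ansi(output: str) -> str:
    return ANSI_RE.sub("", output)


# Input processor: a leading space keeps the line out of .bash_history when the
# target's bash has HISTCONTROL=ignorespace (or ignoreboth) set.
def history_guard(line: str) -> str:
    if line and not line.startswith(" "):
        return " " + line
    return line


# Commands: each takes the user's arguments and returns the bash to forward.
def suid_command(args: List[str]) -> str:
    return "find / -perm -4000 -type f 2>/dev/null"


def mtime_command(args: List[str]) -> str:
    minutes = int(args[0]) if args else 60
    return f"find / -mmin -{minutes} -type f 2>/dev/null"


class Harness:
    """Glue between the user and the bash process (hypothetical)."""

    def __init__(self) -> None:
        self.commands: Dict[str, Callable[[List[str]], str]] = {}
        self.processors: List[Processor] = []

    def register_command(self, name: str, func: Callable[[List[str]], str]) -> None:
        self.commands[name] = func

    def add_processor(self, proc: Processor) -> None:
        self.processors.append(proc)

    def handle_input(self, typed: str) -> str:
        """Return the line that is actually written to bash's stdin.

        In this toy, '!name args' is expanded into bash first, then every
        INPUT processor rewrites the result in registration order.
        """
        line = typed
        if typed.startswith("!"):
            parts = typed[1:].split()
            if not parts or parts[0] not in self.commands:
                raise KeyError(f"unknown command {typed!r}")
            line = self.commands[parts[0]](parts[1:])
        for proc in self.processors:
            if proc.kind is ProcessorType.INPUT:
                line = proc.rewrite(line)
        return line

    def handle_output(self, data: str) -> str:
        """Return what the user sees for one chunk of shell output."""
        for proc in self.processors:
            if proc.kind is ProcessorType.OUTPUT:
                data = proc.rewrite(data)
        return data


def build_harness() -> Harness:
    h = Harness()
    h.register_command("suid", suid_command)
    h.register_command("mtime", mtime_command)
    h.add_processor(Processor("history_guard", ProcessorType.INPUT, history_guard))
    h.add_processor(Processor("strip_ansi", ProcessorType.OUTPUT, strip_ansi))
    return h


if __name__ == "__main__":
    h = build_harness()
    print(repr(h.handle_input("!mtime 10")))                      # constructed input
    print(repr(h.handle_output("\x1b[01;32mroot@box\x1b[00m:~# ")))  # constructed output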

Known issues

CTRL+R is not implemented yet and we all miss it dearly.

More problematic is the fact that the framework hangs from time to time. In 99% of the cases, this happens when it fails to detect that a command it launched has finished running. Usually, this means that the command prompt of the machine you're logged into could not be recognized as such. In that case, you can try improving the regular expression located at the very beginning of the file ffm.py, or log into that same machine with ssh -T as there won't be any problematic prompt anymore. By default, FFM will give up on trying to read the output of a command after 5 minutes (some plugins may implement different timeouts); so if the framework hangs, you'll need to wait until you see an error message (though if the underlying process is still running, you may still not be able to type in commands).
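The hang described above comes down to one test: does the last line of the output collected so far look like a prompt? The following added Python illustrates that test and the five-minute give-up. It is not FFM's own code: DEFAULT_PROMPT_RE is a hypothetical stand-in for the regex at the top of ffm.py, wait_for_prompt() is a hypothetical model of the read loop, and the prompt strings and chunks are constructed. It also shows the case the text warns about, a prompt the default regex does not recognise (a zsh-style one here), and the fix of extending the regex.

```python
"""Prompt detection with a timeout (hypothetical model, not FFM's read loop)."""
import re
import time
from typing import Callable, Pattern

# Matches common bash/sh prompts: "user@host:~$ ", "root@box:/tmp# ",
# "[alice@web01 tmp]$ ", "sh-5.1$ ", "bash-5.2# ". Only the last line of the
# buffer is tested against it.
DEFAULT_PROMPT_RE = re.compile(
    r"^(\[?[\w.-]+@[\w.-]+[ :][^\r\n]*\]?|(ba)?sh-[\d.]+)[$#] ?$"
)

# A zsh prompt such as "➜  ~ " never matches the default, so the harness would
# sit there until the timeout. Extending the regex is the fix suggested above.
ZSH_PROMPT_RE = re.compile(DEFAULT_PROMPT_RE.pattern + r"|^➜ .*$")


def last_line(buf: str) -> str:
    return buf.rsplit("\n", 1)[-1].rstrip("\r")


def command_finished(buf: str, prompt_re: Pattern[str] = DEFAULT_PROMPT_RE) -> bool:
    """True when the output collected so far ends with a recognised prompt."""
    return prompt_re.search(last_line(buf)) is not None


def wait_for_prompt(read_chunk: Callable[[], str],
                    prompt_re: Pattern[str] = DEFAULT_PROMPT_RE,
                    timeout: float = 300.0,
                    poll: float = 0.05) -> str:
    """Accumulate shell output until a prompt shows up or `timeout` seconds pass.

    read_chunk() must return the next available output, or "" when nothing is
    pending (a non-blocking read). Raises TimeoutError on the hang the text
    describes; the 300 s default mirrors the five-minute give-up.
    """
    deadline = time.monotonic() + timeout
    buf = ""
    while time.monotonic() < deadline:
        chunk = read_chunk()
        if chunk:
            buf += chunk
            if command_finished(buf, prompt_re):
                return buf
        else:
            time.sleep(poll)
    raise TimeoutError(f"no prompt matched after {timeout}s; last line: {last_line(buf)!r}")


if __name__ == "__main__":
    # Constructed output of `id` on a box with a default root prompt.
    chunks = iter(["uid=0(root) gid=0(root)", "\r\n", "root@box:~# "])
    print(repr(wait_for_prompt(lambda: next(chunks, ""), timeout=2)))
```

The usual caveat applies when you loosen the regex: anything that makes it match ordinary output (a line ending in `$ ` or `# `, or a prompt-looking string in a file you cat) will make the harness believe the command has finished early and hand the rest of the output to the next command, so test a new prompt pattern against the real output of the target before relying on it.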

Closing statement

I think I've covered everything about this tool. Again, it's a little different from what I usually release as most people will probably need to modify it before it can be valuable to them.

Many plugins have yet to be written, so be sure to share back any improvements you make to FFM. Feel free to open issues not only for bugs, but also if you're trying to do something and can't figure out how; this way I'll be able to improve the documentation for everyone.

To Do

Contact