
Yeah, thank you very much. So thank you guys for being here, it's great to be back, so thanks to the BSides team for having me again. So today I'm going to talk to you about some personal research that I've worked on over the past year, which is in the field of OPSEC, or operational security. This research has culminated in the development of a tool which is a hacking harness called Freedom Fighting Mode. Basically, I'm not sure if all of you are familiar with what a hacking harness is, and even though the concept has been around for some time now, it hasn't seen too much development or research, so I think the best way to introduce it is to talk a little bit about the motivation behind the development of this tool, explain what it's trying to achieve, then show you, hopefully, how it does it, and then go back to more theoretical considerations.

So the idea, the main concept, is anti-forensics. The idea is that sophisticated attackers will strive to limit the evidence they create on victim machines as much as they can. So for instance this can be IP addresses that could be used by the blue team for attribution; this can be tools, for instance local privilege escalation exploits or backdoors, or keys, which shouldn't fall into the hands of the defenders because they may have some significant R&D or financial value. The attacker is also going to try and hide as much as they can of what they're doing on the victim's machine, because it can betray what their final intent is, etcetera.

So there are basically two ways to achieve this kind of stealth. The first one: try and delete the evidence. And if you look at the Equation Group leak, for instance, you'll see that there are various tools that are trying to do exactly this: they have toast, beclean, dizzy... I think it's called... etcetera, which are all various tools that try to perform secure deletion or log wiping, one way or another. So I think it shows how important it is to these kinds of sophisticated attackers to remove the evidence they create. The problem with this approach is that it's pretty hard: if you miss a single file when you're trying to delete the evidence, then you might as well have not erased it at all, because the defender only needs one entry in the log files. The other consideration is that possibly the logs are going to be uploaded to some remote server that you don't have access to, and when they are, good luck deleting them, because this is not something I'm going to be able to do.

So the second approach, which by the way
is not mutually exclusive with the first one, is to try and not create this evidence in the first place. So this happens through various techniques like executing as many things as you can from memory, etc., or not using the functions that are going to create entries in log files. So the reason I've been working a bit in this field is that I felt like red teamers try to replicate APT procedures as much as they can, in order to be able to see what the blue team would actually be able to see the day they are faced with a real sophisticated attack. The thing is, anti-forensics, as I've just said, is very error-prone, and there's this saying in infosec that the attackers have a real edge. I think it's true up until the point of the breach, because the attackers only have to find a single flaw in the defender's IT systems to be able to penetrate the network, but once they're in, I think it's also true that the attacker only needs a single mistake before they are found out. So this is a place where the blue team has a real edge in this fight.

We also have, at least in the Linux world, a big problem with tooling. If you think about Windows exploitation, you have very advanced frameworks like PowerSploit or Empire, etc., which are very polished frameworks that allow you to do a lot of things and to perform lateral movement very easily. I don't believe we have such luck in the Linux world, so mostly people are going to be doing what the Grugq calls bareback hacking, which means you have a basic shell with no TTY, possibly received on a netcat handler, and depending on your conditions you may be struggling to perform even very simple commands like ls or cd, because you have to deal with the absence of features on your terminal, like no tab completion, the absence of arrow keys that would allow you to go back and forth on your command buffer, and there are going to be some latency issues. So if you are running your attack through a number of proxies, then the time that's going to elapse between the moment where you press a key on your keyboard and the moment where it appears on the screen might be in the order of 10 seconds. So this is, in my opinion, a recipe for disaster. I think this is the best way you could imagine to help people type the wrong things in the wrong terminal. So obviously you could deploy an agent like Meterpreter or something similar, or maybe your custom
backdoor. The problem is, I think deploying the agent kind of defeats the purpose, because if you're trying to leave as few traces as you can on the remote machine, then starting by uploading more modules from you is the wrong way to go, in my opinion. So hacking harnesses are a concept that was developed to solve all these issues. The concept was introduced by the Grugq in 2007, and in the Hack In The Box presentation he introduced his own tool, which was called hash. It was lost for a long time, even he had lost the source code, but it was found again and you can find it on GitHub now, but he hasn't worked on it for a while, I think. Basically I highly recommend that you watch this talk, because he was right about everything, I think, and there was only one thing in which he turned out to be wrong, which is when he said that we should expect to see a lot more development in this field in the future, because hacking harnesses are a crucial part of post-exploitation, and it turned out that there wasn't so much research done after his own presentation.

So without further ado, I'm going to try and show you how the hacking harness I have developed works and how it tries to solve all these issues. To do this, I'm going to set up some fake exploitation scenario where I connect to a machine with a simple netcat. I don't have screen mirroring, so I'm going to have to look at the screen as I type, so please bear with my approximate typing, because it's something I always struggle to do. Okay, so I'm still connected, which is a good thing. So what I'm going to do is just have a netcat listener, okay, and here below is going to be my attacker shell. Above, I'm connected to some VPS I own somewhere, and below is my attacker machine. For the beginning I'm going just to perform a traditional pen testing session with a simple netcat and see how it goes.
So hopefully I'm going to receive a connection soon. Okay, there I am. So you see that if I run some commands, they should work, okay.

Okay, you know what, I'm going to give up on the remote thing and try to do it locally, which is something I don't like to do, but... Come on. Okay, so, final solution, I'm going to go back to the video. It's of course very small, I don't think anybody is going to be able to read this. Can you read this? No? Okay, okay, it works now, well, thanks for that.

So the idea here, in the classic scenario, is: if I'm typing commands and I mistype, then I can't go back. If I use the cursor keys, I just get weird characters inside the shell. If I try to press Ctrl-A to go back to the beginning of the line, it's not going to work. If I press Tab to try to get some completion, it's not going to work. And at the end, I'm going to try to press Ctrl-C to clear the line and try again, and this
is going to happen: I lose my shell and I'm very, very frustrated. So let's try to do the same thing again, but with the hacking harness on this time. Before I do this, there's something the harness is going to do for me: if I try to connect to a remote machine without first using one of those commands like Tor or proxychains, etc., it's going to block the connection, because it assumes that I'm making a mistake, since I'm not using any anonymizing protocol or tool. In this instance I'm going to just bypass this check, because I don't want to add Tor to the variables of this demonstration. Okay, so here I am.

So now if I try to type that stuff, and if I use the keys, everything works fine; I can use all the usual command-line shenanigans that you would usually expect. There's another thing, which is that I've implemented tab completion. So for instance there's a script that's called sorons.sh, it's my personal script to download stuff, so here I type, completion. So I think it's a very comfortable way to perform your post-exploitation, but this isn't where the interest of the harness stops. I have implemented a list of commands that I can use. For instance, something that's usually needed is to upload and download files to remote machines, but this is often a problem, because if you want to send a file to the remote machine, one of the things you may end up doing is to post it to a third-party service, which may or may not respect the privacy of the files you send them, and in the case of a red team engagement you may not want your backdoors to end up on VirusTotal the next day. So I've implemented a command that's going to allow me to upload and download files directly through the shell. Okay, if I just download the script that I just showed here and put it in /tmp... come on... yeah, so everything is going through the shell. I can do the same thing to upload files, and finally I can also execute scripts in memory, which I think is the best part. So for instance,
this is a script I wrote that performs log deletion. I'm not going to run it entirely, or maybe we can do it at the end if I have some time left. The idea is that here I'm referencing a script that exists on my local machine, and it's going to be run on the remote machine entirely in memory, so the script is never going to touch the hard drive of the remote machine; it's just going to be executed. So there we go, so we have the help. Okay, maybe I can launch it before I go on. This doesn't make sense... okay, so this IP address, I'm going to clean this one. Oh, by the way, if I press up and down I also get the history of my commands, which I think is also useful. And there we go, so the log cleaning is going to take a few seconds, and there we are, and if I go back to the output of the last command you'll see that this IP has entirely disappeared. So this is one of the things that the hacking harness is going to provide you.

I'm going to show you just another thing. Oh yeah, this is something I forgot: if you press Ctrl-C, it's going to ask you to confirm if there is a risk of you closing your terminal, then you'll have to press Ctrl-C again, to make sure that you're not, by accident, going to be losing a connection that you need. I've also implemented a few things related to the SSH command. So if you try to SSH to a machine, for instance, this is going to be blocked, because there is a risk of leaking my username: if you connect to a machine without specifying a username, then the SSH command is going to send the current user, which might be "ivan" here, and which is something I might not want to be logged on someone else's machine. So I have to explicitly put the username, and as well you'll see that there are a few options that are added to the command, like PubkeyAuthentication=no, because by default SSH is going to try all your local SSH keys on the remote machines, which can be used to identify you as well. It's also going to add the -T flag automatically, which disables the remote allocation of a TTY; basically it's just an option that causes a lot of logs to be written everywhere on the system, so in case you forget to use it, it's going to be added automatically. Plus, as well, there's this safety net for people who tend to forget to use proxychains, etc.

So back to the presentation. So now that we've seen what the hacking harness is in action, we can try and attempt to define what it
is, or what it should be. Basically, the first thing I think I should clarify is that everything, absolutely everything, is happening locally, which means that there is no agent deployed on the remote machine; everything is just based on commands that are generated by my own shell. A question I get asked very often is: why not use a classic framework like Meterpreter or the like? To answer this properly, I think we have to go back to how a classical exploitation workflow goes. First you find the vulnerability in some application; then secondly you exploit that vulnerability and get some form of remote code execution; third, you send yourself a reverse shell; and finally you persist and move laterally. The thing is, step three, which is sending yourself a reverse shell, is increasingly more difficult than I think it should be. If you ended up with a crappy www-data shell, it's going to be very difficult for you to send files to the remote machine; you're going to struggle. I know I've been struggling with it every time I've had to do something like this. So if you really want to use the classical frameworks like Metasploit, etc., the hacking harness is still going to help you: it's very, very easy to write a hacking harness plugin that's going to start up the Meterpreter handler for you, and then it's going to upload the Meterpreter executable to the remote machine and execute it, in only a single command, so you don't have to do it manually and struggle with it.

So the idea is to provide basic TTY emulation, so all the tab completion etc., and provide all the basic functionalities that you would expect. Of course, what I've demonstrated is by no means an indication of how people should work or what good OPSEC is; it's just a demonstration of the way a hacking harness could be set up. It works for me, but it's one of those types of tools that has to be customized to each person's personal way of doing things. So yeah, I guess the reason why it's called the hacking harness is because of the climbing analogy, and the idea is that if you make a mistake while climbing, then you fall down and you die, whereas if you have a harness then you might have a chance to survive.

So I'm going to talk a little bit about the tool's internals now. I'm not going to go into too much detail of how the kernel works; basically we'll just assume that from the moment that you press a key to the moment where it arrives to be used by an
application, magic happens, and it's not really important how it works. The way this framework works is it intercepts all the inputs and the outputs that are sent to the terminal. So usually in the kernel there's something called the line discipline, I'm not sure if you guys are familiar with it; it's basically some line editing in a buffer. The idea is, when you type some characters and you press backspace, the application is not going to see the characters the human typed; the characters are going to be deleted, and the application won't see them until you press Enter. So this is something the line discipline does in the kernel. What I did is I put the terminal in raw mode, which means that all this line discipline has been disabled, and I've re-implemented everything in Python, which means that every key press that comes from the user can be received in the end by the framework and can be reinterpreted to reconstruct the command line. And this is the reason why I'm able to have all these cursor capabilities that the terminal shouldn't have. So this is what the line discipline looks like; I'm not going to spend too much time on it, it's basically a huge state machine, yeah, so it's not that interesting.

I think what's more interesting is the fact that since all the command line is handled at the Python level, it allows me to do a lot of stuff, like intercepting the commands. So for instance, if I see an SSH command, I can block it, I can rewrite it, and then provide it to the underlying shell. This is the reason why, even though I was on a not-so-good Wi-Fi connection, I was able to see what I was typing: because everything I type is handled locally, and it's only when I press the Enter key that the command line is sent to the remote shell. This means that if you go through seven proxies, you're not going to suffer from the lag. It also means that you can forego PTY allocation on the remote machines, because you just don't need it anymore; all the features are provided locally. As well, of course, if you see some interesting output from the commands that you generate, it's also possible to react to it, generate more commands, and really automate everything that's happening in your shell.

So here's a quick list of the things that are implemented at the moment. Basically I have the upload and download capabilities quickly shown earlier; the Python command that allows you to execute local Python scripts on the remote machine, everything in memory; I've got the exact same thing for bash scripts; plus a capability to spawn a PTY as well, which is useful when you have to type some passwords in a shell, this is something that's hard to avoid. One thing that I don't have at the moment, but I would really love to have, is the capability to execute local executables in memory as well, not just scripts. There is a project on GitHub called netelf; I haven't had the time to look into it yet, but this is something I need to implement at some point in the future.

When it comes to writing plugins, I'm not sure this is readable either, so I'll be quick:
the idea is that I did my best to make sure that it's easy to customize the framework to your own needs. So this is the whole plugin, the whole plugin that runs Python in memory. I think it's quite short, which is a good thing. The idea is that you don't need to understand everything that's happening in the shell to be able to write a plugin; all you have to do is write methods that describe what the plugin does and what types of inputs it should react to. So for instance, here the plugin reacts to everything that starts with "!py", and then you have an execute method in Python that's going to run Python code whenever this command line happens. So it should be pretty easy.

In terms of compatibility, I've tested this mostly on Debian flavors, and it works well, I think. I've had a few bug reports in the past where the harness can, not crash, but freeze: if the harness is expecting some output and it hasn't detected that the remote shell is not sending any more output, then it's stuck forever, which is not good. But I think most of these issues have been resolved. A problem that may arise is when some of the system tools that the framework expects are not present on the remote machines. So for instance, the upload and download functions are translated into xxd or base64 commands, and if those commands are not available then they're just not going to work. Yeah, piping and redirection are also expected. This may not look like much, but this is something that's a bit of a hard limitation for some scenarios. For instance, if you are using the harness through Weevely, which is a PHP web shell, the harness is going to mostly work, and you'll get tab completion, which is very funny, but since the web shell doesn't support piping and redirection, you'll not be able to run the Python scripts in memory, for instance. So that's that.

So in conclusion, this is a framework that's open source, it's released under the terms of the GPLv3, and it's written in Python 3 as well. You can find it on GitHub, and it's a little bit experimental, but I've been using it and I've been able to transfer hundreds of megabytes of files, so I think it's in a decent condition. There are some features that are missing, like Ctrl-R to browse through the command history, which would be great but I don't have at the moment, and I'm always looking for plugin ideas. So that's it, basically; if you have any questions, feel free to let me know, and otherwise thank you for your attention.
Awesome, and glad that the demo went well at the end. Are there any questions in the room? Nobody? Not for now, okay. You can talk to him later on, he will be here, he will be at the party as well; I think last year it was fun. Okay, we'll see you for the next speaker in a couple of minutes. Thank you.
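One way to implement the SSH interception rule the talk describes, as an added Python 3 example that is not FFM's own code: the rule runs on the typed command line before it reaches the underlying shell, refuses an ssh command that carries no explicit username, and adds -T and -o PubkeyAuthentication=no when they are missing. The option-letter set, the BlockedCommand exception and the is_blocked helper are my own assumptions, and PubkeyAuthentication is how I read the talk's description of the added option.

```python
import shlex

# Added illustration in the style of the harness described in the talk; this is
# not FFM's own code. A rule like this sees the command line the user typed,
# before it is handed to the underlying shell, and rewrites or refuses it.

# ssh option letters that consume the following token (assumed list, covering
# the common ones from ssh(1)); needed to tell options from the destination.
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")


class BlockedCommand(Exception):
    """Raised when the harness refuses to pass a command to the shell."""


def _find_destination(argv):
    """Return the index of the [user@]host token in an ssh argv, or None."""
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            return i + 1 if i + 1 < len(argv) else None
        if tok.startswith("-"):
            # "-o Opt=val" consumes two tokens; "-oOpt=val" and "-T" only one
            i += 2 if (len(tok) == 2 and tok[1] in SSH_OPTS_WITH_ARG) else 1
            continue
        return i
    return None


def rewrite_ssh(cmdline):
    """Apply the ssh hygiene rules to one command line.

    Non-ssh commands pass through untouched. An ssh command is refused when
    it has no explicit login name (ssh would send the local username), and
    gets -T (no remote pty) and -o PubkeyAuthentication=no (do not offer
    every local key to the remote host) added when they are missing.
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "ssh":
        return cmdline
    dest = _find_destination(argv)
    if dest is None:
        raise BlockedCommand("ssh: no destination host given")
    opts = argv[1:dest]
    has_login = "@" in argv[dest] or any(o.startswith("-l") for o in opts)
    if not has_login:
        raise BlockedCommand("ssh: refusing to connect without an explicit username")
    if "-T" not in opts and "-t" not in opts:  # respect an explicit -t
        opts.append("-T")
    if "PubkeyAuthentication=" not in " ".join(opts):
        opts += ["-o", "PubkeyAuthentication=no"]
    return shlex.join(["ssh"] + opts + argv[dest:])


def is_blocked(cmdline):
    """True when the rule would refuse the command rather than rewrite it."""
    try:
        rewrite_ssh(cmdline)
        return False
    except BlockedCommand:
        return True
```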