Merge pull request #1 from jaredhendrickson13/v2
V2
jaredhendrickson13 committed Dec 17, 2020
2 parents ae20302 + 2d59091 commit 2844cb0
Showing 6 changed files with 622 additions and 559 deletions.
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -3,4 +3,5 @@ build*
*.DS_Store
*__pycache__*
*pfsense_vshell.egg*
dist*
dist*
venv*
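
Review bot: The new `venv*` entry, like `dist*` above it, is an unanchored prefix glob, so it ignores any file or directory at any depth whose name starts with `venv`, and it does not cover a dot-prefixed `.venv` directory. If the intent is the top-level virtualenv and build output, `/venv/` and `/dist/` state that exactly; add `.venv/` if that name is in use.
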
136 changes: 117 additions & 19 deletions README.md
@@ -1,55 +1,76 @@
# Introduction
pfSense vShell is a command line tool that enables users to remotely enter shell commands without enabling `sshd`.
This allows administrators to automate installation of packages, enable `sshd`, and make other backend changes out of
the box.
pfSense vShell is a command line tool and Python module that enables users to remotely enter shell commands on a pfSense
host without enabling `sshd`. This allows administrators to automate installation of packages, enable `sshd`, and make other backend
changes out of the box.

# Installation
pfSense vShell requires Python3/Pip3 for installation<br>

To install:<br>
`pip3 install pfsense-vshell`
`pip install pfsense-vshell`

To uninstall:<br>
`pip3 uninstall pfsense-vshell`
`pip uninstall pfsense-vshell`

# Examples
Below are some examples of common use cases for pfsense-vshell. Please note, authentication may be passed in via inline
argument (specify `-u` followed by your username, and `-p` followed by your password), or interactive prompt (if `-u`
or `-p` are not specified). Inline authentication allows commands to be scripted easily, whereas interactive
authentication will secure password input and allow users to specify multiple commands (like an actually shell)<br>
# Command Line

## Usage & Syntax
```
usage: pfsense-vshell [-h] --host HOST [--virtual-shell] [--command COMMAND] [--check_auth COMMAND] --username USERNAME --password PASSWORD [--scheme {http,https}] [--port PORT] [--timeout TIMEOUT] [--shell_timeout SHELL_TIMEOUT] [--no_verify] [--version] [--verbose]
```

| Command | Shorthand | Required | Description | Example Usage |
|-----------------|-----------|---------------------------------------|------------------------------------------------------------------------------------------------|-------------------------|
| --host | -i | Yes (except with --help or --version) | Set the IP or hostname of the remote pfSense host | --host HOST |
| --command | -c | No | Run a single shell command | --command COMMAND |
| --virtual-shell | -s | No | Start a interactive virtual shell | --virtual-shell |
| --help | -h | No | Display the help page | --help |
| --version | -V | No | Display the current version | --version |
| --username | -u | Yes (except with --help or --version) | Set the username to login with | --username USERNAME |
| --password | -p | Yes (except with --help or --version) | Set the password to login with | --password PASSWORD |
| --port | -P | No | Set the TCP port of pfSense's webConfigurator | --port PORT |
| --scheme | -w | No | Set the HTTP protocol scheme. `http` or `https` | --scheme SCHEME |
| --no_verify | -k | No | Disable SSL certificate verification | --no_verify |
| --timeout | -t | No | Set the connection timeout value (in seconds) | --timeout TIMEOUT |
| --shell_timeout | -z | No | Set the virtual shell session timeout value (in seconds). Only available with --virtual-shell. | --shell_timeout TIMEOUT |
| --verbose | -v | No | Enable verbose logging | --verbose |

## Examples
Below are some examples of common use cases for pfsense-vshell:<br>

1: Run a single shell command (with inline authentication)
```shell script
$ pfsense-vshell 127.0.0.1 --command "cat /etc/version" -u admin -p pfsense
$ pfsense-vshell --host 127.0.0.1 --command "cat /etc/version" --username admin --password pfsense
2.4.5-RELEASE
```
2: Start an interactive virtual shell session to run multiple commands (with interactive authentication)
```shell script
$ pfsense-vshell 127.0.0.1 --virtual-shell
Please enter username: admin
Please enter password:
$ pfsense-vshell --host 127.0.0.1 --virtual-shell --username admin --password pfsense
---Virtual shell established---
[email protected]:/usr/local/www $ uname -a
FreeBSD pfSense.localdomain 11.3-STABLE FreeBSD 11.3-STABLE #236 21cbb70bbd1(RELENG_2_4_5): Tue Mar 24 15:26:53 EDT 2020# [email protected]:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense amd64
[email protected]:/usr/local/www $ exit
---Virtual shell terminated---
```
3: Run a single command to enable `sshd` on pfSense (with interactive password input)
3: Run a single command to enable `sshd` on pfSense
```shell script
$ pfsense-vshell 127.0.0.1 --command "pfSsh.php playback enablesshd" -u admin
$ pfsense-vshell --host 127.0.0.1 --command "pfSsh.php playback enablesshd" --username admin --password pfsense
```

4: Run a single command to install a package on pfSense (with inline authentication)
```shell script
$ pfsense-vshell 127.0.0.1 --command "pkg install -y pfSense-pkg-nmap" -u admin -p pfsense
$ pfsense-vshell --host 127.0.0.1 --command "pkg install -y pfSense-pkg-nmap" --username admin --password pfsense
```

5: Display pfSense vShell version
```shell script
$ pfsense-vshell --version
pfsensevshell v0.0.1 Darwin/x86_64
pfsense-vshell v2.0.0
```
# Restrictions

## Notes
- When using `--virtual-shell`, you may enter the command `history` to display commands executed since the virtual shell
session started.
- Interactive commands cannot be run within pfSense vShell, there is no way to add additional input after you have run
your command. If the command does not return a return code within 90 seconds the command will timeout.
- Some older versions (pre-2.3) may not work properly. Always test functionality for running against production systems.
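
Review bot: In the options table `--username` and `--password` are now marked required, and example 2 drops the `Please enter password:` prompt, so the only documented way to authenticate is a password typed on the command line, where it ends up in shell history and is visible in the process list. The removed Examples paragraph described the interactive prompt as the path that secures password input; consider keeping `--password` optional and prompting when it is omitted, and saying so in the table. Separately, the usage line lists `[--check_auth COMMAND]`, which has no row in the table, and the `--no_verify` row could state that the login is then sent to a host whose certificate was not checked.
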
Expand All @@ -60,4 +81,81 @@ Any file interaction will be relative to this directory if not absolute.
- By default, any command run within pfSense vShell has root access. There is no way to change this so be careful.
- Your pfSense user must have access to the Diagnostics > Command Prompt page within the webConfigurator.

# Python3 Module
After installing the package, the `pfsense_vshell` module will also be made available to your Python3 scripts.

## Classes
```
PFClient(host, username, password, port=443, scheme='https', timeout=30, verify=True)
: Initializes the object at creation
:param host: (string) the IP or hostname of the remote pfSense host
:param username: (string) the pfSense username to authenticate as.
:param password: (string) the password for the pfSense username.
:param port: (int) the remote TCP port of pfSense's webConfigurator. Defaults to 443.
:param scheme: (string) the HTTP scheme to use. http or https. Defaults to https.
:param timeout: (int) the timeout value in seconds for HTTP requests. Defaults to 30.
:param verify: (bool) true to enable certificate verification, false to disable. Defaults to true.
### Static methods
version()
: Provides the current version of pfsense vShell
:return: (string) the current pfSense vShell version
### Methods
authenticate(self)
: Attempts to authenticate using the objects current properties
:return: (bool) true if authentication was successful, false if it wasn't
get_csrf_token(self, uri)
: Retrieves the current CSRF token for a page
:param uri: (string) the URI (e.g. index.php) to retrieve the CSRF token from
:return: (string) the CSRF token
has_dns_rebind_error(self, req=None)
: Checks if the objects host encounters a DNS rebind error when connecting
:param req: (object) optionally provide an existing Response object created by the requests module
:return: (bool) true if a DNS rebind error was found, false if it wasn't
is_host_pfsense(self, req=None)
: Checks if the remote host is running pfSense. This is intended to protect clients from accidentally sending
their login credentials to the wrong host as well as prevent hosts from spamming non-pfSense hosts.
:param req: (object) optionally provide an existing Response object created by the requests module
:return: (bool) true if the host is running pfSense, false if it is not
request(self, uri, method='GET', data=None)
: Makes HTTP requests on behalf of our object
:param uri: (string) the URI (e.g. /index.php) to request on the remote host
:param method: (string) the HTTP method to use in the request (e.g. POST, GET)
:param data: (dict) the request body data to send in the request
:return: (object) the Response object created by the requests module
run_command(self, cmd)
: Executes a shell command on the remote host using pfSense's diag_command.php page
:param cmd: (string) a shell command to execute
:return: (string) output of the shell command
url(self)
: Formats a full URL with the objects current property values
:return: (string) full URL of our object
PFError(code, message)
: Error object used by the PFVShell class
### Ancestors (in MRO)
* builtins.Exception
* builtins.BaseException
```

## Examples
```python
import pfsense_vshell

# Create our PFClient object
vshell = pfsense_vshell.PFClient("127.0.0.1", username="admin", password="password")

# Run command to install package on pfSense
vshell.run_command("pkg install -y pfSense-pkg-sudo")
```
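
Review bot: The `PFError(code, message)` entry at the end of the Classes block says it is the error object used by the `PFVShell` class, but the only client class this block documents is `PFClient`; the name should match. The block also never says which methods raise `PFError` or what the `code` values mean, and `run_command` documents only its return value, so a caller cannot tell how a failed login or a timeout surfaces; the Python example likewise calls `run_command` with no error handling. The `scheme` and `verify` parameter lines would benefit from a note that `http` or `verify=False` sends the pfSense username and password without transport protection or to an unverified host. Minor: the `uri` examples differ (`index.php` in `get_csrf_token`, `/index.php` in `request`).
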