dissect.target 3.11.dev36__py3-none-any.whl → 3.11.2.dev1__py3-none-any.whl

dissect/target/plugin.py

@@ -63,6 +63,7 @@ class OperatingSystem(enum.Enum):
     VYOS = "vyos"
     IOS = "ios"
     FORTIGATE = "fortigate"
+    CITRIX = "citrix-netscaler"
 
 
 def export(*args, **kwargs) -> Callable:

dissect/target/plugins/apps/webhosting/cpanel.py

@@ -0,0 +1,72 @@
+import re
+from datetime import datetime
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+CPanelLastloginRecord = TargetRecordDescriptor(
+    "application/log/cpanel/lastlogin",
+    [
+        ("datetime", "ts"),
+        ("string", "user"),
+        ("net.ipaddress", "remote_ip"),
+    ],
+)
+
+CPANEL_LASTLOGIN = ".lastlogin"
+CPANEL_LOGS_PATH = "/usr/local/cpanel/logs"
+CPANEL_LASTLOGIN_PATTERN = re.compile(
+    r"([^\s]+) # ([0-9]{4}-[0-9]{2}-[0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) ([+-][0-9]{4})"
+)
+
+
+class CPanelPlugin(Plugin):
+    # TODO: Parse other log files https://support.cartika.com/portal/en/kb/articles/whm-cpanel-log-files-and-locations
+    __namespace__ = "cpanel"
+
+    def check_compatible(self) -> None:
+        if not self.target.fs.path(CPANEL_LOGS_PATH).exists():
+            raise UnsupportedPluginError("No cPanel log path found")
+
+    @export(record=CPanelLastloginRecord)
+    def lastlogin(self) -> Iterator[CPanelLastloginRecord]:
+        """Return the content of the cPanel lastlogin file.
+
+        The lastlogin files tracks successful cPanel interface logons. New logon events are only tracked
+        if the IP-address of the logon changes.
+
+        References:
+            - https://forums.cpanel.net/threads/cpanel-control-panel-last-login-clarification.579221/
+            - https://forums.cpanel.net/threads/lastlogin.707557/
+        """
+        for user_details in self.target.user_details.all_with_home():
+            if (lastlogin := user_details.home_path.joinpath(CPANEL_LASTLOGIN)).exists():
+                try:
+                    for index, line in enumerate(lastlogin.open("rt")):
+                        line = line.strip()
+                        if not line:
+                            continue
+
+                        if events := CPANEL_LASTLOGIN_PATTERN.findall(line):
+                            for event in events:
+                                remote_ip, date, time, utc_offset = event
+
+                                timestamp = datetime.strptime(f"{date} {time} {utc_offset}", "%Y-%m-%d %H:%M:%S %z")
+
+                                yield CPanelLastloginRecord(
+                                    ts=timestamp,
+                                    user=user_details.user.name,
+                                    remote_ip=remote_ip,
+                                    _target=self.target,
+                                )
+                        else:
+                            self.target.log.warning(
+                                "The cPanel lastlogin line number %s is malformed: %s", index + 1, lastlogin
+                            )
+
+                except Exception:
+                    self.target.log.warning(
+                        "An error occurred parsing cPanel lastlogin line number %i in file: %s", index + 1, lastlogin
+                    )

dissect/target/plugins/os/unix/bsd/citrix/_os.py

@@ -0,0 +1,119 @@
+from __future__ import annotations
+
+import re
+from typing import Iterator, Optional
+
+from dissect.target.filesystem import Filesystem, VirtualFilesystem
+from dissect.target.helpers.record import UnixUserRecord
+from dissect.target.plugin import OperatingSystem, export
+from dissect.target.plugins.os.unix.bsd._os import BsdPlugin
+from dissect.target.target import Target
+
+RE_CONFIG_IP = re.compile(r"-IPAddress (?P<ip>[^ ]+) ")
+RE_CONFIG_HOSTNAME = re.compile(r"set ns hostName (?P<hostname>[^\n]+)\n")
+RE_CONFIG_TIMEZONE = re.compile(
+    r'set ns param -timezone "GMT\+(?P<hours>[0-9]+):(?P<minutes>[0-9]+)-.*-(?P<zone_name>.+)"'
+)
+RE_CONFIG_USER = re.compile(r"bind system user (?P<user>[^ ]+) ")
+RE_LOADER_CONFIG_KERNEL_VERSION = re.compile(r'kernel="/(?P<version>.*)"')
+
+
+class CitrixBsdPlugin(BsdPlugin):
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self._ips = []
+        self._hostname = None
+        self.config_usernames = []
+        self._parse_netscaler_configs()
+
+    def _parse_netscaler_configs(self) -> None:
+        ips = set()
+        usernames = set()
+        for config_path in self.target.fs.path("/flash/nsconfig/").glob("ns.conf*"):
+            with config_path.open("rt") as config_file:
+                config = config_file.read()
+                for match in RE_CONFIG_IP.finditer(config):
+                    ips.add(match.groupdict()["ip"])
+                for match in RE_CONFIG_USER.finditer(config):
+                    usernames.add(match.groupdict()["user"])
+                if config_path.name == "ns.conf":
+                    # Current configuration of the netscaler
+                    if hostname_match := RE_CONFIG_HOSTNAME.search(config):
+                        self._hostname = hostname_match.groupdict()["hostname"]
+                    if timezone_match := RE_CONFIG_TIMEZONE.search(config):
+                        tzinfo = timezone_match.groupdict()
+                        self.target.timezone = tzinfo["zone_name"]
+
+        self._config_usernames = list(usernames)
+        self._ips = list(ips)
+
+    @classmethod
+    def detect(cls, target: Target) -> Optional[Filesystem]:
+        newfilesystem = VirtualFilesystem()
+        is_citrix = False
+        for fs in target.filesystems:
+            if fs.exists("/bin/freebsd-version"):
+                newfilesystem.map_fs("/", fs)
+                break
+        for fs in target.filesystems:
+            if fs.exists("/nsconfig") and fs.exists("/boot"):
+                newfilesystem.map_fs("/flash", fs)
+                is_citrix = True
+            elif fs.exists("/netscaler"):
+                newfilesystem.map_fs("/var", fs)
+                is_citrix = True
+        if is_citrix:
+            return newfilesystem
+        return None
+
+    @export(property=True)
+    def hostname(self) -> Optional[str]:
+        return self._hostname
+
+    @export(property=True)
+    def version(self) -> Optional[str]:
+        version_path = self.target.fs.path("/flash/.version")
+        version = version_path.read_text().strip()
+        loader_conf = self.target.fs.path("/flash/boot/loader.conf").read_text()
+        if match := RE_LOADER_CONFIG_KERNEL_VERSION.search(loader_conf):
+            kernel_version = match.groupdict()["version"]
+            return f"{version} ({kernel_version})"
+        self.target.log.warn("Could not determine kernel version")
+        return version
+
+    @export(property=True)
+    def ips(self) -> list[str]:
+        return self._ips
+
+    @export(record=UnixUserRecord)
+    def users(self) -> Iterator[UnixUserRecord]:
+        nstmp_users = set()
+        nstmp_path = "/var/nstmp/"
+
+        nstmp_user_path = nstmp_path + "{username}"
+
+        for entry in self.target.fs.scandir(nstmp_path):
+            if entry.is_dir() and entry.name != "#nsinternal#":
+                nstmp_users.add(entry.name)
+        for username in self._config_usernames:
+            nstmp_home = nstmp_user_path.format(username=username)
+            user_home = nstmp_home if self.target.fs.exists(nstmp_home) else None
+
+            if user_home:
+                # After this loop we will yield all users who are not in the config, but are listed in /var/nstmp/
+                # To prevent double records, we remove entries from the set that we are already yielding here.
+                nstmp_users.remove(username)
+
+            if username == "root" and self.target.fs.exists("/root"):
+                # If we got here, 'root' is present both in /var/nstmp and in /root. In such cases, we yield
+                # the 'root' user as having '/root' as a home, not in /var/nstmp.
+                user_home = "/root"
+
+            yield UnixUserRecord(name=username, home=user_home)
+
+        for username in nstmp_users:
+            yield UnixUserRecord(name=username, home=nstmp_user_path.format(username=username))
+
+    @export(property=True)
+    def os(self) -> str:
+        return OperatingSystem.CITRIX.value

dissect/target/plugins/os/windows/registry.py

@@ -210,7 +210,7 @@ class RegistryPlugin(Plugin):
         Returns a KeyCollection which contains all keys that match
         the query.
         """
-        key = key.strip("\\")
+        key = (key or "").strip("\\")
 
         if not key:
             return KeyCollection([self._root.root()])

{dissect.target-3.11.dev36.dist-info → dissect.target-3.11.2.dev1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.11.dev36
+Version: 3.11.2.dev1
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.11.dev36.dist-info → dissect.target-3.11.2.dev1.dist-info}/RECORD

@@ -3,7 +3,7 @@ dissect/target/container.py,sha256=R8M9EE7DqKq8DeMuekcpR1nxtZ827zuqmTmO4s7PYkg,7
 dissect/target/exceptions.py,sha256=DQVgo6puVBRPBiappL9GU5EA94lrcr3eVta0m56a-ng,2777
 dissect/target/filesystem.py,sha256=Kn9RJtdYUWRXh4hxGnHpN_ttwcslZpwzVtUvX_W7qIQ,49335
 dissect/target/loader.py,sha256=oTpNhmb2abgWuPUqdewLjZz2zcbSYQP5kzZ5yYu7XXg,7100
-dissect/target/plugin.py,sha256=qHFKipJP8sBQbn1HOSJna25Fspt7PZ-i5RoVsdY1cGM,32565
+dissect/target/plugin.py,sha256=fkM_Qn5M0R8DQ7JMeVTHH8h1JbHQ2HDFHjqdUKXHFRc,32597
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
 dissect/target/target.py,sha256=TgDY-yAsReOQOG-Phz_m1vdNucdbk9fUI_RMZpMeYG8,28334
 dissect/target/volume.py,sha256=vHBXdDttpiu-Q_oWycNM7fdJ5N8Ob7-i_UBJK9DEs24,15027
@@ -103,6 +103,8 @@ dissect/target/plugins/apps/ssh/openssh.py,sha256=bOtUj_jrie8ncTmtj_cCmFh169i4eW
 dissect/target/plugins/apps/vpns/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/vpns/openvpn.py,sha256=OP2dUIlAdVpMAW9OQycWQpigmemF1AJKIEUVNgTB7HQ,6622
 dissect/target/plugins/apps/vpns/wireguard.py,sha256=LpGwbABhrViMVUJ-QWS1leLHyjwVtIMIp-dzkvarE0c,5773
+dissect/target/plugins/apps/webhosting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/apps/webhosting/cpanel.py,sha256=OeFQnu9GmpffIlFyK-AR2Qf8tjyMhazWEAUyccDU5y0,2979
 dissect/target/plugins/apps/webservers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/webservers/apache.py,sha256=tEH65kRDzNnRkn_oy9pjGqzvP82gx-G4ZRVjyjY_rU4,7091
 dissect/target/plugins/apps/webservers/caddy.py,sha256=uwrH1pYkKaaa9GGueyCi2QO_4WT0msvm_ju7Ff3YxuU,6306
@@ -157,6 +159,8 @@ dissect/target/plugins/os/unix/packagemanager.py,sha256=-mxNhDjvj497-wBvu3z22316
 dissect/target/plugins/os/unix/services.py,sha256=OEnaenGORK9K3_HfF8Ii5Pp0RsVYBJObEELY-gsnumE,5293
 dissect/target/plugins/os/unix/shadow.py,sha256=7ztW_fYLihxNjS2opFToF-xKZngYDGcTEbZKnodRkc8,3409
 dissect/target/plugins/os/unix/bsd/_os.py,sha256=e5rttTOFOmd7e2HqP9ZZFMEiPLBr-8rfH0XH1IIeroQ,1372
+dissect/target/plugins/os/unix/bsd/citrix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/os/unix/bsd/citrix/_os.py,sha256=BsmrDOu_izsapi-iGUlxQmcJsiBhN9zUcU3np-PrdZc,4939
 dissect/target/plugins/os/unix/bsd/freebsd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/bsd/freebsd/_os.py,sha256=Vqiyn08kv1IioNUwpgtBJ9SToCFhLCsJdpVhl5E7COM,789
 dissect/target/plugins/os/unix/bsd/ios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -214,7 +218,7 @@ dissect/target/plugins/os/windows/locale.py,sha256=YlRqFteHGSE-A21flbCKP1jXUTgyX
 dissect/target/plugins/os/windows/notifications.py,sha256=tBgZKnDCXWFtz7chHIo5cKQf2swcTTB3MMcecfTZ-4w,4773
 dissect/target/plugins/os/windows/prefetch.py,sha256=favUyI5Pywi8Ho8fUye3gnXcM9BqEIMhFcSa1idQQBg,10304
 dissect/target/plugins/os/windows/recyclebin.py,sha256=aqp1kc8A6k5UTt6ebycuejPd0QJwNIX1xIu21M0CUGU,4926
-dissect/target/plugins/os/windows/registry.py,sha256=aRIAq7pXtPpdGBxU_WOpOkceu1GE9N51ssriuuW9wfs,12227
+dissect/target/plugins/os/windows/registry.py,sha256=cLv5T5eomc8APn6eXKIx26Ea3Y4i3eledDFGI0Q-q_U,12235
 dissect/target/plugins/os/windows/sam.py,sha256=jFl22o5WhjgdD2fWaebhfnLrx1g_T1BYXodVGSIQzRk,15789
 dissect/target/plugins/os/windows/services.py,sha256=p2v4z4YM-K3G2cnWIHVyPgsJgfrlDpvXz7gUvltIUD4,6059
 dissect/target/plugins/os/windows/sru.py,sha256=4Vybz3_RJYNbLZXKYGOouUKZNWyOUSgSTf4JAGN2O7w,16808
@@ -275,10 +279,10 @@ dissect/target/volumes/bde.py,sha256=gYGg5yF9MNARwNzEkrEfZmKkxyZW4rhLkpdnPJCbhGk
 dissect/target/volumes/disk.py,sha256=95grSsPt1BLVpKwTclwQYzPFGKTkFFqapIk0RoGWf38,968
 dissect/target/volumes/lvm.py,sha256=_kIB1mdRs1OFhRgoT4VEP5Fv8imQnI7oQ_ie4x710tQ,1814
 dissect/target/volumes/vmfs.py,sha256=mlAJ8278tYaoRjk1u6tFFlCaDQUrVu5ZZE4ikiFvxi8,1707
-dissect.target-3.11.dev36.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.11.dev36.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.11.dev36.dist-info/METADATA,sha256=1tL7rKZLxN4x6D0dr57ST9VZ8NiF2Yuoel5b_tTiyDg,10711
-dissect.target-3.11.dev36.dist-info/WHEEL,sha256=5sUXSg9e4bi7lTLOHcm6QEYwO5TIF1TNbTSVFVjcJcc,92
-dissect.target-3.11.dev36.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.11.dev36.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.11.dev36.dist-info/RECORD,,
+dissect.target-3.11.2.dev1.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.11.2.dev1.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.11.2.dev1.dist-info/METADATA,sha256=Bpf8TdpjIStxlBta0fNZO6ytz6f2caTDAgXftEX4pqw,10712
+dissect.target-3.11.2.dev1.dist-info/WHEEL,sha256=5sUXSg9e4bi7lTLOHcm6QEYwO5TIF1TNbTSVFVjcJcc,92
+dissect.target-3.11.2.dev1.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.11.2.dev1.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.11.2.dev1.dist-info/RECORD,,