dissect.target 3.16.dev37__py3-none-any.whl → 3.16.dev39__py3-none-any.whl

dissect/target/loaders/velociraptor.py

@@ -19,12 +19,6 @@ WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]
 
 
 def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional[list[Path]]]:
-    # As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
-    # Generic.Collectors.File (Unix) uses the accessors file and auto.
-    # Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors
-    # mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection where a single accessor is used.
-    # For Windows usage of the ntfs_vss accessor can be forced by configuring VSSAnalysisAge to be greater than 0.
-
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
     # Unix
@@ -43,6 +37,9 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
         if accessor_root.exists():
             # If the accessor directory exists, assume all the subdirectories are volumes
             for volume in accessor_root.iterdir():
+                if not volume.is_dir():
+                    continue
+
                 # https://github.com/Velocidex/velociraptor/blob/87368e7cc678144592a1614bb3bbd0a0f900ded9/accessors/ntfs/vss.go#L82
                 if "HarddiskVolumeShadowCopy" in volume.name:
                     vss_volumes.add(volume)
@@ -60,6 +57,17 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
 class VelociraptorLoader(DirLoader):
     """Load Rapid7 Velociraptor forensic image files.
 
+    As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
+    Generic.Collectors.File (Unix) uses the accessors file and auto. The loader supports the following configuration::
+
+        {"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\\netc/**\\nvar/log/**"}}
+
+    Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors mft, ntfs, lazy_ntfs,
+    ntfs_vss and auto. The loader only supports a collection where a single accessor is used, which can be forced by
+    using the following configuration::
+
+        {"Windows.KapeFiles.Targets":{"VSSAnalysisAge":"1000","_SANS_Triage":"Y"}}
+
     References:
         - https://www.rapid7.com/products/velociraptor/
         - https://docs.velociraptor.app/

dissect/target/plugins/apps/vpn/wireguard.py

@@ -1,7 +1,7 @@
 import re
 from collections import OrderedDict
 from configparser import ConfigParser
-from os.path import basename
+from functools import partial
 from pathlib import Path
 from typing import Iterator, Union
 
@@ -34,7 +34,7 @@ WireGuardPeerRecord = TargetRecordDescriptor(
         ("string", "name"),
         ("string", "public_key"),
         ("string", "pre_shared_key"),
-        ("net.ipnetwork", "allowed_ips"),
+        ("net.ipnetwork[]", "allowed_ips"),
         ("string", "endpoint"),
         ("varint", "persistent_keep_alive"),
         ("string", "source"),
@@ -102,37 +102,42 @@ class WireGuardPlugin(Plugin):
 
             config = _parse_config(config_buf)
 
-            for section in config.sections():
+            # Set up an iterator to go through all the sections and pre-set the fallback
+            config_iterator = ((section, partial(config.get, section, fallback=None)) for section in config.sections())
+
+            for section, config_dict in config_iterator:
                 if "Interface" in section:
-                    if address := config.get(section, "Address", fallback=None):
+                    if address := config_dict("Address"):
                         address = address.split("/")[0]
-                    name = basename(config_path)
-                    name = self.TUNNEL_NAME_RE.sub("", name)
+
                     yield WireGuardInterfaceRecord(
-                        name=name,
+                        name=config_path.stem,
                         address=address,
-                        listen_port=config.get(section, "ListenPort", fallback=None),
-                        private_key=config.get(section, "PrivateKey", fallback=None),
-                        fw_mark=config.get(section, "FwMark", fallback=None),
-                        dns=config.get(section, "DNS", fallback=None),
-                        table=config.get(section, "Table", fallback=None),
-                        mtu=config.get(section, "MTU", fallback=None),
-                        preup=config.get(section, "PreUp", fallback=None),
-                        postup=config.get(section, "PostUp", fallback=None),
-                        predown=config.get(section, "PreDown", fallback=None),
-                        postdown=config.get(section, "PostDown", fallback=None),
+                        listen_port=config_dict("ListenPort"),
+                        private_key=config_dict("PrivateKey"),
+                        fw_mark=config_dict("FwMark"),
+                        dns=config_dict("DNS"),
+                        table=config_dict("Table"),
+                        mtu=config_dict("MTU"),
+                        preup=config_dict("PreUp"),
+                        postup=config_dict("PostUp"),
+                        predown=config_dict("PreDown"),
+                        postdown=config_dict("PostDown"),
                         source=config_path,
                         _target=self.target,
                     )
 
                 if "Peer" in section:
+                    if allowed_ips := config_dict("AllowedIPs"):
+                        allowed_ips = [value.strip() for value in allowed_ips.split(",")]
+
                     yield WireGuardPeerRecord(
-                        name=config.get(section, "Name", fallback=None),
-                        public_key=config.get(section, "PublicKey", fallback=None),
-                        pre_shared_key=config.get(section, "PreSharedKey", fallback=None),
-                        allowed_ips=config.get(section, "AllowedIPs", fallback=None),
-                        endpoint=config.get(section, "Endpoint", fallback=None),
-                        persistent_keep_alive=config.get(section, "PersistentKeepAlive", fallback=None),
+                        name=config_dict("Name"),
+                        public_key=config_dict("PublicKey"),
+                        pre_shared_key=config_dict("PreSharedKey"),
+                        allowed_ips=allowed_ips,
+                        endpoint=config_dict("Endpoint"),
+                        persistent_keep_alive=config_dict("PersistentKeepAlive"),
                         source=config_path,
                         _target=self.target,
                     )
@@ -148,6 +153,8 @@ def _parse_config(content: str) -> ConfigParser:
     """
 
     cp = ConfigParser(defaults=None, dict_type=MultiDict, strict=False)
+    # Set to use str so it doesn't do any lower operation on the keys.
+    cp.optionxform = str
     cp.read_string(content)
     return cp
 
@@ -158,7 +165,7 @@ class MultiDict(OrderedDict):
         super().__init__(*args, **kwargs)
 
     def __setitem__(self, key, val):
-        if isinstance(val, dict) and (key == "Peer" or key == "Interface"):
+        if isinstance(val, dict) and (key in ["Peer", "Interface"]):
             self._unique += 1
             key += str(self._unique)
         super().__setitem__(key, val)

{dissect.target-3.16.dev37.dist-info → dissect.target-3.16.dev39.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.16.dev37
+Version: 3.16.dev39
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.16.dev37.dist-info → dissect.target-3.16.dev39.dist-info}/RECORD

@@ -102,7 +102,7 @@ dissect/target/loaders/targetd.py,sha256=sfbn2_j3il2G-rPywAoNT5YPtD5KmKkmBv1zrPD
 dissect/target/loaders/utm.py,sha256=e5x5ZI3HeL0STh4S-CaQb68Rnug4SVZR9zlmHaGFj0M,978
 dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
 dissect/target/loaders/vbox.py,sha256=8JD7D8iAY9JRvTHsrosp5ZMsZezuLhZ10Zt8sEL7KBI,732
-dissect/target/loaders/velociraptor.py,sha256=tikJEVCUDloWJNd5J3jJjNcVkOp-OnEe1O79DY2WLWw,4372
+dissect/target/loaders/velociraptor.py,sha256=WPnDIWANIIUPgc-kfXSjXptCQ2pkcy1jdkEydiOvs58,4613
 dissect/target/loaders/vma.py,sha256=AAY5-s-nz6wgvmcFkptJD7nNXhpkdf6SqEKVOrJaIKs,644
 dissect/target/loaders/vmwarevm.py,sha256=1MlKoIuWSwpYmpuLxDuVacvaYHUhAGO1KgZxzrc4fyg,428
 dissect/target/loaders/vmx.py,sha256=o1rYYKu6ReleqqHf2aeRcNrmoRcngWZNhz1h7GlmggQ,962
@@ -137,7 +137,7 @@ dissect/target/plugins/apps/ssh/putty.py,sha256=N8ssjutUVN50JNA5fEIVISbP5sJ7bGTF
 dissect/target/plugins/apps/ssh/ssh.py,sha256=uCaoWlT2bgKLUHA1aL6XymJDWJ8JmLsN8PB1C66eidY,1409
 dissect/target/plugins/apps/vpn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/vpn/openvpn.py,sha256=NZeFSFgGAifevGIQBusdbBRFOPxu0584Th8rKE-XSus,6875
-dissect/target/plugins/apps/vpn/wireguard.py,sha256=45WvCqQQGrG3DVDH5ghcsGpM_BomF4RcTLzcIvnyuNs,6554
+dissect/target/plugins/apps/vpn/wireguard.py,sha256=SoAMED_bwWJQ3nci5qEY-qV4wJKSSDZQ8K7DoJRYq0k,6521
 dissect/target/plugins/apps/webhosting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/webhosting/cpanel.py,sha256=OeFQnu9GmpffIlFyK-AR2Qf8tjyMhazWEAUyccDU5y0,2979
 dissect/target/plugins/apps/webserver/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -332,10 +332,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.16.dev37.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.16.dev37.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.16.dev37.dist-info/METADATA,sha256=Zksa2i_x7GaCd7AE8DnKxPk_uAeWgFPL7FrzDkvp4qE,11107
-dissect.target-3.16.dev37.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.16.dev37.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.16.dev37.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.16.dev37.dist-info/RECORD,,
+dissect.target-3.16.dev39.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.16.dev39.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.16.dev39.dist-info/METADATA,sha256=ngLz4XeexsGKv4urTocePElt3tx1Jpc0yxVHs1FcGWU,11107
+dissect.target-3.16.dev39.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.16.dev39.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.16.dev39.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.16.dev39.dist-info/RECORD,,