dissect.target 3.16.dev41__py3-none-any.whl → 3.16.dev44__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -17,6 +17,7 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor, UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
+from dissect.target.plugins.os.unix.linux.fortios._keys import KERNEL_KEY_MAP
 from dissect.target.target import Target
 
 try:
@@ -92,12 +93,14 @@ class FortiOSPlugin(LinuxPlugin):
         except ReadError:
             # The rootfs.gz file could be encrypted.
             try:
-                rfs_fh = decrypt_rootfs(rootfs.open(), get_kernel_hash(sysvol))
+                kernel_hash = get_kernel_hash(sysvol)
+                key, iv = key_iv_for_kernel_hash(kernel_hash)
+                rfs_fh = decrypt_rootfs(rootfs.open(), key, iv)
                 vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
             except RuntimeError:
                 target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
             except ValueError as e:
-                target.log.warning("Could not decrypt rootfs.gz. Unsupported kernel version.")
+                target.log.warning("Could not decrypt rootfs.gz. Unknown kernel hash (%s).", kernel_hash)
                 target.log.debug("", exc_info=e)
             except ReadError as e:
                 target.log.warning("Could not mount rootfs.gz. It could be corrupt.")
@@ -457,58 +460,60 @@ def decrypt_password(input: str) -> str:
         return "ENC:" + input
 
 
-def decrypt_rootfs(fh: BinaryIO, kernel_hash: str) -> BinaryIO:
-    """Attempt to decrypt an encrypted ``rootfs.gz`` file.
+def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
+    """Return decryption key and IV for a specific sha256 kernel hash.
+
+    The decryption key and IV are used to decrypt the ``rootfs.gz`` file.
+
+    Args:
+        kernel_hash: SHA256 hash of the kernel file.
+
+    Returns:
+        Tuple with decryption key and IV.
+
+    Raises:
+        ValueError: When no decryption keys are available for the given kernel hash.
+    """
+
+    key = bytes.fromhex(KERNEL_KEY_MAP.get(kernel_hash, ""))
+    if len(key) == 32:
+        # FortiOS 7.4.x uses a KDF to derive the key and IV
+        return _kdf_7_4_x(key)
+    elif len(key) == 48:
+        # FortiOS 7.0.13 and 7.0.14 uses a static key and IV
+        return key[:32], key[32:]
+    raise ValueError(f"No known decryption keys for kernel hash: {kernel_hash}")
+
+
+def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
+    """Attempt to decrypt an encrypted ``rootfs.gz`` file with given key and IV.
 
     FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
     This function attempts to decrypt a ``rootfs.gz`` file using a static key and IV
     which can be found in the kernel.
 
-    Currently supported versions (each release has a new key):
-        - FortiGate VM 7.0.13
-        - FortiGate VM 7.0.14
-        - FortiGate VM 7.4.1
-        - FortiGate VM 7.4.2
-        - FortiGate VM 7.4.3
+    Known keys can be found in the ``_keys.py`` file.
 
     Resources:
         - https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
         - Reversing kernel (fgt_verifier_iv, fgt_verifier_decrypt, fgt_verifier_initrd)
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: ChaCha20 key.
+        iv: ChaCha20 iv.
+
+    Returns:
+        File-like object to the decrypted rootfs.gz file.
+
+    Raises:
+        ValueError: When decryption failed.
+        RuntimeError: When PyCryptodome is not available.
     """
 
     if not HAS_PYCRYPTODOME:
         raise RuntimeError("PyCryptodome module not available")
 
-    # SHA256 hashes of kernel files
-    KERNEL_KEY_MAP = {
-        # FortiGate VM 7.0.13
-        "25cb2c8a419cde1f42d38fc6cbc95cf8b53db41096d0648015674d8220eba6bf": (
-            bytes.fromhex("c87e13e1f7d21c1aca81dc13329c3a948d6e420d3a859f3958bd098747873d08"),
-            bytes.fromhex("87486a24637e9a66f09ec182eee25594"),
-        ),
-        # FortiGate VM 7.0.14
-        "67d4c913b1ceb7a62e2076ca835ebfdc67e65c7716fc604caa7552512f171197": (
-            bytes.fromhex("9ba00c035bcaa97717d936f8268a973eb1dd64d19388153fad5f7849b8fdf0d8"),
-            bytes.fromhex("9df4ba40dbddcf5ec9d2983681eb1940"),
-        ),
-        # FortiGate VM 7.4.1
-        "a008b47327293e48502a121ee8709f243ad5da4e63d6f663c253db27bd01ea28": _kdf_7_4_x(
-            "366486c0f2c6322ec23e4f33a98caa1b19d41c74bb4f25f6e8e2087b0655b30f"
-        ),
-        # FortiGate VM 7.4.2
-        "c392cf83ab484e0b2419b2711b02cdc88a73db35634c10340037243394a586eb": _kdf_7_4_x(
-            "480767be539de28ee773497fa731dd6368adc9946df61da8e1253fa402ba0302"
-        ),
-        # FortiGate VM 7.4.3
-        "ba0450947e51844588b29bd302d2a1a3802f7718cf6840011c1b34f1c1f0bb89": _kdf_7_4_x(
-            "4cf7a950b99cf29b0343e7ba6c609e49d9766f16c6d2f075f72ad400542f0765"
-        ),
-    }
-
-    if not (key_data := KERNEL_KEY_MAP.get(kernel_hash)):
-        raise ValueError("Failed to decrypt: Unknown kernel hash.")
-
-    key, iv = key_data
     # First 8 bytes = counter, last 8 bytes = nonce
     # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
     # We're interested in updating the position in the ChaCha20 internal state, so to make

dissect/target/tools/reg.py

@@ -3,10 +3,16 @@
 from __future__ import print_function
 
 import argparse
+import itertools
 import logging
 
 from dissect.target import Target
-from dissect.target.exceptions import RegistryError, TargetError
+from dissect.target.exceptions import (
+    RegistryError,
+    RegistryKeyNotFoundError,
+    TargetError,
+)
+from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.tools.utils import (
     catch_sigpipe,
     configure_generic_arguments,
@@ -29,7 +35,8 @@ def main():
     parser.add_argument("targets", metavar="TARGETS", nargs="+", help="Targets to load")
     parser.add_argument("-k", "--key", required=True, help="key to query")
     parser.add_argument("-kv", "--value", help="value to query")
-    parser.add_argument("-d", "--depth", type=int, const=0, nargs="?", default=1)
+    parser.add_argument("-d", "--depth", type=int, const=0, nargs="?", default=1, help="max depth of subkeys to print")
+    parser.add_argument("-l", "--length", type=int, default=100, help="max length of key value to print")
 
     configure_generic_arguments(parser)
     args = parser.parse_args()
@@ -38,34 +45,50 @@ def main():
 
     try:
         for target in Target.open_all(args.targets):
+            if not target.has_function("registry"):
+                target.log.error("Target has no Windows Registry")
+                continue
+
             try:
-                if args.value:
-                    for key in target.registry.keys(args.key):
-                        try:
-                            print(key.value(args.value))
-                        except RegistryError:
-                            continue
-                else:
+                keys = target.registry.keys(args.key)
+                first_key = next(keys)
+
+                print(target)
+
+                for key in itertools.chain([first_key], keys):
                     try:
-                        print(target)
-                        for key in target.registry.keys(args.key):
-                            recursor(key, args.depth, 0)
+                        if args.value:
+                            print(key.value(args.value))
+                        else:
+                            recursor(key, args.depth, 0, args.length)
                     except RegistryError:
                         log.exception("Failed to find registry value")
-            except Exception:
-                log.exception("Failed to iterate key")
+
+            except (RegistryKeyNotFoundError, StopIteration):
+                target.log.error("Key %r does not exist", args.key)
+
+            except Exception as e:
+                target.log.error("Failed to iterate key: %s", e)
+                target.log.debug("", exc_info=e)
     except TargetError as e:
         log.error(e)
         log.debug("", exc_info=e)
         parser.exit(1)
 
 
-def recursor(key, depth, indent):
-    print(" " * indent + f"+ {key.name!r} ({key.ts})")
+def recursor(key: RegistryKey, depth: int, indent: int, max_length: int = 100) -> None:
+    class_name = ""
+    if key.class_name:
+        class_name = f" ({key.class_name})"
+
+    print(" " * indent + f"+ {key.name!r} ({key.ts})" + class_name)
 
     for r in key.values():
         try:
-            print(" " * indent + f"  - {r.name!r} {repr(r.value)[:100]}")
+            value = repr(r.value)
+            if len(value) > max_length:
+                value = value[:max_length] + "..."
+            print(" " * indent + f"  - {r.name!r} {value}")
         except NotImplementedError:
             continue
 
@@ -73,7 +96,7 @@ def recursor(key, depth, indent):
         return
 
     for subkey in key.subkeys():
-        recursor(subkey, depth - 1, indent + 2)
+        recursor(subkey, depth - 1, indent + 2, max_length)
 
 
 if __name__ == "__main__":

{dissect.target-3.16.dev41.dist-info → dissect.target-3.16.dev44.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.16.dev41
+Version: 3.16.dev44
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3
@@ -35,7 +35,7 @@ Requires-Dist: flow.record ~=3.14.0
 Requires-Dist: structlog
 Provides-Extra: cb
 Requires-Dist: dissect.target[full] ; extra == 'cb'
-Requires-Dist: carbon-black-cloud-sdk-python ~=1.4.3 ; extra == 'cb'
+Requires-Dist: carbon-black-cloud-sdk ~=1.4.3 ; extra == 'cb'
 Provides-Extra: full
 Requires-Dist: asn1crypto ; extra == 'full'
 Requires-Dist: dissect.btrfs <2.0.dev,>=1.0.dev ; extra == 'full'

{dissect.target-3.16.dev41.dist-info → dissect.target-3.16.dev44.dist-info}/RECORD

@@ -223,7 +223,8 @@ dissect/target/plugins/os/unix/linux/debian/dpkg.py,sha256=DPBLQiHAF7ZS8IorRsGAi
 dissect/target/plugins/os/unix/linux/debian/vyos/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/debian/vyos/_os.py,sha256=q8qG2FLJhUbpjfwlNCmWAhFdTWMzSWUh7s7H8m4x7Fw,1741
 dissect/target/plugins/os/unix/linux/fortios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=TK5Fcn0CORq-k_Cf3n5UvY1QHQFShry0HdgFALMEibc,19634
+dissect/target/plugins/os/unix/linux/fortios/_keys.py,sha256=jDDHObfsUn9BGoIir9p4J_-rg9rI1rgoOfnL3R3lg4o,123358
+dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=gFFzByku_3qpSrHpnqJv6xIbIe3V4iGXdUxxGD_-EFA,19435
 dissect/target/plugins/os/unix/linux/fortios/generic.py,sha256=tT4-lE0Z_DeDIN3zHrQbE8JB3cRJop1_TiEst-Au0bs,1230
 dissect/target/plugins/os/unix/linux/fortios/locale.py,sha256=VDdk60sqe2JTfftssO05C667-_BpI3kcqKOTVzO3ueU,5209
 dissect/target/plugins/os/unix/linux/redhat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -317,7 +318,7 @@ dissect/target/tools/info.py,sha256=3smHr8I71yj3kCjsQ5nXkOHI9T_N8UwvkVa1CNOxB-s,
 dissect/target/tools/logging.py,sha256=5ZnumtMWLyslxfrUGZ4ntRyf3obOOhmn8SBjKfdLcEg,4174
 dissect/target/tools/mount.py,sha256=L_0tSmiBdW4aSaF0vXjB0bAkTC0kmT2N1hrbW6s5Jow,3254
 dissect/target/tools/query.py,sha256=1LbvUKSmXOCMb4xqP3t86JkOgFzKlc7mLCqcczfLht8,16018
-dissect/target/tools/reg.py,sha256=tII0MLqJ-3lOt7jE-zHUDqYrk0P4euPjiSS_99FT6LE,2378
+dissect/target/tools/reg.py,sha256=FDsiBBDxjWVUBTRj8xn82vZe-J_d9piM-TKS3PHZCcM,3193
 dissect/target/tools/shell.py,sha256=EBRNKiIV3ljaXKAXraA6DmrIw8Cy5h9irAuwlblP3zo,43251
 dissect/target/tools/utils.py,sha256=bhVZ3-8YynpHkBl4m1T4IpSpCArAXnEjjYwAFGW5JPg,10595
 dissect/target/tools/dump/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -332,10 +333,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.16.dev41.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.16.dev41.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.16.dev41.dist-info/METADATA,sha256=FsrZyLCUUmg0r0ffyWK_i0vhYmYxnk2Z_piZijkEGbo,11107
-dissect.target-3.16.dev41.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.16.dev41.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.16.dev41.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.16.dev41.dist-info/RECORD,,
+dissect.target-3.16.dev44.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.16.dev44.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.16.dev44.dist-info/METADATA,sha256=FVsQADibmaOBO3JcCbWI9r2XQ0uXQLKL-yeCztWemQM,11100
+dissect.target-3.16.dev44.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.16.dev44.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.16.dev44.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.16.dev44.dist-info/RECORD,,