dissect.target 3.16.dev44__py3-none-any.whl → 3.17__py3-none-any.whl

dissect/target/plugins/apps/ssh/openssh.py

@@ -1,3 +1,4 @@
+import base64
 import re
 from itertools import product
 from pathlib import Path
@@ -14,6 +15,7 @@ from dissect.target.plugins.apps.ssh.ssh import (
     PrivateKeyRecord,
     PublicKeyRecord,
     SSHPlugin,
+    calculate_fingerprints,
 )
 
 
@@ -143,12 +145,14 @@ class OpenSSHPlugin(SSHPlugin):
                 continue
 
             key_type, public_key, comment = parse_ssh_public_key_file(file_path)
+            fingerprints = calculate_fingerprints(base64.b64decode(public_key))
 
             yield PublicKeyRecord(
                 mtime_ts=file_path.stat().st_mtime,
                 key_type=key_type,
                 public_key=public_key,
                 comment=comment,
+                fingerprint=fingerprints,
                 path=file_path,
                 _target=self.target,
                 _user=user,

dissect/target/plugins/apps/ssh/putty.py

@@ -1,9 +1,16 @@
 import logging
+from base64 import b64decode
 from datetime import datetime
 from pathlib import Path
 from typing import Iterator, Optional, Union
 
-from Crypto.PublicKey import ECC, RSA
+try:
+    from Crypto.PublicKey import ECC, RSA
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
 from flow.record.fieldtypes import posix_path, windows_path
 
 from dissect.target.exceptions import RegistryKeyNotFoundError, UnsupportedPluginError
@@ -12,7 +19,11 @@ from dissect.target.helpers.fsutil import TargetPath, open_decompress
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.plugin import export
-from dissect.target.plugins.apps.ssh.ssh import KnownHostRecord, SSHPlugin
+from dissect.target.plugins.apps.ssh.ssh import (
+    KnownHostRecord,
+    SSHPlugin,
+    calculate_fingerprints,
+)
 from dissect.target.plugins.general.users import UserDetails
 
 log = logging.getLogger(__name__)
@@ -96,12 +107,15 @@ class PuTTYPlugin(SSHPlugin):
             key_type, host = entry.name.split("@")
             port, host = host.split(":")
 
+            public_key, fingerprints = construct_public_key(key_type, entry.value)
+
             yield KnownHostRecord(
                 mtime_ts=ssh_host_keys.ts,
                 host=host,
                 port=port,
                 key_type=key_type,
-                public_key=construct_public_key(key_type, entry.value),
+                public_key=public_key,
+                fingerprint=fingerprints,
                 comment="",
                 marker=None,
                 path=windows_path(ssh_host_keys.path),
@@ -121,12 +135,15 @@ class PuTTYPlugin(SSHPlugin):
                 key_type, host = parts[0].split("@")
                 port, host = host.split(":")
 
+                public_key, fingerprints = construct_public_key(key_type, parts[1])
+
                 yield KnownHostRecord(
                     mtime_ts=ts,
                     host=host,
                     port=port,
                     key_type=key_type,
-                    public_key=construct_public_key(key_type, parts[1]),
+                    public_key=public_key,
+                    fingerprint=fingerprints,
                     comment="",
                     marker=None,
                     path=posix_path(ssh_host_keys_path),
@@ -197,8 +214,8 @@ def parse_host_user(host: str, user: str) -> tuple[str, str]:
     return host, user
 
 
-def construct_public_key(key_type: str, iv: str) -> str:
-    """Returns OpenSSH format public key calculated from PuTTY SshHostKeys format.
+def construct_public_key(key_type: str, iv: str) -> tuple[str, tuple[str, str, str]]:
+    """Returns OpenSSH format public key calculated from PuTTY SshHostKeys format and set of fingerprints.
 
     PuTTY stores raw public key components instead of OpenSSH-formatted public keys
     or fingerprints. With RSA public keys the exponent and modulus are stored.
@@ -206,9 +223,7 @@ def construct_public_key(key_type: str, iv: str) -> str:
 
     Currently supports ``ssh-ed25519``, ``ecdsa-sha2-nistp256`` and ``rsa2`` key types.
 
-    NOTE:
-        - Sha256 fingerprints of the reconstructed public keys are currently not generated.
-        - More key types could be supported in the future.
+    NOTE: More key types could be supported in the future.
 
     Resources:
         - https://github.com/github/putty/blob/master/contrib/kh2reg.py
@@ -216,21 +231,37 @@ def construct_public_key(key_type: str, iv: str) -> str:
         - https://pycryptodome.readthedocs.io/en/latest/src/public_key/ecc.html
         - https://github.com/mkorthof/reg2kh
     """
+    if not HAS_CRYPTO:
+        log.warning("Could not reconstruct public key: missing pycryptodome dependency")
+        return iv
+
+    if not isinstance(key_type, str) or not isinstance(iv, str):
+        raise ValueError("Invalid key_type or iv")
+
+    key = None
 
     if key_type == "ssh-ed25519":
         x, y = iv.split(",")
         key = ECC.construct(curve="ed25519", point_x=int(x, 16), point_y=int(y, 16))
-        return key.public_key().export_key(format="OpenSSH").split()[-1]
 
     if key_type == "ecdsa-sha2-nistp256":
         _, x, y = iv.split(",")
         key = ECC.construct(curve="NIST P-256", point_x=int(x, 16), point_y=int(y, 16))
-        return key.public_key().export_key(format="OpenSSH").split()[-1]
 
     if key_type == "rsa2":
         exponent, modulus = iv.split(",")
         key = RSA.construct((int(modulus, 16), int(exponent, 16)))
-        return key.public_key().export_key(format="OpenSSH").decode("utf-8").split()[-1]
 
-    log.warning("Could not reconstruct public key: type %s not implemented.", key_type)
-    return iv
+    if key is None:
+        log.warning("Could not reconstruct public key: type %s not implemented", key_type)
+        return iv, (None, None, None)
+
+    openssh_public_key = key.public_key().export_key(format="OpenSSH")
+
+    if isinstance(openssh_public_key, bytes):
+        # RSA's export_key() returns bytes
+        openssh_public_key = openssh_public_key.decode()
+
+    key_part = openssh_public_key.split()[-1]
+    fingerprints = calculate_fingerprints(b64decode(key_part))
+    return key_part, fingerprints

dissect/target/plugins/apps/ssh/ssh.py

@@ -1,3 +1,6 @@
+import base64
+from hashlib import md5, sha1, sha256
+
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
@@ -29,6 +32,7 @@ KnownHostRecord = OpenSSHUserRecordDescriptor(
         ("varint", "port"),
         ("string", "public_key"),
         ("string", "marker"),
+        ("digest", "fingerprint"),
     ],
 )
 
@@ -50,9 +54,45 @@ PublicKeyRecord = OpenSSHUserRecordDescriptor(
         ("datetime", "mtime_ts"),
         *COMMON_ELLEMENTS,
         ("string", "public_key"),
+        ("digest", "fingerprint"),
     ],
 )
 
 
 class SSHPlugin(NamespacePlugin):
     __namespace__ = "ssh"
+
+
+def calculate_fingerprints(public_key_decoded: bytes, ssh_keygen_format: bool = False) -> tuple[str, str, str]:
+    """Calculate the MD5, SHA1 and SHA256 digest of the given decoded public key.
+
+    Adheres as much as possible to the output provided by ssh-keygen when ``ssh_keygen_format``
+    parameter is set to ``True``. When set to ``False`` (default) hexdigests are calculated
+    instead for ``sha1``and ``sha256``.
+
+    Resources:
+        - https://en.wikipedia.org/wiki/Public_key_fingerprint
+        - https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
+        - ``ssh-keygen -l -E <alg> -f key.pub``
+    """
+    if not public_key_decoded:
+        raise ValueError("No decoded public key provided")
+
+    if not isinstance(public_key_decoded, bytes):
+        raise ValueError("Provided public key should be bytes")
+
+    if public_key_decoded[0:3] != b"\x00\x00\x00":
+        raise ValueError("Provided value does not look like a public key")
+
+    digest_md5 = md5(public_key_decoded).digest()
+    digest_sha1 = sha1(public_key_decoded).digest()
+    digest_sha256 = sha256(public_key_decoded).digest()
+
+    if ssh_keygen_format:
+        fingerprint_sha1 = base64.b64encode(digest_sha1).rstrip(b"=").decode()
+        fingerprint_sha256 = base64.b64encode(digest_sha256).rstrip(b"=").decode()
+    else:
+        fingerprint_sha1 = digest_sha1.hex()
+        fingerprint_sha256 = digest_sha256.hex()
+
+    return digest_md5.hex(), fingerprint_sha1, fingerprint_sha256

dissect/target/plugins/apps/vpn/openvpn.py

@@ -1,12 +1,15 @@
+from __future__ import annotations
+
+import io
 import itertools
-import re
-from os.path import basename
-from typing import Iterator, Union
+from itertools import product
+from typing import Iterable, Iterator, Optional, Union
 
-from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.exceptions import ConfigurationParsingError, UnsupportedPluginError
 from dissect.target.helpers import fsutil
+from dissect.target.helpers.configutil import Default, ListUnwrapper, _update_dictionary
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import OperatingSystem, Plugin, export
+from dissect.target.plugin import OperatingSystem, Plugin, arg, export
 
 COMMON_ELEMENTS = [
     ("string", "name"),  # basename of .conf file
@@ -15,6 +18,7 @@ COMMON_ELEMENTS = [
     ("string", "ca"),
     ("string", "cert"),
     ("string", "key"),
+    ("boolean", "redacted_key"),
     ("string", "tls_auth"),
     ("string", "status"),
     ("string", "log"),
@@ -46,7 +50,60 @@ OpenVPNClient = TargetRecordDescriptor(
 )
 
 
-CONFIG_COMMENT_SPLIT_REGEX = re.compile("(#|;)")
+class OpenVPNParser(Default):
+    def __init__(self, *args, **kwargs):
+        boolean_fields = OpenVPNServer.getfields("boolean") + OpenVPNClient.getfields("boolean")
+        self.boolean_field_names = set(field.name.replace("_", "-") for field in boolean_fields)
+
+        super().__init__(*args, separator=(r"\s",), collapse=["key", "ca", "cert"], **kwargs)
+
+    def parse_file(self, fh: io.TextIOBase) -> None:
+        root = {}
+        iterator = self.line_reader(fh)
+        for line in iterator:
+            if line.startswith("<"):
+                key = line.strip().strip("<>")
+                value = self._read_blob(iterator)
+                _update_dictionary(root, key, value)
+                continue
+
+            self._parse_line(root, line)
+
+        self.parsed_data = ListUnwrapper.unwrap(root)
+
+    def _read_blob(self, lines: Iterable[str]) -> str | list[dict]:
+        """Read the whole section between <data></data> sections"""
+        output = ""
+        with io.StringIO() as buffer:
+            for line in lines:
+                if "</" in line:
+                    break
+
+                buffer.write(line)
+            output = buffer.getvalue()
+
+        # Check for connection profile blocks
+        if not output.startswith("-----"):
+            profile_dict = dict()
+            for line in output.splitlines():
+                self._parse_line(profile_dict, line)
+
+            # We put it as a list as _update_dictionary appends data in a list.
+            output = [profile_dict]
+
+        return output
+
+    def _parse_line(self, root: dict, line: str) -> None:
+        key, *value = self.SEPARATOR.split(line, 1)
+        # Unquote data
+        value = value[0].strip() if value else ""
+
+        value = value.strip("'\"")
+
+        if key in self.boolean_field_names:
+            value = True
+
+        _update_dictionary(root, key, value)
 
 
 class OpenVPNPlugin(Plugin):
@@ -61,133 +118,98 @@ class OpenVPNPlugin(Plugin):
     config_globs = [
         # This catches openvpn@, openvpn-client@, and openvpn-server@ systemd configurations
         # Linux
-        "/etc/openvpn/*.conf",
-        "/etc/openvpn/server/*.conf",
-        "/etc/openvpn/client/*.conf",
+        "/etc/openvpn/",
         # Windows
-        "sysvol/Program Files/OpenVPN/config/*.conf",
+        "sysvol/Program Files/OpenVPN/config/",
     ]
 
     user_config_paths = {
-        OperatingSystem.WINDOWS.value: ["OpenVPN/config/*.conf"],
-        OperatingSystem.OSX.value: ["Library/Application Support/OpenVPN Connect/profiles/*.conf"],
+        OperatingSystem.WINDOWS.value: ["OpenVPN/config/"],
+        OperatingSystem.OSX.value: ["Library/Application Support/OpenVPN Connect/profiles/"],
     }
 
     def __init__(self, target) -> None:
         super().__init__(target)
         self.configs: list[fsutil.TargetPath] = []
-        for path in self.config_globs:
-            self.configs.extend(self.target.fs.path().glob(path.lstrip("/")))
+        for base, glob in product(self.config_globs, ["*.conf", "*.ovpn"]):
+            self.configs.extend(self.target.fs.path(base).rglob(glob))
 
         user_paths = self.user_config_paths.get(target.os, [])
-        for path, user_details in itertools.product(user_paths, self.target.user_details.all_with_home()):
-            self.configs.extend(user_details.home_path.glob(path))
+        for path, glob, user_details in itertools.product(
+            user_paths, ["*.conf", "*.ovpn"], self.target.user_details.all_with_home()
+        ):
+            self.configs.extend(user_details.home_path.joinpath(path).rglob(glob))
 
     def check_compatible(self) -> None:
         if not self.configs:
             raise UnsupportedPluginError("No OpenVPN configuration files found")
 
+    def _load_config(self, parser: OpenVPNParser, config_path: fsutil.TargetPath) -> Optional[dict]:
+        with config_path.open("rt") as file:
+            try:
+                parser.parse_file(file)
+            except ConfigurationParsingError as e:
+                # Couldn't parse file, continue
+                self.target.log.info("An issue occurred during parsing of %s, continuing", config_path)
+                self.target.log.debug("", exc_info=e)
+                return None
+
+        return parser.parsed_data
+
     @export(record=[OpenVPNServer, OpenVPNClient])
-    def config(self) -> Iterator[Union[OpenVPNServer, OpenVPNClient]]:
+    @arg("--export-key", action="store_true")
+    def config(self, export_key: bool = False) -> Iterator[Union[OpenVPNServer, OpenVPNClient]]:
         """Parses config files from openvpn interfaces."""
+        # We define the parser here so we can reuse it
+        parser = OpenVPNParser()
 
         for config_path in self.configs:
-            config = _parse_config(config_path.read_text())
-
-            name = basename(config_path).replace(".conf", "")
-            proto = config.get("proto", "udp")  # Default is UDP
-            dev = config.get("dev")
-            ca = _unquote(config.get("ca"))
-            cert = _unquote(config.get("cert"))
-            key = _unquote(config.get("key"))
+            config = self._load_config(parser, config_path)
+
+            common_elements = {
+                "name": config_path.stem,
+                "proto": config.get("proto", "udp"),  # Default is UDP
+                "dev": config.get("dev"),
+                "ca": config.get("ca"),
+                "cert": config.get("cert"),
+                "key": config.get("key"),
+                "status": config.get("status"),
+                "log": config.get("log"),
+                "source": config_path,
+                "_target": self.target,
+            }
+
+            if not export_key and "PRIVATE KEY" in common_elements.get("key"):
+                common_elements.update({"key": None})
+                common_elements.update({"redacted_key": True})
+
             tls_auth = config.get("tls-auth", "")
             # The format of tls-auth is 'tls-auth ta.key <NUM>'.
             # NUM is either 0 or 1 depending on whether the configuration
             # is for the client or server, and that does not interest us
             # This gets rid of the number at the end, while still supporting spaces
-            tls_auth = _unquote(" ".join(tls_auth.split(" ")[:-1]))
-            status = config.get("status")
-            log = config.get("log")
+            tls_auth = " ".join(tls_auth.split(" ")[:-1]).strip("'\"")
+
+            common_elements.update({"tls_auth": tls_auth})
 
             if "client" in config:
                 remote = config.get("remote", [])
-                # In cases when there is only a single remote,
-                # we want to return it as its own list
-                if isinstance(remote, str):
-                    remote = [remote]
 
                 yield OpenVPNClient(
-                    name=name,
-                    proto=proto,
-                    dev=dev,
-                    ca=ca,
-                    cert=cert,
-                    key=key,
-                    tls_auth=tls_auth,
-                    status=status,
-                    log=log,
+                    **common_elements,
                     remote=remote,
-                    source=config_path,
-                    _target=self.target,
                 )
             else:
-                pushed_options = config.get("push", [])
-                # In cases when there is only a single push,
-                # we want to return it as its own list
-                if isinstance(pushed_options, str):
-                    pushed_options = [pushed_options]
-                pushed_options = [_unquote(opt) for opt in pushed_options]
                 # Defaults here are taken from `man (8) openvpn`
                 yield OpenVPNServer(
-                    name=name,
-                    proto=proto,
-                    dev=dev,
-                    ca=ca,
-                    cert=cert,
-                    key=key,
-                    tls_auth=tls_auth,
-                    status=status,
-                    log=log,
+                    **common_elements,
                     local=config.get("local", "0.0.0.0"),
                     port=int(config.get("port", "1194")),
-                    dh=_unquote(config.get("dh")),
+                    dh=config.get("dh"),
                     topology=config.get("topology"),
                     server=config.get("server"),
                     ifconfig_pool_persist=config.get("ifconfig-pool-persist"),
-                    pushed_options=pushed_options,
+                    pushed_options=config.get("push", []),
                     client_to_client=config.get("client-to-client", False),
                     duplicate_cn=config.get("duplicate-cn", False),
-                    source=config_path,
-                    _target=self.target,
                 )
-
-
-def _parse_config(content: str) -> dict[str, Union[str, list[str]]]:
-    """Parses Openvpn config  files"""
-    lines = content.splitlines()
-    res = {}
-    boolean_fields = OpenVPNServer.getfields("boolean") + OpenVPNClient.getfields("boolean")
-    boolean_field_names = set(field.name for field in boolean_fields)
-
-    for line in lines:
-        # As per man (8) openvpn, lines starting with ; or # are comments
-        if line and not line.startswith((";", "#")):
-            key, *value = line.split(" ", 1)
-            value = value[0] if value else ""
-            # This removes all text after the first comment
-            value = CONFIG_COMMENT_SPLIT_REGEX.split(value, 1)[0].strip()
-
-            if key in boolean_field_names and value == "":
-                value = True
-
-            if old_value := res.get(key):
-                if not isinstance(old_value, list):
-                    old_value = [old_value]
-                res[key] = old_value + [value]
-            else:
-                res[key] = value
-    return res
-
-
-def _unquote(content: str) -> str:
-    return content.strip("\"'")

dissect/target/plugins/child/docker.py

@@ -0,0 +1,24 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import ChildTargetRecord
+from dissect.target.plugin import ChildTargetPlugin
+
+
+class DockerChildTargetPlugin(ChildTargetPlugin):
+    """Child target plugin that yields from Docker overlay2fs containers."""
+
+    __type__ = "docker"
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("docker"):
+            raise UnsupportedPluginError("No Docker data root folder(s) found!")
+
+    def list_children(self) -> Iterator[ChildTargetRecord]:
+        for container in self.target.docker.containers():
+            if container.mount_path:
+                yield ChildTargetRecord(
+                    type=self.__type__,
+                    path=container.mount_path,
+                    _target=self.target,
+                )

dissect/target/plugins/filesystem/ntfs/mft.py

@@ -154,7 +154,7 @@ class MftPlugin(Plugin):
                     try:
                         inuse = bool(record.header.Flags & FILE_RECORD_SEGMENT_IN_USE)
                         owner, _ = get_owner_and_group(record, fs)
-                        resident = None
+                        resident = False
                         size = None
 
                         if not record.is_dir():

dissect/target/plugins/filesystem/walkfs.py

@@ -3,7 +3,7 @@ from typing import Iterable
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
-from dissect.target.filesystem import RootFilesystemEntry
+from dissect.target.filesystem import LayerFilesystemEntry
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
@@ -50,7 +50,7 @@ def generate_record(target: Target, path: TargetPath) -> FilesystemRecord:
     stat = path.lstat()
     btime = from_unix(stat.st_birthtime) if stat.st_birthtime else None
     entry = path.get()
-    if isinstance(entry, RootFilesystemEntry):
+    if isinstance(entry, LayerFilesystemEntry):
         fs_types = [sub_entry.fs.__type__ for sub_entry in entry.entries]
     else:
         fs_types = [entry.fs.__type__]

dissect/target/plugins/general/users.py

@@ -1,5 +1,7 @@
+from functools import lru_cache
 from typing import Generator, NamedTuple, Optional, Union
 
+from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import UnixUserRecord, WindowsUserRecord
@@ -16,6 +18,10 @@ class UsersPlugin(InternalPlugin):
 
     __namespace__ = "user_details"
 
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.find = lru_cache(32)(self.find)
+
     def check_compatible(self) -> None:
         if not hasattr(self.target, "users"):
             raise UnsupportedPluginError("Unsupported Plugin")

dissect/target/plugins/os/unix/esxi/_os.py

@@ -97,7 +97,7 @@ class ESXiPlugin(UnixPlugin):
 
         # Create a root layer for the "local state" filesystem
         # This stores persistent configuration data
-        local_layer = target.fs.add_layer()
+        local_layer = target.fs.append_layer()
 
         # Mount all the visor tars in individual filesystem layers
         _mount_modules(target, sysvol, cfg)
@@ -209,7 +209,7 @@ def _mount_modules(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
             tfs = tar.TarFilesystem(cfile, tarinfo=vmtar.VisorTarInfo)
 
         if tfs:
-            target.fs.add_layer().mount("/", tfs)
+            target.fs.append_layer().mount("/", tfs)
 
 
 def _mount_local(target: Target, local_layer: VirtualFilesystem):

dissect/target/plugins/os/unix/linux/debian/vyos/_os.py

@@ -24,7 +24,7 @@ class VyosPlugin(LinuxPlugin):
         self._version, rootpath = latest
 
         # VyOS does some additional magic with base system files
-        layer = target.fs.add_layer()
+        layer = target.fs.append_layer()
         layer.map_file_entry("/", target.fs.root.get(f"/boot/{self._version}/{rootpath}"))
         super().__init__(target)
 

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -23,9 +23,9 @@ from dissect.target.target import Target
 try:
     from Crypto.Cipher import AES, ChaCha20
 
-    HAS_PYCRYPTODOME = True
+    HAS_CRYPTO = True
 except ImportError:
-    HAS_PYCRYPTODOME = False
+    HAS_CRYPTO = False
 
 FortiOSUserRecord = TargetRecordDescriptor(
     "fortios/user",
@@ -113,7 +113,7 @@ class FortiOSPlugin(LinuxPlugin):
 
         # FortiGate
         if (datafs_tar := sysvol.path("/datafs.tar.gz")).exists():
-            target.fs.add_layer().mount("/data", TarFilesystem(datafs_tar.open("rb")))
+            target.fs.append_layer().mount("/data", TarFilesystem(datafs_tar.open("rb")))
 
         # Additional FortiGate or FortiManager tars with corrupt XZ streams
         target.log.warning("Attempting to load XZ files, this can take a while.")
@@ -127,11 +127,11 @@ class FortiOSPlugin(LinuxPlugin):
         ):
             if (tar := target.fs.path(path)).exists() or (tar := sysvol.path(path)).exists():
                 fh = xz.repair_checksum(tar.open("rb"))
-                target.fs.add_layer().mount("/", TarFilesystem(fh))
+                target.fs.append_layer().mount("/", TarFilesystem(fh))
 
         # FortiAnalyzer and FortiManager
         if (rootfs_ext_tar := sysvol.path("rootfs-ext.tar.xz")).exists():
-            target.fs.add_layer().mount("/", TarFilesystem(rootfs_ext_tar.open("rb")))
+            target.fs.append_layer().mount("/", TarFilesystem(rootfs_ext_tar.open("rb")))
 
         # Filesystem mounts can be discovered in the FortiCare debug report
         # or using ``fnsysctl ls`` and ``fnsysctl df`` in the cli.
@@ -442,8 +442,8 @@ def decrypt_password(input: str) -> str:
         - https://www.fortiguard.com/psirt/FG-IR-19-007
     """
 
-    if not HAS_PYCRYPTODOME:
-        raise RuntimeError("PyCryptodome module not available")
+    if not HAS_CRYPTO:
+        raise RuntimeError("Missing pycryptodome dependency")
 
     if input[:3] in ["SH2", "AK1"]:
         raise ValueError("Password is a hash (SHA-256 or SHA-1) and cannot be decrypted.")
@@ -511,8 +511,8 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
         RuntimeError: When PyCryptodome is not available.
     """
 
-    if not HAS_PYCRYPTODOME:
-        raise RuntimeError("PyCryptodome module not available")
+    if not HAS_CRYPTO:
+        raise RuntimeError("Missing pycryptodome dependency")
 
     # First 8 bytes = counter, last 8 bytes = nonce
     # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple

dissect/target/plugins/os/unix/linux/services.py

@@ -63,6 +63,7 @@ class ServicesPlugin(Plugin):
                         for key, value in configuration.items():
                             _value = value or None
                             _key = f"{segment}_{key}"
+                            _key = _key.replace("-", "_")
                             types.append(("string", _key))
                             config.update({_key: _value})
                 except FileNotFoundError: