dissect.target 3.17.dev34__py3-none-any.whl → 3.17.dev36__py3-none-any.whl

dissect/target/plugins/apps/browser/firefox.py

@@ -18,6 +18,7 @@ from dissect.target.plugin import export
 from dissect.target.plugins.apps.browser.browser import (
     GENERIC_COOKIE_FIELDS,
     GENERIC_DOWNLOAD_RECORD_FIELDS,
+    GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
     GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
@@ -43,6 +44,7 @@ try:
 except ImportError:
     HAS_CRYPTO = False
 
+FIREFOX_EXTENSION_RECORD_FIELDS = [("uri", "source_uri"), ("string[]", "optional_permissions")]
 
 log = logging.getLogger(__name__)
 
@@ -76,6 +78,10 @@ class FirefoxPlugin(BrowserPlugin):
         "browser/firefox/download", GENERIC_DOWNLOAD_RECORD_FIELDS
     )
 
+    BrowserExtensionRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/firefox/extension", GENERIC_EXTENSION_RECORD_FIELDS + FIREFOX_EXTENSION_RECORD_FIELDS
+    )
+
     BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
         "browser/firefox/password", GENERIC_PASSWORD_RECORD_FIELDS
     )
@@ -305,6 +311,72 @@ class FirefoxPlugin(BrowserPlugin):
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
 
+    @export(record=BrowserExtensionRecord)
+    def extensions(self) -> Iterator[BrowserExtensionRecord]:
+        """Return browser extension records for Firefox.
+
+        Yields BrowserExtensionRecord with the following fields::
+            ts_install (datetime): Extension install timestamp.
+            ts_update (datetime): Extension update timestamp.
+            browser (string): The browser from which the records are generated.
+            id (string): Extension unique identifier.
+            name (string): Name of the extension.
+            short_name (string): Short name of the extension.
+            default_title (string): Default title of the extension.
+            description (string): Description of the extension.
+            version (string): Version of the extension.
+            ext_path (path): Relative path of the extension.
+            from_webstore (boolean): Extension from webstore.
+            permissions (string[]): Permissions of the extension.
+            manifest (varint): Version of the extensions' manifest.
+            optional_permissions (string[]): Optional permissions of the extension.
+            source_uri (path): Source path from which the extension was downloaded.
+            source (path): The source file of the download record.
+        """
+        for user, _, profile_dir in self._iter_profiles():
+            extension_file = profile_dir.joinpath("extensions.json")
+
+            if not extension_file.exists():
+                self.target.log.warning(
+                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                )
+                continue
+
+            try:
+                extensions = json.load(extension_file.open())
+
+                for extension in extensions.get("addons", []):
+                    yield self.BrowserExtensionRecord(
+                        ts_install=extension.get("installDate", 0) // 1000,
+                        ts_update=extension.get("updateDate", 0) // 1000,
+                        browser="firefox",
+                        id=extension.get("id"),
+                        name=extension.get("defaultLocale", {}).get("name"),
+                        short_name=None,
+                        default_title=None,
+                        description=extension.get("defaultLocale", {}).get("description"),
+                        version=extension.get("version"),
+                        ext_path=extension.get("path"),
+                        from_webstore=None,
+                        permissions=extension.get("userPermissions", {}).get("permissions"),
+                        manifest_version=extension.get("manifestVersion"),
+                        source_uri=extension.get("sourceURI"),
+                        optional_permissions=extension.get("optionalPermissions", {}).get("permissions"),
+                        source=extension_file,
+                        _target=self.target,
+                        _user=user.user,
+                    )
+
+            except FileNotFoundError:
+                self.target.log.info(
+                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                )
+            except json.JSONDecodeError:
+                self.target.log.warning(
+                    "extensions.json file in directory %s is malformed, consider inspecting the file manually",
+                    profile_dir,
+                )
+
     @export(record=BrowserPasswordRecord)
     def passwords(self) -> Iterator[BrowserPasswordRecord]:
         """Return Firefox browser password records.

dissect/target/plugins/os/windows/credhist.py

@@ -0,0 +1,210 @@
+import hashlib
+import logging
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import BinaryIO, Iterator, Optional
+from uuid import UUID
+
+from dissect.cstruct import cstruct
+from dissect.util.sid import read_sid
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import keychain
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.plugins.os.windows.dpapi.crypto import (
+    CipherAlgorithm,
+    HashAlgorithm,
+    derive_password_hash,
+)
+from dissect.target.target import Target
+
+log = logging.getLogger(__name__)
+
+
+CredHistRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "windows/credential/history",
+    [
+        ("string", "guid"),
+        ("boolean", "decrypted"),
+        ("string", "sha1"),
+        ("string", "nt"),
+    ],
+)
+
+
+credhist_def = """
+struct entry {
+    DWORD   dwVersion;
+    CHAR    guidLink[16];
+    DWORD   dwNextLinkSize;
+    DWORD   dwCredLinkType;
+    DWORD   algHash;                    // ALG_ID
+    DWORD   dwPbkdf2IterationCount;
+    DWORD   dwSidSize;
+    DWORD   algCrypt;                   // ALG_ID
+    DWORD   dwShaHashSize;
+    DWORD   dwNtHashSize;
+    CHAR    pSalt[16];
+    CHAR    pSid[dwSidSize];
+    CHAR    encrypted[0];
+};
+"""
+
+c_credhist = cstruct()
+c_credhist.load(credhist_def)
+
+
+@dataclass
+class CredHistEntry:
+    version: int
+    guid: str
+    user_sid: str
+    sha1: Optional[bytes]
+    nt: Optional[bytes]
+    hash_alg: HashAlgorithm = field(repr=False)
+    cipher_alg: CipherAlgorithm = field(repr=False)
+    raw: c_credhist.entry = field(repr=False)
+    decrypted: bool = False
+
+    def decrypt(self, password_hash: bytes) -> None:
+        """Decrypt this CREDHIST entry using the provided password hash. Modifies ``CredHistEntry.sha1``
+        and ``CredHistEntry.nt`` values.
+
+        If the decrypted ``nt`` value is 16 bytes we assume the decryption was successful.
+
+        Args:
+            password_hash: Bytes of SHA1 password hash digest.
+
+        Raises:
+            ValueError: If the decryption seems to have failed.
+        """
+        data = self.cipher_alg.decrypt_with_hmac(
+            data=self.raw.encrypted,
+            key=derive_password_hash(password_hash, self.user_sid),
+            iv=self.raw.pSalt,
+            hash_algorithm=self.hash_alg,
+            rounds=self.raw.dwPbkdf2IterationCount,
+        )
+
+        sha_size = self.raw.dwShaHashSize
+        nt_size = self.raw.dwNtHashSize
+
+        sha1 = data[:sha_size]
+        nt = data[sha_size : sha_size + nt_size].rstrip(b"\x00")
+
+        if len(nt) != 16:
+            raise ValueError("Decrypting failed, invalid password hash?")
+
+        self.decrypted = True
+        self.sha1 = sha1
+        self.nt = nt
+
+
+class CredHistFile:
+    def __init__(self, fh: BinaryIO) -> None:
+        self.fh = fh
+        self.entries = list(self._parse())
+
+    def __repr__(self) -> str:
+        return f"<CredHistFile fh='{self.fh}' entries={len(self.entries)}>"
+
+    def _parse(self) -> Iterator[CredHistEntry]:
+        self.fh.seek(0)
+        try:
+            while True:
+                entry = c_credhist.entry(self.fh)
+
+                # determine size of encrypted data and add to entry
+                cipher_alg = CipherAlgorithm.from_id(entry.algCrypt)
+                enc_size = entry.dwShaHashSize + entry.dwNtHashSize
+                enc_size += enc_size % cipher_alg.block_length
+                entry.encrypted = self.fh.read(enc_size)
+
+                yield CredHistEntry(
+                    version=entry.dwVersion,
+                    guid=UUID(bytes_le=entry.guidLink),
+                    user_sid=read_sid(entry.pSid),
+                    hash_alg=HashAlgorithm.from_id(entry.algHash),
+                    cipher_alg=cipher_alg,
+                    sha1=None,
+                    nt=None,
+                    raw=entry,
+                )
+        except EOFError:
+            pass
+
+    def decrypt(self, password_hash: bytes) -> None:
+        """Decrypt a CREDHIST chain using the provided password SHA1 hash."""
+
+        for entry in reversed(self.entries):
+            try:
+                entry.decrypt(password_hash)
+            except ValueError as e:
+                log.warning("Could not decrypt entry %s with password %s", entry.guid, password_hash.hex())
+                log.debug("", exc_info=e)
+                continue
+            password_hash = entry.sha1
+
+
+class CredHistPlugin(Plugin):
+    """Windows CREDHIST file parser.
+
+    Windows XP:         ``C:\\Documents and Settings\\username\\Application Data\\Microsoft\\Protect\\CREDHIST``
+    Windows 7 and up:   ``C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST``
+
+    Resources:
+        - https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#41
+    """
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.files = list(self._find_files())
+
+    def _find_files(self) -> Iterator[tuple[UserDetails, Path]]:
+        hashes = set()
+        for user_details in self.target.user_details.all_with_home():
+            for path in ["AppData/Roaming/Microsoft/Protect/CREDHIST", "Application Data/Microsoft/Protect/CREDHIST"]:
+                credhist_path = user_details.home_path.joinpath(path)
+                if credhist_path.exists() and (hash := credhist_path.get().hash()) not in hashes:
+                    hashes.add(hash)
+                    yield user_details.user, credhist_path
+
+    def check_compatible(self) -> None:
+        if not self.files:
+            raise UnsupportedPluginError("No CREDHIST files found on target.")
+
+    @export(record=CredHistRecord)
+    def credhist(self) -> Iterator[CredHistRecord]:
+        """Yield and decrypt all Windows CREDHIST entries on the target."""
+        passwords = keychain_passwords()
+
+        if not passwords:
+            self.target.log.warning("No passwords provided in keychain, cannot decrypt CREDHIST hashes")
+
+        for user, path in self.files:
+            credhist = CredHistFile(path.open("rb"))
+
+            for password in passwords:
+                credhist.decrypt(hashlib.sha1(password.encode("utf-16-le")).digest())
+
+            for entry in credhist.entries:
+                yield CredHistRecord(
+                    guid=entry.guid,
+                    decrypted=entry.decrypted,
+                    sha1=entry.sha1.hex() if entry.sha1 else None,
+                    nt=entry.nt.hex() if entry.nt else None,
+                    _user=user,
+                    _target=self.target,
+                )
+
+
+def keychain_passwords() -> set:
+    passphrases = set()
+    for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
+        if key.key_type == keychain.KeyType.PASSPHRASE:
+            passphrases.add(key.value)
+    passphrases.add("")
+    return passphrases

{dissect.target-3.17.dev34.dist-info → dissect.target-3.17.dev36.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.17.dev34
+Version: 3.17.dev36
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.17.dev34.dist-info → dissect.target-3.17.dev36.dist-info}/RECORD

@@ -124,7 +124,7 @@ dissect/target/plugins/apps/browser/browser.py,sha256=rBIwcgdl73gm-8APwx2jEUAYXR
 dissect/target/plugins/apps/browser/chrome.py,sha256=hxS8gqpBwoCrPaxNpllIa6K9DtsSGzn6XXcUaHyes6w,3048
 dissect/target/plugins/apps/browser/chromium.py,sha256=1oaQhMN5mJysw0VIVpTEmRCAifgv-mUQxZwrGmGHqAQ,27875
 dissect/target/plugins/apps/browser/edge.py,sha256=woXzZtHPWmfcV8vbxGKHELKru5JRb32MAXs43_b4K4E,2883
-dissect/target/plugins/apps/browser/firefox.py,sha256=Y8QdSgPZktYy4IF36aI1Jfbw_ucysx82PNljnyUCmRY,27025
+dissect/target/plugins/apps/browser/firefox.py,sha256=Msicw-13AJWbXRRF6m_p4L84rXAjsIYGFRve29cPY2M,30806
 dissect/target/plugins/apps/browser/iexplore.py,sha256=MqMonoaM5lj0ZFqGwS4F-P1eLmnLvX7VQGE9S3hxXag,8739
 dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/container/docker.py,sha256=67Eih9AfUbqsP-HlnlwoHi4rSAnVCZWM76sEyO_1m18,15316
@@ -260,6 +260,7 @@ dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39
 dissect/target/plugins/os/windows/catroot.py,sha256=eSfVqXvWWZpXoxKB1FT_evjXXNmlD7wHhA3lYpfQDeQ,11043
 dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
 dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
+dissect/target/plugins/os/windows/credhist.py,sha256=FX_pW-tU9esdvDTSx913kf_CpGE_1jbD6bkjDb-cxHk,7069
 dissect/target/plugins/os/windows/datetime.py,sha256=tuBOkewmbCW8sFXcYp5p82oM5RCsVwmtC79BDCTLz8k,9472
 dissect/target/plugins/os/windows/defender.py,sha256=Vp_IP6YKm4igR765WvXJrHQ3RMu7FJKM3VOoR8AybV8,23737
 dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
@@ -339,10 +340,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.17.dev34.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.17.dev34.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.17.dev34.dist-info/METADATA,sha256=dCuOpFpGY7DjCc27MwZjfgtTnPx1iobAUR1GrzbpOZI,11300
-dissect.target-3.17.dev34.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dissect.target-3.17.dev34.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.17.dev34.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.17.dev34.dist-info/RECORD,,
+dissect.target-3.17.dev36.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.17.dev36.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.17.dev36.dist-info/METADATA,sha256=jvQ5nLWplAsNNZMyR1nIBwBQZEe-FnQRkk56_YpDAtw,11300
+dissect.target-3.17.dev36.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+dissect.target-3.17.dev36.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.17.dev36.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.17.dev36.dist-info/RECORD,,