dissect.target 3.18.dev15__py3-none-any.whl → 3.19__py3-none-any.whl

Sign up to get free protection for your applications and to get access to all the features.
Files changed (95) hide show
  1. dissect/target/filesystem.py +44 -25
  2. dissect/target/filesystems/config.py +32 -21
  3. dissect/target/filesystems/extfs.py +4 -0
  4. dissect/target/filesystems/itunes.py +1 -1
  5. dissect/target/filesystems/tar.py +1 -1
  6. dissect/target/filesystems/zip.py +81 -46
  7. dissect/target/helpers/config.py +22 -7
  8. dissect/target/helpers/configutil.py +69 -5
  9. dissect/target/helpers/cyber.py +4 -2
  10. dissect/target/helpers/fsutil.py +32 -4
  11. dissect/target/helpers/loaderutil.py +26 -7
  12. dissect/target/helpers/network_managers.py +22 -7
  13. dissect/target/helpers/record.py +37 -0
  14. dissect/target/helpers/record_modifier.py +23 -4
  15. dissect/target/helpers/shell_application_ids.py +732 -0
  16. dissect/target/helpers/utils.py +11 -0
  17. dissect/target/loader.py +1 -0
  18. dissect/target/loaders/ab.py +285 -0
  19. dissect/target/loaders/libvirt.py +40 -0
  20. dissect/target/loaders/mqtt.py +14 -1
  21. dissect/target/loaders/tar.py +8 -4
  22. dissect/target/loaders/utm.py +3 -0
  23. dissect/target/loaders/velociraptor.py +6 -6
  24. dissect/target/plugin.py +60 -3
  25. dissect/target/plugins/apps/browser/chrome.py +1 -0
  26. dissect/target/plugins/apps/browser/chromium.py +7 -5
  27. dissect/target/plugins/apps/browser/edge.py +1 -0
  28. dissect/target/plugins/apps/browser/firefox.py +82 -36
  29. dissect/target/plugins/apps/remoteaccess/anydesk.py +70 -50
  30. dissect/target/plugins/apps/remoteaccess/remoteaccess.py +8 -8
  31. dissect/target/plugins/apps/remoteaccess/teamviewer.py +46 -31
  32. dissect/target/plugins/apps/ssh/openssh.py +1 -1
  33. dissect/target/plugins/apps/ssh/ssh.py +177 -0
  34. dissect/target/plugins/apps/texteditor/__init__.py +0 -0
  35. dissect/target/plugins/apps/texteditor/texteditor.py +13 -0
  36. dissect/target/plugins/apps/texteditor/windowsnotepad.py +340 -0
  37. dissect/target/plugins/child/qemu.py +21 -0
  38. dissect/target/plugins/filesystem/ntfs/mft.py +132 -45
  39. dissect/target/plugins/filesystem/unix/capability.py +102 -87
  40. dissect/target/plugins/filesystem/walkfs.py +32 -21
  41. dissect/target/plugins/filesystem/yara.py +144 -23
  42. dissect/target/plugins/general/network.py +82 -0
  43. dissect/target/plugins/general/users.py +14 -10
  44. dissect/target/plugins/os/unix/_os.py +19 -5
  45. dissect/target/plugins/os/unix/bsd/freebsd/_os.py +3 -5
  46. dissect/target/plugins/os/unix/esxi/_os.py +29 -23
  47. dissect/target/plugins/os/unix/etc/etc.py +5 -8
  48. dissect/target/plugins/os/unix/history.py +3 -7
  49. dissect/target/plugins/os/unix/linux/_os.py +15 -14
  50. dissect/target/plugins/os/unix/linux/android/_os.py +15 -24
  51. dissect/target/plugins/os/unix/linux/redhat/_os.py +1 -1
  52. dissect/target/plugins/os/unix/locale.py +17 -6
  53. dissect/target/plugins/os/unix/shadow.py +47 -31
  54. dissect/target/plugins/os/windows/_os.py +4 -4
  55. dissect/target/plugins/os/windows/adpolicy.py +4 -1
  56. dissect/target/plugins/os/windows/catroot.py +1 -11
  57. dissect/target/plugins/os/windows/credential/__init__.py +0 -0
  58. dissect/target/plugins/os/windows/credential/lsa.py +174 -0
  59. dissect/target/plugins/os/windows/{sam.py → credential/sam.py} +5 -2
  60. dissect/target/plugins/os/windows/defender.py +6 -3
  61. dissect/target/plugins/os/windows/dpapi/blob.py +3 -0
  62. dissect/target/plugins/os/windows/dpapi/crypto.py +61 -23
  63. dissect/target/plugins/os/windows/dpapi/dpapi.py +127 -133
  64. dissect/target/plugins/os/windows/dpapi/keyprovider/__init__.py +0 -0
  65. dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py +21 -0
  66. dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py +17 -0
  67. dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py +20 -0
  68. dissect/target/plugins/os/windows/dpapi/keyprovider/keyprovider.py +8 -0
  69. dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py +38 -0
  70. dissect/target/plugins/os/windows/dpapi/master_key.py +3 -0
  71. dissect/target/plugins/os/windows/jumplist.py +292 -0
  72. dissect/target/plugins/os/windows/lnk.py +96 -93
  73. dissect/target/plugins/os/windows/regf/shellbags.py +8 -5
  74. dissect/target/plugins/os/windows/regf/shimcache.py +2 -2
  75. dissect/target/plugins/os/windows/regf/usb.py +179 -114
  76. dissect/target/plugins/os/windows/task_helpers/tasks_xml.py +1 -1
  77. dissect/target/plugins/os/windows/wua_history.py +1073 -0
  78. dissect/target/target.py +4 -3
  79. dissect/target/tools/fs.py +53 -15
  80. dissect/target/tools/fsutils.py +243 -0
  81. dissect/target/tools/info.py +11 -4
  82. dissect/target/tools/query.py +2 -2
  83. dissect/target/tools/shell.py +505 -333
  84. dissect/target/tools/utils.py +23 -2
  85. dissect/target/tools/yara.py +65 -0
  86. dissect/target/volumes/md.py +2 -2
  87. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/METADATA +11 -7
  88. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/RECORD +94 -75
  89. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/WHEEL +1 -1
  90. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/entry_points.txt +1 -0
  91. dissect/target/helpers/ssh.py +0 -177
  92. /dissect/target/plugins/os/windows/{credhist.py → credential/credhist.py} +0 -0
  93. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/COPYRIGHT +0 -0
  94. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/LICENSE +0 -0
  95. {dissect.target-3.18.dev15.dist-info → dissect.target-3.19.dist-info}/top_level.txt +0 -0
@@ -1,177 +0,0 @@
1
- import base64
2
- import binascii
3
-
4
- from dissect.cstruct import cstruct
5
-
6
- rfc4716_def = """
7
- struct ssh_string {
8
- uint32 length;
9
- char value[length];
10
- }
11
-
12
- struct ssh_private_key {
13
- char magic[15];
14
-
15
- ssh_string cipher;
16
- ssh_string kdf_name;
17
- ssh_string kdf_options;
18
-
19
- uint32 number_of_keys;
20
-
21
- ssh_string public;
22
- ssh_string private;
23
- }
24
- """
25
-
26
- c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
27
-
28
- RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
29
- RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
30
- RFC4716_MAGIC = b"openssh-key-v1\x00"
31
- RFC4716_PADDING = b"\x01\x02\x03\x04\x05\x06\x07"
32
- RFC4716_NONE = b"none"
33
-
34
- PKCS8_MARKER_START = b"-----BEGIN PRIVATE KEY-----"
35
- PKCS8_MARKER_END = b"-----END PRIVATE KEY-----"
36
- PKCS8_MARKER_START_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
37
- PKCS8_MARKER_END_ENCRYPTED = b"-----END ENCRYPTED PRIVATE KEY-----"
38
-
39
- PEM_MARKER_START_RSA = b"-----BEGIN RSA PRIVATE KEY-----"
40
- PEM_MARKER_END_RSA = b"-----END RSA PRIVATE KEY-----"
41
- PEM_MARKER_START_DSA = b"-----BEGIN DSA PRIVATE KEY-----"
42
- PEM_MARKER_END_DSA = b"-----END DSA PRIVATE KEY-----"
43
- PEM_MARKER_START_EC = b"-----BEGIN EC PRIVATE KEY-----"
44
- PEM_MARKER_END_EC = b"-----END EC PRIVATE KEY-----"
45
- PEM_ENCRYPTED = b"ENCRYPTED"
46
-
47
-
48
- class SSHPrivateKey:
49
- """A class to parse (OpenSSH-supported) SSH private keys.
50
-
51
- OpenSSH supports three types of keys:
52
- * RFC4716 (default)
53
- * PKCS8
54
- * PEM
55
- """
56
-
57
- def __init__(self, data: bytes):
58
- self.key_type = None
59
- self.public_key = None
60
- self.comment = ""
61
-
62
- if is_rfc4716(data):
63
- self.format = "RFC4716"
64
- self._parse_rfc4716(data)
65
-
66
- elif is_pkcs8(data):
67
- self.format = "PKCS8"
68
- self.is_encrypted = data.startswith(PKCS8_MARKER_START_ENCRYPTED)
69
-
70
- elif is_pem(data):
71
- self.format = "PEM"
72
- self._parse_pem(data)
73
-
74
- else:
75
- raise ValueError("Unsupported private key format")
76
-
77
- def _parse_rfc4716(self, data: bytes) -> None:
78
- """Parse OpenSSH format SSH private keys.
79
-
80
- The format:
81
- "openssh-key-v1"0x00 # NULL-terminated "Auth Magic" string
82
- 32-bit length, "none" # ciphername length and string
83
- 32-bit length, "none" # kdfname length and string
84
- 32-bit length, nil # kdf (0 length, no kdf)
85
- 32-bit 0x01 # number of keys, hard-coded to 1 (no length)
86
- 32-bit length, sshpub # public key in ssh format
87
- 32-bit length, keytype
88
- 32-bit length, pub0
89
- 32-bit length, pub1
90
- 32-bit length for rnd+prv+comment+pad
91
- 64-bit dummy checksum? # a random 32-bit int, repeated
92
- 32-bit length, keytype # the private key (including public)
93
- 32-bit length, pub0 # Public Key parts
94
- 32-bit length, pub1
95
- 32-bit length, prv0 # Private Key parts
96
- ... # (number varies by type)
97
- 32-bit length, comment # comment string
98
- padding bytes 0x010203 # pad to blocksize (see notes below)
99
-
100
- Source: https://coolaj86.com/articles/the-openssh-private-key-format/
101
- """
102
-
103
- key_data = decode_rfc4716(data)
104
- private_key = c_rfc4716.ssh_private_key(key_data)
105
-
106
- # RFC4716 only supports 1 key at the moment.
107
- if private_key.magic != RFC4716_MAGIC or private_key.number_of_keys != 1:
108
- raise ValueError("Unexpected number of keys for RFC4716 format private key")
109
-
110
- self.is_encrypted = private_key.cipher.value != RFC4716_NONE
111
-
112
- self.public_key = base64.b64encode(private_key.public.value)
113
- public_key_type = c_rfc4716.ssh_string(private_key.public.value)
114
- self.key_type = public_key_type.value
115
-
116
- if not self.is_encrypted:
117
- private_key_data = private_key.private.value.rstrip(RFC4716_PADDING)
118
-
119
- # We skip the two dummy uint32s at the start.
120
- private_key_index = 8
121
-
122
- private_key_type = c_rfc4716.ssh_string(private_key_data[private_key_index:])
123
- private_key_index += 4 + private_key_type.length
124
- self.key_type = private_key_type.value
125
-
126
- private_key_fields = []
127
- while private_key_index < len(private_key_data):
128
- field = c_rfc4716.ssh_string(private_key_data[private_key_index:])
129
- private_key_index += 4 + field.length
130
- private_key_fields.append(field)
131
-
132
- # There is always a comment present (with a length field of 0 for empty comments).
133
- self.comment = private_key_fields[-1].value
134
-
135
- def _parse_pem(self, data: bytes) -> None:
136
- """Detect key type and encryption of PEM keys."""
137
- self.is_encrypted = PEM_ENCRYPTED in data
138
-
139
- if data.startswith(PEM_MARKER_START_RSA):
140
- self.key_type = "ssh-rsa"
141
-
142
- elif data.startswith(PEM_MARKER_START_DSA):
143
- self.key_type = "ssh-dss"
144
-
145
- # This is not a valid SSH key type, but we currently do not detect the specific ecdsa variant.
146
- else:
147
- self.key_type = "ecdsa"
148
-
149
-
150
- def is_rfc4716(data: bytes) -> bool:
151
- """Validate data is a valid looking SSH private key in the OpenSSH format."""
152
- return data.startswith(RFC4716_MARKER_START) and data.endswith(RFC4716_MARKER_END)
153
-
154
-
155
- def decode_rfc4716(data: bytes) -> bytes:
156
- """Base64 decode the private key data."""
157
- encoded_key_data = data.removeprefix(RFC4716_MARKER_START).removesuffix(RFC4716_MARKER_END)
158
- try:
159
- return base64.b64decode(encoded_key_data)
160
- except binascii.Error:
161
- raise ValueError("Error decoding RFC4716 key data")
162
-
163
-
164
- def is_pkcs8(data: bytes) -> bool:
165
- """Validate data is a valid looking PKCS8 SSH private key."""
166
- return (data.startswith(PKCS8_MARKER_START) and data.endswith(PKCS8_MARKER_END)) or (
167
- data.startswith(PKCS8_MARKER_START_ENCRYPTED) and data.endswith(PKCS8_MARKER_END_ENCRYPTED)
168
- )
169
-
170
-
171
- def is_pem(data: bytes) -> bool:
172
- """Validate data is a valid looking PEM SSH private key."""
173
- return (
174
- (data.startswith(PEM_MARKER_START_RSA) and data.endswith(PEM_MARKER_END_RSA))
175
- or (data.startswith(PEM_MARKER_START_DSA) and data.endswith(PEM_MARKER_END_DSA))
176
- or (data.startswith(PEM_MARKER_START_EC) and data.endswith(PEM_MARKER_END_EC))
177
- )