dissect.target.plugins.apps.ssh.ssh

Module Contents

Classes

SSHPlugin

Base class for plugins.

SSHPrivateKey

A class to parse (OpenSSH-supported) SSH private keys.

Functions

calculate_fingerprints

Calculate the MD5, SHA1 and SHA256 digest of the given decoded public key.

is_rfc4716

Validate that data is a valid-looking SSH private key in the OpenSSH format.

decode_rfc4716

Base64 decode the private key data.

is_pkcs8

Validate that data is a valid-looking PKCS8 SSH private key.

is_pem

Validate that data is a valid-looking PEM SSH private key.

Attributes

dissect.target.plugins.apps.ssh.ssh.rfc4716_def = Multiline-String
"""
struct ssh_string {
    uint32 length;
    char value[length];
}

struct ssh_private_key {
    char magic[15];

    ssh_string cipher;
    ssh_string kdf_name;
    ssh_string kdf_options;

    uint32 number_of_keys;

    ssh_string public;
    ssh_string private;
}
"""
dissect.target.plugins.apps.ssh.ssh.c_rfc4716
dissect.target.plugins.apps.ssh.ssh.RFC4716_MARKER_START = b'-----BEGIN OPENSSH PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.RFC4716_MARKER_END = b'-----END OPENSSH PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.RFC4716_MAGIC = b'openssh-key-v1\x00'
dissect.target.plugins.apps.ssh.ssh.RFC4716_PADDING = b'\x01\x02\x03\x04\x05\x06\x07'
dissect.target.plugins.apps.ssh.ssh.RFC4716_NONE = b'none'
dissect.target.plugins.apps.ssh.ssh.PKCS8_MARKER_START = b'-----BEGIN PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PKCS8_MARKER_END = b'-----END PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PKCS8_MARKER_START_ENCRYPTED = b'-----BEGIN ENCRYPTED PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PKCS8_MARKER_END_ENCRYPTED = b'-----END ENCRYPTED PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_START_RSA = b'-----BEGIN RSA PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_END_RSA = b'-----END RSA PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_START_DSA = b'-----BEGIN DSA PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_END_DSA = b'-----END DSA PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_START_EC = b'-----BEGIN EC PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_MARKER_END_EC = b'-----END EC PRIVATE KEY-----'
dissect.target.plugins.apps.ssh.ssh.PEM_ENCRYPTED = b'ENCRYPTED'
dissect.target.plugins.apps.ssh.ssh.OpenSSHUserRecordDescriptor
dissect.target.plugins.apps.ssh.ssh.COMMON_ELLEMENTS = [('string', 'key_type'), ('string', 'comment'), ('path', 'path')]
dissect.target.plugins.apps.ssh.ssh.AuthorizedKeysRecord
dissect.target.plugins.apps.ssh.ssh.KnownHostRecord
dissect.target.plugins.apps.ssh.ssh.PrivateKeyRecord
dissect.target.plugins.apps.ssh.ssh.PublicKeyRecord
class dissect.target.plugins.apps.ssh.ssh.SSHPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.NamespacePlugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes:

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

The alias() decorator populates the __aliases__ private attribute of Plugin methods.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'ssh'

Defines the plugin namespace.

dissect.target.plugins.apps.ssh.ssh.calculate_fingerprints(public_key_decoded: bytes, ssh_keygen_format: bool = False) → tuple[str, str, str]

Calculate the MD5, SHA1 and SHA256 digest of the given decoded public key.

Adheres as much as possible to the output provided by ssh-keygen when the ssh_keygen_format parameter is set to True. When set to False (default), hexdigests are calculated instead for sha1 and sha256.

Resources:
dissect.target.plugins.apps.ssh.ssh.is_rfc4716(data: bytes) → bool

Validate that data is a valid-looking SSH private key in the OpenSSH format.

dissect.target.plugins.apps.ssh.ssh.decode_rfc4716(data: bytes) → bytes

Base64 decode the private key data.

dissect.target.plugins.apps.ssh.ssh.is_pkcs8(data: bytes) → bool

Validate that data is a valid-looking PKCS8 SSH private key.

dissect.target.plugins.apps.ssh.ssh.is_pem(data: bytes) → bool

Validate that data is a valid-looking PEM SSH private key.

class dissect.target.plugins.apps.ssh.ssh.SSHPrivateKey(data: bytes)

A class to parse (OpenSSH-supported) SSH private keys.

OpenSSH supports three types of keys:

  • RFC4716 (default)

  • PKCS8

  • PEM

key_type = None
public_key = None
comment = ''
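
The rfc4716_def layout and the default hex-digest behaviour of calculate_fingerprints described above can be exercised as follows. This is an added example, not dissect's own code: the helper names (ssh_string, read_string, build_sample, parse_envelope, fingerprints) are hypothetical, and the sample key is constructed with zeroed key material.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"  # RFC4716_MAGIC on the page

def ssh_string(value: bytes) -> bytes:
    """Encode ssh_string: uint32 big-endian length, then the value bytes."""
    return struct.pack(">I", len(value)) + value

def read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one ssh_string, rejecting a length that overruns the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("ssh_string length exceeds remaining data")
    return buf[off + 4:end], end

def build_sample(cipher: bytes = b"none", kdf: bytes = b"none") -> bytes:
    """Constructed container with zeroed key material (not a usable key)."""
    public = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    raw = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
           + struct.pack(">I", 1) + ssh_string(public) + ssh_string(bytes(8)))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")

def parse_envelope(pem: bytes) -> dict:
    """Walk the ssh_private_key layout; nothing is decrypted."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith(b"-----")]
    raw = base64.b64decode(b"".join(lines))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off, out = len(MAGIC), {}
    for name in ("cipher", "kdf_name", "kdf_options"):
        out[name], off = read_string(raw, off)
    if off + 4 > len(raw):
        raise ValueError("truncated number_of_keys")
    out["number_of_keys"] = struct.unpack_from(">I", raw, off)[0]
    out["public"], off = read_string(raw, off + 4)
    out["private"], off = read_string(raw, off)
    out["encrypted"] = out["cipher"] != b"none"  # RFC4716_NONE on the page
    return out

def fingerprints(blob: bytes) -> tuple[str, str, str]:
    """Hex MD5, SHA1 and SHA256 digests of the decoded public key blob."""
    return tuple(hashlib.new(n, blob).hexdigest() for n in ("md5", "sha1", "sha256"))
```

A cipher other than none means the private section is ciphertext, so key triage can separate passphrase-protected keys from unprotected ones using the envelope alone.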