dissect.target.plugins.os.unix.history
Module Contents
Classes
- CommandHistoryPlugin: Base class for plugins.
Attributes
- dissect.target.plugins.os.unix.history.CommandHistoryRecord
- dissect.target.plugins.os.unix.history.RE_EXTENDED_BASH
- dissect.target.plugins.os.unix.history.RE_EXTENDED_ZSH
- dissect.target.plugins.os.unix.history.RE_FISH
- class dissect.target.plugins.os.unix.history.CommandHistoryPlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin
Base class for plugins.
Plugins can optionally be namespaced by specifying the `__namespace__` class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified `test` as namespace and a function called `example`, you must call your plugin with `test.example`.
A `Plugin` class has the following private class attributes:
  - `__namespace__`
  - `__record_descriptors__`
With the following three being assigned in `register()`:
  - `__plugin__`
  - `__functions__`
  - `__exports__`
Additionally, the methods and attributes of `Plugin` receive more private attributes by using decorators.
The `export()` decorator adds the following private attributes:
  - `__exported__`
  - `__output__`: Set with the `export()` decorator.
  - `__record__`: Set with the `export()` decorator.
The `internal()` decorator and `InternalPlugin` set the `__internal__` attribute. Finally, the `args()` decorator sets the `__args__` attribute.
Parameters:
target – The `Target` object to load the plugin for.
- COMMAND_HISTORY_RELATIVE_PATHS = (('bash', '.bash_history'), ('fish', '.local/share/fish/fish_history'), ('mongodb', '.dbshell'),...
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return `None` if the plugin is compatible with the current target (`self.target`). For example, check if a certain file exists. Otherwise it should raise an `UnsupportedPluginError`.
Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- bashhistory()
Deprecated, use commandhistory function.
- commandhistory()
Return shell history for all users.
When using a shell, history of the used commands is kept on the system. It is kept in a hidden file named “.$SHELL_history” and may expose commands that were used by an adversary.
- parse_generic_history(file, user: dissect.target.helpers.record.UnixUserRecord, shell: str) -> Iterator[CommandHistoryRecord]
Parse bash_history contents.
Regular .bash_history files contain one plain command per line. An extended .bash_history file may look like this:
```
#1648598339
echo "this is a test"
```
- parse_zsh_history(file, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]
Parse zsh_history contents.
Regular .zsh_history lines are just the plain commands. Extended .zsh_history files may look like this:
```
: 1673860722:0;sudo apt install sl
: :;
```
- parse_fish_history(history_file: dissect.target.helpers.fsutil.TargetPath, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]
Parses the history file of the fish shell.
The fish history file is formatted as pseudo-YAML. An example of such a file:
```
- cmd: ls
  when: 1688642435
- cmd: cd home/
  when: 1688642441
  paths:
    - home/
- cmd: echo "test: test"
  when: 1688986629
```
Note that the last `- cmd: echo "test: test"` is not valid YAML, which is why we cannot safely use the Python yaml module.
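The three history formats described above (extended bash, extended zsh and fish pseudo-YAML) can each be handled with line-oriented regular expressions instead of a YAML parser. The following is an added example, not dissect's own code: the patterns, function names and sample inputs are constructed here, and the second numeric field of an extended zsh line is assumed to be the elapsed seconds.

```python
import re
from datetime import datetime, timezone

# Patterns written for this example; they are not dissect's RE_EXTENDED_BASH,
# RE_EXTENDED_ZSH or RE_FISH, whose definitions the page does not show.
BASH_TS = re.compile(r"^#(\d+)$")
ZSH_EXT = re.compile(r"^: (\d+):(\d+);(.*)$")
FISH_ENTRY = re.compile(r"^- cmd: (.*)\n  when: (\d+)$", re.MULTILINE)

def _ts(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)

def parse_bash(text):
    """Yield (ts, command). A '#<epoch>' line stamps the command after it."""
    pending = None
    for line in text.splitlines():
        m = BASH_TS.match(line)
        if m:
            pending = _ts(m.group(1))
        elif line.strip():
            yield pending, line  # ts is None for plain, unstamped history
            pending = None

def parse_zsh(text):
    """Yield (ts, command); lines without ': <epoch>:<elapsed>;' get ts=None."""
    for line in text.splitlines():
        m = ZSH_EXT.match(line)
        if m:
            yield _ts(m.group(1)), m.group(3)
        elif line.strip():
            yield None, line

def parse_fish(text):
    """Yield (ts, command) by regex, so a ': ' inside cmd cannot break parsing.
    Backslash escapes inside cmd are returned as stored."""
    for m in FISH_ENTRY.finditer(text):
        yield _ts(m.group(2)), m.group(1)

# Constructed sample inputs, modelled on the docstring snippets above.
BASH = 'ls -la\n#1648598339\necho "this is a test"\n'
ZSH = ": 1673860722:0;sudo apt install sl\nuname -a\n"
FISH = ('- cmd: cd home/\n  when: 1688642441\n  paths:\n    - home/\n'
        '- cmd: echo "test: test"\n  when: 1688986629\n')

if __name__ == "__main__":
    for name, fn, data in (("bash", parse_bash, BASH), ("zsh", parse_zsh, ZSH), ("fish", parse_fish, FISH)):
        for ts, cmd in fn(data):
            print(name, ts.isoformat() if ts else "-", cmd)
```

Commands that come back with no timestamp cannot be placed on a timeline from the history file alone, so order within the file is the only sequencing evidence for them.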