dissect.target.plugins.os.unix.history

Module Contents

Classes

CommandHistoryPlugin

Base class for plugins.

Attributes

dissect.target.plugins.os.unix.history.CommandHistoryRecord
dissect.target.plugins.os.unix.history.RE_EXTENDED_BASH
dissect.target.plugins.os.unix.history.RE_EXTENDED_ZSH
dissect.target.plugins.os.unix.history.RE_FISH
class dissect.target.plugins.os.unix.history.CommandHistoryPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

COMMAND_HISTORY_RELATIVE_PATHS = (('bash', '.bash_history'), ('fish', '.local/share/fish/fish_history'), ('mongodb', '.dbshell'),...
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

bashhistory()

Deprecated, use the commandhistory function instead.

commandhistory()

Return shell history for all users.

When a shell is used, the history of the commands that were run is kept on the system in a hidden file named ".$SHELL_history"; it may expose commands that were used by an adversary.

parse_generic_history(file, user: dissect.target.helpers.record.UnixUserRecord, shell: str) -> Iterator[CommandHistoryRecord]

Parse bash_history contents.

Regular .bash_history files contain one plain command per line. An extended .bash_history file may look like this:

```
#1648598339
echo "this is a test"
```

Resources:
parse_zsh_history(file, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]

Parse zsh_history contents.

Regular .zsh_history lines are just the plain commands. Extended .zsh_history files may look like this:

```
: 1673860722:0;sudo apt install sl
: :;
```

Resources:
parse_fish_history(history_file: dissect.target.helpers.fsutil.TargetPath, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]

Parses the history file of the fish shell.

The fish history file is formatted as pseudo-YAML. An example of such a file:

```
- cmd: ls
  when: 1688642435
- cmd: cd home/
  when: 1688642441
  paths:
    - home/
- cmd: echo "test: test"
  when: 1688986629
```

Note that the last `- cmd: echo "test: test"` is not valid YAML, which is why we cannot safely use the Python yaml module.

Resources:
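As an added example (not the plugin's own code), a minimal hand parser for the three formats described under parse_generic_history, parse_zsh_history and parse_fish_history, run over constructed sample files. The EXT_BASH and EXT_ZSH patterns are assumptions, not the module's RE_EXTENDED_BASH / RE_EXTENDED_ZSH, and the fish entries are split by line prefix rather than a YAML loader precisely because `cmd: echo "test: test"` is not valid YAML.

```python
import re

# Constructed samples in the three formats described above (not real evidence).
BASH_SAMPLE = '#1648598339\necho "this is a test"\nls -la\n'
ZSH_SAMPLE = ': 1673860722:0;sudo apt install sl\n: :;\nwhoami\n'
FISH_SAMPLE = (
    "- cmd: ls\n  when: 1688642435\n"
    "- cmd: cd home/\n  when: 1688642441\n  paths:\n    - home/\n"
    '- cmd: echo "test: test"\n  when: 1688986629\n'
)

# Assumed shapes of the extended-history markers; not copied from the project.
EXT_BASH = re.compile(r"^#(?P<ts>\d{9,10})$")
EXT_ZSH = re.compile(r"^: (?P<ts>\d{9,10}):(?P<elapsed>\d+);(?P<cmd>.*)$")

def parse_bash(text):
    """Yield (epoch or None, command); a '#<epoch>' line dates the command after it."""
    ts = None
    for line in text.splitlines():
        if (m := EXT_BASH.match(line)):
            ts = int(m["ts"])
            continue
        if line.strip():
            yield ts, line
            ts = None  # a timestamp applies to exactly one command

def parse_zsh(text):
    """Yield (epoch or None, command); extended lines are ': <epoch>:<elapsed>;<cmd>'."""
    for line in text.splitlines():
        if (m := EXT_ZSH.match(line)):
            if m["cmd"]:
                yield int(m["ts"]), m["cmd"]
        elif line.strip() and not line.startswith(":"):
            yield None, line  # plain (non-extended) history line; ': :;' markers are dropped

def parse_fish(text):
    """Yield (epoch, command, paths) by line prefix; the cmd value is kept verbatim."""
    entries = []
    for line in text.splitlines():
        if line.startswith("- cmd: "):
            entries.append({"cmd": line[len("- cmd: "):], "when": None, "paths": []})
        elif line.startswith("  when: ") and entries:
            entries[-1]["when"] = int(line[len("  when: "):])
        elif line.startswith("    - ") and entries:
            entries[-1]["paths"].append(line[len("    - "):])
    for e in entries:
        yield e["when"], e["cmd"], e["paths"]
```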