dissect.target.plugins.os.unix.linux.fortios._os

Module Contents

Classes
- FortiOSPlugin: FortiOS plugin for various Fortinet appliances.
- ConfigNode: dict subclass with set(path, value) and attribute access (no docstring of its own; the rendered text is dict's).
- FortiOSConfig: ConfigNode subclass built from a FortiOS configuration file via from_fh() (no docstring of its own; the rendered text is dict's).

Functions
- parse_version: Attempt to parse the config FortiOS version to a readable format.
- local_groups_to_users: Map FortiOS groups to a dict with usernames as key.
- decrypt_password: Decrypt FortiOS encrypted secrets.
- key_iv_for_kernel_hash: Return decryption key and IV for a specific sha256 kernel hash.
- decrypt_rootfs: Attempt to decrypt an encrypted rootfs.gz file with given key and IV.
- get_kernel_hash: Return the SHA256 hash of the (compressed) kernel.
Attributes
- dissect.target.plugins.os.unix.linux.fortios._os.HAS_CRYPTO = True
- dissect.target.plugins.os.unix.linux.fortios._os.FortiOSUserRecord

- class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSPlugin(target: dissect.target.target.Target)
  Bases: dissect.target.plugins.os.unix.linux._os.LinuxPlugin
  FortiOS plugin for various Fortinet appliances.

  - classmethod detect(target: dissect.target.target.Target) -> dissect.target.filesystem.Filesystem | None
    Provide detection of this OSPlugin on a given filesystem.
    Parameters: fs – Filesystem to detect the OS on.
    Returns: The root filesystem / sysvol when found.
  - classmethod create(target: dissect.target.target.Target, sysvol: dissect.target.filesystem.Filesystem) -> FortiOSPlugin
    Initiate this OSPlugin with the given target and detected filesystem.
    Parameters:
      target – The Target object.
      sysvol – The filesystem that was detected in the detect() function.
    Returns: An instantiated version of the OSPlugin.
  - hostname() -> str | None
    Return configured hostname.
  - ips() -> list[str]
    Return IP addresses of configured interfaces.
  - dns() -> list[str]
    Return configured WAN DNS servers.
  - version() -> str
    Return FortiOS version.
  - users() -> Iterator[FortiOSUserRecord | dissect.target.helpers.record.UnixUserRecord]
    Return local users of the FortiOS system.
  - os() -> str
    Return a slug of the target’s OS name.
    Returns: A slug of the OS name, e.g. ‘windows’ or ‘linux’.
  - architecture() -> str | None
    Return architecture FortiOS runs on.
- class dissect.target.plugins.os.unix.linux.fortios._os.ConfigNode
  Bases: dict
  (Inherits dict's docstring: dict() -> new empty dictionary; dict(mapping) -> new dictionary initialized from a mapping object’s (key, value) pairs; dict(iterable) -> new dictionary initialized as if via d = {}; for k, v in iterable: d[k] = v; dict(**kwargs) -> new dictionary initialized with the name=value pairs in the keyword argument list, for example dict(one=1, two=2).)

  - set(path: list[str], value: str) -> None
  - __getattr__(attr: str) -> ConfigNode | str

- class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSConfig
  Bases: ConfigNode
  (Inherits dict's docstring, as for ConfigNode above.)

  - classmethod from_fh(fh: TextIO) -> FortiOSConfig

- dissect.target.plugins.os.unix.linux.fortios._os.parse_version(input: str) -> str
  Attempt to parse the config FortiOS version to a readable format.
  The input FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0 would return the following output: FortiGate VM 7.4.1 (build 2463, 2023-08-30).
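The ConfigNode / FortiOSConfig.from_fh interface and the parse_version conversion above, as an added example written for this page rather than taken from dissect.target: a parser for the FortiOS CLI configuration format (config / edit / set / next / end blocks) that builds a nested ConfigNode tree with attribute access, plus a parse_version that reproduces the documented conversion. The sample configuration text is constructed, the FGT and FWF model-name mappings (everything beyond the page's FGVM example), the handling of the "#config-version=" header and the summarize/load_config helpers are assumptions made here.

```python
from __future__ import annotations

import re
import shlex
from datetime import datetime
from io import StringIO
from typing import TextIO

# Constructed sample in the FortiOS CLI configuration format (not a real device backup).
# The #config-version header carries the exact value from the page's parse_version example.
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-lab-01"
end
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
    next
end
"""


class ConfigNode(dict):
    """Nested dict with attribute access; same interface as the documented ConfigNode."""

    def set(self, path: list[str], value: str) -> None:
        # Create intermediate nodes as needed, then store the leaf value.
        node = self
        for part in path[:-1]:
            node = node.setdefault(part, ConfigNode())
        node[path[-1]] = value

    def __getattr__(self, attr: str) -> ConfigNode | str:
        # Only reached when normal attribute lookup fails, so dict methods still win.
        try:
            return self[attr]
        except KeyError:
            raise AttributeError(attr) from None


class FortiOSConfig(ConfigNode):
    config_version: str | None = None  # raw value of the "#config-version=" header (assumed field)

    @classmethod
    def from_fh(cls, fh: TextIO) -> FortiOSConfig:
        config = cls()
        stack: list[list[str]] = []  # one path segment per open "config"/"edit" block
        for raw in fh:
            line = raw.strip()
            if line.startswith("#config-version="):
                config.config_version = line[len("#config-version="):]
                continue
            if not line or line.startswith("#"):
                continue
            parts = shlex.split(line)  # honours the double quotes FortiOS puts around values
            keyword, args = parts[0], parts[1:]
            if keyword == "config":
                stack.append(args)          # e.g. ["system", "interface"]
            elif keyword == "edit":
                stack.append(args[:1])      # e.g. ["port1"]
            elif keyword in ("next", "end"):
                if stack:
                    stack.pop()
            elif keyword == "set" and len(args) >= 2:
                path = [p for seg in stack for p in seg] + [args[0]]
                config.set(path, " ".join(args[1:]))  # multi-token values stay one string
            # "unset" and anything else is ignored
        return config


def load_config(text: str) -> FortiOSConfig:
    return FortiOSConfig.from_fh(StringIO(text))


# FGVM -> "FortiGate VM" is the page's own example; FGT and FWF are assumed here
# for physical FortiGate and FortiWiFi units. Unknown prefixes are kept verbatim.
MODEL_NAMES = {"FGVM": "FortiGate VM", "FGT": "FortiGate", "FWF": "FortiWiFi"}
VERSION_RE = re.compile(
    r"^(?P<model>[A-Z]+)[A-Z0-9]*-(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)-(?P<date>\d{6})$"
)


def parse_version(input: str) -> str:
    """'FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0' -> 'FortiGate VM 7.4.1 (build 2463, 2023-08-30)'."""
    match = VERSION_RE.match(input.split(":", 1)[0])
    if not match:
        return input  # unknown layout: hand the raw string back rather than lose it
    model = MODEL_NAMES.get(match["model"], match["model"])
    date = datetime.strptime(match["date"], "%y%m%d").strftime("%Y-%m-%d")
    return f"{model} {match['version']} (build {int(match['build'])}, {date})"


def summarize(text: str) -> dict:
    """Pull the same facts the plugin's version()/hostname()/dns()/ips() expose."""
    config = load_config(text)
    return {
        "version": parse_version(config.config_version) if config.config_version else None,
        "hostname": config.system["global"].hostname,  # "global" is a Python keyword
        "dns": [config.system.dns.primary, config.system.dns.secondary],
        "ips": [iface.ip.split()[0] for iface in config.system.interface.values()],
    }
```

Attribute access is convenient for quick triage (config.system.dns.primary) but falls back to item access whenever a config key collides with a Python keyword ("global") or a dict method name ("keys", "values"); parse_version returns its input unchanged for any layout it does not recognise, so a caller always keeps the raw version string.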
- dissect.target.plugins.os.unix.linux.fortios._os.local_groups_to_users(config_groups: dict) -> dict
  Map FortiOS groups to a dict with usernames as key.

- dissect.target.plugins.os.unix.linux.fortios._os.decrypt_password(input: str) -> str
  Decrypt FortiOS encrypted secrets.
  Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).
  Note: FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289). FortiGate 4.x uses DES and a static 8-byte key and is not supported.
  Returns the decoded plaintext, or the original input ciphertext when decryption failed.

- dissect.target.plugins.os.unix.linux.fortios._os.key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]
  Return decryption key and IV for a specific sha256 kernel hash.
  The decryption key and IV are used to decrypt the rootfs.gz file.
  Parameters: kernel_hash – SHA256 hash of the kernel file.
  Returns: Tuple with decryption key and IV.
  Raises: ValueError – When no decryption keys are available for the given kernel hash.

- dissect.target.plugins.os.unix.linux.fortios._os.decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO
  Attempt to decrypt an encrypted rootfs.gz file with the given key and IV.
  FortiOS releases as of 7.4.1 / 2023-08-31 have ChaCha20-encrypted rootfs.gz files. This function attempts to decrypt a rootfs.gz file using a static key and IV which can be found in the kernel. Known keys can be found in the _keys.py file.
  Resources:
    https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
    Reversing kernel (fgt_verifier_iv, fgt_verifier_decrypt, fgt_verifier_initrd)
  Parameters:
    fh – File-like object to the encrypted rootfs.gz file.
    key – ChaCha20 key.
    iv – ChaCha20 iv.
  Returns: File-like object to the decrypted rootfs.gz file.
  Raises:
    ValueError – When decryption failed.
    RuntimeError – When PyCryptodome is not available.

- dissect.target.plugins.os.unix.linux.fortios._os.get_kernel_hash(sysvol: dissect.target.filesystem.Filesystem) -> str | None
  Return the SHA256 hash of the (compressed) kernel.
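The get_kernel_hash -> key_iv_for_kernel_hash -> decrypt_rootfs chain documented above, as an added example that is not dissect's code. It carries a minimal RFC 7539 ChaCha20 so it runs without PyCryptodome, uses a constructed key table in place of _keys.py (no real FortiOS key material appears), and treats "decryption failed" as "the output does not start with the gzip magic", which is an assumption about the check. Further assumptions: a 12-byte nonce, a block counter starting at 0, get_kernel_hash taking the kernel bytes rather than a sysvol Filesystem, and the FAKE_* inputs and the make_encrypted_rootfs / recover_rootfs / decrypts_cleanly helpers, which exist only to exercise the chain end to end.

```python
from __future__ import annotations

import gzip
import hashlib
import struct
from io import BytesIO
from typing import BinaryIO

# --- Constructed inputs (example only; not real FortiOS key material) ---
FAKE_KERNEL = b"constructed compressed kernel image for the example"
FAKE_KEY = bytes(range(32))      # 32-byte ChaCha20 key
FAKE_IV = b"example-iv12"        # 12-byte nonce; the RFC 7539 layout is an assumption here
# Stand-in for the project's _keys.py table: sha256(kernel) -> (key, iv)
KEY_TABLE = {hashlib.sha256(FAKE_KERNEL).hexdigest(): (FAKE_KEY, FAKE_IV)}


def get_kernel_hash(kernel: bytes) -> str:
    """SHA256 of the (compressed) kernel bytes; the page's version reads them from sysvol."""
    return hashlib.sha256(kernel).hexdigest()


def key_iv_for_kernel_hash(kernel_hash: str, table: dict = KEY_TABLE) -> tuple[bytes, bytes]:
    try:
        return table[kernel_hash]
    except KeyError:
        raise ValueError(f"no decryption keys known for kernel hash {kernel_hash}") from None


# --- Minimal ChaCha20 (RFC 7539) so the example runs without PyCryptodome ---
def _rotl(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s: list[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    state = [*struct.unpack("<4I", b"expand 32-byte k"), *struct.unpack("<8I", key),
             counter & 0xFFFFFFFF, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *idx)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    # Same call encrypts and decrypts. Starting the block counter at 0 is an assumption.
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], keystream))
    return bytes(out)


def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
    """Decrypt an encrypted rootfs.gz and refuse any output that is not a gzip stream."""
    if len(key) != 32 or len(iv) != 12:
        raise ValueError("expected a 32-byte key and a 12-byte IV")
    plain = chacha20_xor(key, iv, fh.read())
    if plain[:2] != b"\x1f\x8b":  # gzip magic: a wrong key yields random-looking bytes instead
        raise ValueError("decryption failed: result is not a gzip stream")
    return BytesIO(plain)


def make_encrypted_rootfs(content: bytes, key: bytes = FAKE_KEY, iv: bytes = FAKE_IV) -> bytes:
    """Build a constructed encrypted rootfs.gz so the decrypt path can be exercised."""
    return chacha20_xor(key, iv, gzip.compress(content))


def recover_rootfs(kernel: bytes, encrypted: bytes) -> bytes:
    """Full chain: hash kernel -> look up key/IV -> decrypt -> gunzip."""
    key, iv = key_iv_for_kernel_hash(get_kernel_hash(kernel))
    return gzip.decompress(decrypt_rootfs(BytesIO(encrypted), key, iv).read())


def decrypts_cleanly(encrypted: bytes, key: bytes, iv: bytes) -> bool:
    try:
        decrypt_rootfs(BytesIO(encrypted), key, iv)
        return True
    except ValueError:
        return False
```

Because ChaCha20 is a stream cipher, a wrong key never errors on its own; the gzip-magic check is what turns that silent failure into the documented ValueError, and an unknown kernel hash fails earlier in key_iv_for_kernel_hash, so a new firmware build shows up as "no keys" rather than as garbage output.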