target-shell gives you the ability to access a target using a virtual shell environment. Once a shell is opened on a target, type help to list the available commands. To see the documentation of each command, you can use help <topic>.
Opening a shell on a target is straightforward. You can do so by specifying a path to a target as follows:
    $ target-shell targets/EXAMPLE.vmx
    EXAMPLE /> help

    Documented commands (type help <topic>):
    ========================================
    cat    disks  filesystems  help     less  python    save
    cd     exit   find         hexdump  ls    readlink  stat
    clear  file   hash         info     pwd   registry  volumes

    EXAMPLE /> ls
    c:
    sysvol
Further interacting with the target can be done using the commands listed above. You can exit the shell by
exit or pressing
Running target-shell on multiple targets opens a different prompt, called the “Target Hub”. Within this hub you can choose the target you want to interact with. Listing all targets in the hub can be done by using the list command. To enter a specific target, pass the index or hostname of that target to the enter command:
    $ target-shell targets/*
    dissect> help

    Target Hub
    ==========
    List and enter targets by using 'list' and 'enter'.

    Documented commands (type help <topic>):
    ==============================================
    enter  exit  help  list  python

    dissect> list
    0: EXAMPLE
    1: EXAMPLE1
    3: EXAMPLE3
    4: EXAMPLE4
    dissect> enter 0
    EXAMPLE /> ls
    c:
    sysvol
When exiting a target-specific shell, you return to the hub. Here you can enter another shell or re-enter the previous target. Re-entering preserves your current path.
Please refer to Use-cases for more examples of how to use target-shell.
target-shell - CLI interface
target-shell [-h] [-p] [-r] [-K KEYCHAIN_FILE] [-Kv KEYCHAIN_VALUE] [-v] [-q] [--plugin-path PLUGIN_PATH [PLUGIN_PATH ...]] [TARGETS ...]
target-shell positional arguments
TARGETS- Targets to load (default:
target-shell optional arguments
--registry- Registry shell
KEYCHAIN_FILE- keychain file in CSV format (default:
KEYCHAIN_VALUE- passphrase, recovery key or key file path value (default:
PLUGIN_PATH- a file or directory containing plugins and extensions (default:
For more information on the --keychain-value arguments, please refer to Disk encryption (FVE).
The --python argument opens an interactive (I)Python shell on one or more targets. This gives you the ability to interact with those targets programmatically. Within this Python shell the first target is loaded in the t variable, and all targets (including the first) are loaded in the targets variable:
    $ target-shell -p targets/EXAMPLE.vmx
    Python 3.X.X
    Type 'copyright', 'credits' or 'license' for more information
    IPython X.X.X -- An enhanced Interactive Python. Type '?' for help.

    Loaded targets in 'targets' variable. First target is in 't'.

    In [1]: t, targets
    Out[1]: (<Target EXAMPLE.tar>, [<Target EXAMPLE.tar>])

    In [2]: t.hostname, targets[0].hostname
    Out[2]: ('EXAMPLE', 'EXAMPLE')
To directly examine the registry of a Windows target, the shell can be opened in registry mode with the --registry argument.
This registry shell lets you explore the registry as if it were a filesystem. Navigate through the keys with the cd command and show the value of a key with the cat command. Note, however, that to go back up the directory tree, the up command should be used instead of cd .. because .. is a valid name for a registry key or value.
    $ target-shell targets/EXAMPLE.E01 -r
    EXAMPLE/registry > ls
    HKEY_LOCAL_MACHINE
    HKEY_USERS
    EXAMPLE/registry > cd HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework
    EXAMPLE/registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework> cat Enable64Bit
    value-shows-here
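
Why registry mode needs a separate up command, shown as an added example that is not Dissect's own code: a toy navigator over a constructed hive in which one key is literally named "..". RegistryNav, filesystem_style and the HIVE contents are hypothetical names chosen for illustration.

```python
# Constructed miniature hive: dicts are keys, everything else is a value.
HIVE = {"HKEY_LOCAL_MACHINE": {"SOFTWARE": {"Microsoft": {
    ".NetFramework": {"Enable64Bit": 1},
    "..": {"Marker": "value under a key literally named '..'"},
}}}}


class RegistryNav:
    """Toy model of registry-mode navigation; not Dissect's implementation."""

    def __init__(self, hive):
        self.hive = hive
        self.path = []  # key names from the root down to the current key

    def _key(self, path):
        node = self.hive
        for name in path:
            node = node.get(name)
            if not isinstance(node, dict):
                raise KeyError("no such key: " + "\\".join(path))
        return node

    def cd(self, target):
        # Each backslash-separated component is a literal key name, so
        # ".." is looked up like any other name instead of meaning "parent".
        new_path = self.path + [p for p in target.split("\\") if p]
        self._key(new_path)  # raises KeyError when the key does not exist
        self.path = new_path

    def up(self):
        # Parent navigation gets its own command, so it can never collide
        # with a key name.
        self.path = self.path[:-1]

    def cat(self, value_name):
        return self._key(self.path)[value_name]


def filesystem_style(path, target):
    """Filesystem-style resolution for contrast: '..' pops one component."""
    for part in target.split("\\"):
        if part == "..":
            path = path[:-1]
        elif part:
            path = path + [part]
    return path
```

With filesystem-style resolution the key named ".." can never be entered, so anything stored beneath it would be invisible to an examiner; treating every component as a literal name keeps it reachable.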