:orphan:

:py:mod:`dissect.target.plugins.os.unix.linux.fortios._os`
==========================================================

.. py:module:: dissect.target.plugins.os.unix.linux.fortios._os


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.linux.fortios._os.FortiOSPlugin
   dissect.target.plugins.os.unix.linux.fortios._os.ConfigNode
   dissect.target.plugins.os.unix.linux.fortios._os.FortiOSConfig


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.unix.linux.fortios._os.parse_version
   dissect.target.plugins.os.unix.linux.fortios._os.local_groups_to_users
   dissect.target.plugins.os.unix.linux.fortios._os.decrypt_password
   dissect.target.plugins.os.unix.linux.fortios._os.key_iv_for_kernel_hash
   dissect.target.plugins.os.unix.linux.fortios._os.decrypt_rootfs
   dissect.target.plugins.os.unix.linux.fortios._os.get_kernel_hash


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.linux.fortios._os.HAS_CRYPTO
   dissect.target.plugins.os.unix.linux.fortios._os.FortiOSUserRecord


.. py:data:: HAS_CRYPTO
   :value: True

   Whether PyCryptodome could be imported; the ``decrypt_*`` helpers below require it.


.. py:data:: FortiOSUserRecord


.. py:class:: FortiOSPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugins.os.unix.linux._os.LinuxPlugin`

   FortiOS plugin for various Fortinet appliances.

   .. py:method:: detect(target: dissect.target.target.Target) -> Optional[dissect.target.filesystem.Filesystem]
      :classmethod:

      Provide detection of this OSPlugin on a given target.

      :param target: The :class:`~dissect.target.target.Target` whose filesystems are checked for FortiOS.

      :returns: The root filesystem / sysvol when found.

   .. py:method:: create(target: dissect.target.target.Target, sysvol: dissect.target.filesystem.Filesystem) -> FortiOSPlugin
      :classmethod:

      Initiate this OSPlugin with the given target and detected filesystem.

      :param target: The :class:`~dissect.target.target.Target` object.
      :param sysvol: The filesystem that was detected in the ``detect()`` function.
      :returns: An instantiated version of the OSPlugin.

   .. py:method:: hostname() -> str | None

      Return the configured hostname.

   .. py:method:: ips() -> list[str]

      Return the IP addresses of configured interfaces.

   .. py:method:: dns() -> list[str]

      Return the configured WAN DNS servers.

   .. py:method:: version() -> str

      Return the FortiOS version.

   .. py:method:: users() -> Iterator[Union[FortiOSUserRecord, dissect.target.helpers.record.UnixUserRecord]]

      Return the local users of the FortiOS system.

   .. py:method:: os() -> str

      Return a slug of the target's OS name.

      :returns: A slug of the OS name, e.g. 'windows' or 'linux'.

   .. py:method:: architecture() -> Optional[str]

      Return the architecture FortiOS runs on.


.. py:class:: ConfigNode

   Bases: :py:obj:`dict`

   Nested dictionary holding a parsed FortiOS configuration tree. ``set()`` stores a value under a path of keys, and attribute access (``__getattr__``) returns the child node or leaf value stored under that key.

   .. py:method:: set(path: list[str], value: str) -> None

   .. py:method:: __getattr__(attr: str) -> ConfigNode | str


.. py:class:: FortiOSConfig

   Bases: :py:obj:`ConfigNode`

   Root :py:obj:`ConfigNode` of a FortiOS configuration, built from a text file handle with ``from_fh()``.

   .. py:method:: from_fh(fh: TextIO) -> FortiOSConfig
      :classmethod:


.. py:function:: parse_version(input: str) -> str

   Attempt to parse the FortiOS version string from the config into a readable format.

   The input ``FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0`` would return the following output:
   ``FortiGate VM 7.4.1 (build 2463, 2023-08-30)``.

   Resources:

   - https://support.fortinet.com/Download/VMImages.aspx
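The version parsing and the ``config``/``edit``/``set``/``next``/``end`` tree that ``FortiOSConfig.from_fh()`` builds into ``ConfigNode`` objects can be exercised with the following added example. It is not code from dissect.target: ``ConfigNode``, ``parse_config``, ``parse_version`` and ``local_groups_to_users`` are re-implementations written for this page, the sample configuration is constructed, and the platform-name table beyond ``FGVM64`` is an assumption. Attribute access stops at names that are Python keywords or ``dict`` methods (``global``, ``keys``, ``items``), so those levels are read with item access.

```python
import re
import shlex
from typing import Iterable, Union

# Platform prefix -> readable name. Only FGVM64 is confirmed by the page's example;
# the FGT entry is an assumption added for illustration.
PLATFORM_NAMES = {"FGVM64": "FortiGate VM", "FGT": "FortiGate"}

# First field of a "#config-version=" header, e.g. FGVM64-7.4.1-FW-build2463-230830
VERSION_RE = re.compile(
    r"^(?P<platform>[A-Z0-9]+)-(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)-(?P<date>\d{6})$"
)


def parse_version(input: str) -> str:
    """Render the version field readably; hand back the input untouched if the layout is unknown."""
    match = VERSION_RE.match(input.split(":", 1)[0])
    if match is None:
        return input
    platform = PLATFORM_NAMES.get(match["platform"], match["platform"])
    d = match["date"]  # YYMMDD
    return f"{platform} {match['version']} (build {match['build']}, 20{d[:2]}-{d[2:4]}-{d[4:]})"


class ConfigNode(dict):
    """Nested dict with attribute access (a re-implementation for this example, not dissect's)."""

    def set(self, path: list, value: Union[str, list]) -> None:
        node = self
        for key in path[:-1]:
            child = node.get(key)
            if not isinstance(child, ConfigNode):  # create a branch (or replace a stray leaf)
                child = node[key] = ConfigNode()
            node = child
        node[path[-1]] = value

    def __getattr__(self, attr: str):
        try:
            return self[attr]
        except KeyError:
            raise AttributeError(attr) from None


def parse_config(lines: Iterable[str]) -> ConfigNode:
    """Parse FortiOS CLI-style config (config/edit/set/next/end) into a ConfigNode tree."""
    root = ConfigNode()
    path: list = []
    pushed: list = []  # number of path elements each open config/edit block added
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#config-version="):  # '#' keys cannot collide with real config keys
                root["#config-version"] = line.split("=", 1)[1]
            continue
        tokens = shlex.split(line, posix=True)  # handles quoted values and \" escapes
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            path.extend(args)
            pushed.append(len(args))
        elif keyword == "set" and len(args) >= 2:
            # one value token stays a str; several (member lists, "ENC <blob>") become a list
            root.set(path + [args[0]], args[1] if len(args) == 2 else args[1:])
        elif keyword in ("next", "end") and pushed:
            del path[len(path) - pushed.pop():]
        # unset/abort and other keywords are ignored in this example
    return root


def local_groups_to_users(config_groups: dict) -> dict:
    """Invert a 'config user group' node into {username: [group, ...]}."""
    users: dict = {}
    for group, node in config_groups.items():
        members = node.get("member", [])
        for user in [members] if isinstance(members, str) else members:
            users.setdefault(user, []).append(group)
    return users


# Constructed sample config (made-up values; the password hash is a placeholder).
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2AAAA
    next
end
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
    edit "auditors"
        set member "alice"
    next
end
"""
```

``parse_config(SAMPLE_CONFIG.splitlines())`` yields a tree where ``cfg.system["global"].hostname`` is ``fw-edge-01`` and ``cfg.system.admin.admin.password`` is the two-token list ``["ENC", "SH2AAAA"]``; the ``SH2`` prefix marks an admin password hash rather than a reversible secret, which matters for the ``decrypt_password`` function documented below. A file object iterates line by line, so the same function accepts the ``TextIO`` handle that ``from_fh()`` takes.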
.. py:function:: local_groups_to_users(config_groups: dict) -> dict

   Map FortiOS groups to a dict with usernames as keys.


.. py:function:: decrypt_password(input: str) -> str

   Decrypt FortiOS encrypted secrets.

   Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).

   .. note::

      - FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289).
      - FortiGate 4.x uses DES with a static 8-byte key and is not supported.

   Returns the decoded plaintext, or the original input ciphertext when decryption fails.

   Resources:

   - https://www.fortiguard.com/psirt/FG-IR-19-007


.. py:function:: key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]

   Return the decryption key and IV for a specific SHA256 kernel hash.

   The decryption key and IV are used to decrypt the ``rootfs.gz`` file.

   :param kernel_hash: SHA256 hash of the kernel file.

   :returns: Tuple with decryption key and IV.

   :raises ValueError: When no decryption keys are available for the given kernel hash.


.. py:function:: decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO

   Attempt to decrypt an encrypted ``rootfs.gz`` file with the given key and IV.

   FortiOS releases from 7.4.1 (2023-08-31) onwards ship a ChaCha20-encrypted ``rootfs.gz``. This function attempts to decrypt such a ``rootfs.gz`` using a static key and IV that can be found in the kernel. Known keys can be found in the ``_keys.py`` file.

   Resources:

   - https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
   - Reversing the kernel (``fgt_verifier_iv``, ``fgt_verifier_decrypt``, ``fgt_verifier_initrd``)

   :param fh: File-like object to the encrypted rootfs.gz file.
   :param key: ChaCha20 key.
   :param iv: ChaCha20 IV.

   :returns: File-like object to the decrypted rootfs.gz file.

   :raises ValueError: When decryption failed.
   :raises RuntimeError: When PyCryptodome is not available.


.. py:function:: get_kernel_hash(sysvol: dissect.target.filesystem.Filesystem) -> Optional[str]

   Return the SHA256 hash of the (compressed) kernel.
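The following is an added example of the CVE-2019-6693 decryption that ``decrypt_password`` performs, together with the "original input on failure" behaviour its docstring describes; it is not dissect.target's code. Two things it relies on are not stated on this page and are taken from the public write-ups of that CVE: the static AES-128-CBC key ``Mary had a littl`` and the layout in which the first four bytes of the base64-decoded blob form the IV (zero-padded to 16 bytes) and the rest is the ciphertext. The ``SH2``/``AK1`` prefixes are those of FortiOS salted admin password hashes, which are one-way and cannot be decrypted, and ``encrypt_password`` exists only to build test vectors offline. The guarded import plays the role of the module's ``HAS_CRYPTO`` attribute.

```python
import base64
import os
from typing import Optional

try:
    from Crypto.Cipher import AES  # PyCryptodome, the dependency HAS_CRYPTO reflects
    HAS_CRYPTO = True
except ImportError:
    HAS_CRYPTO = False

# Static AES-128 key and IV layout of CVE-2019-6693 / FG-IR-19-007 (FortiGate 5.x-7.x).
# Neither value appears on this page; both come from public write-ups of the CVE.
STATIC_KEY = b"Mary had a littl"
IV_PREFIX_LEN = 4  # first 4 bytes of the decoded blob are the IV, zero-padded to 16
BLOCK = 16


def crypto_available() -> bool:
    return HAS_CRYPTO


def is_password_hash(secret: str) -> bool:
    """Admin passwords are stored as salted hashes (SH2 = SHA-256, AK1 = SHA-1), not ENC ciphertext."""
    return secret[:3] in ("SH2", "AK1")


def decrypt_password(secret: str) -> str:
    """Decrypt a FortiGate ENC secret. Hashes, non-base64 input, blobs that are not
    block-aligned and plaintext that is not valid text are returned unchanged."""
    if not HAS_CRYPTO:
        raise RuntimeError("PyCryptodome is required")
    if secret.startswith("ENC "):  # as it appears in config: set password ENC <base64>
        secret = secret[4:]
    if is_password_hash(secret):
        return secret
    try:
        blob = base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return secret
    body = blob[IV_PREFIX_LEN:]
    if not body or len(body) % BLOCK:
        return secret
    iv = blob[:IV_PREFIX_LEN] + b"\x00" * (BLOCK - IV_PREFIX_LEN)
    plaintext = AES.new(STATIC_KEY, AES.MODE_CBC, iv=iv).decrypt(body)
    try:
        return plaintext.split(b"\x00", 1)[0].decode()  # plaintext is NUL-padded
    except UnicodeDecodeError:
        return secret


def encrypt_password(plaintext: str, iv_prefix: Optional[bytes] = None) -> str:
    """Build an ENC blob with the same key and layout, to produce test vectors offline."""
    if not HAS_CRYPTO:
        raise RuntimeError("PyCryptodome is required")
    iv_prefix = os.urandom(IV_PREFIX_LEN) if iv_prefix is None else iv_prefix
    data = plaintext.encode()
    data += b"\x00" * (BLOCK - len(data) % BLOCK)  # NUL-pad to a block boundary
    iv = iv_prefix + b"\x00" * (BLOCK - IV_PREFIX_LEN)
    return base64.b64encode(iv_prefix + AES.new(STATIC_KEY, AES.MODE_CBC, iv=iv).encrypt(data)).decode()


if __name__ == "__main__":
    if HAS_CRYPTO:
        blob = encrypt_password("vpn-psk-example")  # constructed secret
        print("ENC", blob, "->", decrypt_password(blob))
    else:
        print("PyCryptodome not installed")
```

Because failure is signalled by handing the input back, callers compare the return value with the input rather than catching an exception. The FortiManager 16-byte-IV format and the FortiGate 4.x DES format that the note above excludes are not handled here either; with a wrong key or layout the CBC output is random bytes, which is why the UTF-8 decode check is the last gate.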