dissect.target.plugins.os.unix.history

Module Contents

Classes

CommandHistoryPlugin

Unix command history plugin.

Attributes

dissect.target.plugins.os.unix.history.CommandHistoryRecord
dissect.target.plugins.os.unix.history.RE_EXTENDED_BASH
dissect.target.plugins.os.unix.history.RE_EXTENDED_ZSH
dissect.target.plugins.os.unix.history.RE_FISH
class dissect.target.plugins.os.unix.history.CommandHistoryPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Unix command history plugin.

COMMAND_HISTORY_RELATIVE_PATHS = (('bash', '.bash_history'), ('fish', '.local/share/fish/fish_history'), ('mongodb', '.dbshell'),...
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

commandhistory() -> Iterator[CommandHistoryRecord]

Return shell history for all users.

When a shell is used, the history of the executed commands is kept on the system in a hidden file in the user's home directory named ".$SHELL_history" (for example .bash_history). It may expose commands that were used by an adversary.

parse_generic_history(file, user: dissect.target.helpers.record.UnixUserRecord, shell: str) -> Iterator[CommandHistoryRecord]

Parse bash_history contents.

Regular .bash_history files contain one plain command per line. Extended .bash_history files look like this:

#1648598339
echo "this is a test"
parse_zsh_history(file, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]

Parse zsh_history contents.

Regular .zsh_history lines are just the plain commands. Extended .zsh_history files look like this:

: 1673860722:0;sudo apt install sl
: :;
parse_fish_history(history_file: dissect.target.helpers.fsutil.TargetPath, user: dissect.target.helpers.record.UnixUserRecord) -> Iterator[CommandHistoryRecord]

Parses the history file of the fish shell.

The fish history file is formatted as pseudo-YAML. An example of such a file:

- cmd: ls
  when: 1688642435
- cmd: cd home/
  when: 1688642441
  paths:
    - home/
- cmd: echo "test: test"
  when: 1688986629

Note that the last entry, - cmd: echo "test: test", is not valid YAML (the unquoted value contains a ": " sequence that a YAML parser would read as a nested mapping), which is why we cannot safely use the Python yaml module.

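The three formats described under parse_generic_history, parse_zsh_history and parse_fish_history, parsed and merged into one timeline, as an added example. This is not the plugin's own code: the regular expressions below are written for this example and are not the RE_EXTENDED_BASH, RE_EXTENDED_ZSH or RE_FISH attributes listed above, the HistoryEntry record is a stand-in for CommandHistoryRecord, and the three sample history files are constructed for the example rather than captured from a real system.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, Optional

# Constructed sample history files (not captured from any real system).
BASH_EXTENDED = """#1648598339
echo "this is a test"
#1648598400
whoami
cat /etc/hostname
"""

ZSH_EXTENDED = """: 1673860722:0;sudo apt install sl
: :;
ls -la
: 1673860800:5;sleep 5
"""

FISH_HISTORY = """- cmd: ls
  when: 1688642435
- cmd: cd home/
  when: 1688642441
  paths:
    - home/
- cmd: echo "test: test"
  when: 1688986629
"""


@dataclass
class HistoryEntry:  # stand-in for the plugin's CommandHistoryRecord
    shell: str
    command: str
    ts: Optional[datetime]  # None when the line carried no timestamp
    order: int              # position within its source file


# Patterns written for this example; they are not the plugin's own RE_* attributes.
RE_EXT_BASH = re.compile(r"^#(?P<ts>\d{9,10})$")
RE_EXT_ZSH = re.compile(r"^: (?P<ts>\d*):(?P<elapsed>\d*);(?P<cmd>.*)$")
RE_FISH_CMD = re.compile(r"^- cmd: (?P<cmd>.*)$")
RE_FISH_WHEN = re.compile(r"^\s+when: (?P<ts>\d+)$")


def _utc(epoch: str) -> datetime:
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def parse_bash(text: str) -> Iterator[HistoryEntry]:
    # A '#<epoch>' line stamps only the command line that follows it;
    # plain (non-extended) files yield entries with ts=None.
    pending: Optional[datetime] = None
    for i, line in enumerate(text.splitlines()):
        m = RE_EXT_BASH.match(line)
        if m:
            pending = _utc(m["ts"])
            continue
        if not line.strip():
            continue
        yield HistoryEntry("bash", line, pending, i)
        pending = None


def parse_zsh(text: str) -> Iterator[HistoryEntry]:
    # Extended lines are ': <epoch>:<elapsed>;<cmd>'; anything else is a plain command.
    for i, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        m = RE_EXT_ZSH.match(line)
        if m is None:
            yield HistoryEntry("zsh", line, None, i)
            continue
        if not m["cmd"]:
            continue  # empty entry such as ': :;' carries no command
        yield HistoryEntry("zsh", m["cmd"], _utc(m["ts"]) if m["ts"] else None, i)


def parse_fish(text: str) -> Iterator[HistoryEntry]:
    # Line-oriented parse of fish's pseudo-YAML: the command is taken verbatim after
    # 'cmd: ' (a YAML loader would choke on 'echo "test: test"'); 'paths:' blocks are
    # skipped because their items never start at column 0 with '- cmd:'.
    cmd: Optional[str] = None
    ts: Optional[datetime] = None
    order = 0
    for line in text.splitlines():
        m = RE_FISH_CMD.match(line)
        if m:
            if cmd is not None:
                yield HistoryEntry("fish", cmd, ts, order)
                order += 1
            cmd, ts = m["cmd"], None
            continue
        m = RE_FISH_WHEN.match(line)
        if m and cmd is not None:
            ts = _utc(m["ts"])
    if cmd is not None:
        yield HistoryEntry("fish", cmd, ts, order)


PARSERS = {"bash": parse_bash, "zsh": parse_zsh, "fish": parse_fish}


def build_timeline(files: dict) -> list:
    # One list ordered by timestamp; entries without a timestamp cannot be placed
    # and are appended afterwards in file order (sorted() is stable).
    entries = [e for shell, text in files.items() for e in PARSERS[shell](text)]
    return sorted(entries, key=lambda e: (e.ts is None, e.ts.timestamp() if e.ts else 0.0))


if __name__ == "__main__":
    for e in build_timeline({"bash": BASH_EXTENDED, "zsh": ZSH_EXTENDED, "fish": FISH_HISTORY}):
        print(e.ts.isoformat() if e.ts else "no timestamp", e.shell, e.command)
```

Untimestamped lines are kept rather than dropped: a plain .bash_history still records what was run, only its position on the timeline is unknown, so the merged list places those entries after every timestamped one instead of guessing a time.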