`dissect.target.plugins.os.unix.linux.fortios._os`¶

Module Contents¶

Classes¶

`FortiOSPlugin`	FortiOS plugin for various Fortinet appliances.
`ConfigNode`	Generic configuration node implementation.
`FortiOSConfig`	FortiOS configuration parser.

Functions¶

`create_tar_filesystem`	Create appropriate `TarFilesystem` based on file format.
`parse_version`	Attempt to parse the config FortiOS version to a readable format.
`local_groups_to_users`	Map FortiOS groups to a dict with usernames as key.
`decrypt_password`	Decrypt FortiOS encrypted secrets.
`key_iv_for_kernel_hash`	Return decryption key and IV for a specific sha256 kernel hash.
`chacha20_decrypt`	Decrypt file using ChaCha20 with given ChaCha20Key.
`calculate_counter_increment`	Calculate the custom FortiGate CTR increment from IV.
`aes_decrypt`	Decrypt file using a custom AES CTR increment with given AesKey.
`decrypt_rootfs`	Attempt to decrypt an encrypted `rootfs.gz` file with given key and IV.
`get_kernel_hash`	Return the SHA256 hash of the (compressed) kernel.

Attributes¶

`HAS_CRYPTO`
`FortiOSUserRecord`

dissect.target.plugins.os.unix.linux.fortios._os.HAS_CRYPTO = True¶

dissect.target.plugins.os.unix.linux.fortios._os.FortiOSUserRecord¶

dissect.target.plugins.os.unix.linux.fortios._os.create_tar_filesystem(fileobj: BinaryIO) → dissect.target.filesystems.tar.TarFilesystem¶

Create appropriate TarFilesystem based on file format.

Parameters:: fileobj – The file-like object of a tar or cpio file
Returns:: TarFilesystem with cpio handler if cpio format is detected.

class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugins.os.unix.linux._os.LinuxPlugin

FortiOS plugin for various Fortinet appliances.

classmethod detect(target: dissect.target.target.Target) → dissect.target.filesystem.Filesystem | None¶

Detect a Linux-like filesystem.

These days there is little difference in the filesystem format used by Unix and Linux. Both implementations use the Filesystem Hierarchy Standard (FHS). We can differentiate between Unix and Linux by checking for specific Linux kernel-only files not present on actual Unix filesystems (e.g. BSD, Solaris, IBM AIX and HP-UX).

References

classmethod create(target: dissect.target.target.Target, sysvol: dissect.target.filesystem.Filesystem) → typing_extensions.Self¶

Initiate this OSPlugin with the given target and detected filesystem.

Parameters:

target – The Target object.
sysvol – The filesystem that was detected in the detect() function.

Returns:

An instantiated version of the OSPlugin.

hostname() → str | None¶: Return configured hostname.

ips() → list[str]¶: Return IP addresses of configured interfaces.

dns() → list[str]¶: Return configured WAN DNS servers.

version() → str¶: Return FortiOS version.

users() → collections.abc.Iterator[FortiOSUserRecord | dissect.target.helpers.record.UnixUserRecord]¶: Return local users of the FortiOS system.

os() → str¶

Return a slug of the target’s OS name.

Returns:: A slug of the OS name, e.g. ‘windows’ or ‘linux’.

architecture() → str | None¶: Return architecture FortiOS runs on.

class dissect.target.plugins.os.unix.linux.fortios._os.ConfigNode¶

Bases: dict

Generic configuration node implementation.

set(path: list[str], value: str) → None¶

__getattr__(attr: str) → ConfigNode | str¶

class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSConfig¶

Bases: ConfigNode

FortiOS configuration parser.

classmethod from_fh(fh: TextIO) → typing_extensions.Self¶

dissect.target.plugins.os.unix.linux.fortios._os.parse_version(input: str) → str¶

Attempt to parse the config FortiOS version to a readable format.

The input FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0 would return the following output: FortiGate VM 7.4.1 (build 2463, 2023-08-30).

References

https://support.fortinet.com/Download/VMImages.aspx

dissect.target.plugins.os.unix.linux.fortios._os.local_groups_to_users(config_groups: dict) → dict¶: Map FortiOS groups to a dict with usernames as key.

dissect.target.plugins.os.unix.linux.fortios._os.decrypt_password(input: str) → str¶

Decrypt FortiOS encrypted secrets.

Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).

Note

FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289).
FortiGate 4.x uses DES and a static 8-byte key and is not supported.

Returns decoded plaintext or original input ciphertext when decryption failed.

References

https://www.fortiguard.com/psirt/FG-IR-19-007

dissect.target.plugins.os.unix.linux.fortios._os.key_iv_for_kernel_hash(kernel_hash: str) → dissect.target.plugins.os.unix.linux.fortios._keys.AesKey | dissect.target.plugins.os.unix.linux.fortios._keys.ChaCha20Key¶

Return decryption key and IV for a specific sha256 kernel hash.

The decryption key and IV are used to decrypt the rootfs.gz file.

Parameters:: kernel_hash – SHA256 hash of the kernel file.
Returns:: Tuple with decryption key and IV.
Raises:: ValueError – When no decryption keys are available for the given kernel hash.

dissect.target.plugins.os.unix.linux.fortios._os.chacha20_decrypt(fh: BinaryIO, key: dissect.target.plugins.os.unix.linux.fortios._keys.ChaCha20Key) → bytes¶

Decrypt file using ChaCha20 with given ChaCha20Key.

Parameters:

fh – File-like object to the encrypted rootfs.gz file.
key – ChaCha20Key.

Returns:

Decrypted bytes.

dissect.target.plugins.os.unix.linux.fortios._os.calculate_counter_increment(iv: bytes) → int¶

Calculate the custom FortiGate CTR increment from IV.

Parameters:: iv – 16 bytes IV.
Returns:: Custom CTR increment.

dissect.target.plugins.os.unix.linux.fortios._os.aes_decrypt(fh: BinaryIO, key: dissect.target.plugins.os.unix.linux.fortios._keys.AesKey) → bytes¶

Decrypt file using a custom AES CTR increment with given AesKey.

Parameters:

fh – File-like object to the encrypted rootfs.gz file.
key – AesKey.

Returns:

Decrypted bytes.

dissect.target.plugins.os.unix.linux.fortios._os.decrypt_rootfs(fh: BinaryIO, key: dissect.target.plugins.os.unix.linux.fortios._keys.ChaCha20Key | dissect.target.plugins.os.unix.linux.fortios._keys.AesKey) → BinaryIO¶

Attempt to decrypt an encrypted rootfs.gz file with given key and IV.

FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted rootfs.gz files. This function attempts to decrypt a rootfs.gz file using a static key and IV which can be found in the kernel.

Known keys can be found in the _keys.py file.

References

https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
Reversing kernel (fgt_verifier_iv, fgt_verifier_decrypt, fgt_verifier_initrd)

Parameters:

fh – File-like object to the encrypted rootfs.gz file.
key – ChaCha20Key or AesKey.

Returns:

File-like object to the decrypted rootfs.gz file.

Raises:

ValueError – When decryption failed.
RuntimeError – When PyCryptodome is not available.

dissect.target.plugins.os.unix.linux.fortios._os.get_kernel_hash(sysvol: dissect.target.filesystem.Filesystem) → str | None¶: Return the SHA256 hash of the (compressed) kernel.

dissect.target.plugins.os.unix.linux.fortios._os¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.os.unix.linux.fortios._os`¶