dissect.target.plugins.os.unix.linux.fortios._os

Module Contents

Classes

FortiOSPlugin

FortiOS plugin for various Fortinet appliances.

ConfigNode


FortiOSConfig


Functions

parse_version

Attempt to parse the FortiOS version string from the config into a readable format.

local_groups_to_users

Map FortiOS groups to a dict with usernames as key.

decrypt_password

Decrypt FortiOS encrypted secrets.

key_iv_for_kernel_hash

Return decryption key and IV for a specific SHA256 kernel hash.

decrypt_rootfs

Attempt to decrypt an encrypted rootfs.gz file with given key and IV.

get_kernel_hash

Return the SHA256 hash of the (compressed) kernel.

Attributes

dissect.target.plugins.os.unix.linux.fortios._os.HAS_CRYPTO = True
dissect.target.plugins.os.unix.linux.fortios._os.FortiOSUserRecord
class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.os.unix.linux._os.LinuxPlugin

FortiOS plugin for various Fortinet appliances.

classmethod detect(target: dissect.target.target.Target) -> dissect.target.filesystem.Filesystem | None

Provide detection of this OSPlugin on a given filesystem.

Parameters:

fs – Filesystem to detect the OS on.

Returns:

The root filesystem / sysvol when found.

classmethod create(target: dissect.target.target.Target, sysvol: dissect.target.filesystem.Filesystem) -> FortiOSPlugin

Initiate this OSPlugin with the given target and detected filesystem.

Parameters:
  • target – The Target object.

  • sysvol – The filesystem that was detected in the detect() function.

Returns:

An instantiated version of the OSPlugin.

hostname() -> str | None

Return configured hostname.

ips() -> list[str]

Return IP addresses of configured interfaces.

dns() -> list[str]

Return configured WAN DNS servers.

version() -> str

Return FortiOS version.

users() -> Iterator[FortiOSUserRecord | dissect.target.helpers.record.UnixUserRecord]

Return local users of the FortiOS system.

os() -> str

Return a slug of the target’s OS name.

Returns:

A slug of the OS name, e.g. ‘windows’ or ‘linux’.

architecture() -> str | None

Return architecture FortiOS runs on.

class dissect.target.plugins.os.unix.linux.fortios._os.ConfigNode

Bases: dict


set(path: list[str], value: str) -> None
__getattr__(attr: str) -> ConfigNode | str
class dissect.target.plugins.os.unix.linux.fortios._os.FortiOSConfig

Bases: ConfigNode


classmethod from_fh(fh: TextIO) -> FortiOSConfig
dissect.target.plugins.os.unix.linux.fortios._os.parse_version(input: str) -> str

Attempt to parse the FortiOS version string from the config into a readable format.

The input FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0 would return the following output: FortiGate VM 7.4.1 (build 2463, 2023-08-30).

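A parser for the version string format described above, added here as an example; it is not the plugin's own code. It assumes the prefix mapping FGVM64 -> FortiGate VM (the only one the page shows), a YYMMDD build date, and that the trailing key=value pairs are optional; unknown prefixes are passed through unchanged.

```python
import re
from datetime import datetime
from typing import Optional

# Assumed product-prefix mapping: the page only documents FGVM64 -> "FortiGate VM".
PRODUCT_NAMES = {"FGVM": "FortiGate VM"}

VERSION_RE = re.compile(
    r"^(?P<product>[A-Z]+?)(?P<arch>\d*)-"      # FGVM64
    r"(?P<version>\d+\.\d+\.\d+)-"              # 7.4.1
    r"(?P<kind>[A-Z]+)-build(?P<build>\d+)-"    # FW-build2463
    r"(?P<date>\d{6})"                          # 230830 (YYMMDD, assumed)
    r"(?::(?P<extra>.*))?$"                     # :opmode=0:vdom=0 (optional)
)


def parse_version_fields(value: str) -> Optional[dict]:
    """Split a FortiOS config version string into its fields; None when it does not match."""
    match = VERSION_RE.match(value.strip())
    if not match:
        return None
    fields = match.groupdict()
    fields["product"] = PRODUCT_NAMES.get(fields["product"], fields["product"])
    fields["build"] = int(fields["build"])
    fields["date"] = datetime.strptime(fields["date"], "%y%m%d").date().isoformat()
    # Trailing key=value pairs (opmode, vdom, ...) are kept as a separate dict.
    extra = fields.pop("extra") or ""
    fields["options"] = dict(p.split("=", 1) for p in extra.split(":") if "=" in p)
    return fields


def parse_version(value: str) -> str:
    """Render the version string in readable form, or return the input when parsing fails."""
    fields = parse_version_fields(value)
    if fields is None:
        return value
    return f"{fields['product']} {fields['version']} (build {fields['build']}, {fields['date']})"
```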
dissect.target.plugins.os.unix.linux.fortios._os.local_groups_to_users(config_groups: dict) -> dict

Map FortiOS groups to a dict with usernames as key.

dissect.target.plugins.os.unix.linux.fortios._os.decrypt_password(input: str) -> str

Decrypt FortiOS encrypted secrets.

Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).

Note

  • FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289).

  • FortiGate 4.x uses DES and a static 8-byte key and is not supported.

Returns the decoded plaintext, or the original input ciphertext when decryption failed.

dissect.target.plugins.os.unix.linux.fortios._os.key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]

Return decryption key and IV for a specific SHA256 kernel hash.

The decryption key and IV are used to decrypt the rootfs.gz file.

Parameters:

kernel_hash – SHA256 hash of the kernel file.

Returns:

Tuple with decryption key and IV.

Raises:

ValueError – When no decryption keys are available for the given kernel hash.

dissect.target.plugins.os.unix.linux.fortios._os.decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO

Attempt to decrypt an encrypted rootfs.gz file with given key and IV.

FortiOS releases as of 7.4.1 (2023-08-31) have ChaCha20-encrypted rootfs.gz files. This function attempts to decrypt a rootfs.gz file using a static key and IV that can be found in the kernel.

Known keys can be found in the _keys.py file.

Parameters:
  • fh – File-like object to the encrypted rootfs.gz file.

  • key – ChaCha20 key.

  • iv – ChaCha20 IV.

Returns:

File-like object to the decrypted rootfs.gz file.

Raises:
  • ValueError – When decryption failed.

  • RuntimeError – When PyCryptodome is not available.
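As an added illustration of the decryption step described above (not the project's code, which relies on PyCryptodome), a pure-Python ChaCha20 plus the gzip-magic check a decryptor can use to report failure as a ValueError. It assumes the RFC 7539 layout (32-byte key, 12-byte IV, block counter starting at 0) and uses a constructed gzip stream in place of a real rootfs.gz; the real key and IV live in the kernel and are not on this page.

```python
import gzip
import struct
from io import BytesIO

MASK = 0xFFFFFFFF
SAMPLE_ROOTFS_GZ = gzip.compress(b"constructed sample, not a FortiOS image\n" * 8)  # stand-in rootfs.gz

def _rotl(v: int, c: int) -> int:
    return ((v << c) | (v >> (32 - c))) & MASK

def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte keystream block, RFC 7539 layout: constants, 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column rounds interleaved with 10 diagonal rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, a, b, c, d)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))

def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream (counter starting at 0); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], chacha20_block(key, nonce, i // 64)))
    return bytes(out)

def decrypt_rootfs(fh: BytesIO, key: bytes, iv: bytes) -> BytesIO:
    """Decrypt an encrypted rootfs.gz; raise ValueError when the output is not a gzip stream."""
    plain = chacha20_xor(key, iv, fh.read())
    if plain[:2] != b"\x1f\x8b":  # assumed failure check: the gzip magic must appear after decryption
        raise ValueError("decryption failed: output is not a gzip stream")
    return BytesIO(plain)

def roundtrip_demo(key: bytes, iv: bytes) -> tuple:
    """Encrypt the sample, then report (right key decrypts it, wrong all-zero key is rejected)."""
    encrypted = chacha20_xor(key, iv, SAMPLE_ROOTFS_GZ)
    ok = decrypt_rootfs(BytesIO(encrypted), key, iv).read() == SAMPLE_ROOTFS_GZ
    try:
        decrypt_rootfs(BytesIO(encrypted), bytes(32), iv)
        return ok, False
    except ValueError:
        return ok, True
```

The first assertion worth making against such a block is the RFC 7539 section 2.3.2 keystream vector, so that a transcription slip in the rounds cannot masquerade as a "wrong key".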

dissect.target.plugins.os.unix.linux.fortios._os.get_kernel_hash(sysvol: dissect.target.filesystem.Filesystem) -> str | None

Return the SHA256 hash of the (compressed) kernel.