mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-14 08:56:15 +00:00
fe62624541
Added additional RegRipper modules to support STIX data. Stopped RecentActivity IE parser from generating empty user accounts.
110 lines
3.0 KiB
Perl
Executable File
110 lines
3.0 KiB
Perl
Executable File
# ssh_host_keys.pl
|
|
#
|
|
# RegRipper module to extract stored Putty and WinSCP host keys.
|
|
# The keys are found in NTUSER.DAT under:
|
|
#
|
|
# Software\Martin Prikryl\WinSCP 2\SshHostKeys
|
|
# Software\SimonTatham\Putty\SshHostKeys
|
|
#
|
|
# Change History
|
|
# 04/02/2013 Added rptMsg for key not found errors by Corey Harrell
|
|
#
|
|
# Presence of a host key indicates a successful connection to a given host,
|
|
# but not necessarily a successful login.
|
|
#
|
|
# RegRipper module author Hal Pomeranz <hal.pomeranz@mandiant.com>
|
|
|
|
package ssh_host_keys;
|
|
|
|
use strict;
|
|
|
|
my %config = ('hive' => 'NTUSER.DAT',
|
|
'hasShortDescr' => 1,
|
|
'hasDescr' => 0,
|
|
'hasRefs' => 0,
|
|
'osmask' => 22,
|
|
'version' => '20120809');
|
|
|
|
sub getConfig { return(%config); }
|
|
sub getShortDescr { return('Extracts Putty/WinSCP SSH Host Keys'); }
|
|
sub getDescr {}
|
|
sub getRefs {}
|
|
sub getHive { return($config{'hive'}); }
|
|
sub getVersion { return($config{'version'}); }
|
|
|
|
my $VERSION = $config{'version'};
|
|
|
|
sub pluginmain {
|
|
my($class, $hive) = @_;
|
|
my($reg, $root, $key) = ();
|
|
|
|
::logMsg("Launching ssh_host_keys v.$VERSION\n");
|
|
::rptMsg("ssh_host_keys v.".$VERSION); # banner
|
|
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
|
|
unless ($reg = Parse::Win32Registry->new($hive)) {
|
|
# ::logMsg("Failed to open $hive: $!");
|
|
return();
|
|
}
|
|
unless ($root = $reg->get_root_key()) {
|
|
# ::logMsg("Failed to get root key from $hive: $!");
|
|
return();
|
|
}
|
|
|
|
if ($key = $root->get_subkey('Software\SimonTatham\Putty\SshHostKeys')) {
|
|
display_key_data($key);
|
|
}
|
|
else {
|
|
# ::logMsg('"Software\SimonTatham\Putty\SshHostKeys" does not exist' . "\n");
|
|
::rptMsg('"Software\SimonTatham\Putty\SshHostKeys" does not exist' . "\n"); # line added on 04/02/2013
|
|
}
|
|
|
|
if ($key = $root->get_subkey('Software\Martin Prikryl\WinSCP 2\SshHostKeys')) {
|
|
display_key_data($key);
|
|
}
|
|
else {
|
|
# ::logMsg('"Software\Martin Prikryl\WinSCP 2\SshHostKeys" does not exist');
|
|
::rptMsg('"Software\Martin Prikryl\WinSCP 2\SshHostKeys" does not exist'); # line added on 04/02/2013
|
|
}
|
|
}
|
|
|
|
|
|
sub display_key_data {
|
|
my($key) = @_;
|
|
|
|
my $path = $key->get_path();
|
|
$path =~ s/.*?\\//;
|
|
|
|
::rptMsg("$path\nLast Updated: " . scalar(gmtime($key->get_timestamp())) . " UTC\n");
|
|
|
|
my(%sort, %host_info) = ();
|
|
my @vals = $key->get_list_of_values();
|
|
foreach my $val (@vals) {
|
|
my $name = $val->get_name();
|
|
my($type, $port, $host) = $name =~ /^([^@]+)@(\d+):(.*)$/;
|
|
my $host_key = $val->get_data();
|
|
|
|
if ($host =~ /^[\d.]+$/) {
|
|
$sort{$name} = sprintf("%03d%03d%03d%03d", split(/\./, $host));
|
|
}
|
|
else { $sort{$name} = $host; }
|
|
|
|
$host_info{$name} = {
|
|
'host' => $host,
|
|
'port' => $port,
|
|
'type' => $type,
|
|
'key' => $host_key
|
|
};
|
|
}
|
|
|
|
foreach my $name (
|
|
sort { $sort{$a} cmp $sort{$b} ||
|
|
$host_info{$a}{'port'} <=> $host_info{$b}{'port'} ||
|
|
$host_info{$a}{'type'} cmp $host_info{$b}{'type'}
|
|
} keys(%host_info)) {
|
|
::rptMsg("$host_info{$name}{'host'}:$host_info{$name}{'port'} ($host_info{$name}{'type'})");
|
|
::rptMsg("$host_info{$name}{'key'}\n");
|
|
}
|
|
}
|
|
|
|
1;
|