dissect.target.plugins.apps.ssh.putty

Module Contents

Classes

PuTTYPlugin

Extract artifacts from the PuTTY client.

Functions

parse_host_user	Parse host and user from PuTTY hostname component.
construct_public_key	Returns OpenSSH format public key calculated from PuTTY SshHostKeys format and set of fingerprints.

Attributes

HAS_CRYPTO
log
PuTTYUserRecordDescriptor
PuTTYSessionRecord

dissect.target.plugins.apps.ssh.putty.HAS_CRYPTO = True

dissect.target.plugins.apps.ssh.putty.log

dissect.target.plugins.apps.ssh.putty.PuTTYUserRecordDescriptor

dissect.target.plugins.apps.ssh.putty.PuTTYSessionRecord

class dissect.target.plugins.apps.ssh.putty.PuTTYPlugin(target)

Bases: dissect.target.plugins.apps.ssh.ssh.SSHPlugin

Extract artifacts from the PuTTY client.

Note

• Does not parse $HOME/.putty/randomseed (GNU/Linux) and HKCU\Software\SimonTatham\PuTTY\RandSeedFile (Windows)

Resources:

• http://www.chiark.greenend.org.uk/~sgtatham/putty/0.78/puttydoc.txt

• http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-settings

__namespace__ = 'putty'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

known_hosts() → Iterator[dissect.target.plugins.apps.ssh.ssh.KnownHostRecord]

Parse PuTTY saved SshHostKeys.

sessions() → Iterator[PuTTYSessionRecord]

Parse PuTTY saved session configuration files.

dissect.target.plugins.apps.ssh.putty.parse_host_user(host: str, user: str) → tuple[str, str]

Parse host and user from PuTTY hostname component.

dissect.target.plugins.apps.ssh.putty.construct_public_key(key_type: str, iv: str) → tuple[str, tuple[str, str, str]]

Returns OpenSSH format public key calculated from PuTTY SshHostKeys format and set of fingerprints.

PuTTY stores raw public key components instead of OpenSSH-formatted public keys or fingerprints. With RSA public keys the exponent and modulus are stored. With ECC keys the x and y prime coordinates are stored together with the curve type.

Currently supports ssh-ed25519, ecdsa-sha2-nistp256 and rsa2 key types.

NOTE: More key types could be supported in the future.

Resources:

• https://github.com/github/putty/blob/master/contrib/kh2reg.py

• https://pycryptodome.readthedocs.io/en/latest/src/public_key/rsa.html

• https://pycryptodome.readthedocs.io/en/latest/src/public_key/ecc.html

• https://github.com/mkorthof/reg2kh