#!/bin/bash
#===============================================================================
#
# DIRECTORY:
#   /home/*/.local/share/nautilus/scripts/05b_macOS/
# OR
#   /home/*/.gnome2/nautilus-scripts/05b_macOS/ (deprecated)
#
# FILE:
#   03_credentials
#
# USAGE:
#   Right click on an EWF image (.E01) and
#   choose this nautilus script from the context menu.
#
# OPTIONS:
#   none
#
# DESCRIPTION:
#   Shows password hints, configured autoLoginUser and
#   recalculated kcpassword (if present).
#
# REQUIREMENTS:
#   bash, zenity, sleuthkit, awk, grep, libplist-utils, print_plist_entry.py,
#     kcpass.py, vim and coreutils
#
# BUGS:
#   ---
#
# NOTES:
#   Tested on
#   - Debian 8+
#   - Arch Linux
#
# AUTHOR:
#   Patrick Neumann, patrick@neumannsland.de
#
# COMPANY:
#   (privately)
#
# VERSION:
#   0.9 (beta)
#
# LINK TO THE MOST CURRENT VERSIONS:
#   https://
#
# CREATED:
#   23.03.2016
#
# COPYRIGHT (C):
#   2015-2020 - Patrick Neumann
#
# LICENSE:
#   This program is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or
#   (at your option) any later version.
#
# WARRANTY:
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# TODO:
#   ---
#
# HISTORY:
#   0.9 - Patrick Neumann - Initial (public) release
#===============================================================================

#-------------------------------------------------------------------------------
# Additional supported Distribution(s) (add before Library!).
#-------------------------------------------------------------------------------
SUPPORTED_OSR="arch"

#-------------------------------------------------------------------------------
# Locate the shared function library two directory levels above this script
# (casualscripter_nautilus-scripts_functions.sh, stored as a dotfile) and load
# it. Without it none of the check_* helpers or *_BIN variables used below
# exist, so the script stops with an error dialog.
# NOTE(review): the library is sourced, i.e. executed with the examiner's
# privileges, from a path derived from $0 - keep that directory writable by
# the owning user only.
#-------------------------------------------------------------------------------
readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"

[ -f "${LIBRARY}" ] || {
  # ZENITY_BIN is not defined yet at this point, hence the bare command name.
  zenity --error --text "ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
  exit 1
}

# shellcheck source=/dev/null
source "${LIBRARY}"

#-------------------------------------------------------------------------------
# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
#-------------------------------------------------------------------------------
# External tools used by this script, one "<path variable>:<label>" entry per
# tool. The label is handed to check_dep as its second argument (presumably the
# package or script name reported when the tool is missing - see the library).
# The order matches the sequence in which the checks are performed.
dep_table=(
  "AWK_BIN:awk"
  "FLS_BIN:sleuthkit"
  "FSSTAT_BIN:sleuthkit"
  "GREP_BIN:grep"
  "ICAT_BIN:sleuthkit"
  "IFIND_BIN:sleuthkit"
  "MMLS_BIN:sleuthkit"
  "PLUTIL_BIN:libplist-utils"
  "RM_BIN:coreutils"
  "XXD_BIN:vim-common"
  # kcpass.py: https://github.com/casualscripter/mac-osx-forensics
  # (forked from https://github.com/moxilo/mac-osx-forensics)
  "KCPPY_BIN:kcpass.py"
  # print_plist_entry.py: https://raw.githubusercontent.com/casualscripter/debian-stuff
  "PPEPY_BIN:print_plist_entry.py"
)

for dep_entry in "${dep_table[@]}" ; do
  dep_var="${dep_entry%%:*}"
  # Indirect expansion yields the same value the literal "${<NAME>_BIN}" would.
  check_dep "${!dep_var}" "${dep_entry#*:}"
done
unset dep_table dep_entry dep_var

# Only EWF images (*.E01 / *.e01) are handled correctly at the moment.
check_ext "${SOURCE}" "[eE]01"

# Library helper; see casualscripter_nautilus-scripts_functions.sh for what it
# verifies about ${TMP}.
check_tmp

#-------------------------------------------------------------------------------
# A little bit of configuration before the magic.
#-------------------------------------------------------------------------------
# Partition chosen by the examiner: the third "_"-separated field of whatever
# choose_partition prints. It is passed to the Sleuth Kit tools via -o and
# matched against the third column of the mmls listing further down.
readonly OFFSET="$(
  choose_partition "${SOURCE}" \
    | ${AWK_BIN} -F "_" '{ print $3 }'
)"

# Result file; prefixed with the offset so each partition gets its own report.
readonly CREDENTIALS="${TMP}/${OFFSET}_credentials.txt"

#-------------------------------------------------------------------------------
# The wonder...
#-------------------------------------------------------------------------------
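#-------------------------------------------------------------------------------
# Copy one file out of the image by inode address and convert it with
# plistutil so print_plist_entry.py can read it.
# Globals:   ICAT_BIN, PLUTIL_BIN, RM_BIN, OFFSET, SOURCE, TMP (all read)
# Arguments: $1 - inode address inside the partition at ${OFFSET}
#            $2 - path of the converted plist to write
# Returns:   0 once icat succeeded (plistutil's own status is not evaluated,
#            as before); 1 if the scratch file could not be created or icat
#            failed - in that case nothing is converted.
#
# The raw copy used to be written to the predictable name "/tmp/<inode>.plist".
# On a shared workstation another local user could pre-create that path (for
# example as a symlink) and have the examiner's shell overwrite or disclose a
# file. mktemp creates a fresh, unpredictable, owner-only file inside ${TMP}.
#-------------------------------------------------------------------------------
credentials_extract_plist() {
  local inode="${1}"
  local target="${2}"
  local raw

  raw="$( mktemp "${TMP}/raw_plist.XXXXXX" )" || return 1
  if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${inode}" > "${raw}" ; then
    ${RM_BIN} -f -- "${raw}"
    return 1
  fi
  ${PLUTIL_BIN} -i "${raw}" -o "${target}"
  ${RM_BIN} -f -- "${raw}"
  return 0
}

# NOTE(review): ${CREDENTIALS} ends up holding password hints and the decoded
# auto-login password. Its permissions depend on how the library sets up
# ${TMP} - confirm the directory is not readable by other local users.
# The file is only ever appended to, so a second run on the same partition
# adds a second report below the first one.
if ${FSSTAT_BIN} -o "${OFFSET}" "${SOURCE}" > /dev/null 2>&1 ; then
  (
    # --- Partition line ------------------------------------------------------
    echo -e -n "Partition (mmls line):\n  " >> "${CREDENTIALS}"
    # The offset is passed with -v instead of being pasted into the awk program
    # text; ( offset "" ) forces the same string comparison the literal gave.
    ${MMLS_BIN} -aM "${SOURCE}" \
      | ${AWK_BIN} -v offset="${OFFSET}" '$3 == ( offset "" ) { print $0; }' \
      >> "${CREDENTIALS}"

    # --- Local user records (name and password hint) --------------------------
    users="$( ${IFIND_BIN} -o "${OFFSET}" \
                           -n "/private/var/db/dslocal/nodes/Default/users" \
                           "${SOURCE}" )"
    if [ "${users}" != "File not found" ] ; then
      echo -e "\n  Some contents from the OpenDirectory (users):\n" \
        >> "${CREDENTIALS}"
      # Second fls column (inode address, trailing ":" removed) of every plist
      # that does not belong to Guest, daemon, nobody, root or a "_" account.
      users_ls="$( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${users}" \
                   | ${GREP_BIN} --extended-regexp \
                                 --invert-match \
                                 ".*[[:space:]](Guest|_.*|daemon|nobody|root)\.plist" \
                   | ${AWK_BIN} '{ sub( /:/, "", $2 ); print $2; }' )"

      # Read line by line instead of word-splitting an unquoted variable: fls
      # puts "*" in the second column for deleted entries, and the old
      # "for user in ${users_ls}" expanded that as a glob in the working
      # directory. Anything that is not an inode address (digits, optionally
      # "-type-id") is skipped. fd 3 keeps the list away from the stdin of the
      # tools called inside the loop.
      inode_re='^[0-9]+(-[0-9]+)*$'
      while IFS= read -r user <&3 ; do
        [[ "${user}" =~ ${inode_re} ]] || continue
        user_plist="${TMP}/${user}.plist"
        # The former "[ ! -f ${user}.plist ]" test looked in the current
        # working directory, not in ${TMP}; it has been dropped so every record
        # is extracted from the image that is actually being examined.
        if ! credentials_extract_plist "${user}" "${user_plist}" ; then
          echo "  During the execution of icat an error occurred." >> "${CREDENTIALS}"
          echo >> "${CREDENTIALS}"
          continue
        fi
        echo -e -n "  " >> "${CREDENTIALS}"
        ${PPEPY_BIN} "${user_plist}" "name" >> "${CREDENTIALS}"
        echo -e -n "  " >> "${CREDENTIALS}"
        ${PPEPY_BIN} "${user_plist}" "hint" >> "${CREDENTIALS}"
        echo >> "${CREDENTIALS}"
      done 3<<< "${users_ls}"
    else
      echo -e "  Directory \"/private/var/db/dslocal/nodes/Default/users\" not found.\n" \
        >> "${CREDENTIALS}"
    fi

    # --- Login window preferences (lastUserName, autoLoginUser) ---------------
    calp="$( ${IFIND_BIN} -o "${OFFSET}" \
                          -n "/Library/Preferences/com.apple.loginwindow.plist" \
                          "${SOURCE}" )"
    if [ "${calp}" != "File not found" ] ; then
      calp_plist="${TMP}/${calp}.plist"
      if credentials_extract_plist "${calp}" "${calp_plist}" ; then
        echo -e -n "  Some content from com.apple.loginwindow.plist:\n  " \
          >> "${CREDENTIALS}"
        ${PPEPY_BIN} "${calp_plist}" "lastUserName" >> "${CREDENTIALS}"
        echo -e -n "  " >> "${CREDENTIALS}"
        ${PPEPY_BIN} "${calp_plist}" "autoLoginUser" >> "${CREDENTIALS}"
        echo >> "${CREDENTIALS}"
      else
        # Nothing was converted, so there is nothing meaningful to print.
        echo "  During the execution of icat an error occurred." \
          >> "${CREDENTIALS}"
      fi
    else
      echo -e "  File \"/Library/Preferences/com.apple.loginwindow.plist\" not found.\n" \
        >> "${CREDENTIALS}"
    fi

    # --- Auto-login password (/private/etc/kcpassword) ------------------------
    kcpw="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/etc/kcpassword" "${SOURCE}" )"
    if [ "${kcpw}" != "File not found" ] ; then
      echo -e "\nPassword (kcpass.py CREDENTIALS):" >> "${CREDENTIALS}"
      # kcpass.py receives the file content as a hex string on its command
      # line. NOTE(review): argv is visible to other local users via ps while
      # the helper runs; acceptable only on a single-user analysis machine.
      if ! ${KCPPY_BIN} "$( ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${kcpw}" \
           | ${XXD_BIN} -p )" \
           >> "${CREDENTIALS}" ; then
        echo "During the execution of kcpass.py an error occurred." \
          >> "${CREDENTIALS}"
      fi
    else
      echo -e "  File \"/private/etc/kcpassword\" not found.\n" \
        >> "${CREDENTIALS}"
    fi
  ) | ${ZENITY_BIN} --progress \
                    --title="credentials" \
                    --text="Please wait..." \
                    --pulsate
else
  # fsstat could not interpret the partition at ${OFFSET}.
  echo -e "  ? (The Sleuth Kit does not support the filesystem!)\n" \
    >> "${CREDENTIALS}"
fi

#-------------------------------------------------------------------------------
# Display content of the resultfile "credentials.txt".
#-------------------------------------------------------------------------------
display_resultfile "${CREDENTIALS}"

exit 0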
