#!/bin/bash
#===============================================================================
#
# DIRECTORY:
#   /home/*/.local/share/nautilus/scripts/05b-macOS/
# OR
#   /home/*/.gnome2/nautilus-sctipts/05b-macOS/ (deprecated)
#
# FILE:
#   05b-E01-dump-SALTED-SHA1-v10.7
#
# USAGE:
#   Right klick on an EWF image (.E01) and
#   choose this nautilus script from the context menu.
#
# OPTIONS:
#   none
#
# DESCRIPTION:
#   Extracts the Hashes out of the last Mac OS X (10.7)
#
# REQUIREMENTS:
#   bash, zenity, sleuthkit, awk, findutils, libplist-utils, sed, grep,
#     coreutils and xxd
#
# BUGS:
#   ---
#
# NOTES:
#   Tested on
#   - Debian 8+
#   - Arch Linux
#
# AUTHOR:
#   Patrick Neumann, patrick@neumannsland.de
#
# COMPANY:
#   (privately)
#
# VERSION:
#   0.9 (beta)
#
# LINK TO THE MOST CURRENT VERSIONS:
#   https://...
#
# CREATED:
#   21.06.2020
#
# COPYRIGHT (C):
#   2015-2020 - Patrick Neumann
#
# LICENSE:
#   This program is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or
#   (at your option) any later version.
#
# WARRANTY:
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# TODO:
#   ----
#
# HISTORY:
#   0.9 - Patrick Neumann - Initial (public) release
#
#===============================================================================

#-------------------------------------------------------------------------------
# Additional supported Distribution(s) (add before Library!).
#-------------------------------------------------------------------------------
# fred-report-templates have to be copied manually to!
SUPPORTED_OSR="arch"

#-------------------------------------------------------------------------------
# Check for library (casualscripter_nautilus-scripts_functions.sh).
#-------------------------------------------------------------------------------
readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
if [ ! -f "${LIBRARY}" ] ; then
  zenity --error \
         --text \
         "ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
  exit 1
fi

source "${LIBRARY}"

#-------------------------------------------------------------------------------
# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
#-------------------------------------------------------------------------------
check_dep "${IFIND_BIN}" "sleuthkit"
check_dep "${FLS_BIN}" "sleuthkit"
check_dep "${AWK_BIN}" "awk"
check_dep "${ICAT_BIN}" "sleuthkit"
check_dep "${FIND_BIN}" "findutils"
check_dep "${PLUTIL_BIN}" "libplist-utils"
check_dep "${SED_BIN}" "sed"
check_dep "${GREP_BIN}" "grep"
check_dep "${TR_BIN}" "coreutils"
check_dep "${BASE64_BIN}" "coreutils"
check_dep "${XXD_BIN}" "xxd"

check_ext "${SOURCE}" "[eE]01"

check_tmp

#-------------------------------------------------------------------------------
# A little bit of configuration before the magic.
#-------------------------------------------------------------------------------
readonly OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"

readonly HASHES="${TMP}/${OFFSET}-hashes.txt"

#-------------------------------------------------------------------------------
# Extract user plists and get the password with a little bit of command line
#   kung fu.
# Only HFS+ support is needed.
#-------------------------------------------------------------------------------
if ! [ -f "${HASHES}" ] ; then
  USERS="$( ${IFIND_BIN} -o "${OFFSET}" -n "/private/var/db/dslocal/nodes/Default/users" "${SOURCE}" )"
  for line in $( ${FLS_BIN} -o "${OFFSET}" "${SOURCE}" "${USERS}" | ${AWK_BIN} '$NF !~ /^_/ { print $(NF-1) $NF; }' ) ; do
    ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${line%:*}" > "${TMP}/user-${line#*:}"
  done

  for plist in $( ${FIND_BIN} "${TMP}" -type f -iname "user-*.plist" -size +1k ) ; do
    user="${plist#*user-}"
    user="${user%.plist}"

    ${PLUTIL_BIN} --infile "${plist}" \
      | ${SED_BIN} --silent '/ShadowHashData/,/<\/array>/ p' \
      | ${GREP_BIN} --extended-regexp --invert-match "<.*>" \
      | ${SED_BIN} --regexp-extended 's/[[:space:]]//g' \
      | ${TR_BIN} --delete '\n' \
      | ${BASE64_BIN} --decode \
      > "${TMP}/shadowhashdata-${user}.plist"

    ${PLUTIL_BIN} --infile "${TMP}/shadowhashdata-${user}.plist" \
      | ${SED_BIN} --silent '/SALTED-SHA512/,/<\/data>/ p' \
      | ${GREP_BIN} --extended-regexp --invert-match "<.*>" \
      | ${SED_BIN} --regexp-extended 's/[[:space:]]//g' \
      | ${BASE64_BIN} --decode \
      | ${XXD_BIN} -bits -plain \
      | ${TR_BIN} --delete '\n' \
      >> "${HASHES}"
  done
fi

#-------------------------------------------------------------------------------
# Display content of the resultfile "hashes.txt".
#-------------------------------------------------------------------------------
display_resultfile "${HASHES}"

exit 0