fox-it · Miauwkeru · Jul 18, 2023 · Jul 18, 2023
diff --git a/acquire/acquire.py b/acquire/acquire.py
@@ -1330,6 +1330,7 @@
 @register_module("--home")
 class Home(Module):
     SPEC = [
+        # TODO: Use from_user_home if supported for osx
         ("glob", "/root/.*[akz]sh*"),
         ("dir", "/root/.config"),
         ("glob", "/home/*/.*[akz]sh*"),
@@ -1338,6 +1339,7 @@
         ("glob", "/home/*/*/.config"),
         # OS-X home (aka /Users)
         ("glob", "/Users/*/.*[akz]sh*"),
+        ("glob", "/Users/*/.config"),
         ("glob", "/Users/*/.bash_sessions/*"),
         ("glob", "/Users/*/Library/LaunchAgents/*"),
         ("glob", "/Users/*/Library/Logs/*"),
@@ -1346,6 +1348,36 @@
     ]
 
 
+@register_module("--ssh")
+class SSH(Module):
+    @classmethod
+    def _run(cls, target: Target, collector):
+        user_pattern = ".ssh/*"
+
+        # Gather user paths
+        # TODO: Use from_user_home if supported for osx
+        if target._os.os == "osx":
+            iterator = [f"/Users/*/{user_pattern}"]
+        else:
+            iterator = list(from_user_home(target, user_pattern))
+
+        # Acquire SSH configuration in sshd directories
+        iterator += ["/etc/ssh/*", "sysvol/ProgramData/ssh/*"]
+
+        globbed_path = (path for pattern in iterator for path in target.fs.glob(pattern))
+        for path in globbed_path:
+            if target.fs.path(path).is_dir():
+                collector.collect_dir(path)
+                continue
+
+            with target.fs.path(path).open("rt") as file:
+                if "PRIVATE KEY" in file.readline():
+                    # Detected a private key, skipping.
+                    continue
+
+            collector.collect_file(path, outpath=path)
+
+
 @register_module("--var")
 class Var(Module):
     SPEC = [
@@ -1919,17 +1951,20 @@
             QuarantinedFiles,
             RemoteAccess,
             WindowsNotifications,
+            SSH,
         ],
         "linux": [
             Etc,
             Boot,
             Home,
             History,
+            SSH,
             Var,
         ],
         "bsd": [
             Etc,
             Boot,
+            SSH,
             Home,
             Var,
             BSD,
@@ -1938,13 +1973,15 @@
             Bootbanks,
             ESXi,
             VMFS,
+            SSH,
         ],
         "osx": [
             Etc,
             Home,
             Var,
             OSX,
             History,
+            SSH,
         ],
     },
     "default": {
@@ -1975,19 +2012,22 @@
             Etc,
             Boot,
             Home,
+            SSH,
             Var,
         ],
         "bsd": [
             Etc,
             Boot,
             Home,
+            SSH,
             Var,
             BSD,
         ],
         "esxi": [
             Bootbanks,
             ESXi,
             VMFS,
+            SSH,
         ],
         "osx": [
             Etc,
@@ -2012,18 +2052,21 @@
             Etc,
             Boot,
             Home,
+            SSH,
             Var,
         ],
         "bsd": [
             Etc,
             Boot,
             Home,
+            SSH,
             Var,
             BSD,
         ],
         "esxi": [
             Bootbanks,
             ESXi,
+            SSH,
         ],
         "osx": [
             Etc,