User Data

User data contains key elements of a user account on the remote host. This will include relevant details about their login name, GECOS fields, SSH keys, etc. But it will never include sensitive information like actual hashed passwords.

Sandfly will return values indicating a password is present and what the password hash type is. Plus, it returns a cryptographic hash of the password hash itself which can allow you to search across all hosts for identical hashes without passing around the actual sensitive data.

For instance, instead of returning the password hash and salt, we'll hash the entire entry and that hash represents that identical password hash and salt combination you can use to search.

For SSH authorized_keys, Sandfly will decode the key entries and present them in a list format. We also will provide file attributes on any authorized_keys files found to allow for building signatures not just on keys, but also file attributes of authorized_keys (e.g. file is immutable and has X number of keys or key duplicates). Again also we return the key found and hashes of that key which allows you to quickly search across all hosts for that information.

User Types

{
    "username": "",
    "gid_name": "",
    "group_membership": null,
    "shell": "",
    "uid": 0,
    "gid": 0,
    "gecos": "",
    "home_dir": "",
    "password": {
        "locked": false,
        "disabled": false,
        "empty": false,
        "present": false,
        "type": "",
        "hash": {
            "md5": "",
            "sha1": "",
            "sha256": "",
            "sha512": ""
        },
        "days_since_last_changed": 0,
        "age_min": 0,
        "age_max": 0,
        "warning_period": 0,
        "inactivity_period": 0,
        "days_since_expired": 0,
        "reserved": ""
    },
    "ssh": {
        "authorized_keys": {
            "present": false,
            "duplicate_found": false,
            "total": 0,
            "data": null,
            "file": null
        }
    }
}


User SSH Types

{
    "authorized_keys": {
        "present": false,
        "duplicate_found": false,
        "total": 0,
        "data": null,
        "file": null
    }
}


User SSH authorized_keys Data Types

{
    "entry_num": 0,
    "entry": "",
    "path": "",
    "options": "",
    "type": "",
    "key": "",
    "hash": {
        "md5": "",
        "sha1": "",
        "sha256": "",
        "sha512": ""
    },
    "comment": ""
}


User SSH authorized_keys File Types

{
    "date": {
        "created": "",
        "created_minutes": 0,
        "modified": "",
        "modified_minutes": 0,
        "accessed": "",
        "accessed_minutes": 0
    },
    "inode": 0,
    "device": 0,
    "rdevice": 0,
    "nlink": 0,
    "mode": "",
    "uid": 0,
    "uid_name": "",
    "gid": 0,
    "gid_name": "",
    "size": 0,
    "size_byte_count": 0,
    "size_mismatch": false,
    "blksize": 0,
    "blocks": 0,
    "path": "",
    "path_root": "",
    "path_link": "",
    "name": "",
    "extension": "",
    "flags": {
        "directory": false,
        "regular": false,
        "link": false,
        "suid": false,
        "suid_root": false,
        "sgid": false,
        "sgid_root": false,
        "socket": false,
        "device": false,
        "char_device": false,
        "named_pipe": false,
        "sticky": false,
        "immutable": false,
        "hidden": false,
        "deleted": false
    },
    "entropy": 0,
    "hash": {
        "md5": "",
        "sha1": "",
        "sha256": "",
        "sha512": ""
    },
    "magic_num": {
        "hex": "",
        "text": "",
        "type": "",
        "class": "",
        "expected_extensions": null
    },
    "data": null
}

Did this page help you?