From e827cccd480f8dd4c39135755a9a9e54b8184c98 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Wed, 27 Nov 2024 16:21:01 +0000 Subject: [PATCH 1/2] Improve TeamCity Login Scanner --- .../framework/login_scanner/teamcity.rb | 37 +++++++++++++++---- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/teamcity.rb b/lib/metasploit/framework/login_scanner/teamcity.rb index a950bee07ec7..cca9b3804ea6 100644 --- a/lib/metasploit/framework/login_scanner/teamcity.rb +++ b/lib/metasploit/framework/login_scanner/teamcity.rb @@ -122,7 +122,11 @@ def encrypt_data(text, public_key) DEFAULT_PORT = 8111 LIKELY_PORTS = [8111] - LIKELY_SERVICE_NAMES = ['skynetflow'] # Comes from nmap 7.95 on MacOS + LIKELY_SERVICE_NAMES = [ + # Comes from nmap 7.95 on MacOS + 'skynetflow', + 'teamcity' + ] PRIVATE_TYPES = [:password] REALM_KEY = nil @@ -134,9 +138,26 @@ class TeamCityError < StandardError; end class StackLevelTooDeepError < TeamCityError; end class NoPublicKeyError < TeamCityError; end class PublicKeyExpiredError < TeamCityError; end - class DecryptionException < TeamCityError; end + class DecryptionError < TeamCityError; end class ServerNeedsSetupError < TeamCityError; end + # Checks if the target is JetBrains TeamCity. The login module should call this. + # + # @return [Boolean] TrueClass if target is TeamCity, otherwise FalseClass + def check_setup + request_params = { + 'method' => 'GET', + 'uri' => normalize_uri(@uri.to_s, LOGIN_PAGE) + } + res = send_request(request_params) + + if res && res.code == 200 && res.body&.include?('Log in to TeamCity') + return false + end + + "Unable to locate \"Log in to TeamCity\" in headers. (Is this really TeamCity?)" + end + # Extract the server's public key from the server. # @return [Hash] A hash with a status and an error or the server's public key. def get_public_key @@ -209,17 +230,19 @@ def try_login(username, password, public_key, retry_counter = 0) # Currently, those building blocks are not available, so this is the approach I have implemented. timeout = res.body.match(/login only in (?\d+)s/)&.named_captures&.dig('timeout')&.to_i if timeout - framework_module.print_status "User '#{username}' locked out for #{timeout} seconds. Sleeping, and retrying..." - sleep(timeout + 1) # + 1 as TeamCity is off-by-one when reporting the lockout timer. - result = try_login(username, password, public_key, retry_counter + 1) - return result + framework_module.print_status "#{@host}:#{@port} - User '#{username}:#{password}' locked out for #{timeout} seconds. Sleeping, and retrying..." if framework_module + sleep(timeout + 1) + return try_login(username, password, public_key, retry_counter + 1) end return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res } if res.body.match?('Incorrect username or password') - raise DecryptionException, 'The server failed to decrypt the encrypted password' if res.body.match?('DecryptionFailedException') + raise DecryptionError, 'The server failed to decrypt the encrypted password' if res.body.match?('DecryptionFailedException') raise PublicKeyExpiredError, 'The server public key has expired' if res.body.match?('publicKeyExpired') + # After filtering out known failures, default to retuning the credential as working. + # This way, people are more likely to notice any incorrect credential reporting going forward and report them, + # the scenarios for which can then be correctly implemented and handled similar to the above. { status: :success, proof: res } end From 76c93f4d33eb9351cca48aeab2141f3771bab64b Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Mon, 2 Dec 2024 22:04:56 +0000 Subject: [PATCH 2/2] Log search for TeamCity in body instead of headers --- lib/metasploit/framework/login_scanner/teamcity.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/metasploit/framework/login_scanner/teamcity.rb b/lib/metasploit/framework/login_scanner/teamcity.rb index cca9b3804ea6..f4cc52f0702d 100644 --- a/lib/metasploit/framework/login_scanner/teamcity.rb +++ b/lib/metasploit/framework/login_scanner/teamcity.rb @@ -155,7 +155,7 @@ def check_setup return false end - "Unable to locate \"Log in to TeamCity\" in headers. (Is this really TeamCity?)" + "Unable to locate \"Log in to TeamCity\" in body. (Is this really TeamCity?)" end # Extract the server's public key from the server.