
Penetration Testing mailing list archives

Re: Citrix exploits?
From: "Ben Nell" <enemy.cow () gmail com>
Date: Sun, 13 Aug 2006 22:55:38 -0500

On 11 Aug 2006 22:35:38 -0000, 09Sparky () gmail com <09Sparky () gmail com> wrote:
> Does anyone have any good techniques or exploits available for Citrix (web)? I am working on exploiting a Citrix server
> with a front end webpage, but am unsuccessful.  Any suggestions/thoughts?

Do you have a valid user name and login for the Citrix farm?  If the
launch.ica files (provided as links, once logged into the web
interface) can be downloaded and opened in a text editor, they will
provide you with information about the connection that the farm is set
up to use.  Is the web interface using SSL?  If the site's running
over SSL, it's possible that they have their farm behind a Citrix
Access Gateway (AG) or MetaFrame Secure Access Manager (MSAM).  In the
case that an AG or MSAM is deployed, the connection is encrypted on
the backend, otherwise you should be able to capture session
information on the backend.  You can tell if one of these technologies
is in use because ports 1494 (ICA) and 2598 (session reliability) will
not be open in such a setup.

I would also note the type of farm that's set up.  Citrix "best
practice" suggests setting up a farm using the naming convention
"meta01" for the first server in the farm and moving up.  I would
check for additional DNS names using the same convention.
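
The launch.ica review described in the message above, as an added example that is not part of the original post: it reads an ICA file the way a text editor would and reports whether each published application connects straight to a backend address or is relayed over SSL. The key names (Address, SSLEnable, SSLProxyHost, EncryptionLevelSession) are standard ICA file settings that the post itself does not list; the sample file, its addresses and the audit_ica helper are constructed for illustration.

```python
import configparser

# Constructed sample launch.ica (not from the original post); values are placeholders.
SAMPLE_ICA = """\
[WFClient]
Version=2
TcpBrowserAddress=10.0.0.21

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=Basic
SSLEnable=Off
"""

def audit_ica(text):
    """Return (app, finding) pairs describing what an ICA file discloses."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    findings = []
    # [ApplicationServers] lists the published applications, one section each.
    apps = cp.options("ApplicationServers") if cp.has_section("ApplicationServers") else []
    for app in apps:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        ssl_on = sec.get("SSLEnable", "Off").lower() == "on"
        proxy = sec.get("SSLProxyHost", "")
        if ssl_on and proxy:
            findings.append((app, f"session relayed over SSL via {proxy}"))
        else:
            addr = sec.get("Address", "")
            findings.append((app, f"direct ICA connection to backend {addr}"))
        # Basic is the weakest ICA session encryption level.
        if not ssl_on and sec.get("EncryptionLevelSession", "Basic").lower() == "basic":
            findings.append((app, "session encryption is Basic only"))
    return findings

if __name__ == "__main__":
    for app, finding in audit_ica(SAMPLE_ICA):
        print(f"[{app}] {finding}")
```

A farm owner can run the same check over the ICA files their own web interface hands out to confirm that no internal addresses or unencrypted session settings reach clients.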


