
Penetration Testing mailing list archives
Re: [PEN-TEST] Citrix
From: Christopher Winter <cwinter () mentortech com>
Date: Tue, 10 Oct 2000 13:29:45 -0400
It's been a while since I have worked a lot with Citrix. Most of my experience is with Citrix MetaFrame on NT 4.0 Terminal Server Edition, so I am not sure how much will apply to the newer Windows 2000 based installs of MetaFrame. Either way, here are some comments:

Citrix access is always done via a Citrix client. The web based Citrix access (through an applet) is still using the regular old Citrix ports/client for access. Looking at the sniffer traces, a web client connects to the web server, and then it downloads the appropriate applet (one for IE, one for Netscape); after this it is done with port 80 or 443 (or whatever http(s) port you are using). From there on it uses ICA on TCP port 1494 (this being the default port, which can and should be changed). The Citrix client will also connect up to UDP 1604, to gain access to the ICA Master Browser, IF published applications and/or Server Farms are being used.

You can use a bunch of the Citrix Query commands to pull info from the ICA Master Browser. The CMD line based utilities are installed with MetaFrame, and require a few DLLs that are present in the Terminal Server Edition of NT 4.0. They may work on 4.0 if you register the DLLs that they bark for. Also it may work from 2000, I have never tried. I don't recall if IP addresses can be used with the query commands; if not, drop the ICA browser IP in your lmhosts file. The query commands that can be used are:

QUERY LICENSE /SERVER:<SERVERNAME> /ALL (this will list all the licensing info about all of the Citrix servers that this ICA browser knows about. This is a great way to get info for social engineering, and also a good way to determine other Citrix servers on the network.)

QUERY SERVER gives a boat load of information. Browse over to http://www.citrix.com/support and look in appendix A of the MetaFrame 1.8 administration manual (located in the product documentation section :) for the exact syntax, and a description of all of the switches you can use.

Anyway, the QUERY stuff isn't going to break you into a Citrix Server, but it will give you a lot of net mapping info, and a possible Social Engineering slant. After determining where the Citrix servers are, I like to just try and logon to them. In the old days of WinFrame the guest account was usually an easy way to get in, as it was based off of the 3.51 rev of NT, which by default had the guest account enabled with a blank password (I think they fixed that with a patch later on, but I can't recall for sure). Most of the Servers that I have ever tested belonged to a domain, and the admins were usually not smart enough to tweak the registry to NOT allow users to change from the domain logon to a local machine logon at the initial logon screen. Many times it is as easy as changing to the local machine, and trying to logon with administrator and a cheesy password (such as blank, password, admin... you get the idea) that they used during the install, prior to adding the machine to the domain.

Another thing that I see quite often is the Microsoft RDP (Remote Desktop Protocol) port left open (TCP 3389). Now any admin worth their salt will block everything at the firewall; however, some will leave the RDP port open. RDP is Microsoft's implementation of the RDP protocol :). It is slow, and doesn't have any of the nifty extras that the ICA protocol has; that is why you hardly ever see an MS Terminal Server without MetaFrame installed on top. It often gets overlooked, and all the security in the world on the ICA sessions is moot if you can make an RDP connection. The RDP client can be downloaded from Microsoft's site (the ActiveX IE plugin is located at http://www.microsoft.com/Windows2000/news/bulletins/tsac.asp). Also don't forget that ICA runs over other transports besides TCP/IP, such as IPX, and even NetBEUI (this may not help from an Internet based pentest, but it has its uses on the LAN).

It is also important to remember that NT 4.0 Terminal Server Edition is usually a few months behind the regular version of NT 4.0 in its service pack releases. Currently they are both at SP6 (not sure about hot-fixes though); however, for the longest time TSE was at SP4, and NT was up to SP5 (possibly SP6, I don't recall). So if a particularly nasty attack comes out for NT 4, there is a fairly good chance that it won't get fixed for TSE for a few months.

On many Citrix Servers anonymous access is given to certain published applications. This is a great place to start trying to 'bust' out of your current context, to gain admin/console access to the box. Attack this like you had been given console guest access to a server, with locked down ACLs. If you are at the machine, there has got to be a way to elevate your permissions, or to access data outside of your little sand box. An easy one that comes to mind is the system info applet that runs from the help menu inside MS Office (97 for sure, not sure about other versions). This will allow you to get to a 'run' prompt where you can possibly run things like regedit, cmd.com etc. You get the idea.

I hope this is what you were looking for. If you have any additional questions, drop me a line. If anyone sees anything that looks out of place here, please let the list know.

Thanks,
Chris Winter

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Beauregard, Claude Q
Sent: Monday, October 09, 2000 12:15 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Citrix

Has anyone done any penetration regarding Citrix and Internet access as provided by the Citrix servers to internal network resources? Even though they are now using 128bit encryption for the client, the hole in the firewall is there waiting to be exploited.

Thanks
Claude
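A defender-side check that follows from the post, added here as example code and not part of the original message or of any Citrix or Microsoft tooling: it reads constructed connection log lines and flags the exposures Chris describes (ICA still listening on the default TCP 1494, the UDP 1604 ICA Master Browser reachable from outside, and RDP on TCP 3389 open alongside ICA). The log format, the addresses, and the treatment of RFC 1918 ranges as "internal" are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample connection log (not from the post or any real system):
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
tcp 203.0.113.7:51022 -> 192.0.2.10:443
tcp 203.0.113.7:51023 -> 192.0.2.10:1494
udp 203.0.113.7:51024 -> 192.0.2.10:1604
tcp 198.51.100.9:40000 -> 192.0.2.10:3389
tcp 10.0.0.5:33000 -> 192.0.2.10:3389
tcp 203.0.113.7:51025 -> 192.0.2.10:1494
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Assumed internal ranges; any other source is treated as Internet-facing.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The services the post calls out, keyed by (protocol, destination port).
WATCHED = {
    ("tcp", 1494): "ICA on default TCP 1494 (post: the default can and should be changed)",
    ("udp", 1604): "ICA Master Browser on UDP 1604 reachable from outside (QUERY LICENSE/SERVER "
                   "will enumerate the farm)",
    ("tcp", 3389): "RDP on TCP 3389 reachable from outside (ICA-side controls are moot)",
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def audit(log_text: str) -> list:
    """One finding per distinct (proto, dst, port) that an external source reached."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        proto, src, _sport, dst, dport = m.groups()
        key = (proto, int(dport))
        if key in WATCHED and not is_internal(src):
            findings.setdefault((proto, dst, int(dport)), WATCHED[key])
    return [{"proto": p, "dst": d, "port": port, "issue": issue}
            for (p, d, port), issue in sorted(findings.items())]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['proto']}/{f['port']} on {f['dst']}: {f['issue']}")
```

The internal 10.0.0.5 RDP session is deliberately not reported, since the point of the post is what is reachable through the firewall hole.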
Current thread:
- [PEN-TEST] Citrix Beauregard, Claude Q (Oct 09)
- Re: [PEN-TEST] Citrix van der Kooij, Hugo (Oct 10)
- Re: [PEN-TEST] Citrix Peter Van Epp (Oct 10)
- Re: [PEN-TEST] Citrix Ryan Russell (Oct 10)
- Re: [PEN-TEST] Citrix Christopher Winter (Oct 10)
- <Possible follow-ups>
- Re: [PEN-TEST] Citrix Beauregard, Claude Q (Oct 10)
- Re: [PEN-TEST] Citrix van der Kooij, Hugo (Oct 10)
- Re: [PEN-TEST] Citrix van der Kooij, Hugo (Oct 10)