HACKING CITRIX

Citrix Presentation Server 4.5
- New version is called XenApp/Server

Common Deployments
- NFuse Classic
- CSG – Citrix Secure Gateway

Citrix Components
- Server farm
- Citrix XML service
- ICA client device
- NFuse Web server
- STA – Secure Ticketing Authority

NFuse Classic: Different Interfaces
- Browser accessible: http://server/Citrix/AccessPlatform/auth/login.aspx
- Program neighbourhood: http://server/Citrix/PNAgent/config.xml
- Gateway for Citrix Conferencing Manager: http://server/Citrix/cmguest

NFuse Network
- Browser Enters Credentials Into NFuse Web Page
- NFuse Sends Credentials To XML Service To Validate
- If Valid, XML Service Retrieves Application List From Farm
- NFuse Displays Application List
- User Selects Application And Receives An ICA File
- ICA Client Loads ICA File And Connects To Citrix Farm
- ICA Client Doesn’t NEED NFuse To Connect To Server Farm
[Diagram: ICA Client Device, Browser, ICA Client]

NFuse Network
- Common Basic Deployment For Remote Network Application Exposure
- XML Service Can Sit On The NFuse Server
- XML Service Can Sit On One Of The App Servers
- XML Service Can Sit On Independent Web Server
- Holes In Firewall Please
[Diagram: ICA Client Device, Browser, ICA Client]

Citrix Secure Gateway
- Browser Enters Credentials Into NFuse Web Page
- NFuse Sends Credentials To XML Service To Validate
- If Valid, XML Service Retrieves Application List From Farm
- User Selects Application And NFuse Requests Ticket From STA
- Ticket Returned To Browser As Part Of ICA File
- ICA Client Connects To CSG (SSL) And Sends Ticket
- CSG Verifies Ticket Against STA
- If Verified Then Access Is Provided To Server Farm
- More Secure As Server Farm Not Exposed. Firewalls In Between Segments
- ICA File And Ticket Format Explained Later
[Diagram: ICA Client Device, Browser, ICA Client]

Places To Sniff: HTTP Traffic Between Browser And NFuse
- Cleartext credentials posted to login form
- Web Cookie
- ICA file returned from NFuse
- USE HTTPS
[Diagram: ICA Client Device, Browser, ICA Client]

Places To Sniff: HTTP Traffic Between NFuse And XML Service
- Cleartext XML contains ‘encoded’ credentials
- Character encoding:
    a -> MEGB    b -> MHGC    c -> MGGD    d -> MBGE    e -> MAGF
    f -> MDGG    g -> MCGH    h -> MNGI    i -> MMGJ    j -> MPGK
    k -> MOGL    l -> MJGM    m -> MIGN    n -> MLGO    o -> MKGP
- Password:
    t    -> NBHE
    te   -> NBHE LEBB
    tes  -> NBHE LEBB MHGC
    test -> NBHE LEBB MHGC LDBG
- USE HTTPS
- USE SSLRelay
- In deployments that do not support running the SSL Relay, run the NFuse Web server on your Citrix server
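The table on this slide can be reproduced by a fixed, keyless transform, which is why the slide asks for HTTPS or SSL Relay on the NFuse-to-XML link. The following is an added example, not code from the original presentation or from Citrix; the rule it uses (a running XOR with the constant 0xA5 over UTF-16LE bytes, written as letters A to P) is an assumption inferred from the slide's own values, and it is checked against every entry shown.

```python
# Added example (not from the original slides). The transform below is an
# assumption inferred from the slide's table: UTF-16LE bytes, each XORed with
# 0xA5 and with the previous output byte, then written as two letters A-P.
ALPHABET = "ABCDEFGHIJKLMNOP"

# Values transcribed from the slide (letter spacing removed).
SLIDE_TABLE = {
    "a": "MEGB", "b": "MHGC", "c": "MGGD", "d": "MBGE", "e": "MAGF",
    "f": "MDGG", "g": "MCGH", "h": "MNGI", "i": "MMGJ", "j": "MPGK",
    "k": "MOGL", "l": "MJGM", "m": "MIGN", "n": "MLGO", "o": "MKGP",
    "t": "NBHE", "te": "NBHELEBB", "tes": "NBHELEBBMHGC",
    "test": "NBHELEBBMHGCLDBG",
}


def encode(text: str) -> str:
    """Apply the inferred transform; no key or secret is involved."""
    prev, out = 0, []
    for byte in text.encode("utf-16-le"):
        prev = byte ^ 0xA5 ^ prev
        out.append(ALPHABET[prev >> 4] + ALPHABET[prev & 0x0F])
    return "".join(out)


def decode(encoded: str) -> str:
    """Invert the transform, showing it offers no confidentiality."""
    if len(encoded) % 4 or any(c not in ALPHABET for c in encoded):
        raise ValueError("not a whole number of 4-letter A-P groups")
    prev, raw = 0, bytearray()
    for i in range(0, len(encoded), 2):
        cur = (ALPHABET.index(encoded[i]) << 4) | ALPHABET.index(encoded[i + 1])
        raw.append(cur ^ 0xA5 ^ prev)
        prev = cur
    return raw.decode("utf-16-le")


def table_mismatches() -> list:
    """Return slide entries the inferred rule fails to reproduce (expect none)."""
    return [p for p, e in SLIDE_TABLE.items() if encode(p) != e or decode(e) != p]


if __name__ == "__main__":
    print("mismatches against the slide:", table_mismatches())
    print("test ->", encode("test"), "->", decode(encode("test")))
```

Because the output depends only on the input, the ‘encoded’ value should be treated as cleartext when deciding which network segments need transport encryption.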

Places To Sniff: ICA Traffic From Client Or CSG
- ICA protocol is not encrypted by default
- USE SecureICA
- USE SSL/TLS
- USE SSLRelay
[Diagram: ICA Client Device, Browser, ICA Client]

ICA File Format
- Connection Data Between ICA Client And Server
- .ini type layout
- Doesn’t contain clear text credentials

    [ApplicationServers]
    Calc=

    [Calc]
    Address = 192.168.237.101:1494
    BrowserProtocol = HTTPonTCP
    ClearPassword = 0674F0F9BD3B0D
    Domain = \DB247117DF8EC22A
    InitialProgram = #calc
    SSLProxyHost = CSG Address
    Username = Whoami

Ticketing

NFuse Ticket
- Apparently it has an expiry time
- XOR credentials and send to XML server
- Get Ticket in response
- Split ticket prepend \ and place into domain:password

STA Ticketing
- Is not server authentication
- Places ticket in the address field of .ica file
    40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4
- If I can talk to the STA server I can create STA tickets
- Uses pseudo-random number generation to produce a 16-byte hex string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters
- UNIQUE TICKET
- STA MACHINE ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES

Shadowing
- Allows Snooping On Other Sessions
- On by default
- Prompts user

Authentication: NFuse Web Application
- Controls access to the Web Application

Authentication: Citrix Server Farm
- Published application setting
- Controls access to the application

Anonymous Access
- Easy to use
- Used for ‘temporary’ application use

Anonymous Accounts
- Anon001 – Anon014
- Created upon install
- Password set on each use

Citrix XML Service
- Installed By Default On Port 80
  - ISAPI extension under IIS
  - Can be set for different port
- Sensitive Operations Require Auth
  - Unless turned off for smartcard passthru
- Used by NFuse and PNAgent
  - Validate Credentials
  - STA Requests
  - Server Enumeration

Gaining Access
- Brute Force Web Page
  - Brute force the NFuse login page
- Brute Force ICA File
  - Will attempt to connect to Citrix application server
  - ActiveX and API make this easy
- Ask The IMA Service
  - Sits on UDP port 1604
  - Unauthenticated requests will respond with application list
- Ask The XML Service
  - By default sits on TCP port 80
  - If you ask politely it will tell you

Gaining Access: Demonstration
- Anonymous vs Standard Internal User
- Breaking The Citrix Sandbox
- Weak security settings
- Uploading Tools
- Alternative file transfer methods
- Privilege Escalation
- Third party or Windows vulnerability
- Token Theft
- Full domain control

Recap
- No Citrix Vulnerability Exploited
  - Weak / default configuration
- Anonymous Application Access
  - Was only part of the issue
- Pretty Common Scenario
  - Most Citrix reviews involve gaining ‘shell’ access

Securing
- Lockdown Citrix
  - Disable file sharing
  - Enable ‘run only published applications’
  - Turn on encryption and use SSL
- Lockdown OS
  - Use group policy to enforce restrictions
  - Disable the runas service
- Lockdown File System
  - Restrict users’ access to directories and commands
- Understand The Weaknesses
  - Hopefully this demonstration has helped

www.insomniasec.com