Citrix and Terminal Services ian VITEK ixsecurity.

Slides:



Advertisements
Similar presentations
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
Advertisements

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
11 ADMINISTERING MICROSOFT WINDOWS SERVER 2003 Chapter 2.
Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing
Using the WWW in Teaching and Learning Barbara Watson Andrew Stansfield IT Service.
Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.
COEN 252: Computer Forensics Router Investigation.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.
Course 201 – Administration, Content Inspection and SSL VPN
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
Week 2 File Systems & Unix Commands. File System Hierarchy.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
BY OLIVIA WILSON AND BRITTANY MCDONALD Up Your Shields with Shields Up!
FIREWALLS Prepared By: Hilal TORGAY Uğurcan SOYLU.
CIS 450 – Network Security Chapter 3 – Information Gathering.
Module 12: Routing Fundamentals. Routing Overview Configuring Routing and Remote Access as a Router Quality of Service.
1 © 2004, Cisco Systems, Inc. All rights reserved. Chapter 9 Intermediate TCP/IP/ Access Control Lists (ACLs)
1 Chapter 7: NAT in Internet and Intranet Designs Designs That Include NAT Essential NAT Design Concepts Data Protection in NAT Designs NAT Design Optimization.
CSC 382: Computer SecuritySlide #1 Firewalls. CSC 382: Computer SecuritySlide #2 Single Host Firewall Simplest type of firewall—one host acts as a gateway.
Remote Desktop Services in Windows Server 2008 R2.
Linux Networking and Security
Remote Access Using Citrix Presentation Server December 6, 2006 Matthew Granger IT665.
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.
Remote Controller & Presenter Make education more efficiently
Current Deployment (NT4) n Minimal central infrastructure u DHCP/DNS service (non NT) u WINS service (but not supported) u Software image repository u.
1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.
G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Backdoors and Rootkits.
Chapter 9 Cisco IOS Firewall. IOS Firewall  Stateful packet-filter firewall that runs on a router  Provides firewall capabilities and normal routing.
Module 11: Designing Security for Network Perimeters.
Citrix Secure Gateway v1.1 Customer Presentation Aug 2002 Customer Presentation Aug 2002.
Module 10: Windows Firewall and Caching Fundamentals.
Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.
Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
Structured Software Systems Ltd (3SL) Suite 2, 22a Duke Street Barrow-in-Furness Cumbria LA14 1HH, UK Tel: +44 (0) Fax: +44 (0)
Presented By Hareesh Pattipati.  Introduction  Firewall Environments  Type of Firewalls  Future of Firewalls  Conclusion.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
Contents Software components All users in one location:
Working at a Small-to-Medium Business or ISP – Chapter 8
MySQL Exploit with Metasploit
FORTINET Network Security NSE8 Dumps - 100% Success
Penetration Test Debrief
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It works.
SECURING NETWORK TRAFFIC WITH IPSEC
Securing the Network Perimeter with ISA 2004
Kiyoshi Kodama, SE Japan 07-Oct-2008
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Forefront Security ISA
NSE4-5.4 Dumps
REMOTE DESKTOP “Once and For All”
File Transfer Protocol
Digital Pacman: Firewall Edition
Remote Access Services RAS Routing and Remote Access Services RRAS Remote Desktop Terminal Services Virtual Private Networking VPN.
DINA YOGA RIAN HASBI YANA
Lecture 3: Secure Network Architecture
Windows desktop sharing
HACKIN G CITRIX.
Presentation transcript:

Citrix and Terminal Services ian VITEK ixsecurity

Citrix and terminal services  What is Terminal Services  How to abuse Terminal Services  Scanning for non-public published applications. Tool: citrix-pa-scan  Connecting to non-public published applications. Tool: citrix-pa-proxy  Demonstration  Statistics from a large scan

What is terminal services  MS Terminal Services, Citrix, Tarantella and similar  Remote multi-user desktop similar to Unix X  Like “Sitting locally on a PC but over a network”  Citrix can publish a specific application

How to abuse terminal services  Several users are using different desktops on the same server  Elevation of rights  Breaking out from the given environment  Some published applications are not password protected

Published Applications Normal scan:  Where to find published applications  nmap for port 1494/tcp  Google for: citrix demo password nfuse demo password  Use the Citrix client to enumerate published applications

Published applications Dump from normal PA enumerate: CLIENT: > : FD A8 E :1604 -> CLIENT: FD A8 E C1 0B 0C 0D C1 0B 0C 0D CLIENT: > :1604 2C FD A8 E :1604 -> CLIENT:32771 Published Applications

Non public Master Browser scan:  Citrix servers can have non public Master Browsers (NAT or similar)  Citrix client will try to connect to the Master Browser. This will fail.  nmap for port 1494/tcp  Use citrix-pa-scan to enumerate published applications

Published applications Dump non public Master Browser: CLIENT: > : FD A8 E :1604 -> CLIENT: FD A8 E A 0B 0C 0D A 0B 0C 0D CLIENT: > :1604 2C FD A8 E No connection!

Published applications Citrix-pa-scan will just send third packet to the Citrix server: CLIENT: > :1604 2C FD A8 E :1604 -> CLIENT:32771 Published Applications

Connecting Connecting to a published application with a non public Master Browser is “impossible”  Master Browser spoof and application server spoof is needed  Can be done with citrix-pa-proxy

CLIENT: > : FD A8 E :1604 -> CLIENT: FD A8 E A 0B 0C 0D A 0B 0C 0D CLIENT: > :1604 4A FD A8 E D F 00 4D :1604 -> CLIENT: E FD A8 E A 0B 0C 0D AF A 0B 0C 0D

Summary tools Citrix-pa-scan S1 C > S1 # Get PA! C < S1 # One or more packets of PA

Summary tools Citrix-pa-proxy S1 (Non public Master Browser is S2) C > Pr # Master Browser? Pr > S1 # Master Browser? Pr <--- S2 --- S1 # Master Browser is S2! C <--- Pr --- Pr # Master Browser is Proxy! C > Pr # Run PA! Pr > S1 # Run PA! Pr <--- S2 --- S1 # Welcome at S2! C <--- S1 --- Pr # Welcome at S1! C > S1 # 1494/tcp Here we go!

Demonstration  nmap scan  citrix-pa-scan  Connection with citrix-pa-proxy  Break out from the given environment

Statistics  Statistics from a larger scan  How many open 1494/tcp is out there?  How many have public published applications?  How many have non public published applications?  How many of the published applications is not password protected?

statistics Will be released at DEF CON X

Protection?  Do not publish applications  Firewall when needed  VPN  Prevent attackers to break out from given environment  Strong ACL  Regedt32  Appsense  SecureEXE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.