HACKING CITRIX

Presentation transcript:

HACKING CITRIX

Citrix Presentation Server 4.5
- New version is called XenApp/Server

Common Deployments
- NFuse Classic
- CSG – Citrix Secure Gateway

Citrix Components
- Server farm
- Citrix XML service
- ICA client device
- NFuse Web server
- CSG – Citrix Secure Gateway
- STA – Secure Ticketing Authority

NFuse Classic
- Different Interfaces
  - Browser accessible
  - Program neighbourhood
  - Gateway for Citrix Conferencing Manager

[Diagram: ICA Client Device / NFuse Network / Browser / ICA Client]
- Browser Enters Credentials Into NFuse Web Page
- NFuse Sends Credentials To XML Service To Validate
- If Valid, XML Service Retrieves Application List From Farm
- NFuse Displays Application List
- User Selects Application And Receives An ICA File
- ICA Client Loads ICA File And Connects To Citrix Farm
- ICA Client Doesn’t NEED NFuse To Connect To Server Farm

Common Basic Deployment For Remote Network Application Exposure
[Diagram: ICA Client Device / NFuse Network / Browser / ICA Client]
- XML Service Can Sit On Independent Web Server
- XML Service Can Sit On One Of The App Servers
- XML Service Can Sit On The NFuse Server
- Holes In Firewall Please

Citrix Secure Gateway
[Diagram: ICA Client Device / Browser / ICA Client]
- Browser Enters Credentials Into NFuse Web Page
- NFuse Sends Credentials To XML Service To Validate
- If Valid, XML Service Retrieves Application List From Farm
- User Selects Application And NFuse Requests Ticket From STA
- Ticket Returned To Browser As Part Of ICA File
- ICA Client Connects To CSG (SSL) And Sends Ticket
- CSG Verifies Ticket Against STA
- If Verified Then Access Is Provided To Server Farm
- ICA File And Ticket Format Explained Later
- More Secure As Server Farm Not Exposed. Firewalls In Between Segments

Places To Sniff
[Diagram: ICA Client Device / Browser / ICA Client]
- HTTP Traffic Between Browser And NFuse
  - Cleartext credentials posted to login form
  - Web Cookie
  - ICA file returned from NFuse
- USE HTTPS

Places To Sniff
- HTTP Traffic Between NFuse And XML Service
  - Cleartext XML contains ‘encoded’ credentials

    a -> MEGB    b -> MHGC    c -> MGGD    d -> MBGE    e -> MAGF
    f -> MDGG    g -> MCGH    h -> MNGI    i -> MMGJ    j -> MPGK
    k -> MOGL    l -> MJGM    m -> MIGN    n -> MLGO    o -> MKGP

    Password    Encoded
    t           NBHE
    te          NBHE LEBB
    tes         NBHE LEBB MHGC
    test        NBHE LEBB MHGC LDBG

- USE HTTPS
- USE SSLRelay
- In deployments that do not support running the SSL Relay, run the NFuse Web server on your Citrix server

Places To Sniff
[Diagram: ICA Client Device / Browser / ICA Client]
- ICA Traffic From Client Or CSG
  - ICA protocol is not encrypted by default
- USE SecureICA
- USE SSL/TLS
- USE SSLRelay

ICA File Format
- Connection Data Between ICA Client And Server
- .ini type layout
- Doesn’t contain clear text credentials

    [ApplicationServers]
    Calc=

    [Calc]
    Address = :1494
    BrowserProtocol = HTTPonTCP
    ClearPassword = 0674F0F9BD3B0D
    Domain = \DB247117DF8EC22A
    InitialProgram = #calc
    SSLProxyHost = CSG Address
    Username = Whoami
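An added example, not part of the original presentation: a small audit that reads an ICA launch file and reports the weaknesses the slides point at (embedded ticket material, no SSL/TLS relay or gateway, weak or absent SecureICA). The sample file is constructed; the host, gateway name and the [Notepad] entry are made up, and `SSLEnable` and `EncryptionLevelSession` are ICA keys that do not appear on the slide.

```python
import configparser

# Constructed sample modelled on the slide's [Calc] entry; all hosts are made up.
SAMPLE_ICA = r"""
[ApplicationServers]
Calc=
Notepad=

[Calc]
Address=192.0.2.10:1494
BrowserProtocol=HTTPonTCP
ClearPassword=0674F0F9BD3B0D
Domain=\DB247117DF8EC22A
InitialProgram=#calc

[Notepad]
Address=192.0.2.10:1494
SSLEnable=On
SSLProxyHost=csg.example.test:443
EncryptionLevelSession=EncRC5-128
"""

WEAK_LEVELS = {"", "basic", "encrc5-0", "encrc5-40", "encrc5-56"}

def audit_ica(text):
    """Return {application: [findings]} for every published app in an ICA file."""
    ica = configparser.ConfigParser(interpolation=None, strict=False)
    ica.optionxform = str  # keep application names exactly as written
    ica.read_string(text)
    apps = ica["ApplicationServers"] if ica.has_section("ApplicationServers") else []
    report = {}
    for app in apps:
        if not ica.has_section(app):
            report[app] = ["listed but has no section"]
            continue
        # ICA keys are matched case-insensitively here
        s = {k.lower(): v.strip() for k, v in ica[app].items()}
        found = []
        if s.get("clearpassword") or s.get("password"):
            found.append("logon ticket/credential embedded: file is a bearer secret")
        if s.get("sslenable", "").lower() != "on" or not s.get("sslproxyhost"):
            found.append("no SSL/TLS relay or gateway: client talks ICA directly")
        if s.get("encryptionlevelsession", "").lower() in WEAK_LEVELS:
            found.append("SecureICA absent or below 128-bit")
        report[app] = found
    return report

if __name__ == "__main__":
    for app, found in audit_ica(SAMPLE_ICA).items():
        print(app, "->", found or "ok")
```

Run it over the launch files a Web Interface server hands out, or over TEMPLATE.ICA-style templates, to confirm that every published application is delivered through SSL/TLS with strong session encryption.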

Ticketing

NFuse Ticket
- Apparently it has an expiry time
- XOR credentials and send to XML server
- Get Ticket in response
- Split ticket, prepend \ and place into domain:password

STA Ticketing
- Is not server authentication
- Places ticket in the address field of .ica file
  - 40;STA47;AFA4ABD7741BB BAC6AB2BDAF4
  - Callouts on the ticket: STA MACHINE, UNIQUE TICKET
- If I can talk to the STA server I can create STA tickets
- ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES
- Uses pseudo-random number generation to produce a 16-byte hex string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters

Shadowing
- Allows Snooping On Other Sessions
  - On by default
  - Prompts user

Authentication
- NFuse Web Application
  - Controls access to the Web Application
- Citrix Server Farm
  - Published application setting
  - Controls access to the application

Anonymous Accounts
- Anon001 – Anon014
  - Created upon install
  - Password set on each use
- Anonymous Access
  - Easy to use
  - Used for ‘temporary’ application use

Citrix XML Service
- Installed By Default On Port 80
  - ISAPI extension under IIS
  - Can be set for different port
- Sensitive Operations Require Auth
  - Unless turned off for smartcard passthru
- Used by NFuse and PNAgent
  - Validate Credentials
  - STA Requests
  - Server Enumeration

Gaining Access
- Brute Force Web Page
  - Brute force the NFuse login page
- Brute Force ICA File
  - Will attempt to connect to Citrix application server
  - ActiveX and API make this easy
- Ask The IMA Service
  - Sits on UDP port 1604
  - Unauthenticated requests will respond with application list
- Ask The XML Service
  - By default sits on TCP port 80
  - If you ask politely it will tell you

Demonstration
- Anonymous vs Standard Internal User
- Breaking The Citrix Sandbox
  - Weak security settings
- Uploading Tools
  - Alternative file transfer methods
- Privilege Escalation
  - Third party or Windows vulnerability
- Token Theft
  - Full domain control

Recap
- No Citrix Vulnerability Exploited
  - Weak / default configuration
- Anonymous Application Access
  - Was only part of the issue
- Pretty Common Scenario
  - Most Citrix reviews involve gaining ‘shell’ access

Securing
- Lockdown Citrix
  - Disable file sharing
  - Enable ‘run only published applications’
  - Turn on encryption and use SSL
- Lockdown OS
  - Use group policy to enforce restrictions
  - Disable the runas service
- Lockdown File System
  - Restrict users' access to directories and commands
- Understand The Weaknesses
  - Hopefully this demonstration has helped