HACKING CITRIX


1 HACKING CITRIX

2 Citrix Presentation Server 4.5
New version is called XenApp/Server.
Common deployments: NFuse Classic; CSG (Citrix Secure Gateway).
Citrix components: server farm; Citrix XML Service; ICA client device; NFuse web server; STA (Secure Ticketing Authority).

3 NFuse Classic
Different interfaces: browser accessible; Program Neighbourhood; gateway for Citrix Conferencing Manager.

4 NFuse Network
Diagram components: ICA client device (browser and ICA client), NFuse, XML Service, server farm.
Flow shown on the diagram:
1. Browser enters credentials into NFuse web page.
2. NFuse sends credentials to XML Service to validate.
3. If valid, XML Service retrieves application list from farm.
4. NFuse displays application list.
5. User selects application and receives an ICA file.
6. ICA client loads ICA file and connects to Citrix farm.
Note: the ICA client doesn't NEED NFuse to connect to the server farm.

5 NFuse Network
Common basic deployment for remote network application exposure.
The XML Service can sit on the NFuse server, on one of the app servers, or on an independent web server.
"Holes in firewall please": the farm has to be reachable through the firewall.
Diagram components: ICA client device (browser and ICA client).

6 Citrix Secure Gateway
Diagram components: ICA client device (browser and ICA client), NFuse, XML Service, STA, CSG, server farm, with firewalls in between segments.
Flow shown on the diagram:
1. Browser enters credentials into NFuse web page.
2. NFuse sends credentials to XML Service to validate.
3. If valid, XML Service retrieves application list from farm.
4. User selects application and NFuse requests ticket from STA.
5. Ticket returned to browser as part of ICA file.
6. ICA client connects to CSG (SSL) and sends ticket.
7. CSG verifies ticket against STA.
8. If verified, access is provided to server farm.
More secure, as the server farm is not exposed. ICA file and ticket format explained later.

7 HTTP Traffic Between Browser And NFuse
Places to sniff: cleartext credentials posted to login form; web cookie; ICA file returned from NFuse.
USE HTTPS.
Diagram components: ICA client device (browser and ICA client).

8 HTTP Traffic Between NFuse And XML Service
Places to sniff: cleartext XML contains 'encoded' credentials.
Encoding table shown on the slide (single characters):
a -> M E G B
b -> M H G C
c -> M G G D
d -> M B G E
e -> M A G F
f -> M D G G
g -> M C G H
h -> M N G I
i -> M M G J
j -> M P G K
k -> M O G L
l -> M J G M
m -> M I G N
n -> M L G O
o -> M K G P
Password examples:
t -> N B H E
te -> N B H E L E B B
tes -> N B H E L E B B M H G C
test -> N B H E L E B B M H G C L D B G
USE HTTPS. USE SSL Relay.
In deployments that do not support running the SSL Relay, run the NFuse web server on your Citrix server.
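Added example (not from the presentation): the letter table and the t/te/tes/test chains above are consistent with a keyless scheme in which each byte is XORed into a running value that is then written twice as letter-encoded hex (A..P), once masked with 0xA5 and once plain. The code below reconstructs that scheme from the slide's own values and checks itself against them; the reconstruction and the mask 0xA5 are inferred from the table, not stated on the slide.

```python
# Added example: keyless "encoding" reconstructed from the table on this slide.
# Assumption: each plaintext byte is XORed into a running value, and that value
# is written as four letters (A..P = hex nibbles): first masked with 0xA5, then plain.
MASK = 0xA5


def nibbles_to_letters(value: int) -> str:
    """Write one byte as two letters, A=0 .. P=15 (high nibble first)."""
    return chr(ord("A") + (value >> 4)) + chr(ord("A") + (value & 0x0F))


def ctx1_encode(plaintext: str) -> str:
    """Encode as the slide's table does; note that no key is involved anywhere."""
    running = 0
    out = []
    for byte in plaintext.encode("latin-1"):
        running ^= byte                                 # chain with everything seen so far
        out.append(nibbles_to_letters(running ^ MASK))  # 't' -> "NB"
        out.append(nibbles_to_letters(running))         # 't' -> "HE"
    return "".join(out)


def ctx1_decode(encoded: str) -> str:
    """Invert the encoding without any key. Only the plain half of each quad is
    needed; the masked half serves as a consistency check on captured data."""
    if len(encoded) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    values = [ord(c) - ord("A") for c in encoded]
    if any(v < 0 or v > 15 for v in values):
        raise ValueError("only letters A..P are valid")
    previous = 0
    out = bytearray()
    for i in range(0, len(values), 4):
        masked = (values[i] << 4) | values[i + 1]
        running = (values[i + 2] << 4) | values[i + 3]
        if masked != running ^ MASK:
            raise ValueError("quad at offset %d is not self-consistent" % i)
        out.append(running ^ previous)                  # undo the chaining
        previous = running
    return out.decode("latin-1")


if __name__ == "__main__":
    # Values from the slide: "test" -> N B H E  L E B B  M H G C  L D B G
    assert ctx1_encode("test") == "NBHELEBBMHGCLDBG"
    assert ctx1_decode("NBHELEBBMHGCLDBG") == "test"
    print(ctx1_encode("a"), ctx1_decode("MEGB"))  # MEGB a
```

Because the transform needs no secret, anyone who can read the NFuse-to-XML-Service HTTP exchange can recover the credentials, which is the reason the slide insists on HTTPS or the SSL Relay for that hop.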

9 ICA Traffic From Client Or CSG
Places to sniff: the ICA protocol is not encrypted by default.
USE SecureICA. USE SSL/TLS. USE SSL Relay.
Diagram components: ICA client device (browser and ICA client).

10 ICA File Format
Connection data between ICA client and server; .ini type layout; doesn't contain clear text credentials.
Example ICA file shown on the slide:
[ApplicationServers]
Calc=
[Calc]
Address = :1494
BrowserProtocol = HTTPonTCP
ClearPassword = 0674F0F9BD3B0D
Domain = \DB247117DF8EC22A
InitialProgram = #calc
SSLProxyHost = CSG Address
Username = Whoami
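Added example (not from the presentation): a small reviewer for .ica files that uses the .ini layout shown above to report whether a published application is reached through a CSG/STA ticket or by a direct farm address, whether an SSL proxy is set, and whether the Domain/ClearPassword pair carries a split NFuse ticket (the backslash-prefixed Domain described on the ticketing slide). The sample file is constructed after this slide's example; the STA ticket pattern is assumed from the "40;STA47;..." value on the ticketing slide, and the CSG host name is a placeholder.

```python
import configparser
import re

# Constructed sample modelled on the ICA file shown on this slide; the host in
# Address is blank as on the slide and the CSG host name is a placeholder.
SAMPLE_ICA = """[ApplicationServers]
Calc=

[Calc]
Address = :1494
BrowserProtocol = HTTPonTCP
ClearPassword = 0674F0F9BD3B0D
Domain = \\DB247117DF8EC22A
InitialProgram = #calc
SSLProxyHost = csg.example.invalid
Username = Whoami
"""

# Assumption drawn from the ticketing slide's example "40;STA47;<hex>":
# an STA ticket in Address is <number>;<STA id>;<hex ticket>.
STA_TICKET_RE = re.compile(r"^\d+;[^;]+;[0-9A-Fa-f]+$")


def review_ica(text: str) -> dict:
    """Report, per published application, how the ICA file directs the client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str           # keep key case exactly as written in the file
    cp.read_string(text)
    findings = {}
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        address = sec.get("Address", "").strip()
        is_ticket = STA_TICKET_RE.match(address) is not None
        findings[app] = {
            # ticket in Address: client presents it to CSG, farm stays unexposed
            "uses_sta_ticket": is_ticket,
            # plain host:port means the client talks to the farm directly
            "direct_farm_address": bool(address) and not is_ticket,
            "has_ssl_proxy": bool(sec.get("SSLProxyHost", "").strip()),
            # NFuse ticket is split, "\" prepended, and placed in Domain:ClearPassword
            "nfuse_ticket_in_credentials": sec.get("Domain", "").startswith("\\")
            and "ClearPassword" in sec,
        }
    return findings


if __name__ == "__main__":
    print(review_ica(SAMPLE_ICA))
```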

11 Ticketing
NFuse ticket: apparently it has an expiry time. XOR credentials and send to XML server; get ticket in response; split ticket, prepend \ and place into domain:password.
STA ticketing: is not server authentication. Places ticket in the Address field of the .ica file, e.g. 40;STA47;AFA4ABD7741BBBAC6AB2BDAF4. If I can talk to the STA server I can create STA tickets.
Citrix on ticket generation: "Uses pseudo-random number generation to produce a 16-byte hex string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters."
Callouts: UNIQUE TICKET. STA MACHINE: ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES.

12 Shadowing
Allows snooping on other sessions. On by default. Prompts user.

13 Authentication: NFuse Web Application
Controls access to the web application.

14 Authentication: Citrix Server Farm
Published application setting; controls access to the application.

15 Anonymous Access
Anonymous accounts Anon001 – Anon014, created upon install; password set on each use.
Easy to use. Used for 'temporary' application use.

16 Citrix XML Service
Installed by default on port 80 as an ISAPI extension under IIS; can be set for a different port.
Sensitive operations require auth, unless turned off for smartcard passthru.
Used by NFuse and PNAgent for: validating credentials; STA requests; server enumeration.

17 Gaining Access
Brute force web page: brute force the NFuse login page.
Brute force ICA file: will attempt to connect to Citrix application server; ActiveX and API make this easy.
Ask the IMA service: sits on UDP port 1604; unauthenticated requests will respond with application list.
Ask the XML service: by default sits on TCP port 80; if you ask politely it tells you.

18 Demonstration
Gaining access: anonymous vs standard internal user.
Breaking the Citrix sandbox: weak security settings.
Uploading tools: alternative file transfer methods.
Privilege escalation: third party or Windows vulnerability; token theft; full domain control.

19 Recap
No Citrix vulnerability exploited: weak / default configuration.
Anonymous application access was only part of the issue.
Pretty common scenario: most Citrix reviews involve gaining 'shell' access.

20 Securing
Lockdown Citrix: disable file sharing; enable 'run only published applications'; turn on encryption and use SSL.
Lockdown OS: use group policy to enforce restrictions; disable the runas service.
Lockdown file system: restrict users' access to directories and commands.
Understand the weaknesses: hopefully this demonstration has helped.
