Published by Tracey Gray. Modified over 9 years ago.
Slide 1: CITRIX HACKING
Slide 2: Citrix Presentation Server 4.5
The new version is called XenApp/Server.
Common deployments:
- NFuse Classic
- CSG (Citrix Secure Gateway)
Citrix components:
- Server farm
- Citrix XML service
- ICA client device
- NFuse web server
- CSG (Citrix Secure Gateway)
- STA (Secure Ticketing Authority)
Slide 3: Different Interfaces
- Browser accessible: http://server/Citrix/AccessPlatform/auth/login.aspx
- Program Neighbourhood: http://server/Citrix/PNAgent/config.xml
- Gateway for Citrix Conferencing Manager: http://server/Citrix/cmguest
- NFuse Classic
Slide 4: Basic NFuse deployment, logon and launch flow
[Diagram: ICA client device (browser and ICA client), NFuse server, network]
1. Browser enters credentials into the NFuse web page.
2. NFuse sends the credentials to the XML service to validate.
3. If valid, the XML service retrieves the application list from the farm.
4. NFuse displays the application list.
5. User selects an application and receives an ICA file.
6. ICA client loads the ICA file and connects to the Citrix farm.
Note: the ICA client doesn't NEED NFuse to connect to the server farm.
Slide 5: Common Basic Deployment For Remote Network Application Exposure
[Diagram: ICA client device (browser and ICA client), NFuse server, network]
- XML service can sit on an independent web server
- XML service can sit on one of the app servers
- XML service can sit on the NFuse server
- Holes in firewall, please
Slide 6: Citrix Secure Gateway
[Diagram: ICA client device (browser and ICA client), CSG, NFuse, STA, server farm]
1. Browser enters credentials into the NFuse web page.
2. NFuse sends the credentials to the XML service to validate.
3. If valid, the XML service retrieves the application list from the farm.
4. User selects an application and NFuse requests a ticket from the STA.
5. Ticket returned to the browser as part of the ICA file.
6. ICA client connects to the CSG (SSL) and sends the ticket.
7. CSG verifies the ticket against the STA.
8. If verified, access is provided to the server farm.
ICA file and ticket format explained later.
More secure, as the server farm is not exposed; firewalls sit between the segments.
Slide 7: Places To Sniff - HTTP traffic between browser and NFuse
[Diagram: ICA client device (browser and ICA client)]
- Cleartext credentials posted to the login form
- Web cookie
- ICA file returned from NFuse
Mitigation: USE HTTPS
Slide 8: Places To Sniff - HTTP traffic between NFuse and the XML service
Cleartext XML contains 'encoded' credentials. Single-character encodings observed:
  a -> MEGB   b -> MHGC   c -> MGGD   d -> MBGE   e -> MAGF
  f -> MDGG   g -> MCGH   h -> MNGI   i -> MMGJ   j -> MPGK
  k -> MOGL   l -> MJGM   m -> MIGN   n -> MLGO   o -> MKGP
Password examples:
  t    -> NBHE
  te   -> NBHELEBB
  tes  -> NBHELEBBMHGC
  test -> NBHELEBBMHGCLDBG
Mitigation: USE HTTPS; USE SSL Relay. In deployments that do not support running the SSL Relay, run the NFuse web server on your Citrix server.
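The letter table and the t/te/tes/test samples on the slide are enough to show why the deck calls this 'encoded' rather than encrypted: the transformation has no key, so anyone who can read the NFuse-to-XML-service HTTP traffic can reverse it. The following is an added example, not code from the presentation. The rule it implements (XOR each byte with the previous chained byte, write the result as two letter pairs with 'A' standing for nibble 0, the first pair after a further XOR with 0xA5) was fitted to the samples on the slide; the 0xA5 constant and the chaining rule are this example's inference, not something the slide states.

```python
# Added example, not code from the presentation.  The rule below was fitted
# to the letter table and the t/te/tes/test samples on the slide: each
# password byte is XORed with the previous chained byte (starting from 0),
# and the result is written as two letter pairs, one nibble per letter
# ('A' = 0), the first pair after a further XOR with 0xA5 and the second
# pair plain.  The 0xA5 constant and the chaining rule are inferred from
# the samples, not stated on the slide.

def encode_xml_password(password: str) -> str:
    """Return the four-letters-per-byte form seen in the NFuse -> XML traffic."""
    out = []
    prev = 0
    for byte in password.encode("latin-1"):
        chained = byte ^ prev
        for value in (chained ^ 0xA5, chained):
            out.append(chr(ord("A") + (value >> 4)))
            out.append(chr(ord("A") + (value & 0x0F)))
        prev = chained
    return "".join(out)


def decode_xml_password(encoded: str) -> str:
    """Reverse the encoding; no key is involved, only the fixed rule above."""
    if len(encoded) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    prev = 0
    chars = []
    for i in range(0, len(encoded), 4):
        quad = encoded[i:i + 4]
        nibbles = [ord(c) - ord("A") for c in quad]
        if any(not 0 <= n <= 15 for n in nibbles):
            raise ValueError(f"letter outside A-P in {quad!r}")
        masked = (nibbles[0] << 4) | nibbles[1]
        chained = (nibbles[2] << 4) | nibbles[3]
        if masked != (chained ^ 0xA5):   # both pairs carry the same byte
            raise ValueError(f"inconsistent group {quad!r}")
        chars.append(chr(chained ^ prev))
        prev = chained
    return "".join(chars)


# Values copied from the slide, used to check the fitted rule.
SLIDE_LETTERS = {
    "a": "MEGB", "b": "MHGC", "c": "MGGD", "d": "MBGE", "e": "MAGF",
    "f": "MDGG", "g": "MCGH", "h": "MNGI", "i": "MMGJ", "j": "MPGK",
    "k": "MOGL", "l": "MJGM", "m": "MIGN", "n": "MLGO", "o": "MKGP",
}
SLIDE_PASSWORDS = {
    "t": "NBHE", "te": "NBHELEBB",
    "tes": "NBHELEBBMHGC", "test": "NBHELEBBMHGCLDBG",
}


def matches_slide() -> bool:
    """True when the fitted rule reproduces every sample on the slide both ways."""
    samples = {**SLIDE_LETTERS, **SLIDE_PASSWORDS}
    return all(encode_xml_password(p) == e and decode_xml_password(e) == p
               for p, e in samples.items())


if __name__ == "__main__":
    print("rule matches slide samples:", matches_slide())
    print(decode_xml_password("NBHELEBBMHGCLDBG"))
```

The decoder's consistency check (the first letter pair must equal the second pair XOR 0xA5) is the quickest way to tell whether a string captured on the wire is one of these encoded credentials; the only real fix is the one the slide gives, HTTPS or the SSL Relay between NFuse and the XML service.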
Slide 9: Places To Sniff - ICA traffic from the client or the CSG
[Diagram: ICA client device (browser and ICA client)]
The ICA protocol is not encrypted by default.
Mitigation: USE SecureICA; USE SSL/TLS; USE SSL Relay.
Slide 10: ICA File Format
Connection data between the ICA client and the server; .ini type layout; doesn't contain clear text credentials.
  [ApplicationServers]
  Calc=
  [Calc]
  Address = 192.168.237.101:1494
  BrowserProtocol = HTTPonTCP
  ClearPassword = 0674F0F9BD3B0D
  Domain = \DB247117DF8EC22A
  InitialProgram = #calc
  SSLProxyHost = CSG Address
  Username = Whoami
Slide 11: Ticketing
NFuse ticket:
- Apparently it has an expiry time.
- XOR the credentials and send them to the XML server; get a ticket in response.
- Split the ticket, prepend \ and place it into domain:password.
STA ticketing:
- Is not server authentication.
- Places the ticket in the Address field of the .ica file, e.g. 40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4
- Uses pseudo-random number generation to produce a 16-byte hex string. "For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters."
- If I can talk to the STA server I can create STA tickets.
- STA: MACHINE UNIQUE TICKET; ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES.
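Slides 10 and 11 together describe what a launch file reveals about a deployment: a raw farm address in Address means the basic deployment with the server reachable from the client, an STA ticket in Address plus an SSLProxyHost means the CSG path, and ClearPassword/Domain carry the split NFuse ticket. The parser and audit below are an added example, not code from the presentation. The file layout and field names are taken from the slides; the two sample files are constructed here (the CSG host name is a placeholder), and the audit rules are this example's own reading of the deck's 'places to sniff' and 'securing' points.

```python
# Added example, not code from the presentation.  Parses an ICA launch file
# (INI layout, [ApplicationServers] index, per-application section) and
# reports how the client would connect.  Field names come from slides 10
# and 11; the audit wording is this example's own.
import configparser
import re

# Constructed sample reproducing the fields shown on slide 10 (basic deployment).
BASIC_ICA = """\
[ApplicationServers]
Calc=
[Calc]
Address=192.168.237.101:1494
BrowserProtocol=HTTPonTCP
ClearPassword=0674F0F9BD3B0D
Domain=\\DB247117DF8EC22A
InitialProgram=#calc
Username=Whoami
"""

# Constructed sample of the CSG variant (slide 11): the Address field carries
# an STA ticket and the client connects to the gateway named in SSLProxyHost.
# The gateway host name is a placeholder.
CSG_ICA = """\
[ApplicationServers]
Calc=
[Calc]
Address=40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4
SSLProxyHost=csg.example.invalid:443
InitialProgram=#calc
"""

# "<number>;<STA id>;<16-byte hex ticket>" as shown on slide 11.
STA_TICKET_RE = re.compile(r"^(\d+);([^;]+);([0-9A-Fa-f]{32})$")
# "<IPv4>[:port]"; 1494 is the ICA port shown on slide 10.
DIRECT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def parse_ica(text):
    """Return {section: {key: value}} for an ICA file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case: ClearPassword, not clearpassword
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def classify_address(address):
    """Tell a raw farm address from an STA ticket in the Address field."""
    m = STA_TICKET_RE.match(address)
    if m:
        return {"kind": "sta_ticket", "sta_id": m.group(2), "ticket": m.group(3).upper()}
    m = DIRECT_RE.match(address)
    if m:
        return {"kind": "direct", "host": m.group(1), "port": int(m.group(2) or 1494)}
    return {"kind": "unknown", "raw": address}


def audit_ica(text):
    """Return one finding string per observation, for every listed application."""
    sections = parse_ica(text)
    findings = []
    for app in sections.get("ApplicationServers", {}):
        cfg = sections.get(app, {})
        addr = classify_address(cfg.get("Address", ""))
        if addr["kind"] == "direct":
            findings.append(f"{app}: client connects straight to farm server "
                            f"{addr['host']}:{addr['port']} (no gateway in path)")
        elif addr["kind"] == "sta_ticket":
            findings.append(f"{app}: STA ticket for {addr['sta_id']} in Address, "
                            f"connection brokered by the gateway")
        if "SSLProxyHost" not in cfg:
            findings.append(f"{app}: no SSLProxyHost, so no CSG/SSL wrapper around ICA")
        if "ClearPassword" in cfg or "Domain" in cfg:
            findings.append(f"{app}: logon material in ClearPassword/Domain, "
                            f"file must be delivered over HTTPS and not cached")
        if cfg.get("BrowserProtocol", "").upper() == "HTTPONTCP":
            findings.append(f"{app}: BrowserProtocol=HTTPonTCP, XML service browsing "
                            f"over plain HTTP unless an SSL Relay fronts it")
    return findings


if __name__ == "__main__":
    for name, text in (("basic", BASIC_ICA), ("csg", CSG_ICA)):
        print(f"--- {name} ---")
        for line in audit_ica(text):
            print(line)
```

Run against a launch file captured from a test user's browser cache, the direct-address finding is the quickest confirmation that the deployment matches slide 5 (farm exposed through the firewall) rather than slide 6.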
Slide 12: Shadowing
- Allows snooping on other sessions
- On by default
- Prompts user
Slide 13: Authentication - NFuse Web Application
Controls access to the web application.
Slide 14: Authentication - Citrix Server Farm
Published application setting: controls access to the application.
Slide 15: Anonymous Accounts
- Anon001 to Anon014, created upon install
- Password set on each use
- Anonymous access: easy to use; used for 'temporary' application use
Slide 16: Citrix XML Service
- Installed by default on port 80; ISAPI extension under IIS; can be set for a different port
- Sensitive operations require auth, unless turned off for smartcard passthrough
- Used by NFuse and PNAgent: validate credentials, STA requests, server enumeration
Slide 17: Gaining Access
- Brute force web page: brute force the NFuse login page
- Brute force ICA file: will attempt to connect to the Citrix application server; ActiveX and the API make this easy
- Ask the IMA service: sits on UDP port 1604; unauthenticated requests will respond with the application list
- Ask the XML service: by default sits on TCP port 80; if you ask politely it tells you
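The first item on the slide, guessing passwords against the NFuse login page, leaves an obvious trail in the web server's logs: many POSTs to the login path (slide 3) from one client in a short time. The detector below is an added example, not code from the presentation. It parses IIS-style W3C log lines, which are constructed here with a reduced #Fields list, and the threshold and window are arbitrary starting points to tune against real traffic.

```python
# Added example, not part of the presentation.  Reads IIS-style W3C log
# lines (constructed below) and flags any client that POSTs to the Web
# Interface login page more than `threshold` times inside a sliding window.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login path from slide 3, compared case-insensitively.
LOGIN_PATHS = {"/citrix/accessplatform/auth/login.aspx"}

# Constructed sample: one normal logon from 10.0.0.5, a burst of POSTs from
# 203.0.113.9, and an unrelated PNAgent fetch from 10.0.0.6.
SAMPLE_LOG = """\
#Software: constructed sample, not a real server log
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2007-03-01 09:00:01 GET /Citrix/AccessPlatform/auth/login.aspx 10.0.0.5 200
2007-03-01 09:00:05 POST /Citrix/AccessPlatform/auth/login.aspx 10.0.0.5 302
2007-03-01 09:00:07 GET /Citrix/AccessPlatform/site/default.aspx 10.0.0.5 200
2007-03-01 09:01:00 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:01:01 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:01:03 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:01:04 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:01:06 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:01:08 POST /Citrix/AccessPlatform/auth/login.aspx 203.0.113.9 200
2007-03-01 09:02:30 GET /Citrix/PNAgent/config.xml 10.0.0.6 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue   # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def login_post_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> highest number of login POSTs seen inside one window.

    Only clients that reach `threshold` are returned.  Status codes are
    ignored on purpose: a guessing run and a mistyped password look the
    same per request, so the rate is the signal.  Lines are assumed to be
    in time order, as the web server writes them.
    """
    recent = defaultdict(deque)
    flagged = {}
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST":
            continue
        if rec["cs-uri-stem"].lower() not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in login_post_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s, review for password guessing")
```

The same rate check applied to the XML service path covers the second half of the slide: the IMA (UDP 1604) and XML (TCP 80) enumeration the deck describes shows up as unauthenticated requests from clients that never logged in, which is also where a firewall rule limiting those ports to the NFuse server belongs.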
Slide 18: Demonstration
- Anonymous vs standard internal user
- Breaking the Citrix sandbox: weak security settings
- Uploading tools: alternative file transfer methods
- Privilege escalation: third-party or Windows vulnerability
- Token theft: full domain control
Slide 19: Recap
- No Citrix vulnerability exploited: weak / default configuration
- Anonymous application access was only part of the issue
- Pretty common scenario: most Citrix reviews involve gaining 'shell' access
Slide 20: Securing
- Lock down Citrix: disable file sharing; enable 'run only published applications'; turn on encryption and use SSL
- Lock down the OS: use group policy to enforce restrictions; disable the RunAs service
- Lock down the file system: restrict users' access to directories and commands
- Understand the weaknesses: hopefully this demonstration has helped
Slide 21: www.insomniasec.com