GNUCITIZEN

Hacking CITRIX – the forceful way

published: October 5th, 2007

Yesterday I briefly covered how CITIRX hacking works by performing simple enumeration exercises. Today, I will show you how to drill.

As ways, I prepared a video that demonstrates the attack in more visual way. BTW, 90% of test I’ve done are subjected this type of attack. It is insane really.

In case the video does not work, you can download the high-quality version from over here.

I also did some coding as well. The following script can be used to bruteforce the Windows/Netware logon. With a few mods you can make it work for CITRIX SSLs auth as well.

http://www.gnucitizen.org/static/blog/2007/10/bforce.js

I have another script, which I use to fine tune connections – very suitable when you don’t want to deal with ICA but you want to tryout different citrix communication mechanisms and connection options.

http://www.gnucitizen.org/static/blog/2007/10/connect.js

This is it. I hope that you enjoyed the demo.

Download: hc02.wmv, bforce.js, connect.js

more | comments | comments rss | posted by pdp

vindic says:

October 5, 2007 at 5:14 pm

amazing again :)

slasher says:

October 5, 2007 at 7:04 pm

Hello, first thank you for a great site, it is very nice and informative. I have one remark though, the resolutions of your videos, the text is too small, one can not follow the commands even if the youtube window is maxed.

Thanks.

pdp says:

October 5, 2007 at 7:41 pm

slasher, yes… that’s why I included the wmv file at the bottom of this article. It should give you a lot better idea of what’s going on.

Sirw2p says:

October 6, 2007 at 1:40 pm

I love the themesong.. is the same that the film “Oceans eleven” yeah.

radi says:

October 7, 2007 at 4:21 pm

what about enum.js…? any clues as to where that can be found?

NIX says:

October 9, 2007 at 9:50 am

radi,

the enum.js can be found in the other article titled CITRIX: Owning the Legitimate Backdoor.

pdp says:

October 9, 2007 at 9:55 am

NIX, thanks… the file can be found over here.

radi says:

October 10, 2007 at 8:21 am

*hides head in shame* oopps…. sorry about that guys!!! :) my bad i should have read the other article more carefully…..

Anthony D. says:

October 10, 2007 at 7:26 pm

You should note that you are demonstrating exploiting a poorly implemented security model. When implemented correctly using existing Citrix security features and Microsoft Security Features your attacks would not work at all.

This was an attack against a poorly implemented Citrix environment.

Nice work either way!

pdp says:

October 10, 2007 at 7:28 pm

Anthony D., yes you are right. The reason I came up with the script is mainly because I wasn’t aware of any other CITRIX authentication bruteforcer.

RX8volution says:

October 11, 2007 at 5:54 pm

pdp : How do you account for domains? I am working on password “grinding” or brute-force… and don’t quite get how to append the Domain name into your script… would be a nice pen-test tool…

pdp says:

October 11, 2007 at 7:41 pm

RX8volution, I forgot to include that. Give me some time and I will come with an updated script, or you can do that yourself if you want to.

pdp says:

October 12, 2007 at 9:41 am

Apparently CITRIX has removed the YouTube videos due to a copyright violation. This is strange and the same time not the right way to handle situations like this.

Jonathan says:

October 12, 2007 at 11:25 am

It’s strange that Citrix should be able to do this. Does your video:

1. breach the copyright of Citrix, or
2. describe a method for illegally circumventing copyright protection?

If not, then perhaps you could file a “counter-take-down” notice to YouTube, as described here: http://www.youtube.com/t/dmca_policy.

This approach was famously used by Christopher Knight:
http://theknightshift.blogspot.....right.html

Keep on hacking!
Jonathan

pdp says:

October 12, 2007 at 11:57 am

Jonathan, thanks. I am not very sure. I guess it has something to do with the CITRIX logo, which appears on the screen when a connection is established.

curious mind says:

October 16, 2007 at 7:22 am

I’m wondering what FREE features Citrix has for deploying apps to the internet in a secure manner. The only thing I could find was the Citrix Secure Gateway 3.0 (is this still supported or maintained?) from which the admin guide and checklist is no longer avaiable so forget about the documentation.

So as it would seem, you maybe required to purchase a Citrix Access Gateway to secure your Citrix environment am I correct..? If so, this would mean that making Citrix apps available across the web would not be secure out of the box without buying additional hardware.
This is not a statement but more a question I have…

pdp says:

October 16, 2007 at 7:44 am

curious mind, I have no idea how CITRIX is shipped but I believe that you are on the right track. However, it is up to the administrator to export applications that does not require authentication. In case your ICA is in the DMZ and you have one of these application hanging out in there, then you are in a big trouble. Unfortunately, this is what I see most of the times.

curious mind says:

October 16, 2007 at 8:50 am

pdp, I totally agree…applications without authentication is asking for trouble..but as you showed that even with authentication you’re not really safe that’s why I hope somebody can answer my questions..

xyyzy says:

October 16, 2007 at 11:42 am

Where are the videos? seems youtube has removed them.

pdp says:

October 16, 2007 at 11:44 am

check the bottom of the post

xyyzy says:

October 16, 2007 at 2:17 pm

thanks pdp, found them

jeff says:

January 14, 2009 at 8:59 pm

Gone again, the links…

pdp says:

January 25, 2009 at 8:50 am

back again :) still moving infrastructures…

infoz says:

January 23, 2011 at 1:19 am

What did you do to get the scripts working in XP? They execute fine from cmd, wscript is installed, .net, etc.. but they never launch the Citrix client (which is also installed) for enum, connect or bforce. I can launch an .ica file to the target server with no issues however running the .js files never launch the client. Any help is appreciated!

Navigation

Hacking CITRIX – the forceful way

Respond