Hacking CITRIX - the forceful way
Yesterday I briefly covered how CITRIX hacking works by performing simple enumeration exercises. Today, I will show you how to drill.

As always, I prepared a video that demonstrates the attack in a more visual way. BTW, 90% of the tests I've done are subject to this type of attack.
As always, I did some coding as well. The following script can be used to bruteforce the Windows/Netware logon. With a few mods you can make it work for CITRIX SSL auth as well.
http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way/bforce.js
I have another script, which I use to fine-tune connections - very suitable when you don't want to deal with ICA but you want to try out different Citrix communication mechanisms and connection options.
http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way/connect.js
This is it. I hope that you enjoy the demo.


comments
amazing again :)
Hello, first thank you for a great site, it is very nice and informative. I have one remark though: the resolution of your videos, the text is too small, one cannot follow the commands even if the YouTube window is maxed.
Thanks.
slasher, yes… that’s why I included the wmv files at the bottom of this article. They should give you a lot better idea of what’s going on.
I love the theme song... it's the same as in the film "Ocean's Eleven", yeah.
yep, that’s the one.
what about enum.js…? any clues as to where that can be found?
radi,
the enum.js can be found in the other article named CITRIX: Owning the Legitimate Backdoor
NIX, thanks… the file can be found over here.
*hides head in shame* oops... sorry about that guys!!! :) my bad, I should have read the other article more carefully...
You should note that you are demonstrating exploiting a poorly implemented security model. When implemented correctly using existing Citrix security features and Microsoft Security Features your attacks would not work at all.
This was an attack against a poorly implemented Citrix environment.
Nice work either way!
Anthony D., yes you are right. The reason I came up with the script is mainly because I wasn’t aware of any other CITRIX authentication bruteforcer.
pdp : How do you account for domains? I am working on password “grinding” or brute-force… and don’t quite get how to append the Domain name into your script… would be a nice pen-test tool…
RX8volution, I forgot to include that. Give me some time and I will come with an updated script, or you can do that yourself if you want to.
Folks, apparently CITRIX has removed the YouTube videos due to some copyright violation. This is strange and at the same time not the right way to handle security advisories. Still haven't got any response from them around the issue and I seriously doubt that this will ever happen. However, I am going to keep the POC private for now and give them a chance to react on the issue in a sensible way.
It’s strange that Citrix should be able to do this. Does your video:
1. breach the copyright of Citrix, or
2. describe a method for illegally circumventing copyright protection?
If not, then perhaps you could file a “counter-take-down” notice to YouTube, as described here: http://www.youtube.com/t/dmca_policy.
This approach was famously used by Christopher Knight:
http://theknightshift.blogspot.....right.html
Keep on hacking!
Jonathan
Jonathan, thanks. I am not very sure. I guess it has something to do with the CITRIX logo, which appears on the screen when a connection is established. But, that would mean that no one can make tutorials or screenshot their products. Anyway, the videos are still available from GC.
I'm wondering what FREE features Citrix has for deploying apps to the internet in a secure manner. The only thing I could find was the Citrix Secure Gateway 3.0 (is this still supported or maintained?) for which the admin guide and checklist are no longer available, so forget about the documentation.
So as it would seem, you may be required to purchase a Citrix Access Gateway to secure your Citrix environment, am I correct..? If so, this would mean that making Citrix apps available across the web would not be secure out of the box without buying additional hardware.
This is not a statement but more a question I have…
curious mind, I have no idea how CITRIX is shipped but I believe that you are on the right track. However, it is up to the administrator to export applications that do not require authentication. In case your ICA is in the DMZ and you have one of these applications hanging out in there, then you are in big trouble. Unfortunately, this is what we see.
pdp, I totally agree... applications without authentication are asking for trouble... but as you showed, even with authentication you're not really safe, that's why I hope somebody can answer my questions...
Where are the videos? seems youtube has removed them.
check the bottom of the post
thanks pdp, found them