Hacking CITRIX - the forceful way

Fri, 05 Oct 2007 15:39:03 GMT

Yesterday I briefly covered how CITIRX hacking works by performing simple enumeration exercises. Today, I will show you how to drill.

As ways, I prepared a video that demonstrates the attack in more visual way. BTW, 90% of test I've done are subjected this type of attack. It is insane really.

In case the video does not work, you can download the high-quality version from over here.

I also did some coding as well. The following script can be used to bruteforce the Windows/Netware logon. With a few mods you can make it work for CITRIX SSLs auth as well.

[/files/2007/10/bforce.js](/files/2007/10/bforce.js)

I have [another script](/files/2007/10/connect.js), which I use to fine tune connections - very suitable when you don't want to deal with ICA but you want to tryout different citrix communication mechanisms and connection options.

[/files/2007/10/connect.js](/files/2007/10/connect.js)

This is it. I hope that you enjoyed the demo.

vindicvindic
amazing again :)
slasherslasher
Hello, first thank you for a great site, it is very nice and informative. I have one remark though, the resolutions of your videos, the text is too small, one can not follow the commands even if the youtube window is maxed. Thanks.
pdppdp
slasher, yes... that's why I included the wmv file at the bottom of this article. It should give you a lot better idea of what's going on.
Sirw2pSirw2p
I love the themesong.. is the same that the film "Oceans eleven" yeah.
radiradi
what about enum.js...? any clues as to where that can be found?
NIXNIX
radi, the enum.js can be found in the other article titled CITRIX: Owning the Legitimate Backdoor.
pdppdp
NIX, thanks... the file can be found over here.
radiradi
*hides head in shame* oopps.... sorry about that guys!!! :) my bad i should have read the other article more carefully.....
Anthony D.Anthony D.
You should note that you are demonstrating exploiting a poorly implemented security model. When implemented correctly using existing Citrix security features and Microsoft Security Features your attacks would not work at all. This was an attack against a poorly implemented Citrix environment. Nice work either way!
pdppdp
Anthony D., yes you are right. The reason I came up with the script is mainly because I wasn't aware of any other CITRIX authentication bruteforcer.
RX8volutionRX8volution
pdp : How do you account for domains? I am working on password "grinding" or brute-force... and don't quite get how to append the Domain name into your script... would be a nice pen-test tool...
pdppdp
RX8volution, I forgot to include that. Give me some time and I will come with an updated script, or you can do that yourself if you want to.
pdppdp
Apparently CITRIX has removed the YouTube videos due to a copyright violation. This is strange and the same time not the right way to handle situations like this.
JonathanJonathan
It's strange that Citrix should be able to do this. Does your video: 1. breach the copyright of Citrix, or 2. describe a method for illegally circumventing copyright protection? If not, then perhaps you could file a "counter-take-down" notice to YouTube, as described here: //www.youtube.com/t/dmca_policy. This approach was famously used by Christopher Knight: http://theknightshift.blogspot.com/2007/08/viacom-hits-me-with-copyright.html Keep on hacking! Jonathan
pdppdp
Jonathan, thanks. I am not very sure. I guess it has something to do with the CITRIX logo, which appears on the screen when a connection is established.
curious mindcurious mind
I'm wondering what FREE features Citrix has for deploying apps to the internet in a secure manner. The only thing I could find was the Citrix Secure Gateway 3.0 (is this still supported or maintained?) from which the admin guide and checklist is no longer avaiable so forget about the documentation. So as it would seem, you maybe required to purchase a Citrix Access Gateway to secure your Citrix environment am I correct..? If so, this would mean that making Citrix apps available across the web would not be secure out of the box without buying additional hardware. This is not a statement but more a question I have...
pdppdp
curious mind, I have no idea how CITRIX is shipped but I believe that you are on the right track. However, it is up to the administrator to export applications that does not require authentication. In case your ICA is in the DMZ and you have one of these application hanging out in there, then you are in a big trouble. Unfortunately, this is what I see most of the times.
curious mindcurious mind
pdp, I totally agree...applications without authentication is asking for trouble..but as you showed that even with authentication you're not really safe that's why I hope somebody can answer my questions..
xyyzyxyyzy
Where are the videos? seems youtube has removed them.
pdppdp
check the bottom of the post
xyyzyxyyzy
thanks pdp, found them
jeffjeff
Gone again, the links...
pdppdp
back again :) still moving infrastructures...
infozinfoz
What did you do to get the scripts working in XP? They execute fine from cmd, wscript is installed, .net, etc.. but they never launch the Citrix client (which is also installed) for enum, connect or bforce. I can launch an .ica file to the target server with no issues however running the .js files never launch the client. Any help is appreciated!