CITRIX HACKING

Citrix

Presentation Server 4.5
New version is called XenApp/Server

Common Deployments
  Nfuse classic
  CSG – Citrix Secure Gateway

Citrix Components
  Server farm
  Citrix XML service
  ICA client device
  Nfuse Web server
  CSG – Citrix Secure Gateway
  STA – Secure Ticketing Authority

Different Interfaces

Browser accessible
  http://server/Citrix/AccessPlatform/auth/login.aspx

Program neighbourhood
  http://server/Citrix/PNAgent/config.xml

Gateway for Citrix Conferencing Manager
  http://server/Citrix/cmguest

NFuse Classic

(Diagram: ICA Client Device – Browser, ICA Client – NFuse Network)

Browser Enters Credentials Into NFuse Web Page

NFuse Sends Credentials To XML Service To Validate

If Valid, XML Service Retrieves Application List From Farm

NFuse Displays Application List

User Selects Application And Receives An ICA File

ICA Client Loads ICA File And Connects To Citrix Farm

ICA Client Doesn’t NEED NFuse To Connect To Server Farm


XML Service Can Sit On Independent Web Server

XML Service Can Sit On One Of The App Servers

XML Service Can Sit On The Nfuse Server

Holes In Firewall Please

Common Basic Deployment For Remote Network Application Exposure

Citrix Secure Gateway


Browser Enters Credentials Into NFuse Web Page

NFuse Sends Credentials To XML Service To Validate

If Valid, XML Service Retrieves Application List From Farm

User Selects Application And NFuse Requests Ticket From STA

Ticket Returned To Browser As Part Of ICA File

CSG Verifies Ticket Against STA

If Verified Then Access Is Provided To Server Farm

ICA File And Ticket Format Explained Later

More Secure As Server Farm Not Exposed.

Firewalls In Between Segments

ICA Client Connects To CSG (SSL) And Sends Ticket

Places To Sniff


HTTP Traffic Between Browser And Nfuse

Cleartext credentials posted to login form

Web Cookie

ICA file returned from NFuse

USE HTTPS

Places To Sniff

HTTP Traffic Between NFuse And XML Service

Cleartext XML contains ‘encoded’ credentials

Character encoding table (each character becomes four letters):
  a -> M E G B
  b -> M H G C
  c -> M G G D
  d -> M B G E
  e -> M A G F
  f -> M D G G
  g -> M C G H
  h -> M N G I
  i -> M M G J
  j -> M P G K
  k -> M O G L
  l -> M J G M
  m -> M I G N
  n -> M L G O
  o -> M K G P

Password examples:
  t    -> N B H E
  te   -> N B H E L E B B
  tes  -> N B H E L E B B M H G C
  test -> N B H E L E B B M H G C L D B G

USE HTTPS
USE SSL Relay

In deployments that do not support running the SSL Relay, run the NFuse Web server on your Citrix server
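The encoding behind the table and the t/te/tes/test samples above, as an added example that is not from the deck: the algorithm is inferred from those values (assumption: a running XOR chain with a fixed 0xA5 mask, nibbles written as the letters A..P) rather than taken from any Citrix specification. It reproduces every row of the slide and shows that no key is involved, which is why the deck insists on HTTPS or the SSL Relay for this hop.

```python
# Added example, not from the original deck. The scheme below is inferred
# from the slide's table; it is an assumption, not Citrix's published spec.

LETTERS = "ABCDEFGHIJKLMNOP"  # nibble 0..15 -> 'A'..'P'


def _byte_to_letters(b: int) -> str:
    """Render one byte as two letters, high nibble first."""
    return LETTERS[b >> 4] + LETTERS[b & 0x0F]


def _letters_to_byte(pair: str) -> int:
    return (LETTERS.index(pair[0]) << 4) | LETTERS.index(pair[1])


def encode(password: str) -> str:
    """Each character becomes four letters, as in the slide's table.

    x_i = c_i XOR x_(i-1) with x_0 = 0; emit (x_i XOR 0xA5) then x_i.
    There is no key, so this is obfuscation rather than encryption.
    """
    out, prev = [], 0
    for ch in password.encode("ascii"):
        x = ch ^ prev
        out.append(_byte_to_letters(x ^ 0xA5) + _byte_to_letters(x))
        prev = x
    return "".join(out)


def decode(encoded: str) -> str:
    """Invert encode(); the second letter pair of each group already carries x_i."""
    if len(encoded) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out, prev = [], 0
    for i in range(0, len(encoded), 4):
        masked = _letters_to_byte(encoded[i:i + 2])
        x = _letters_to_byte(encoded[i + 2:i + 4])
        if masked != (x ^ 0xA5):  # halves disagree: corrupt or a different format
            raise ValueError(f"inconsistent group at offset {i}")
        out.append(chr(x ^ prev))
        prev = x
    return "".join(out)


if __name__ == "__main__":
    # Constructed check against the rows printed on the slide.
    for ch in "abcdefghijklmno":
        print(ch, "->", " ".join(encode(ch)))
    print("test ->", " ".join(encode("test")))
```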

Places To Sniff

ICA protocol is not encrypted by default


ICA Traffic From Client Or CSG

USE SecureICA
USE SSL/TLS
USE SSL Relay

ICA File Format

Connection Data Between ICA Client And Server
.ini type layout
Doesn’t contain clear text credentials

[ApplicationServers]
Calc=

[Calc]
Address = 192.168.237.101:1494
BrowserProtocol = HTTPonTCP
ClearPassword = 0674F0F9BD3B0D
Domain = \DB247117DF8EC22A
InitialProgram = #calc
SSLProxyHost = CSG Address
Username = Whoami

Nfuse Ticket
  Apparently it has an expiry time
  XOR credentials and send to XML server
  Get Ticket in response
  Split ticket, prepend \ and place into domain:password

STA Ticketing
  Is not server authentication
  Places ticket in the address field of .ica file
  40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4

If I can talk to the STA server I can create STA tickets
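A parser for the ICA file shown above, added here as an example that is not from the deck: it reads the .ini layout and reports which ticket form each application entry carries, so a reviewer can tell an NFuse Classic file (farm address exposed directly) from a CSG one. Assumptions: the NFuse ticket is ClearPassword followed by Domain with its leading backslash removed, as the "split ticket, prepend \" bullet describes, and an STA ticket sits in Address as three ';'-separated fields whose last field is the 16-byte hex ticket.

```python
# Added example, not from the original deck. Ticket layout assumptions are
# taken from the slide's bullets and the sample values, nothing else.
import configparser
import re

# Constructed sample: the [Calc] section copied from the slide.
SAMPLE_ICA = """
[ApplicationServers]
Calc=

[Calc]
Address = 192.168.237.101:1494
BrowserProtocol = HTTPonTCP
ClearPassword = 0674F0F9BD3B0D
Domain = \\DB247117DF8EC22A
InitialProgram = #calc
SSLProxyHost = CSG Address
Username = Whoami
"""

HEX16 = re.compile(r"^[0-9A-Fa-f]{32}$")  # a 16-byte ticket written as hex


def parse_ica(text: str) -> dict:
    """Summarise every application listed under [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ClearPassword, not clearpassword
    cp.read_string(text)
    report = {}
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        addr = sec.get("Address", "")
        info = {"address": addr, "uses_csg": "SSLProxyHost" in sec}
        # STA form (assumed): 40;STA47;<32 hex chars> in the Address field
        parts = addr.split(";")
        if len(parts) == 3 and HEX16.match(parts[2]):
            info["sta_ticket"] = parts[2]
            info["direct_server_address"] = False  # client talks to CSG, not the farm
        else:
            info["direct_server_address"] = True   # farm host:port is in the file
        # NFuse form: ticket halves in ClearPassword and Domain (leading '\' stripped)
        pw = sec.get("ClearPassword", "")
        dom = sec.get("Domain", "").lstrip("\\")
        if pw and dom:
            info["nfuse_ticket"] = pw + dom
        report[app] = info
    return report
```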

Ticketing

STA MACHINE

UNIQUE TICKET

ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES

Uses pseudo-random number generation to produce a 16-byte hex string.

For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters

Shadowing

Allows Snooping On Other Sessions
On by default
Prompts user

Authentication

NFuse Web Application
  Controls access to the Web Application

Citrix Server Farm
  Published application setting
  Controls access to the application

Anonymous Accounts

Anon001 – Anon014
  Created upon install
  Password set on each use

Anonymous Access
  Easy to use
  Used for ‘temporary’ application use

Citrix XML Service

Installed By Default On Port 80
  ISAPI extension under IIS
  Can be set for different port

Sensitive Operations Require Auth
  Unless turned off for smartcard passthru

Used by Nfuse and PNAgent
  Validate Credentials
  STA Requests
  Server Enumeration

Brute Force Web Page
  Brute force the NFuse login page

Brute Force ICA File
  Will attempt to connect to Citrix application server
  ActiveX and API make this easy

Ask The IMA Service
  Sits on UDP port 1604
  Unauthenticated requests will respond with application list

Ask The XML Service
  By default sits on TCP port 80
  If you ask politely it tells you

Gaining Access

Gaining Access
  Anonymous vs Standard Internal User

Breaking The Citrix Sandbox
  Weak security settings

Uploading Tools
  Alternative file transfer methods

Privilege Escalation
  Third party or windows vulnerability

Token Theft
  Full domain control

Demonstration

No Citrix Vulnerability Exploited
  Weak / default configuration

Anonymous Application Access
  Was only part of the issue

Pretty Common Scenario
  Most citrix reviews involve gaining ‘shell’ access

Recap

Lockdown Citrix
  Disable file sharing
  Enable ‘run only published applications’
  Turn on encryption and use SSL

Lockdown OS
  Use group policy to enforce restrictions
  Disable the runas service

Lockdown File System
  Restrict users’ access to directories and commands

Understand The Weaknesses
  Hopefully this demonstration has helped

Securing

www.insomniasec.com