Nmap Development mailing list archives
[RFC] Detect certain Citrix application browsing services
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Fri, 13 Nov 2009 16:54:35 -0600
Hello. Here is a trio of patches that improve detection of a Citrix MetaFrame application browsing service. This is a UDP-based service, typically (always?) found on port 1604, which can be used to enumerate remote applications provided by certain Citrix servers. For more information, reference the following paper and tools:
http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
http://sh0dan.org/oldfiles/pubappbrute.tar.gz

I'm really not that familiar with Citrix environments, but these patches were useful for me recently, so I thought I'd see if there was further interest in them.
The patches are as follows:

citrix-payload.patch - adds a UDP payload definition to payload.cc for port 1604
citrix-service-probe.patch - adds the same payload to nmap-service-probes, along with a corresponding match line
citrix-services.patch - adds port 1604/udp to nmap-services

The effect of these patches is shown in the two scans below:

Without the patches:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-13 16:37 CST
<snip>
Interesting ports on 192.168.128.86:
PORT     STATE         SERVICE VERSION
1604/udp open|filtered unknown

With the patches:

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-13 16:39 CST
<snip>
Nmap scan report for 192.168.128.86
Host is up (0.0015s latency).
PORT     STATE SERVICE    VERSION
1604/udp open  icabrowser Citrix MetaFrame

I'm looking for feedback on a couple of aspects of the patches. First, how should one determine the frequency values when adding entries to nmap-services? I used a value from the next closest port, but that seems pretty arbitrary. Second, the service name I chose for port 1604/udp is the same as that found in Wireshark's services file, but if another name is preferred, that's fine too.
Finally, I mentioned earlier that this service can be used to enumerate applications. These patches don't implement that functionality, but if anybody is interested in a quick NSE project, I think this would be a great addition! You can observe the technique required by reviewing this tool:

http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-scan.c

If there are any questions, or any ways the patches could be improved, please let me know.
Thanks, Thomas
Index: payload.cc =================================================================== --- payload.cc (revision 16071) +++ payload.cc (working copy) @@ -218,6 +218,12 @@ "Amanda 2.6 REQ HANDLE 000-00000000 SEQ 0\n" "SERVICE noop\n"; +/* Citrix MetaFrame application discovery service + From http://sh0dan.org/oldfiles/hackingcitrix.html */ +static const char payload_citrix[] = + "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + static const char payload_null[] = ""; @@ -276,6 +282,9 @@ SET_PAYLOAD(payload_Sqlping); break; */ + case 1604: + SET_PAYLOAD(payload_citrix); + break; /* RFC 2865: "The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812. */
Index: nmap-service-probes =================================================================== --- nmap-service-probes (revision 16071) +++ nmap-service-probes (working copy) @@ -7427,3 +7427,13 @@ # We don't want to send a bunch more probes that will be printed softmatch hp-pjl m|^| i/hp-pdl probe got something back/ + +##############################NEXT PROBE############################## +# Citrix MetaFrame application discovery service +# http://sh0dan.org/oldfiles/hackingcitrix.html +Probe UDP Citrix q|\x1e\0\x01\x30\x02\xfd\xa8\xe3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| +rarity 5 +ports 1604 + +# Citrix MetaFrame +match icabrowser m|^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8| p/Citrix MetaFrame/
Index: nmap-services =================================================================== --- nmap-services (revision 16071) +++ nmap-services (working copy) @@ -2451,6 +2451,7 @@ unknown 1599/udp 0.000330 issd 1600/tcp 0.000263 issd 1600/udp 0.000807 +icabrowser 1604/udp 0.000330 unknown 1605/tcp 0.000076 unknown 1605/udp 0.000330 unknown 1606/udp 0.000330
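Review bot: the comment above payload_citrix should say that these bytes must stay identical to the `Probe UDP Citrix` string in nmap-service-probes, because the two copies are maintained by hand in different notations (payload.cc spells every byte as \xNN, the probe line uses the \0 shorthand) and a drift between them would make the port scanner and version detection send different probes. Naming the port there as well, e.g. `/* Citrix MetaFrame application discovery service, UDP port 1604 */`, lets a reader connect the declaration with the `case 1604:` entry further down. The comment also cites http://sh0dan.org/oldfiles/hackingcitrix.html while the cover mail cites the packetstormsecurity copy; pick one so the reference does not fork.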
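Review bot: the match pattern in the nmap-service-probes hunk hardcodes what looks like the responding server's own address. Its last two bytes, `\xc0\xa8`, are 192.168, the first two octets of the 192.168.128.86 host in the sample scans, and the four bytes before them, `\x02\0\x06\x44`, read as a sockaddr_in header (family 2 = AF_INET, port 0x0644 = 1604), so the bytes that follow are the server's IP. A Citrix server outside 192.168.0.0/16 would fail this match and still show up as unknown. Suggest ending the pattern at the port, i.e. `match icabrowser m|^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44| p/Citrix MetaFrame/`, or capturing the four address bytes into an `i/` field if reporting them is useful.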
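Review bot: the frequency 0.000330 on the new `icabrowser 1604/udp` line is the same value as the neighbouring `unknown` UDP entries (1599/udp, 1605/udp, 1606/udp), which the cover mail acknowledges was copied from the closest port rather than measured. Since the column is meant to carry an observed open-port frequency, a copied value gives the new name no standing of its own in port ordering; record where the number came from in the commit message or derive it from the measured data the rest of the file uses. The placement between 1600/udp and 1605/tcp does keep the file's port order, which is correct.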
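An added example, not part of Thomas's patches or of Nmap's own code: it decodes the q|...| probe string from the nmap-service-probes hunk using the escape rules that file format allows, checks that the result is byte-for-byte the payload.cc literal, and runs the match line's regex over a constructed reply (the sample bytes are made up to fit the pattern, not captured traffic).

```python
import re

# Probe body from the nmap-service-probes hunk (8 header bytes, then 22 \0 bytes).
PROBE_Q = r"\x1e\0\x01\x30\x02\xfd\xa8\xe3" + r"\0" * 22
# The same probe as the C string literal added to payload.cc (30 bytes).
PROBE_C = (b"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
           b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
# Regex body of the match line, compiled as a bytes pattern (re also reads \0 as NUL).
MATCH_ICABROWSER = re.compile(rb"^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8")

# Escapes nmap-service-probes accepts in probe strings besides \xHH.
_SIMPLE_ESCAPES = {"\\": b"\\", "0": b"\x00", "a": b"\x07", "b": b"\x08",
                   "f": b"\x0c", "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\x0b"}

def decode_probe_string(text: str) -> bytes:
    """Turn a q|...| probe string into the raw bytes nmap would send."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
            continue
        esc = text[i + 1] if i + 1 < len(text) else ""
        if esc == "x":
            hexdigits = text[i + 2:i + 4]
            if len(hexdigits) != 2:
                raise ValueError(f"truncated \\x escape at offset {i}")
            out.append(int(hexdigits, 16))   # ValueError on non-hex digits
            i += 4
        elif esc in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[esc]
            i += 2
        else:
            raise ValueError(f"unknown escape \\{esc} at offset {i}")
    return bytes(out)

def classify_reply(data: bytes):
    """Service name the match line would assign to a UDP reply, or None."""
    return "icabrowser" if MATCH_ICABROWSER.match(data) else None

# Constructed reply (made up, not captured): the 14-byte match prefix, two more address
# bytes and padding. c0 a8 80 56 spells 192.168.128.86, the host in the sample scans.
SAMPLE_REPLY = bytes.fromhex("30000231 02fda8e3 02000644 c0a88056 00000000")
# Same reply with 10.0.0.1 in the address slot: the pattern's trailing \xc0\xa8 fails,
# so a server on another network would still be reported as unknown.
SAMPLE_REPLY_OTHER_NET = SAMPLE_REPLY[:12] + bytes.fromhex("0a000001") + SAMPLE_REPLY[16:]
```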
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [RFC] Detect certain Citrix application browsing services Thomas Buchanan (Nov 13)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 15)
- Re: [RFC] Detect certain Citrix application browsing services Fyodor (Nov 16)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 24)
- Re: [RFC] Detect certain Citrix application browsing services Thomas Buchanan (Nov 16)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 16)
- Re: [RFC] Detect certain Citrix application browsing services Thomas Buchanan (Nov 16)
- Re: [RFC] Detect certain Citrix application browsing services Thomas Buchanan (Nov 23)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 24)
- Re: [RFC] Detect certain Citrix application browsing services Thomas Buchanan (Nov 25)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 25)
- Re: [RFC] Detect certain Citrix application browsing services Fyodor (Nov 16)
- Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 15)