Nmap Development mailing list archives
Re: [RFC] Detect certain Citrix application browsing services
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Mon, 16 Nov 2009 12:08:41 -0600
David Fifield wrote:
> On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
> > Hello. Here is a trio of patches that improve detection of a Citrix
> > MetaFrame application browsing service. This is a UDP-based service,
> > typically (always?) found on port 1604, which can be used to enumerate
> > remote applications provided by certain Citrix servers. For more
> > information, reference the following paper and tools:
> >
> > http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
> > http://sh0dan.org/oldfiles/pubappbrute.tar.gz
> >
> > I'm really not that familiar with Citrix environments, but these patches
> > were useful for me recently, so I thought I'd see if there was further
> > interest in them.
> >
> > The patches are as follows:
> >
> > citrix-payload.patch - adds a UDP payload definition to payload.cc for
> > port 1604
>
> I compared this patch to the one from payloads.conf in Unicornscan. Can you
> comment on the difference? What does each of the payloads do and what kind
> of response is expected? The Unicornscan payload is
>
> "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>
> And yours is
>
> "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>
> The match line is
>
> "\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"
>
> Would you provide packet disassemblies of these?
David,

Thanks for taking a look at these patches. The difference between the Unicornscan payload and the one I provided appears to be limited to the number of padding bytes added at the end of the packet, and the first byte of the packet, which appears to be part of the packet length field.
As far as I know, the format of these packets is not fully documented anywhere online. Wireshark doesn't seem to have a dissector for them, so I'm not sure precisely what the packet fields consist of. I took them from a file named README.pabrute, which is part of the pubappbrute.tar.gz file that I posted a link for previously. Here is how the author explains the initial packet and the server response:
"Packet 1: Valid Connection Client ->
The first packet sent is a 'hello are you out there' type packet. This will invoke a response from the citrix server. This packet payload *never* changes and you will always see this (packet) first.

Packet 2: Valid Connection <- Server
This packet is the response from the server, it is also static and will never change."
These are accompanied by hex printouts of the packet contents, which is where I got the probe for payload.cc and nmap-service-probes, as well as the initial corresponding match line. I did some testing against three Citrix servers that were on the network I was working on a couple of weeks ago, and found that each server sent back a slightly different response, but did send back the same response each time. I took the common portion of the response (the first 14 bytes were the same from all the servers) and made that the final match line that I submitted. I can't say for sure what the remaining portion of the server response includes, but if anybody has a pointer to information that could help decode the responses more completely, I'd be happy to look into it further.
Thanks,
Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
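An added example, not code from the thread or from Nmap, that checks the two probe payloads quoted above against the leading length byte Thomas points to, reports exactly where they differ, and applies the 14-byte match prefix the way a service-detection match line would; reading the first two bytes as a little-endian length and the 48-byte sample response are assumptions.

```python
# Citrix application-browser (UDP/1604) probe payloads as quoted in the thread.
UNICORNSCAN_PROBE = (
    b"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
NMAP_PATCH_PROBE = (
    b"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
# The 14 response bytes common to all three servers Thomas tested.
MATCH_PREFIX = b"\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44\xc0\xa8"


def declared_length(packet: bytes) -> int:
    """Assumption: the first two bytes are a little-endian total length.
    The thread only says the first byte 'appears to be part of the
    packet length field'; this treats it as the low byte of a 16-bit field."""
    return int.from_bytes(packet[:2], "little")


def length_consistent(packet: bytes) -> bool:
    """True when the declared length equals the actual packet size."""
    return declared_length(packet) == len(packet)


def probe_difference(a: bytes, b: bytes):
    """Return (offsets that differ within the common prefix, size delta)."""
    common = min(len(a), len(b))
    diffs = [i for i in range(common) if a[i] != b[i]]
    return diffs, len(a) - len(b)


def matches_citrix_browser(response: bytes) -> bool:
    """Match as the submitted nmap-service-probes line does: only the first
    14 bytes are compared, because bytes past that varied per server.
    Note (unverified): the last two prefix bytes, 0xc0 0xa8, equal 192.168
    if read as address octets; if they are an address, the prefix would be
    network-specific and a shorter match line might be more robust."""
    return response.startswith(MATCH_PREFIX)


# Constructed sample response: the shared prefix padded to 48 bytes so the
# leading byte (0x30) agrees with the total size under the same assumption.
SAMPLE_RESPONSE = MATCH_PREFIX + b"\x00" * (0x30 - len(MATCH_PREFIX))
```

Both probes satisfy the length check (0x20 = 32 bytes, 0x1e = 30 bytes), and the only differing offset is byte 0, which supports reading the difference as two bytes of padding plus the length field.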