Nmap Development mailing list archives

Re: [RFC] Detect certain Citrix application browsing services


From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Mon, 16 Nov 2009 12:08:41 -0600

David Fifield wrote:
On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
> Hello. Here is a trio of patches that improve detection of a Citrix
> MetaFrame application browsing service. This is a UDP-based service,
> typically (always?) found on port 1604, which can be used to enumerate
> remote applications provided by certain Citrix servers. For more
> information, reference the following paper and tools:
>
> http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
> http://sh0dan.org/oldfiles/pubappbrute.tar.gz
>
> I'm really not that familiar with Citrix environments, but these patches
> were useful for me recently, so I thought I'd see if there was further
> interest in them.
>
> The patches are as follows:
>
> citrix-payload.patch - adds a UDP payload definition to payload.cc for
> port 1604

I compared this patch to the one from payloads.conf in Unicornscan. Can
you comment on the difference? What does each of the payloads do and what
kind of response is expected?

The Unicornscan payload is
"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

And yours is
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

The match line is
"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

Would you provide packet disassemblies of these?

David,

Thanks for taking a look at these patches. The difference between the Unicornscan payload and the one I provided appears to be limited to the number of padding bytes added at the end of the packet, and the first byte of the packet, which appears to be part of the packet length field.

As far as I know, the format of these packets is not fully documented anywhere online. Wireshark doesn't seem to have a dissector for them, so I'm not sure precisely what the packet fields consist of. I took them from a file named README.pabrute, which is part of the pubappbrute.tar.gz file that I posted a link for previously. Here is how the author explains the initial packet and the server response:

"Packet 1: Valid Connection
Client ->
The first packet sent is a 'hello are you out there' type packet. This will invoke a response from the citrix server. This packet payload *never* changes and you will always see this (packet) first.

Packet 2: Valid Connection
<- Server
This packet is the response from the server, it is also static and will never change."

These are accompanied by hex printouts of the packet contents, which is where I got the probe for payload.cc and nmap-service-probes, as well as the initial corresponding match line. I did some testing against three Citrix servers that were on the network I was working on a couple of weeks ago, and found that each server sent back a slightly different response, but did send back the same response each time. I took the common portion of the response (the first 14 bytes were the same from all the servers) and made that the final match line that I submitted. I can't say for sure what the remaining portion of the server response includes, but if anybody has a pointer to information that could help decode the responses more completely, I'd be happy to look into it further.

Thanks,

Thomas
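An added example, not code from this thread or from Nmap: it decodes the probe and match strings quoted above (nmap-service-probes escape syntax), checks Thomas's observation that the leading byte tracks the packet length (treated here as a 16-bit little-endian field, which is an assumption consistent with both payloads), and classifies constructed UDP/1604 datagrams the way a passive sensor might tag the probe and the 14-byte response prefix.

```python
import re

# Byte strings exactly as quoted in the thread.
UNICORNSCAN_PROBE = (r"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
                     r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
NMAP_PROBE = (r"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
              r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
MATCH_PREFIX = r"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

# Tokens accepted: \xHH, \0, \n, \r, \t, \\ and any literal character.
_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0nrt\\])|(.)", re.S)
_SIMPLE = {"0": 0, "n": 10, "r": 13, "t": 9, "\\": 92}


def decode_escapes(s: str) -> bytes:
    """Turn an nmap-service-probes style escaped string into raw bytes."""
    out = bytearray()
    for hexpair, simple, literal in _TOKEN.findall(s):
        if hexpair:
            out.append(int(hexpair, 16))
        elif simple:
            out.append(_SIMPLE[simple])
        else:
            out += literal.encode("latin-1")
    return bytes(out)


def length_field_matches(payload: bytes) -> bool:
    """Assumption under test: bytes 0-1 are a little-endian total length.
    0x20 0x00 == 32 for the 32-byte Unicornscan probe, 0x1e 0x00 == 30 for
    the 30-byte Nmap probe."""
    return len(payload) >= 2 and int.from_bytes(payload[:2], "little") == len(payload)


def classify(datagram: bytes) -> str:
    """Tag a captured UDP/1604 payload: the static client hello, a server
    reply carrying the 14-byte prefix common to the three observed servers,
    or something else."""
    probes = {decode_escapes(UNICORNSCAN_PROBE), decode_escapes(NMAP_PROBE)}
    if datagram in probes:
        return "citrix-browse-probe"
    if datagram.startswith(decode_escapes(MATCH_PREFIX)):
        return "citrix-browse-response"
    return "other"


if __name__ == "__main__":
    for name, probe in (("unicornscan", UNICORNSCAN_PROBE), ("nmap", NMAP_PROBE)):
        raw = decode_escapes(probe)
        print(f"{name}: {len(raw)} bytes, length field ok: {length_field_matches(raw)}")
    # Constructed sample reply: the common prefix followed by filler bytes.
    print(classify(decode_escapes(MATCH_PREFIX) + b"\x00" * 10))
```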