Nmap Development mailing list archives
Re: [RFC] Detect certain Citrix application browsing services
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Mon, 16 Nov 2009 16:45:24 -0600
David Fifield wrote:
> I would feel better if we knew exactly what this packet is doing. Is it a harmless server ping, is it requesting a connection, is it allocating some server resources? Maybe try different remote desktop dissectors in Wireshark.
Fair enough. I'll try to get access to a test system and do some more detailed research on what's going on.
> What do you know about port 1494? It is citrix-ica in nmap-services. The Wikipedia article on ICA says it runs on port 1494 but doesn't mention 1604 (http://en.wikipedia.org/wiki/Independent_Computing_Architecture). What happens if you run this payload on port 1494?
My understanding is that port 1494 is the port used for the actual remote desktop/application presentation aspects of Citrix. So when you connect to a Citrix server to start an application, port 1494 is used for authentication and authorization, and then for communication between the client and the server during the remote application session.
The service on UDP port 1604 seems to be more of an application browsing service, similar to the UDP-based SQL Server Browser Service that is part of Microsoft SQL Server systems. In the case of MS SQL, clients can query the service to determine what instances of SQL Server are available, and how to connect to them (either via TCP ports, or named pipes). In Citrix, it seems that clients can query the service to determine what applications are being published by the main Citrix server (which runs on port 1494). Hopefully this analogy clears up the picture a bit.
Thanks, Thomas