Nmap Development mailing list archives

Re: [RFC] Detect certain Citrix application browsing services


From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Mon, 16 Nov 2009 16:45:24 -0600

David Fifield wrote:
> I would feel better if we knew exactly what this packet is doing. Is it
> a harmless server ping, is it requesting a connection, is it allocating
> some server resources? Maybe try different remote desktop dissectors in
> Wireshark.

Fair enough. I'll try to get access to a test system and do some more detailed research on what's going on.

> What do you know about port 1494? It is citrix-ica in nmap-services. The
> Wikipedia article on ICA says it runs on port 1494 but doesn't mention
> 1604 (http://en.wikipedia.org/wiki/Independent_Computing_Architecture).
> What happens if you run this payload on port 1494?

My understanding is that port 1494 is the port used for the actual remote desktop/application presentation aspects of Citrix. So when you connect to a Citrix server to start an application, port 1494 is used for authentication and authorization, and then for communication between the client and the server during the remote application session.

The service on UDP port 1604 seems to be more of an application browsing service, similar to the UDP-based SQL Server Browser Service that is part of Microsoft SQL Server systems. In the case of MS SQL, clients can query the service to determine what instances of SQL Server are available, and how to connect to them (either via TCP ports, or named pipes). In Citrix, it seems that clients can query the service to determine what applications are being published by the main Citrix server (which runs on port 1494). Hopefully this analogy clears up the picture a bit.

Thanks,

Thomas
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

