Penetration Testing mailing list archives

Re: [PEN-TEST] Citrix


From: Christopher Winter <cwinter () mentortech com>
Date: Tue, 10 Oct 2000 13:29:45 -0400

It's been a while since I have worked a lot with Citrix.  Most of my
experience is with Citrix MetaFrame on NT 4.0 Terminal Server Edition, so I
am not sure how much will apply to the newer Windows 2000 based installs of
MetaFrame.  Either way here are some comments:

Citrix access is always done via a Citrix client.  The web based Citrix
access (through an applet) is still using the regular old Citrix
ports/client for access.  Looking at the sniffer traces, a web client
connects to the web server, and then it downloads the appropriate applet
(one for IE, one for Netscape), after this it is done with port 80 or 443
(or whatever http(s) port you are using.)  From there on it uses ICA on TCP
port 1494 (this being the default port, which can and should be changed.)
The Citrix client will also connect up to UDP 1604, to gain access to the
ICA Master Browser, IF published applications and/or Server Farms are being
used.  You can use a bunch of the Citrix Query commands to pull info from
the ICA Master Browser.  The CMD line based utilities are installed with
Metaframe, and require a few DLLs that are present in the Terminal Server
edition of NT 4.0.  They may work on 4.0 if you register the DLLs that they
bark for.  Also it may work from 2000, I have never tried.  I don't recall
if IP addresses can be used with the query commands, if not drop the
ICA-browser IP in your lmhosts file.  The query commands that can be used
are:

QUERY LICENSE /SERVER:<SERVERNAME> /ALL  (this will list all the licensing
info about all of the Citrix servers that this ICA browser knows about.
This is a great way to get info for social engineering, and also a good way
to determine other Citrix servers on the network.)

QUERY SERVER gives a boatload of information.  Browse over to
http://www.citrix.com/support and look in appendix A of the MetaFrame 1.8
administration manual (located in the product documentation section :) for
the exact syntax, and a description of all of the switches you can use.

Anyway, the QUERY stuff isn't going to break you into a Citrix Server, but
it will give you a lot of net mapping info, and a possible Social
Engineering slant.  After determining where the Citrix servers are, I like
to just try and logon to them.  In the old days of WinFrame the guest
account was usually an easy way to get in, as it was based off of the 3.51
rev of NT, which by default had the guest account enabled with a blank
password (I think they fixed that with a patch later on, but I can't recall
for sure.)

Most of the Servers that I have ever tested belonged to a domain, and the
admins were usually not smart enough to tweak the registry to NOT allow
users to change from the domain logon to a local machine logon at the
initial logon screen.  Many times it is as easy as changing to the local
machine, and trying to logon with administrator and a cheesy password (such
as blank, password, admin...you get the idea) that they used during the
install, prior to adding the machine to the domain.

Another thing that I see quite often is the Microsoft RDP (Remote Desktop
Protocol) port left open (TCP 3389.)  Now any admin worth their salt will
block everything at the firewall, however, some will leave the RDP port
open.  RDP is Microsoft's implementation of the RDP protocol :).  It is
slow, and doesn't have any of the nifty extras that the ICA protocol has,
that is why you hardly ever see a MS Terminal Server without Metaframe
installed on top.  It often gets overlooked, and all the security in the
world on the ICA sessions is moot if you can make an RDP connection.  The
RDP client can be downloaded from Microsoft's site (the ActiveX IE plugin is
located at http://www.microsoft.com/Windows2000/news/bulletins/tsac.asp .)
Also don't forget that ICA runs over other transports besides TCP/IP, such
as IPX, and even NetBEUI (this may not help from an Internet based pentest,
but it has its uses on the LAN.)

It is also important to remember that NT 4.0 Terminal Server Edition is
usually a few months behind the regular version of NT 4.0 in its service
pack releases.  Currently they are both at SP6 (not sure about hot-fixes
though), however, for the longest time TSE was at SP4, and NT was up to SP5
(possibly SP6, I don't recall.)  So if a particularly nasty attack comes out
for NT 4, there is a fairly good chance that it won't get fixed for TSE for a
few months.

On many Citrix Servers anonymous access is given to certain published
applications.  This is a great place to start trying to 'bust' out of your
current context, to gain admin/console access to the box.  Attack this like
you had been given console guest access to a server, with locked down ACLs.
If you are at the machine, there has got to be a way to elevate your
permissions, or to access data outside of your little sandbox.  An easy one
that comes to mind is the system info applet that runs from the help menu
inside MS Office (97 for sure, not sure about other versions.)  This will
allow you to get to a 'run' prompt where you can possibly run things
like regedit, cmd.com etc.  You get the idea.

I hope this is what you were looking for.  If you have any additional
questions, drop me a line.  If anyone sees anything that looks out of place
here, please let the list know.

Thanks,

Chris Winter
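A defender's check for the exposure the post describes, added here and not part of the original message: it scans constructed firewall accept-log lines (the log format is assumed for this example) for Internet-sourced connections to the ICA default port, the ICA Master Browser port and RDP, the three ports the post says should not be reachable from outside.

```python
# Added example (not from the original post): flag perimeter exposure of the
# ports the post discusses: ICA on TCP 1494 (the default, which the post says
# should be changed), the ICA Master Browser on UDP 1604, and RDP on TCP 3389,
# which the post notes is often left open on MetaFrame servers.
import ipaddress
import re

# Assumed log format (constructed for this example):
# "<action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Port-to-service mapping taken from the post; 80/443 only carries the applet.
CITRIX_SERVICES = {
    ("TCP", 1494): "ICA (default port)",
    ("UDP", 1604): "ICA Master Browser",
    ("TCP", 3389): "RDP",
}

# RFC 1918 ranges; flows from these sources are treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
ACCEPT TCP 10.1.1.5:51000 -> 10.1.2.10:1494
ACCEPT TCP 203.0.113.9:40001 -> 198.51.100.20:443
ACCEPT TCP 203.0.113.9:40002 -> 198.51.100.20:1494
ACCEPT UDP 203.0.113.9:40003 -> 198.51.100.20:1604
ACCEPT TCP 203.0.113.77:40004 -> 198.51.100.20:3389
DROP TCP 203.0.113.9:40005 -> 198.51.100.21:3389
""".splitlines()

def find_exposed_citrix(lines):
    """Return (src, dst, service) for each ACCEPTed Citrix/RDP flow from an external source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        service = CITRIX_SERVICES.get((m["proto"], int(m["dport"])))
        if m["action"] != "ACCEPT" or service is None:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in INTERNAL_NETS):
            continue  # internal-to-internal ICA/RDP is expected on a LAN
        findings.append((m["src"], m["dst"], service))
    return findings

if __name__ == "__main__":
    for src, dst, service in find_exposed_citrix(SAMPLE_LOG):
        print(f"{service} reachable from {src} on {dst}")
```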

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Beauregard, Claude Q
Sent: Monday, October 09, 2000 12:15 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Citrix


Has anyone done any penetration regarding Citrix and Internet access as
provided by the Citrix servers to internal network resources?  Even though
they are now using 128-bit encryption for the client, the hole in the firewall
is there waiting to be exploited.

Thanks
Claude
