Nmap Development mailing list archives

[RFC] Detect certain Citrix application browsing services


From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Fri, 13 Nov 2009 16:54:35 -0600

Hello. Here is a trio of patches that improve detection of a Citrix MetaFrame application browsing service. This is a UDP-based service, typically (always?) found on port 1604, which can be used to enumerate remote applications provided by certain Citrix servers. For more information, reference the following paper and tools:

http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
http://sh0dan.org/oldfiles/pubappbrute.tar.gz

I'm really not that familiar with Citrix environments, but these patches were useful for me recently, so I thought I'd see if there was further interest in them.

The patches are as follows:

citrix-payload.patch - adds a UDP payload definition to payload.cc for port 1604
citrix-service-probe.patch - adds the same payload to nmap-service-probes, along with a corresponding match line
citrix-services.patch - adds port 1604/udp to nmap-services

The effect of these patches is shown in the two scans below:

Without the patches:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-13 16:37 CST
<snip>
Interesting ports on 192.168.128.86:
PORT     STATE         SERVICE VERSION
1604/udp open|filtered unknown

With the patches:
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-13 16:39 CST
<snip>
Nmap scan report for 192.168.128.86
Host is up (0.0015s latency).
PORT     STATE SERVICE    VERSION
1604/udp open  icabrowser Citrix MetaFrame


I'm looking for feedback on a couple of aspects of the patches. First, how should one determine the frequency values when adding entries to nmap-services? I used a value from the next closest port, but that seems pretty arbitrary. Second, the service name I chose for port 1604/udp is the same as that found in Wireshark's services file, but if another name is preferred, that's fine too.

Finally, I mentioned earlier that this service can be used to enumerate applications. These patches don't implement that functionality, but if anybody is interested in a quick NSE project, I think this would be a great addition! You can observe the technique required by reviewing this tool:

http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-scan.c

If there are any questions, or any ways the patches could be improved, please let me know.

Thanks,

Thomas
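The following is an added example, not part of the original post or of the Nmap tree: it takes the probe bytes and the match pattern from the patches below and evaluates the match the way nmap-service-probes would (a PCRE anchored at the start of the reply), against replies constructed here. The reply layout (12-byte header followed by the responder's IPv4 address) is an assumption inferred from the match bytes and the 192.168.128.86 test host, and RELAXED_MATCH is a hypothetical alternative pattern, not something the patches contain.

```python
"""Evaluate an nmap-service-probes match line against constructed replies."""
import re
import socket

# Probe bytes from the proposed payload.cc patch: 8 non-zero bytes + 22 NULs.
CITRIX_PROBE = b"\x1e\x00\x01\x30\x02\xfd\xa8\xe3" + b"\x00" * 22

# Pattern body exactly as written in the proposed match line (nmap m|...| body).
PROPOSED_MATCH = r"^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

# Hypothetical alternative (not in the patch) that stops before the bytes
# \xc0\xa8, which are assumed to be the first two octets of a 192.168.x.x
# responder address rather than a protocol constant.
RELAXED_MATCH = r"^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44"


def nmap_match_to_regex(body: str) -> re.Pattern:
    """Compile an nmap-service-probes m|...| body as a Python bytes regex.

    nmap patterns are PCRE; for these examples the only translation needed is
    the "\\0" escape (a NUL byte) to "\\x00", which Python's re accepts without
    any octal-escape ambiguity.
    """
    translated = re.sub(r"\\0(?![0-7])", r"\\x00", body)
    return re.compile(translated.encode("ascii"))


def constructed_response(responder_ip: str) -> bytes:
    """Build a sample reply with the layout implied by the match line.

    Constructed for this example (an assumption, not a captured packet):
    a 12-byte header that echoes the probe's bytes 4..7, followed by the
    responder's IPv4 address in network byte order and some padding.
    """
    header = b"\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44"
    return header + socket.inet_aton(responder_ip) + b"\x00" * 16


def service_matches(body: str, response: bytes) -> bool:
    """True if the reply would satisfy the given match line body."""
    return nmap_match_to_regex(body).search(response) is not None


if __name__ == "__main__":
    for ip in ("192.168.128.86", "10.0.0.5"):
        reply = constructed_response(ip)
        print(f"responder {ip:15} proposed={service_matches(PROPOSED_MATCH, reply)} "
              f"relaxed={service_matches(RELAXED_MATCH, reply)}")
```

Run as a script, the proposed pattern matches the constructed 192.168.128.86 reply but not the 10.0.0.5 one, while the relaxed pattern matches both; that is the behaviour to check against real captures before deciding how many trailing bytes the match line should pin down.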


Index: payload.cc
===================================================================
--- payload.cc  (revision 16071)
+++ payload.cc  (working copy)
@@ -218,6 +218,12 @@
   "Amanda 2.6 REQ HANDLE 000-00000000 SEQ 0\n"
   "SERVICE noop\n";
 
+/* Citrix MetaFrame application discovery service
+   From http://sh0dan.org/oldfiles/hackingcitrix.html  */
+static const char payload_citrix[] =
+  "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
+  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
 static const char payload_null[] = "";
 
 
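Review bot: the source comment on the new payload_citrix constant cites http://sh0dan.org/oldfiles/hackingcitrix.html, while the cover letter cites http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt; pick one reference and use it consistently in both files. It would also help maintainers to note in the comment that the payload is 30 bytes and that bytes 4..7 (\x02\xfd\xa8\xe3) are echoed back by the responder, since the match line in nmap-service-probes depends on exactly those bytes.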
@@ -276,6 +282,9 @@
       SET_PAYLOAD(payload_Sqlping);
       break;
     */
+    case 1604:
+      SET_PAYLOAD(payload_citrix);
+      break;
     /* RFC 2865: "The early deployment of RADIUS was done using UDP port number
        1645, which conflicts with the "datametrics" service. The officially
        assigned port number for RADIUS is 1812. */
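Review bot: the new `case 1604:` is dropped directly after the `*/` that closes the commented-out Sqlping block and directly before the RADIUS comment, with no comment of its own. The neighbouring cases each carry a short comment naming the service; add one (e.g. `/* Citrix MetaFrame application browser */`) so the intent of the bare port number is clear when reading the switch.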
Index: nmap-service-probes
===================================================================
--- nmap-service-probes (revision 16071)
+++ nmap-service-probes (working copy)
@@ -7427,3 +7427,13 @@
 
 # We don't want to send a bunch more probes that will be printed
 softmatch hp-pjl m|^| i/hp-pdl probe got something back/
+
+##############################NEXT PROBE##############################
+# Citrix MetaFrame application discovery service
+# http://sh0dan.org/oldfiles/hackingcitrix.html
+Probe UDP Citrix q|\x1e\0\x01\x30\x02\xfd\xa8\xe3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
+rarity 5
+ports 1604
+
+# Citrix MetaFrame
+match icabrowser m|^\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8| p/Citrix MetaFrame/
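Review bot: the match pattern ends in `\xc0\xa8`, which is 192.168, the first two octets of the 192.168.128.86 host used in the cover-letter scans; if those bytes are the responder's own address rather than a protocol constant, this match will silently fail for servers on any other network. Suggest ending the pattern at `\x06\x44` (or, if the address really is there, capturing it into an `i/` info field) and confirming against a capture from a non-192.168 host before committing. Also, the probe string here should be checked byte-for-byte against payload_citrix in payload.cc, since the two are written with different escape styles (`\0` here, `\x00` there) and a mismatch would not be caught by either file.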
Index: nmap-services
===================================================================
--- nmap-services       (revision 16071)
+++ nmap-services       (working copy)
@@ -2451,6 +2451,7 @@
 unknown        1599/udp        0.000330
 issd   1600/tcp        0.000263
 issd   1600/udp        0.000807
+icabrowser     1604/udp        0.000330
 unknown        1605/tcp        0.000076
 unknown        1605/udp        0.000330
 unknown        1606/udp        0.000330
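Review bot: the 0.000330 frequency is the same value carried by the surrounding `unknown` udp entries (1599, 1605, 1606), i.e. a placeholder rather than a measured frequency for this service; that is acceptable for an initial entry, but say so in the commit message so it is not mistaken for survey data. Placement is correct, as the file is sorted by port and 1604 falls between 1600 and 1605.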
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/