Citrix ClearPassword (launch.ica)

["wirepair" <wirepair () roguemail net>]

while doing a pen-test I noticed after stealing launch.ica 
files from a users IE cache directory, they have a 
different ClearPassword= field. It appears of 
AutologonAllowed is set to ON this will be saved after 
using nFUSE to login to the citrix metaframe. These fields 
are as follows:
AutologonAllowed=ON
Username=test
Domain=\25A43DEFACEDCODE   (16 bytes, hash)
ClearPassword=D4239AF390DB09 (16 bytes, hash..)
This obviously is an issue, the ClearPassword worries me, 
unfortunately I'm not a cipher kid so I'm not exactly
sure what type of hash this is, or how it was created. I 
tried after researching how the password is kept in
the APPSRV.INI file and tried to mimic the length but alas 
it did not work. If you have any information regarding 
what cipher this is or how its created please let me know 
so I can add this to my hackingcitrix.txt. Thanks
-wire

P.S: I tried to just use the launch ica but it tries to 
log in to the metaframe host itself and not the domain so 
the login attempt fails and the ***** is erased. This is 
why i'm in need of knowing how to get the password from 
this hash.
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>


----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="http://www.securityfocus.com/core";> http://www.securityfocus.com/core</A>