Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Citrix ClearPassword (launch.ica)

From: "wirepair" <wirepair () roguemail net>
Date: Tue, 25 Feb 2003 05:17:22 -0800
Yeah I researched that site before I posted, I know this is not the actual password because I retreived about 16 total ica files from users. They are all 16 bytes, and, per user they do not differ. User1 has launch[1].ica launch[2].ica ect. So this rules out a 'session' based hash (each file had different creation dates). I believe this must be generated by the nFuse server, but unfortunately my citrix eval expired (doh). heh, thanks again to everyone who responded. -wire On Tue, 25 Feb 2003 11:15:22 +0100 
 miguel.dilaj () pharma novartis com wrote:

Hello wirepair
In http://www.dabcc.com/nfuse/Docs/ica_file_explained.htm you've this:
Password= Specifies the password for the user account. This is an optional field. The password, if used, must be encrypted. To enter an encrypted password into the ICA file, use the Citrix ICA Client Remote Application Manager New Entry Wizard to create a remote application entry. When you are prompted for the username and password, enter the password that you want to use in the ICA file. Finish the New Entry wizard. Open the file APPSRV.INI in the Windows directory and locate the entry you just created. Copy the password value and paste it into your ICA file. ClearPassword= Specifies the clear text (unencrypted) password for the user account. This is an optional field. To use a clear text password, the Password field must be set to a null value (for example: Password=).
From this information, it seems that the string 'D4239AF390DB09' isn't a hash, but the password itself (sounds strange, isn't it? But 
worth trying...).
I haven't found info on the encryption algorithm used, but, alas, I didn't search too much ;-) 
Cheers,
Miguel
aka Nekromancer






"wirepair" <wirepair () roguemail net>
24/02/2003 20:05
To: vuln-dev () securityfocus com, pen-test () securityfocus com cc: Subject: Citrix ClearPassword (launch.ica)
while doing a pen-test I noticed after stealing launch.ica files from a users IE cache directory, they have a different ClearPassword= field. It appears of AutologonAllowed is set to ON this will be saved after using nFUSE to login to the citrix metaframe. These fields are as follows: 
AutologonAllowed=ON
Username=test
Domain=\25A43DEFACEDCODE   (16 bytes, hash)
ClearPassword=D4239AF390DB09 (16 bytes, hash..)
This obviously is an issue, the ClearPassword worries me, unfortunately I'm not a cipher kid so I'm not exactly sure what type of hash this is, or how it was created. I tried after researching how the password is kept in the APPSRV.INI file and tried to mimic the length but alas it did not work. If you have any information regarding what cipher this is or how its created please let me know so I can add this to my hackingcitrix.txt. Thanks 
-wire
P.S: I tried to just use the launch ica but it tries to log in to the metaframe host itself and not the domain so the login attempt fails and the ***** is erased. This is why i'm in need of knowing how to get the password from this hash. 
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>


----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? 
CORE IMPACT does.</Pre>
<A href="http://www.securityfocus.com/core";> http://www.securityfocus.com/core</A> 






_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>


----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="http://www.securityfocus.com/core";> http://www.securityfocus.com/core</A>
Previous By Date Next
Previous By Thread Next

Current thread: