Re: Citrix exploits?

From: Ben Nell (enemy.cow@gmail.com)
Date: Sun Aug 13 2006 - 23:55:38 EDT


On 11 Aug 2006 22:35:38 -0000, 09Sparky@gmail.com <09Sparky@gmail.com> wrote:
> Does anyone have any good techniques or exploits available for Citrix (web)? I am working on exploiting a Citrix server with a front end webpage, but am unsuccessful. Any suggestions/thoughts?

Do you have a valid user name and login for the Citrix farm? If the
launch.ica files (provided as links, once logged into the web
interface) can be downloaded and opened in a text editor, they will
provide you with information about the connection that the farm is set
up to use. Is the web interface using SSL? If the site's running
over SSL, it's possible that they have their farm behind a Citrix
Access Gateway (AG) or MetaFrame Secure Access Manager (MSAM). In the
case that an AG or MSAM is deployed, the connection is encrypted on
the backend; otherwise you should be able to capture session
information on the backend. You can tell if one of these technologies
is in use because ports 1494 (ICA) and 2598 (session reliability) will
not be open in such a setup.

I would also note the type of farm that's set up. Citrix "best
practice" suggests setting up a farm using the naming convention
"meta01" for the first server in the farm and moving up. I would
check for additional DNS names using the same convention.
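
As an added example for this thread (not code posted by Ben, the original
poster, or Citrix), the following Python script puts the three checks in the
reply into code: it parses a downloaded launch.ica for the connection details,
reads SSLEnable/SSLProxyHost to decide whether the session is fronted by an SSL
gateway (and so whether 1494/ICA and 2598/session reliability should answer
from the outside), and generates the meta01, meta02, ... names to look up in
DNS. The two .ica samples are constructed: the key names are genuine ICA keys,
but every host, address, user and application in them is invented, and the
_lookup/_tcp_open helpers and the output field names are this example's own.

```python
"""Triage a Citrix launch.ica and plan the follow-up checks from the reply.
Added example for this thread; not code from the original post."""
import configparser
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample launch.ica files. Key names (Address, CGPAddress,
# SSLEnable, SSLProxyHost, EncryptionLevelSession) are real ICA keys; the
# hosts, addresses, user and application are invented for the example.
DIRECT_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.5.21:1494
Domain=CORP
Username=jdoe
EncryptionLevelSession=Basic
SSLEnable=Off
CGPAddress=*:2598
"""

# The same application published through an SSL gateway (constructed).
GATEWAY_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.5.21:1494
Domain=CORP
Username=jdoe
EncryptionLevelSession=RC5 (128 bit)
SSLEnable=On
SSLProxyHost=gateway.corp.example:443
"""

def parse_ica(text: str) -> configparser.ConfigParser:
    """launch.ica is INI-style text; keys may repeat, so parse non-strictly."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp

def _host_port(value: str, default_port: int):
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, default_port)

def summarize(text: str) -> Dict[str, object]:
    """Pull the connection details an assessor wants out of one .ica file."""
    cp = parse_ica(text)
    app = next(iter(cp["ApplicationServers"]))   # first published application
    sect = cp[app]
    server, ica_port = _host_port(sect.get("Address", ""), 1494)
    via_gateway = sect.get("SSLEnable", "Off").lower() == "on" and "SSLProxyHost" in sect
    cgp_port: Optional[int] = None
    if "CGPAddress" in sect:                      # session reliability (CGP, 2598)
        cgp_port = _host_port(sect["CGPAddress"], 2598)[1]
    # Without a gateway the client speaks ICA/CGP straight to the farm, so those
    # ports should answer; behind AG/MSAM only the SSL proxy is exposed.
    probe = [] if via_gateway else [p for p in (ica_port, cgp_port) if p]
    return {
        "application": app, "server": server, "ica_port": ica_port,
        "session_reliability_port": cgp_port,
        "via_ssl_gateway": via_gateway, "gateway": sect.get("SSLProxyHost"),
        "encryption": sect.get("EncryptionLevelSession", "unknown"),
        "user": f"{sect.get('Domain', '')}\\{sect.get('Username', '')}",
        "backend_ports_to_probe": probe,
    }

def farm_hostnames(prefix: str = "meta", first: int = 1, count: int = 10,
                   domain: Optional[str] = None) -> List[str]:
    """Candidate names following the meta01, meta02, ... convention in the reply."""
    names = [f"{prefix}{n:02d}" for n in range(first, first + count)]
    return [f"{n}.{domain}" if domain else n for n in names]

def _lookup(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except OSError:                               # socket.gaierror is an OSError
        return None

def resolve_names(names: List[str],
                  lookup: Callable[[str], Optional[str]] = _lookup) -> Dict[str, Optional[str]]:
    """Map each candidate name to an address, or None when it does not resolve."""
    return {n: lookup(n) for n in names}

def _tcp_open(host: str, port: int, timeout: float) -> bool:
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def check_ports(host: str, ports: List[int], timeout: float = 2.0,
                is_open: Callable[[str, int, float], bool] = _tcp_open) -> Dict[int, bool]:
    """TCP connect test for the ICA (1494) and session reliability (2598) ports."""
    return {p: is_open(host, p, timeout) for p in ports}

if __name__ == "__main__":
    import sys
    for label, ica in (("direct", DIRECT_ICA), ("gateway", GATEWAY_ICA)):
        print(label, summarize(ica))
    if len(sys.argv) > 1:                         # python ica_triage.py corp.example
        for name, addr in resolve_names(farm_hostnames(domain=sys.argv[1])).items():
            if addr:
                print(name, addr, check_ports(addr, [1494, 2598]))
```

Run without arguments it only parses the two embedded samples; given a DNS
domain it resolves meta01 through meta10 under that domain and connect-tests
1494 and 2598 on whatever answers. An empty backend_ports_to_probe list with a
gateway value set is the gateway case from the reply; a populated list with no
gateway is the case where session traffic can be captured on the backend.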


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:42 EDT