Penetration testing of citrix server.

"This was previously published at InfoSec Institute's Resources site."

Here I'll discuss about how I did pentest of a citrix server in lab network.


First let us understand about Windows terminal service.

Windows Terminal Services (or Remote Desktop Services) is a feature of Windows 2003/2008 which allows multiple 'sessions' to be brokered to each enabled server, each running a server desktop or embedded application.

Citrix is layered on top of Terminal Services (2003) or the RDS role (2008) and extend the functionality of this 'session based' access. Additional features such as ICA and it's HDX feature set which provide better application performance for interactive, graphical and WAN based applications, resource metric based load balancing, centralized administration, geographically dispersed 'terminal server farm' design options, application publishing (individual apps as opposed to an app embedded in a desktop session), and a rich set of clients for Windows, MAC, Linux, iOS and many other OS platforms to mention just a few of Xenapp's capabilities.  More Information

Bottom Line :: Above para means accessing a PC over the network.

Capability of Citrix:
Citrix has a feature of publishing the application list that are available on the server.

So I tried to enumerate the list of published application.

Tools that are required for pentesting citrix can be found http://www.vulnerabilityassessment.co.uk/citrix_tools.zip     and  http://www.securiteam.com/exploits/5CP0B1F80S.html 

Step 1: Enumerating applications published by citrix:

Way 1: Using nmap script (citrix-enum-apps) and (citrix-enum-servers)

Way 2:  Using perl citrix-pa-scan.pl script

Step 2: Trying to connect to the published application:

Way 1: This method require authentication. Visiting the Citrix web interface for Metaframe Presentation server.
Login URL is http://10.24.*.*/lan/auth/login.aspx 

After login we get the accessible application list.

When we click on any applicaiton launch.ica file is downloaded. Open the file with notepad and check the file content.

There is a parameter "InitialProgram" pointing to the LIFE UAT application on citrix server.
I manipulated the name to explorer.exe

After manipulating the file. Simply double click it to get the explorer of Citrix server.

That's how I did it.

Way 2: Using pas.pl without first level authentication.

*****************************************pas.pl************************************
#!/usr/bin/perl
$|=1;
open(INDATA, "pas.wri") or die "Cant read data file: $!\n";
open(RESULT, ">pas_results.wri") or die "Cant create result file: $!\n";
while($line=<INDATA>) {
  chomp $line;
  next if( $line!~/^(\d+\.\d+\.\d+\.\d+)\|\d+\.\d+\.\d+\.\d+\|[01]\|(.+)/ );
  $ip=$1;
  @pa=split(';',$2);
  foreach $test_pa (@pa) {
    open(TEMPLATE,"template.ica") or die "Cant open template file: $!\n";
    open(ICA,">ica.ica") or die "Cant create ica file; $!\n";
    while($tline=<TEMPLATE>) {
      $tline=~s/IPIPIP/$ip/;
      $tline=~s/PAPAPA/$test_pa/;
      print ICA $tline;
    }
    close(ICA);
    system('ica.ica');
    $result=0;
    while($result < 1 || $result > 5) {
      print "\nHow did the connect to $test_pa on $ip go?\n";
      print "1: Wery well, anonymous login, but no desktop.\n";
      print "2: Anonymous and vulnerable.\n";
      print "3: Login required.\n";
      print "4: Error. No connection or similar.\n";
      print "\n";
      print "5: Redo\n";
      print "> ";
      $result=<>;
      chomp $result;
    }
    redo if($result==5);
    print RESULT "$ip\|$test_pa|$result\n";
   
  }
}

**********************************************************************************
After checking the code it seems that it deals with the following:
1) pas.wri (Output of citrix-pa-scan.pl).
2) template.ica (To generate connection string with citrix, similar to launch.ica)

template.ica:
(Needed by pas.pl)

 [WFClinet]
 Version=2
 ClientName=testClient

 [ApplicationServers]
 PAPAPA=

 [PAPAPA]
 Address=IPIPIP
 InitialProgram=#PAPAPA
 TransportDriver=TCP/IP
 WinStationDriver=ICA 3.0
 DesiredHRES=800
 DesiredVRES=600

3) The result will be given out in pass_results.wri file

(Note: All the 3 file in same folder)

The logic is that pas.pl will try to connect all the application published by citrix server that is mentioned in pas.wri file(Output of citrix-pa-scan.pl)

First instance:

 

For the Dealing Admin Life UAT authentication was needed. I tried some default passwords but it didn't worked.

Second Instance:

For One application default credentials were accepted and I was In ;) Some time there is no login required for the application as shown in Defcon10 videos.

 Final result of all the published application.

Step 3: Breaking out of the environment.

When we get citrix terminal we have restricted environment. In my case I was shown only the blank screen.

Open the task manager.

Open explorer.exe using the task manager to break out from the environment.

Here I was bit confused, whether I am in my own Windows terminal or on the Citrix server.
I traversed the directory and found all aspx file that were used for login and other purpose, confirming I am in the citrix server.
Now we checkout the URL that we logged in to in step 2) lan/auth/login.aspx and other files on the server.

I always wanted to recreate what I see in Defcon. So I created a setup and performed all the steps presented in Defcon10 on citrix hacking. Unfortunately the Names I used were similar to some financial application so I've hidden it.

Refrences:

https://www.defcon.org/images/defcon-10/dc-10-presentations/dc10-vitek-citrix/dc10-vitek-citrix.pdf

http://www.securiteam.com/exploits/5CP0B1F80S.html

Ultimate resource: http://www.vulnerabilityassessment.co.uk/Citrix.html

https://www.pentestpartners.com/blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/