I was performing some tests recently against a Citrix XenDesktop implementation and came across this. This was tested against Citrix XenDesktop, XenServer, and Receiver 5.6 SP2. This could affect other versions as well.
The Citrix Receiver application connects to a Citrix Web Interface to provide a virtual desktop to a user. The authentication between the Receiver and the Web Interface is done in an XML call over HTTP. By default, the authentication is not configured to use SSL. I would venture to guess that many businesses would not configure SSL on an internal implementation, but that's a conversation for another time.
The Receiver app sends a POST request to enum.aspx and launch.aspx, which contains the username and an encoded password, amongst other information. Instead of trying to crack the encoded password, an attacker can use it as if it were the actual password. An attacker who can capture the authentication traffic can "pass-the-hash" with the captured username and encoded password and gain access to the account and any virtual applications and desktops as that user.
To perform the attack:
- Capture the victim's authentication traffic when they log in with the Receiver app.
- Extract the username and encoded password from the POST request to enum.aspx (shown below).
```
POST /Citrix/XDPNAgent/enum.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: C:\PROGRA~1\Citrix\ICACLI~1\PNAMain.exe
Host: xxx.xxx.xxx.xxx
Content-Length: 705
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd"><NFuseProtocol version="4.6"><RequestAppData><Scope traverse="onelevel" type="PNFolder">$PRELAUNCH$</Scope><DesiredDetails>permissions</DesiredDetails><DesiredDetails>icon-info</DesiredDetails><DesiredDetails>all</DesiredDetails><ServerType>x</ServerType><ServerType>win32</ServerType><ClientType>ica30</ClientType><ClientType>content</ClientType><Credentials><UserName>domain\myuser</UserName><Password encoding="ctx1">ENCODEDPASSWORDHERE</Password><Domain type="NT"></Domain></Credentials><ClientName>COMPUTER01</ClientName><ClientAddress>xxx.xxx.xxx.xxx</ClientAddress></RequestAppData></NFuseProtocol>
```
- Launch a local proxy tool such as Burp and go into Internet Explorer and configure it to proxy through Burp. This is usually your loopback address, 127.0.0.1 port 8080.
- Open the Receiver app and log in with the username and a blank password.
- Burp will then intercept a POST request that looks like the one above.
- Copy the captured encoded password and paste it into the "Password" XML field, then forward the request on. There will be several of these requests, and you will have to do this for each of them.
- Voila! Now you are logged into the Receiver app as the victim. Now you can launch whatever virtual desktop is associated with that user.
- Here is the slightly tricky part. When you launch the virtual desktop, it will again send a similar authentication request into which you paste the encoded password, but you CANNOT leave the connection running through the local proxy or the virtual desktop will not launch.
- Open Internet Explorer and prep the configuration to not use any proxy, but don't click OK yet.
- Click on a virtual desktop through the Receiver to launch it.
- Burp will then intercept the authentication request to launch.aspx. Paste the encoded password into the "Password" XML field again.
- After you forward the request in Burp, IMMEDIATELY switch over to Internet Explorer and apply the proxy settings so that it does not use a proxy anymore.
- If you did it quickly enough, the virtual desktop will launch and you will be logged in as the victim and have complete access to their account, desktop, files, etc.
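A defender's view of the exchange above, as an added example that is not part of the original post: it parses NFuse request bodies shaped like the enum.aspx POST shown earlier and flags credentials sent over cleartext HTTP, plus the same user and encoded password arriving from more than one source address. The record tuple format, function names and sample values are constructed for illustration, and the multi-source check assumes a replayed request reaches the Web Interface from a different host than the victim's.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def make_body(user, secret, client):
    # Constructed sample shaped like the enum.aspx request shown in the post.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">'
            '<NFuseProtocol version="4.6"><RequestAppData><Credentials>'
            f'<UserName>{user}</UserName>'
            f'<Password encoding="ctx1">{secret}</Password>'
            '<Domain type="NT"></Domain></Credentials>'
            f'<ClientName>{client}</ClientName></RequestAppData></NFuseProtocol>').encode()

# Constructed records: (scheme, source IP, POST body), as a sensor or proxy log might supply.
SAMPLE = [
    ("http", "10.0.0.21", make_body("domain\\alice", "CONSTRUCTEDVALUE1", "COMPUTER01")),
    ("http", "10.0.0.77", make_body("domain\\alice", "CONSTRUCTEDVALUE1", "LAPTOP99")),
    ("https", "10.0.0.30", make_body("domain\\bob", "CONSTRUCTEDVALUE2", "COMPUTER02")),
]

def parse_credentials(body):
    """Return (user, encoding, digest, client_name), or None if unusable."""
    if b"<!ENTITY" in body:  # never expand entities from captured traffic
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    user, pw = root.find(".//Credentials/UserName"), root.find(".//Credentials/Password")
    if user is None or pw is None or not pw.text:
        return None
    # Keep only a digest: the encoded value is password-equivalent.
    digest = hashlib.sha256(pw.text.encode()).hexdigest()[:16]
    return user.text, pw.get("encoding"), digest, root.findtext(".//ClientName")

def analyse(records):
    findings, seen = [], defaultdict(set)
    for scheme, src, body in records:
        cred = parse_credentials(body)
        if cred is None:
            continue
        user, _enc, digest, client = cred
        if scheme == "http":
            findings.append(("cleartext-credential", user, src))
        seen[(user, digest)].add((src, client))
    for (user, _), sources in seen.items():
        if len({s for s, _ in sources}) > 1:  # triage signal, not proof of replay
            findings.append(("same-credential-multiple-sources", user, sorted(sources)))
    return findings
```

A user who legitimately signs in from two machines produces the same multi-source finding, so treat it as a prompt to check the second source rather than as a verdict.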
Wow! That's just awesome! Thanks for the detailed post.
It is truly a nice and helpful piece of info. I am happy that you simply shared this helpful info with us. Please keep us informed like this. Thanks for sharing.
This is a good information of the computer softwares detail articles and really like your site.
Hi,
Very nice blog thanks for sharing. And your blog is very helpful and Citrix Receiver the Web Interface. Suggest for This empowers IT Operations to proactively anticipate, resolve, and prevent performance issues in the most complex Citrix xenapp and XenDesktop environments.
Thank You
An application in hosted in citrix environment.........I need an proxy setting set up so that , The request has to be captured in my system..
Example : Citrix environment is in USA no COS.....
Nice blog Content.It is very informative and helpful. Please share more content. Thanks.
nice information.