Nmap Development mailing list archives
Re: [RFC] Detect certain Citrix application browsing services
From: David Fifield <david () bamsoftware com>
Date: Sun, 15 Nov 2009 20:13:55 -0700
On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
> Hello. Here is a trio of patches that improve detection of a Citrix MetaFrame application browsing service. This is a UDP-based service, typically (always?) found on port 1604, which can be used to enumerate remote applications provided by certain Citrix servers. For more information, reference the following paper and tools:
>
> http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
> http://sh0dan.org/oldfiles/pubappbrute.tar.gz
>
> I'm really not that familiar with Citrix environments, but these patches were useful for me recently, so I thought I'd see if there was further interest in them. The patches are as follows:
>
> citrix-payload.patch - adds a UDP payload definition to payload.cc for port 1604
I compared this patch to the one from payloads.conf in Unicornscan. Can you comment on the difference? What does each of the payloads do and what kind of response is expected? The Unicornscan payload is

"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

And yours is

"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

The match line is

"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

Would you provide packet disassemblies of these?
> I'm looking for feedback on a couple of aspects of the patches. First, how should one determine the frequency values when adding entries to nmap-services? I used a value from the next closest port, but that seems pretty arbitrary.
We have a record for port 1604/udp in the master nmap-services-all file, but because it has a frequency of 0 it is left out of the smaller nmap-services file.

unknown 1604/udp 0/3027
> Second, the service name I chose for port 1604/udp is the same as that found in Wireshark's services file, but if another name is preferred, that's fine too.
icabrowser is fine and I've added it to the nmap-services-all file, but with a frequency of 0, it won't be added when nmap-services is regenerated. We could modify the generation script to include ports that are named even if their frequency is too small.

I tried this, and it results in 302 additional lines in nmap-services, bringing the total number of lines to 20,192. Although the number of added lines is small, most of them are just where a TCP port shares the same name as a UDP port, even when a service commonly runs on only one or the other.

Fyodor, what do you think about adding these named ports to the distributed nmap-services, even if their frequency is below the inclusion threshold?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
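An added illustration, not code from the thread or from Nmap: the Python below lays the two quoted probes side by side, reads the leading little-endian word as a length field (an inference from the quoted bytes, since both probes carry their own size there, not documented protocol), and evaluates the proposed match line as a PCRE-style regex the way Nmap's service matching would. The 48-byte response it tests against is constructed from the match line's bytes plus NUL filler.

```python
import re
import struct

# The two UDP probes quoted in the thread: Unicornscan's payloads.conf entry
# and the payload proposed for Nmap's payload.cc (port 1604/udp).
UNICORNSCAN_PROBE = b"\x20\x00\x01\x30\x02\xfd\xa8\xe3" + b"\x00" * 24
NMAP_PROBE = b"\x1e\x00\x01\x30\x02\xfd\xa8\xe3" + b"\x00" * 22

# The proposed match line, kept in Nmap's own escape syntax. Nmap match
# patterns are PCRE, so "\0" is the octal escape for a NUL byte.
MATCH_PATTERN = rb"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

# Constructed sample response (not a real capture): the 14 bytes the match
# line expects, padded with NULs to 48 bytes so the leading 0x30 equals its length.
CONSTRUCTED_RESPONSE = (
    b"\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44\xc0\xa8" + b"\x00" * 34
)


def dissect(datagram):
    """Return (declared_length, actual_length, fixed_bytes, tail_is_all_zero).

    Inference, not documented protocol: in both quoted probes the leading
    little-endian uint16 equals the datagram size, so it is read as a length.
    Bytes 2..7 are the part the two probes share; everything after is filler.
    """
    declared, = struct.unpack_from("<H", datagram, 0)
    tail = datagram[8:]
    return declared, len(datagram), datagram[2:8], all(b == 0 for b in tail)


def diff_probes(a, b):
    """Offsets where two probes differ over their common prefix, plus len(a) - len(b)."""
    common = min(len(a), len(b))
    return [i for i in range(common) if a[i] != b[i]], len(a) - len(b)


def response_matches(data):
    """Evaluate the match line as Nmap would: an unanchored regex search over raw bytes."""
    return re.search(MATCH_PATTERN, data, re.DOTALL) is not None


if __name__ == "__main__":
    for name, probe in (("unicornscan", UNICORNSCAN_PROBE), ("nmap", NMAP_PROBE)):
        declared, actual, fixed, zero_tail = dissect(probe)
        print(f"{name}: declared={declared} actual={actual} fixed={fixed.hex()} zero_tail={zero_tail}")
    print("differing offsets, length delta:", diff_probes(UNICORNSCAN_PROBE, NMAP_PROBE))
    print("constructed response matches:", response_matches(CONSTRUCTED_RESPONSE))
    print("probe itself matches:", response_matches(NMAP_PROBE))
```

Run as-is it shows that the two probes differ only in byte 0 (0x20 versus 0x1e) and in two bytes of trailing filler, while the six bytes after the length are identical.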