Nmap Development mailing list archives

Re: [RFC] Detect certain Citrix application browsing services


From: David Fifield <david () bamsoftware com>
Date: Sun, 15 Nov 2009 20:13:55 -0700

On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
> Hello.  Here is a trio of patches that improve detection of a Citrix
> MetaFrame application browsing service.  This is a UDP-based service,
> typically (always?) found on port 1604, which can be used to enumerate
> remote applications provided by certain Citrix servers.  For more
> information, reference the following paper and tools:

> http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
> http://sh0dan.org/oldfiles/pubappbrute.tar.gz

> I'm really not that familiar with Citrix environments, but these patches
> were useful for me recently, so I thought I'd see if there was further
> interest in them.

> The patches are as follows:
>
> citrix-payload.patch - adds a UDP payload definition to payload.cc for
> port 1604

I compared this patch to the one from payloads.conf in Unicornscan. Can
you comment on the difference? What do each of the payloads do and what
kind of response is expected?

The Unicornscan payload is
"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

And yours is
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

The match line is
"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

Would you provide packet disassemblies of these?

> I'm looking for feedback on a couple of aspects of the patches.  First,
> how should one determine the frequency values when adding entries to
> nmap-services?  I used a value from the next closest port, but that
> seems pretty arbitrary.

We have a record for port 1604/udp in the master nmap-services-all file,
but because it has a frequency of 0 it is left out of the smaller
nmap-services file.

unknown           1604/udp      0/3027

> Second, the service name I chose for port 1604/udp is the same as
> that found in Wireshark's services file, but if another name is
> preferred, that's fine too.

icabrowser is fine and I've added it to the nmap-services-all file, but
with a frequency of 0, it won't be added when nmap-services is
regenerated. We could modify the generation script to include ports that
are named even if their frequency is too small.

I tried this, and it results in 302 additional lines in nmap-services,
bringing the total number of lines to 20,192. Although the number of
added lines is small, most of them are just where a TCP port shares the
same name as a UDP port, even when a service commonly runs on only one
or the other. Fyodor, what do you think about adding these named ports
to the distributed nmap-services, even if their frequency is below the
inclusion threshold?

David Fifield
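The two probe payloads and the match bytes quoted above are easier to compare once decoded. The following is an added example, not code from the thread, from Unicornscan or from Nmap: it decodes the three escaped strings exactly as they appear in the message, diffs the two payloads byte by byte, checks whether the leading byte of each payload equals its length (an observation about the bytes on the page, not a protocol fact the thread confirms), and applies the match bytes as an anchored prefix match the way an Nmap `match` regex starting with `^` would (the anchoring is assumed). The sample response fed to the matcher is constructed.

```python
import re
from typing import List, Optional, Tuple

# The three byte strings quoted in the thread, copied verbatim as C-style escapes.
UNICORNSCAN_PAYLOAD = (
    r"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
PATCH_PAYLOAD = (
    r"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
MATCH_PATTERN = r"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

# \xNN (hex), \NNN (octal, as in the match line's "\0"), or a literal character.
# Only the escape forms used on the page are handled.
_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|(.)", re.DOTALL)


def c_escapes_to_bytes(text: str) -> bytes:
    """Decode a C / nmap-service-probes style escaped string into raw bytes."""
    out = bytearray()
    for hex_digits, oct_digits, literal in _ESCAPE_RE.findall(text):
        if hex_digits:
            out.append(int(hex_digits, 16))
        elif oct_digits:
            out.append(int(oct_digits, 8))
        else:
            out.append(ord(literal))
    return bytes(out)


def diff_bytes(a: bytes, b: bytes) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Return (offset, byte_in_a, byte_in_b) for every offset where the two differ.
    None marks an offset beyond the end of the shorter string."""
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            diffs.append((i, x, y))
    return diffs


def first_byte_is_length(payload: bytes) -> bool:
    """True when byte 0 equals the total payload length. Both probes on the page
    satisfy this; whether the protocol really carries a length prefix there is an
    inference from the bytes, not something the thread states."""
    return len(payload) > 0 and payload[0] == len(payload)


def response_matches(response: bytes) -> bool:
    """Apply the quoted match bytes as an anchored prefix match (anchoring assumed,
    as for an Nmap 'match' regex beginning with '^')."""
    pattern = re.escape(c_escapes_to_bytes(MATCH_PATTERN))
    return re.match(pattern, response) is not None


def analyse() -> dict:
    """Summarise lengths, differences and the length-prefix observation."""
    uni = c_escapes_to_bytes(UNICORNSCAN_PAYLOAD)
    patch = c_escapes_to_bytes(PATCH_PAYLOAD)
    match = c_escapes_to_bytes(MATCH_PATTERN)
    return {
        "unicornscan_len": len(uni),
        "patch_len": len(patch),
        "match_len": len(match),
        "diffs": diff_bytes(uni, patch),
        "unicornscan_len_prefixed": first_byte_is_length(uni),
        "patch_len_prefixed": first_byte_is_length(patch),
        # 0xc0 0xa8 are the first two octets of 192.168.x.x. The thread does not
        # say what these trailing bytes are; this only flags them for a human to check.
        "match_tail_dotted": ".".join(str(b) for b in match[-2:]),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run as a script it prints that the payloads differ only in byte 0 (0x20 versus 0x1e) and in the Unicornscan payload's two extra trailing zero bytes, that byte 0 equals the payload length in both cases, and that the match pattern ends in bytes that read as 192.168 if taken as address octets, which is worth confirming against a real capture before relying on the match outside the network it was recorded on.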
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
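The regeneration rule David describes (drop records whose frequency is too low, optionally keeping any record that carries a real service name) can be modelled in a few lines. This is an added example, not Nmap's generation script: it parses lines in the layout of the `unknown 1604/udp 0/3027` record quoted in the thread, reading `0/3027` as hits/total (an assumption that makes the thread's "frequency of 0" fall out directly), and shows how the named-port variant pulls in a TCP/UDP pair that shares one name. Only the 1604/udp line comes from the page; the other rows and their counts are constructed, and the threshold value is assumed because the thread does not state it.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of the nmap-services-all record quoted in the
# thread. Only "icabrowser 1604/udp 0/3027" reflects the page (after the rename
# David mentions); the other rows and their counts are made up for the demo.
SAMPLE_SERVICES_ALL = """\
# Fields: name  port/proto  hits/total
http              80/tcp        2410/3027
icabrowser        1604/tcp      0/3027
icabrowser        1604/udp      0/3027
unknown           1605/udp      0/3027
"""


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    port: int
    proto: str
    hits: int
    total: int

    @property
    def frequency(self) -> float:
        # "0/3027" read as hits/total (assumption); 1604/udp then has frequency 0.
        return self.hits / self.total if self.total else 0.0


def parse_services_all(text: str) -> List[ServiceRecord]:
    """Parse name / port-proto / hits-total lines, skipping comments and blanks."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, ratio = line.split()
        port, proto = portproto.split("/")
        hits, total = ratio.split("/")
        records.append(ServiceRecord(name, int(port), proto, int(hits), int(total)))
    return records


def select_for_nmap_services(records: List[ServiceRecord],
                             min_frequency: float = 0.0,
                             keep_named: bool = False) -> List[ServiceRecord]:
    """Keep a record when its frequency exceeds the threshold, or, with keep_named,
    when it has a real name even though its frequency is too low. The real
    threshold is not given in the thread; "must be above 0" is assumed."""
    chosen = []
    for r in records:
        named = r.name != "unknown"
        if r.frequency > min_frequency or (keep_named and named):
            chosen.append(r)
    return chosen


def format_line(r: ServiceRecord) -> str:
    """Render a record in a name / port-proto / decimal-frequency layout."""
    return f"{r.name:<17} {r.port}/{r.proto:<9} {r.frequency:.6f}"


def count_extra_named(records: List[ServiceRecord]) -> int:
    """How many lines the keep_named variant adds over the plain threshold rule."""
    plain = select_for_nmap_services(records)
    named = select_for_nmap_services(records, keep_named=True)
    return len(named) - len(plain)


if __name__ == "__main__":
    recs = parse_services_all(SAMPLE_SERVICES_ALL)
    for r in select_for_nmap_services(recs, keep_named=True):
        print(format_line(r))
    print("extra lines from named ports:", count_extra_named(recs))
```

With the sample input the plain rule keeps only 80/tcp; the named variant adds both icabrowser rows, which is exactly the TCP/UDP same-name pairing David notes accounts for most of the 302 extra lines, while the unnamed 1605/udp row stays out under either rule.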

