Nmap Development mailing list archives

Re: [RFC] Detect certain Citrix application browsing services


From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Nov 2009 14:48:47 -0700

On Mon, Nov 16, 2009 at 12:08:41PM -0600, Thomas Buchanan wrote:
David Fifield wrote:
On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
 > Hello.  Here is a trio of patches that improve detection of a Citrix
 > MetaFrame application browsing service.  This is a UDP-based service,
 > typically (always?) found on port 1604, which can be used to enumerate
 > remote applications provided by certain Citrix servers.  For more
 > information, reference the following paper and tools:
 >
 > http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
 > http://sh0dan.org/oldfiles/pubappbrute.tar.gz
 >
 > I'm really not that familiar with Citrix environments, but these
 > patches were useful for me recently, so I thought I'd see if there
 > was further interest in them.
 >
 > The patches are as follows:
 >
 > citrix-payload.patch - adds a UDP payload definition to payload.cc
 > for port 1604

I compared this patch to the one from payloads.conf in Unicornscan. Can
you comment on the difference? What do each of the payloads do and what
kind of response is expected?

The Unicornscan payload is
"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

And yours is
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

The match line is
"\x30\0\x02\x31\x02\xfd\xa8\xe3\x02\0\x06\x44\xc0\xa8"

Thanks for taking a look at these patches.  The difference between the
Unicornscan payload and the one I provided appears to be limited to the
number of padding bytes added at the end of the packet, and the first
byte of the packet, which appears to be part of the packet length field.

As far as I know, the format of these packets is not fully documented
anywhere online.  Wireshark doesn't seem to have a dissector for them,
so I'm not sure precisely what the packet fields consist of.  I took
them from a file named README.pabrute, which is part of the
pubappbrute.tar.gz file that I posted a link for previously.  Here is
how the author explains the initial packet and the server response:

"Packet 1: Valid Connection
Client ->
The first packet sent is a 'hello are you out there' type packet. This
will invoke a response from the citrix server.  This packet payload
*never* changes and you will always see this (packet) first.

Packet 2: Valid Connection
<- Server
This packet is the response from the server, it is also static and will
never change."

These are accompanied by hex printouts of the packet contents, which is
where I got the probe for payload.cc and nmap-service-probes, as well as
the initial corresponding match line.  I did some testing against three
Citrix servers that were on the network I was working on a couple of
weeks ago, and found that each server sent back a slightly different
response, but did send back the same response each time.  I took the
common portion of the response (the first 14 bytes were the same from
all the servers) and made that the final match line that I submitted.  I
can't say for sure what the remaining portion of the server response
includes, but if anybody has a pointer to information that could help
decode the responses more completely, I'd be happy to look into it
further.

I would feel better if we knew exactly what this packet is doing. Is it
a harmless server ping, is it requesting a connection, is it allocating
some server resources? Maybe try different remote desktop dissectors in
Wireshark.

What do you know about port 1494? It is citrix-ica in nmap-services. The
Wikipedia article on ICA says it runs on port 1494 but doesn't mention
1604 (http://en.wikipedia.org/wiki/Independent_Computing_Architecture).
What happens if you run this payload on port 1494?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
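An added example, not part of this thread or of Nmap's code: the two probe payloads and the 14-byte match line quoted above as Python byte strings, with a check that the leading little-endian 16-bit field equals each probe's total length (0x1e = 30 and 0x20 = 32 bytes, which supports the length-field reading), a check that the probes otherwise differ only in trailing zero padding, and a prefix matcher that classifies a captured reply the way the nmap-service-probes match line would. The 48-byte sample reply and its zero filler are constructed, and reading the reply's first two bytes as a length is an assumption the thread does not confirm.

```python
import struct

# Probe payloads and the match line quoted in the thread, written out as
# Python byte strings (constructed here from the quoted hex escapes).
UNICORNSCAN_PAYLOAD = (
    b"\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
PATCH_PAYLOAD = (
    b"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)
# First 14 bytes that were identical in every server response seen.
MATCH_PREFIX = b"\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44\xc0\xa8"


def leading_length(pkt: bytes) -> int:
    """Read the first two bytes as a little-endian 16-bit length field."""
    return struct.unpack("<H", pkt[:2])[0]


def length_field_consistent(pkt: bytes) -> bool:
    """True when the leading field equals the packet's total byte length."""
    return len(pkt) >= 2 and leading_length(pkt) == len(pkt)


def probes_differ_only_in_length_and_padding(a: bytes, b: bytes) -> bool:
    """Check the claim that the two probes differ only in the length byte
    and in the number of trailing zero padding bytes."""
    short, long_ = sorted((a, b), key=len)
    return (
        short[2:] == long_[2:len(short)]
        and long_[len(short):] == b"\x00" * (len(long_) - len(short))
    )


def classify_response(data: bytes) -> dict:
    """Classify a captured UDP reply the way the match line would (prefix
    match on the 14 common bytes), plus a length-field sanity check that
    assumes replies use the same leading length convention as the probes."""
    return {
        "prefix_match": data.startswith(MATCH_PREFIX),
        "length_consistent": length_field_consistent(data),
    }


# Constructed sample reply: the 14 common bytes plus zero filler, 48 bytes
# in total so that its leading field 0x0030 is consistent (an assumption).
SAMPLE_RESPONSE = MATCH_PREFIX + b"\x00" * (0x30 - len(MATCH_PREFIX))
```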