Penetration Testing mailing list archives
AW: (In)Secure Citrix Configs
From: "!s3grim" <persephane () gmx eu>
Date: Fri, 29 Jun 2012 21:54:44 +0200
Hi Lefteris,

this is an amazing, nice bunch of links. Seems I'll have some nice reading time and some cups of coffee to get through all of them. Thanks a lot, to you and also to all the others, too.

!s3grim

________________________________
From: lefteris panos [mailto:lefterispanos () gmail com]
Sent: Friday, 29 June 2012 08:27
To: !s3grim
Cc: pen-test () securityfocus com
Subject: Re: (In)Secure Citrix Configs

Hey,

You can download the audit / hardening guides from DoD here
http://iase.disa.mil/stigs/app_security/remote_desktop/remote_desk.html

Also you can find an audit guide here from SANS
http://it-audit.sans.org/community/papers/security-audit-citrix-nfuse-www-server-published-application-infrastructure_159

As Ivan said, a great series of guides is in
http://synjunkie.blogspot.com.au/2009/03/abusing-citrix-part-1.html

A presentation from insomniasec, dating back to 2009 but still relevant
http://www.insomniasec.com/publications/Hacking_Citrix.ppt

A thorough list is also posted on Penetration Testing Framework here
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
which also has a good list of other resources.

A set of tools can be found here
http://hackarmoury.com/tools
under /infrastructure_tools/windows/citrix_tools

and last but not least the excellent work of Paul Craig with Interactive Kiosk Attack Tool in
http://ikat.ha.cked.net/
and the taskmanager Excel spreadsheet from Didier Stevens here
http://blog.didierstevens.com/2012/05/01/update-taskmanager-xls-v0-1-3-killer-shellcode/

Hope this info will get you started.

Lefteris

On Thu, Jun 28, 2012 at 8:46 PM, !s3grim <persephane () gmx eu> wrote:

Hi guys,

does anyone know any resources about the security of Citrix environments? Anything like the basic security model, like configuration places and usual 'misconfigurations'? Maybe there is also a hardening guide or something about config caveats?

I'd appreciate any useful information.

!s3grim

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------