Welcome. We have talked about Citrix and Terminal Servers. I have found a bit more about published applications, and I want to show you how you can connect to those published applications. But Citrix can't do that. First I should say that this presentation will be put up on the website. The one in the program you have on your CD is old, three months or so, so this is new. And that's how it is. And I think the tools are there too. And if there are questions, if something is really not clear, you can ask about it, but it's better for you to come up and see me. We have all these t-shirts; Rika is over there, Rika with the hand up. We haven't had time to put them out. I would also like to ask d'Artagnan to put up a link to my part: www.devcom.org.

We will talk about: what are Terminal Servers, or Terminal Services? A quick overview or so. And how to abuse Terminal Services: a scan for non-public published applications. There are public applications, published applications that you can reach, and there are several servers out there that have published applications, but you can't just see them or connect to them. I will do a demonstration on this machine. This is a freshly installed Citrix server with some published applications. It has two network interfaces, and one network interface is the master browser, the Citrix master browser. I can't reach it from this computer. I will show you how it can be done. And then I will show statistics from a very large scan. It was a scan of some millions of IP addresses. I will not tell you how many servers I found, but I will tell you the statistics about them.

So, what is Terminal Services? Well, it's like a remote multi-user desktop. It's more or less like X. It's not that fancy for us Unix freaks, but for Windows it's really weird: you start an application on one server, it runs over at the server, and only the changes in the window go over the network to you, to the client. So it's like sitting locally at a PC, but over a network. You have just a client to connect to a server, and everything runs on the server. You have to remember that.

And Citrix has a feature called published applications. We will come very much into that, but it's like this: you can execute a program, like Word or something. You can ask a server, what applications do you have that I can run? And it's just like Word. Okay, let's try it. So it's a little bit weird. Everything works fine. It's really beautiful, this Terminal Services, because you no longer have to download lots of data and programs over your modem line. The only thing that goes over is the changes on the desktop. It's very fast and very nice. I really like it.

But there are some weird things that you really have to know when setting this up. There are several people running different desktops on the Citrix server. That means the Citrix server starts up lots of desktops and then sends the changes of each desktop to the right client. If you own the Citrix server, you have access to all these desktops, of course. So that's a little bit weird. So, elevation of rights, and this is done on 2000. I usually use PipeUpAdmin or PipeUpSam. There are some different tools for elevation of rights on NT. Also, when you're starting up your application, your published application like Notepad or something, it's just Notepad, nothing there. Or is it? Well, the desktop is there, but it's just hidden. You can start it up and everything. The problem is breaking out from the given environment that you have. And one more really fun thing, or weird thing, about Citrix is that these published applications are anonymous. Okay, this means you're sitting on the Internet, the Citrix server has published an application that you can connect to anonymously and execute. You break out from that environment and upload your cool new elevation-of-rights stuff to it. Elevation of rights, and you have the server with lots of users and bosses and so on reading their mail. So it's quite fun.

So how do you find these published applications? I think the fastest way is to port scan for TCP port 1494. It's the Citrix port; you always need that port. If you don't have that port, you can't connect, so it's very easy to just scan for it. But it's even easier to just search for published applications that companies are publishing for you, like demos and so on. And it's weird how many servers are out there that just want you to take over their network. If you find an open port 1494, you can use a Citrix client to enumerate the published applications. You start up the Citrix network client, or whatever it's called, and make a new connection: I want to connect to this Citrix server, and what kind of published applications does it have? Yeah, this and that. You can start checking.

Here's a network dump from a normal Citrix client's published-application enumeration session. The Citrix client is asking the server what kind of published applications it has, but the client does it this way. I don't know if you can see the cursor here. Here's the client asking the Citrix server. It's a UDP question on port 1604. So the Citrix client sends a first packet asking, where is the master browser? And the response is: the master browser is C1UBUCUD. C1UBUCUD, twice. I'm lying a little bit, but more or less. This C1UBUCUD is an IP address, so you just convert from hex to digits. Then the client will of course ask the server: okay, you are the master browser, give me your published applications. And the server will enumerate all the published applications for you.

But there is a problem. What happens if the master browser is not public? The client asks first, where is the master browser? And the server says it's on a 10 network, like our internal network; it's firewalled and everything. And the Citrix client will try to connect to this 10 address, this private address, but it will fail. So I have written a small tool that just asks the Citrix server directly for the published applications. Because otherwise, if you use the Citrix client to connect to a Citrix server and ask it for published applications, the client of course asks first, where is the master browser? And the server answers, it's 10.11.12.13. So the client tries to connect to it, and of course, no connection. The little Perl script I've written only works on Unix, because it's using alarm functions. It's using blocking sockets. I only send "give me all your published applications", and it works perfectly. It's beautiful. It sends back one or more packets of published applications. It's really cool. I'll show you later.

But connecting to these published applications: okay, you have a list now, here are the published applications, but how should you connect to them? Because the Citrix client is not open source, as far as I know. And there's really weird stuff you have to do to connect. It's not hard stuff, but it's weird stuff, because with the Citrix client you have to spoof the answers from the Citrix server twice. There's the master browser spoof and the application server spoof. I will show you; it's not that hard. I have written two programs that can connect directly to the published applications when the master browser is not public. I will just show you how the connection to a published application goes. First the client asks, where is the master browser? And the server will tell you it's a non-public IP address. So I have to spoof that one. And then the client will ask, okay, I want to connect to this published application. And the server will answer, yeah, you are welcome to do that, on a non-public IP address. So the connection will fail. But if you change all the address stuff to the public Citrix server IP address, you will get that connection. Do you understand? The master browser is just trying to trick you. The Citrix server has these applications, and you need to connect to this internal IP address. Usually they have a firewall or something, or a NAT network.

I have also written a script that takes the output from my Citrix PA scanner, the program that enumerates all the applications, steps through it and tries to connect to all the applications. After each connect it asks you how it went and logs the results. I checked thousands of published applications. It's a really fast way to do it; it takes just a few seconds per published application. So the PA scanner takes as input an IP address, a minus for standard input, or a file, or the keyword random, where it reads from /dev/urandom to get the IP addresses. It just says, give me the published applications, and the server gives them to you.

The proxy is a little bit weirder. You have to bear with me. You start up your proxy; it can be locally or on another Linux computer or something. The client connects to the proxy and the proxy connects to the server: where is the master browser? The server will respond to the proxy saying, it's this non-public master browser IP address. But the proxy changes it to say, well, the master browser is the proxy. So your client connects to the proxy next time and says, oh, I want to run this published application. The proxy sends that to the server and the server sends back: welcome, to this non-public address. And the proxy changes it again: okay, okay, we change it again, saying you're welcome at this public IP address. And then it starts the normal TCP connection. You understand that to do this we need UDP 1604 to the Citrix server, and of course 1494, otherwise we can't connect. Okay?

So we'll make a demonstration now. I will do an Nmap scan and show the tools. Here it is. Don't sleep. So here's my Linux computer, and I set an IP address for it. No, I tried. I tried for like one hour and it didn't work. I'm really sorry, I really tried. Oh, it sucks. What? What do you say? No, no, no. It's VMware. It's VMware. I tried to find the font, but it's not working. Okay, I can tell you a little bit. I'm making a port scan. It says port scan 1494, and I've just written three IP addresses I wanted to check. And 192.168.100 has an open port. So, okay, we'll try to connect to it with our Citrix client. I start up my Citrix client and say, it's way far away, and I call it DMA, it doesn't matter. Published applications. And here, in the server location, I enter the IP address of the server that has this open port, 192.168.100 for this one. And it just doesn't work. No, no, no, it shouldn't work. I can't enumerate the published applications, because there are two interfaces, and the interface I'm not connected to is the master browser. So I can't really get the published applications right now. And lots of people, I think, have their Citrix servers and try to publish applications and say, well, I can't get it with the client, so people can't see my published applications. Well, surprise for you.

Now running my Citrix PA scanner. It's a small Perl script that just asks the server right away: what are your published applications? And there it is. The output is the IP address you're connected to, then the master browser IP address, and a boolean for whether you need a proxy or not. And then come all the published applications. There can be hundreds of them, you know. So we now start up our proxy instead and use it to connect to the Citrix server. Now I've started the proxy, okay? It says: the Citrix server we are the proxy for is 192.168.100, the one I couldn't connect to, and I will listen on this address, because this is a remote computer that is the proxy. So I will listen on this IP address and proxy it to the .100 address. Okay? So I have to change the server location to the proxy, of course. And I try now to enumerate the published applications through the proxy, more or less. The proxy tries it, but the proxy says, oh, wait a second. The first packets, you don't really know what they are. So the proxy says, oh, stop, I recognize this is the enumeration of published applications, so please try again. Okay, we will do that. Try again. Oh, there it is. So we can connect to Notepad or something and hope it's not passworded. Anonymous. And it's more like, I want a remote desktop, Windows, more fun. I will see. And that's default, default, default, finish. I double-click here and say a prayer. Yeah! It's awesome. Every time it works for me. Oh baby.

So we are now connected to the published application behind the non-public master browser. And there are three ways of breaking out of the environment. The easiest way is File, Open, Explorer. I will do that. No, no, it's serious. I have done so many tests, in penetration tests and so on, and if none of these three works, it takes hours. But you have to learn these three. The first is File, Open. The second is F1. Remember F1? If you have SAP, SAP R/3, a login window or something: F1, and start breaking out from there. And the third is the Task Manager. People, believe me, I checked thousands and thousands of published applications, and these three work. I will show you statistics later. So it's File, Open, and then you just take one, right-click, Explorer. And then the magic starts happening. Oh, where's the desktop? Where is it? It was hidden. I recognize this. I don't know. Let's see. Do you want me to hack it? No, it's a .100 machine. Well, that's just one way to do it. I think twice or something.

So this was with the proxy. But it takes a very, very long time if you have hundreds of published applications to test. So I've written another script, called pas.pl. It's just a small Perl script that makes an ICA file. It takes a template ICA file, changes stuff in it and then launches it. Really easy. I can show the template file; you will not see it in this font, I guess. Something like this, bold or something. So it's nothing really. This PAPAPA is changed to the published application name, and IPIPIP is changed to the public IP address. And if you need encryption, you just add this one line here. It's in the readme files; it's not that hard. And then you have the output from the scanner program that enumerates the published applications. You have to rename it to pas.v. This is the output from the scanner program. This sucks. Something like this, I guess. It says my output here, but here it starts with the IP address and everything. And this script will parse it, take data from it and step through it. Let's show it.

So yes, pas.pl. It just looks up the IP address and the first application, creates an ICA file, launches the ICA file and connects to it. For this application, called Policy Editor for administrators, you need a password. Don't give a fuck. In the output here I just say, okay, login required, and it takes the next one. Fax queue program: you need a password, so I just say login required. And fax cover page editor: oh, okay, this works. Oh, what a surprise. So usually you can just press F1 in the fax cover page editor and try to connect or explore something from there. Usually it tries to start up the web help, and all of your favorites are there. File, Open, Explorer is much faster, but I can show you the Task Manager. In Citrix you press Ctrl+F3 to get the Task Manager. And it's just Run, explorer. And it says now, okay, this is cool stuff: the Citrix client asks, the Citrix server wants access to your computer, your files, so local files on your client. Of course I want full access. I will show you why. Because now I can just open My Computer and have all my local exploits, and just drag them over to the server. Very beautiful. I have to press... back to the presentation somewhere.

So how does it look out there? I can't really tell you how many servers I tried, but there are a lot, and I will give you some statistics about it. It's not that wow, but it's some nice facts. You have to remember that these statistics are not statistically right, of course. It's more like a guideline or something. I'm using very short time-out values on the scans. I met some very, very large server farms, with hundreds of applications on several IP addresses, so the same applications on like 10 IP addresses, and that takes over the statistics. So it's more like guidelines, what to expect to find.

42% of the Citrix servers didn't need a proxy: the master browser was the public IP address tested. 44% of these servers, that you can just connect to and enumerate all the published applications on, had no published applications. 58% of the Citrix servers needed a proxy, but there a smaller percentage had no published applications. Here's the fun stuff. The Citrix servers that you didn't need a proxy for and that had published applications had many; the average was like 12 published applications per server. 5% of all the published applications were anonymous and vulnerable. 5% of all the published applications, under these conditions, I could just connect to, get the desktop and everything and do whatever I wanted with it. I have to tell you, I didn't do anything. I really just tried to connect to it. I did connect to it, it let me in, and I checked if I could break out from the environment. If I could, I just logged off. If you needed a login, I never tried to log in. I never tried to hide data or something, write to the hard disk and so on. 5% of the published applications are anonymous and vulnerable. About 20% of the servers I tested were mine, more or less. If you just check, almost every time it's on the internal network. Less than 1% of the published applications you had anonymous access to but somehow couldn't break out from the environment. It's good; it's like 2% of the servers, it's really nice. 92% of the published applications required login, and for 3% of the published applications I got an error, like licensing problems: yeah, I'm not licensed or something.

For the servers that you need a proxy for, it's only 2% of the published applications, about 10% of the servers, that are anonymous and vulnerable. 1% of the published applications, even less, like 1% of the servers, had an anonymous application that I couldn't break out from. It could be like a DOS script or something; I tried to break out with Ctrl+C or something and it just quit me out. 96% of the published applications required login, and for 2% of the published applications I got errors. Here it is: don't need proxy, need proxy. So the servers that are behind a firewall or something, that don't have a public master browser, seem to be less vulnerable. Yeah, people that don't have firewalls don't care or something.

So what can you do? Yeah, of course you need a firewall. If you really want to have published applications, try to invest in a VPN solution or something, so you need to authenticate really well. And the breaking-out stuff is also really hard. It's very, very, very hard, because in Windows everything is merged with everything else. Explorer is everywhere. Open something, close something, everything is Explorer or a web page or something. Open a document, write a URL, and you can click on it: Internet Explorer and everything. Also strong ACLs and regedt32, and of course the Citrix white papers. You need the white papers, checklists and white papers to protect you. If you don't want to read, you can buy stuff. There are two commercial products, one called AppSense and one called SecureEXE from SecureWave. I think what SecureWave is doing is really cool. They have a demonstration site running with an anonymous FTP account where you can upload your exploit to test the system. I think it's cool.

Is this the end? Oh no, just scratching the surface. There's so much more to do. Like, if I want to connect to a very long published application name or something, what happens with the Citrix server? And lots more stuff I really want to go into but don't have the time for right now. There are probably some vulnerabilities in the Terminal Server. I will check it maybe next year. I hope you have enjoyed it, and my tools are available. If you need me, I have my business cards lying here. If you have questions, you can call me too. I'm living in Sweden, Central European time there, so not in the middle of the night. Thank you very much.