
I need to pentest a .ica file (a Citrix file). I need to log into Citrix and download the .ica file. From this point, on launching the .ica file, I need to pentest. Any guidance on how to proceed, and tools to use, would be very helpful.

Thanks

  • That's a very broad question. Maybe start with this ["Hacking Citrix" PPTX from SyScan09](https://www.insomniasec.com/downloads/publications/Hacking_Citrix.ppt) to get the general idea, then [this question](https://security.stackexchange.com/questions/92441/citrix-security-flaws). Then generally google for "terminalserver kiosk breakout". – StackzOfZtuff Jan 09 '17 at 13:42

1 Answer


I've tested Citrix ICA quite a few times, but I am unaware of any tool which will verify the security (or lack thereof) of a configuration stored within an ICA file.

Usually, when looking at them, I check that the directives within the file have sane security options. There are a few articles (e.g. this one) which explain what the individual options do, so that gives you some context when reading the file contents.

A few pointers:

  • Compression occurs before encryption, which may allow for CRIME-like attacks using compression oracles, in a scenario where an attacker can influence the plaintext content of the messages being sent (e.g. displaying a constantly changing bitmap on the server side in a web page).
  • InitialProgram is dangerous and you should verify that the server does not accept the directive without a hash (#) prefix. Without the hash, it allows you to set an executable to run when the connection starts, instead of the default shell (e.g. Explorer). This may allow you to break out of certain controls and get to a command prompt or PowerShell environment.
  • If logon tickets are used, ensure that an STAv4 ticket is enforced via LogonTicketType.
  • Make sure PersistentCacheEnabled is not set to Enable, to avoid persistent bitmap caching on the client, which may leak information to another user who later uses the same terminal.
  • Make sure that SSLEnable is set to On. The default is off, which leaves the connection completely unsecured (the underlying ICA crypto is broken).
  • Check that there isn't a Password or ClearPassword directive within the ICA file. The ClearPassword directive contains a plaintext password, which means you can just read the password from the file in plaintext with no issues. The Password directive has an encrypted copy of the password, but there are tools to decrypt them and it is not a secure storage format.
  • EncryptionLevelSession sets what type of crypto to use. All of the options are broken against an active attacker because unauthenticated Diffie-Hellman is used for the key exchange. I recommend EncRC5-128 as it is the strongest option, though still entirely insecure against active attackers who man-in-the-middle the connection. The Basic option is some custom Citrix crypto which is garbage and easily defeated. The fact that all options are broken is why SSL is important to enable.
  • It is a good idea to use AD authentication passthrough where possible, so if they have that implemented then check that UseLocalUserAndPassword is set and that disabling this directive doesn't give you access.

Once you've got access, you need to follow a standard restricted environment breakout methodology. There are plenty of these on the internet, mostly published by pentest organisations, so I suggest you have a search around for some to read and follow.

Polynomial
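The answer above lists the directives worth checking by hand. Since it also notes that no ready-made tool audits an ICA file, here is an added example of a small reviewer-side checker that applies those same checks to a file (this is not the answerer's code, and it is not a Citrix tool). ICA files are INI-style text, so the example uses Python's `configparser`; the two embedded `.ica` samples are constructed for the demonstration, the severity labels are the example's own choice, and whether a given `LogonTicketType` value actually enforces an STAv4 ticket is left to the reviewer because the answer does not give the exact value strings.

```python
import configparser

# Constructed "before" sample: a weakly configured ICA file (not a real Citrix artifact).
SAMPLE_ICA = """\
[WFClient]
Version=2
PersistentCacheEnabled=On

[ApplicationServers]
DemoApp=

[DemoApp]
Address=demo.example.invalid
InitialProgram=DemoApp
ClearPassword=hunter2
LogonTicket=0123456789abcdef
SSLEnable=Off
EncryptionLevelSession=Basic
"""

# Constructed "after" sample: the same file with the directives the answer recommends.
HARDENED_ICA = """\
[WFClient]
Version=2
PersistentCacheEnabled=Off

[ApplicationServers]
DemoApp=

[DemoApp]
Address=demo.example.invalid
InitialProgram=#DemoApp
LogonTicket=0123456789abcdef
LogonTicketType=STAv4-PLACEHOLDER
SSLEnable=On
EncryptionLevelSession=EncRC5-128
UseLocalUserAndPassword=On
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse ICA text as an INI file; directive names keep their original case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase directive names on read
    cp.read_string(text)
    return cp


def audit_ica(text: str):
    """Return a list of (severity, section, directive, message) findings, worst first."""
    cp = parse_ica(text)
    findings = []
    ssl_seen = False          # any section mentions SSLEnable at all
    local_creds_seen = False  # UseLocalUserAndPassword present somewhere

    for section in cp.sections():
        # Compare directive names case-insensitively but report them as written.
        d = {k.lower(): v.strip() for k, v in cp[section].items()}

        if "clearpassword" in d:
            findings.append(("high", section, "ClearPassword", "plaintext password stored in file"))
        if "password" in d:
            findings.append(("high", section, "Password", "reversibly encoded password stored in file"))

        ip = d.get("initialprogram")
        if ip is not None and not ip.startswith("#"):
            findings.append(("medium", section, "InitialProgram",
                             "unhashed InitialProgram; confirm the server rejects it"))

        ssl = d.get("sslenable")
        if ssl is not None:
            ssl_seen = True
            if ssl.lower() != "on":
                findings.append(("high", section, "SSLEnable", "SSLEnable is not On"))

        enc = d.get("encryptionlevelsession")
        if enc is not None:
            if enc.lower() == "basic":
                findings.append(("high", section, "EncryptionLevelSession", "Basic Citrix crypto in use"))
            elif enc.lower() != "encrc5-128":
                findings.append(("medium", section, "EncryptionLevelSession",
                                 "weaker than EncRC5-128 (all levels still need SSL)"))

        pc = d.get("persistentcacheenabled")
        if pc is not None and pc.lower() in ("on", "enable", "true"):
            findings.append(("medium", section, "PersistentCacheEnabled",
                             "bitmap cache persists on the client"))

        if "logonticket" in d and "logontickettype" not in d:
            findings.append(("medium", section, "LogonTicketType",
                             "logon ticket used but ticket type not enforced"))

        if "uselocaluserandpassword" in d:
            local_creds_seen = True

    if not ssl_seen:
        findings.append(("high", "*", "SSLEnable", "absent; the default is Off"))
    if not local_creds_seen:
        findings.append(("info", "*", "UseLocalUserAndPassword",
                         "not set; check whether AD passthrough is expected"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for sample_name, sample in (("weak", SAMPLE_ICA), ("hardened", HARDENED_ICA)):
        print(f"== {sample_name} ==")
        for sev, sec, key, msg in audit_ica(sample):
            print(f"[{sev:6}] [{sec}] {key}: {msg}")
```

Run it against a real `.ica` file by replacing the constructed constants with the file's contents; the hardened sample yields no findings, which is the bar a reviewed file should meet before the transport and breakout checks the answer goes on to describe.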