Imagine that you just found the new job of your dreams: You are now a system administrator in a large enterprise. Everything is going like clockwork, except for one major problem: There are 5 different versions of Presentation Server in use and there is no documentation for any system. Now imagine you are a consultant ready to do an assessment of Citrix infrastructure, but nobody in the company knows how many farms and servers exist, or how they are configured. (Wanting a new imaginary job yet?) In this session, Denis Gundarev will share tips on how to document infrastructure and tricks on how to find all components or users that are "forgotten." Attendees will learn several methods for elevating permissions and taking ownership of forgotten systems.

1. Welcome
BriForum | © TechTarget

2. So, You Just Inherited Someone
Else's Citrix Environment. How
Do You Figure out What's What?
Denis Gundarev
Consultant
Entisys Solutions
BriForum | © TechTarget

3. About presenter
C:>whoami /all
USER INFORMATION
----------------
User Name Twitter Name E-Mail
============== ============ ==================
ENTISYSdenisg @fdwl DenisG@entisys.com
GROUP INFORMATION
-----------------
Group Name Type SID
============================== ================ =================
Citrix Technology Professional Well-known group S-1-5-32-544
Citrix Certified Instructor Hobby S-1-5-32-545
Microsoft Certified Trainer Hobby S-1-5-32-546
BriForum | © TechTarget 3

4. Disclaimer
● Information in this presentation is intended for
educational purposes only. Some topics in this
presentation may contain the information related to
“Hacking Passwords” or “Elevating permissions” (Or
Similar terms). This topics provide information about the
legal ways of retrieving the passwords. You shall not
misuse the information to gain unauthorized access.
However you may try out these hacks on your own
computer at your own risk.
● Some of the stuff that you will learn is dangerous, playing
with this knowledge on your production environment can
make you very unhappy
BriForum | © TechTarget 4

5. Agenda
● Why you need to hack your Citrix environment?
● How to find your servers?
● pwn Windows boxes
● pwn Windows-based Citrix products
● pwn *NIX-based Citrix products
● How to find your clients
BriForum | © TechTarget 5

6. Why do you need to hack your Citrix
environment?
1. Install 10 XenApp Servers
2. Wait for one year
3. Try to remember the ODBC password to add more
servers
1. Change your password on Friday
2. Go to the night club
3. …
4. PROFIT!!
BriForum | © TechTarget 6

7. How to start your investigation
BriForum | © TechTarget 7

8. How to find at least one XenApp Server
● Use ipscan to find at least one server with open ports
1494 and 2598
● Open ICA file downloaded from the
WebInterface/PNAgent site
BriForum | © TechTarget

9. How to Find Other Servers
● CTX101810 - Communication Ports Used By Citrix
Technologies – 20 pages
● VMware KB 1012382
● Microsoft - http://technet.microsoft.com/en-
us/library/cc875824.aspx & KB832017
BriForum | © TechTarget

10. Thank you, Captain Obvious
BriForum | © TechTarget 10

11. Find all servers in the farm using XML
● Use XmlServiceDigger/XmlServiceExplorer from Nicholas
Dille (sepago)
BriForum | © TechTarget 11

12. Find all servers in the farm using ICA Client
1. set client = WScript.CreateObject("Citrix.ICAClient")
2. client.SetProp "HTTPBrowseraddress", WScript.Arguments(0)
3. WScript.Echo("Farm:" +client.GetEnumNameByIndex(client.EnumerateFarms(), 0))
4. servers = client.EnumerateServers()
5. do while j < client.GetEnumNameCount(servers)
6. WScript.Echo("SERVER:" +client.GetEnumNameByIndex(servers, j))
7. j=j+1
8. Loop
BriForum | © TechTarget 12

13. Find All HTTP clients
● On XenApp server – change XML Service to be shared
with IIS
● Look for the IIS logs, all http clients will be there
BriForum | © TechTarget 13

14. What can be a HTTP Client?
● WebInterface
● NetScaler
● Program Neighborhood
● ICA files with HTTPBrowserAddress
- TCP/UDP browser is not supported from ICA Client 11.1
BriForum | © TechTarget 14

15. Physical or Virtual?
● Why we need this info?
- To get administrative access in most cases you need the
“physical” access to the server
● Get MAC address, lookup it using MAC address DB:
- http://www.coffer.com/mac_find
- 00-15-5D – Hyper-V
- 00-50-56 – VMWare
- Random – XenServer
● Find hypervisor host
- Hyper-V – HKLMSOFTWAREMicrosoftVirtual
MachineGuestParametersPhysicalHostNameFullyQualified
- Vmware, XenServer – packet capture
BriForum | © TechTarget 15

16. Breaking into hypervisor
● XenServer - CTX116019
● VMware ESX - KB1317898, same procedure as for
XenServer
● VMware ESXi – password reset not supported, but
possible http://tinyurl.com/ResetESXiPass
● Hyper-V – just a Windows, next topic
BriForum | © TechTarget 16

17. Get Access to the Windows Box
● Use domain admin account or GPO to get access (if
possible)
● Sometimes you need to reset local admin password
- Access to non-domain servers
- “broken” Provisioning services .vhd
- Domain controllers
BriForum | © TechTarget 17

18. Get Access to the Windows Box
● Requirements:
- Access to the physical console
- Offline NT Password and Registry editor
(http://pogostick.net/~pnh/ntpasswd/)
● Bonus – reset domain admin account password
- SrvAny from resource kit
BriForum | © TechTarget 18

19. Get Access to the Windows Box - Demo
BriForum | © TechTarget 19

20. XenApp ODBC Password
● SQL Server name and database name is stored in
MF20.dsn
● Username and password Stored in
HKEY_LOCAL_MACHINESOFTWAREWow6432Node
CitrixIMADatastore
● L$ImaDBPassword and L$ImaDBUsername are
encrypted
● DSMAINT CONFIG is able to encrypt this data
BriForum | © TechTarget 20

21. XenApp ODBC Password - DEMO
BriForum | © TechTarget 21

22. XenApp ODBC Password - DEMO
● CryptoAPI tracer http://tinyurl.com/CryptoAPITracer
!sym quiet;
bp Crypt32!CryptUnprotectData "bp /t @$thread poi(@esp) "; du poi(poi(@esp-4)+4); G;";
G;";
!sym quiet;
*.srcnoisy 0;
sxi ld
.outmask- 0xFFFFFFEE $$ .outmask /d restores the output mask to default
* Create the log and begin
*
.logopen "c:log.txt";
G
g
q
• Run debugger:
• cdb -cf c:showpass.txt dsmaint config /user:<username>
BriForum | © TechTarget 22

23. SlimJim
● Deletes all Citrix administrators from the data store to
allow control of the farm by the local administrator.
● Works only on the CPS/XA5
● Directly execute the SQL commands that delete any
administrators configured
● Doesn’t work on XA6/6.5 because of new DB schema
BriForum | © TechTarget 23

24. SlimJim for XenApp 6.5
1. delete indextable FROM KEYTABLE INNER JOIN
INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid
WHERE (KEYTABLE.parentid = 42)
2. go
3. delete KEYTABLE from KEYTABLE where parentid=42
4. go
● Where this “42” is coming from?
- DSView from supportdebug folder on XenApp CD
- Directory->ServerNeighborhoods-><FarmName>->AdminTool->Users cid
BriForum | © TechTarget 24

25. SlimJim for XenApp 6.5
BriForum | © TechTarget 25

26. SlimJim for XenApp 6.5 - Easiest way
● Download SlimJim for XenApp 6 from
http://citrixtechs.com/blog/?p=56 (thanks to Carl
Lenocker!)
● Install Windows Debugging tools
● Run Batch file
BriForum | © TechTarget 26

27. SlimJim for XenApp 6.5 - Easiest way (Cont..)
● What it actually do?
1. start ntsd -pn imasrv.exe -pd -c "bu
ImaRass!CtxSecurityCheck;r $t0 = %loopcount%;.while(@$t0){r
$t0 = @$t0-1;pa @$ra;r eax=0x00000001;g};pa @$ra;r
eax=0x00000001;.detach;q"
- Attaches debugger to the IMA Service and bypass security check
2. cscript addadmin-mod.wsf:
- Set theFarm = CreateObject("XenappCOM.XenappFarm")
- Set NewAdmin = theFarm.AddAdmin
- NewAdmin.AdminType = MFAdminPermissionFullAccess
- NewAdmin.Enable = 1
- NewAdmin.AAType = MFAccountAuthorityNTDomain
- NewAdmin.AAName = computername
- NewAdmin.AccountType = MFAccountLocalGroup
- NewAdmin.AccountName = "Administrators"
- NewAdmin.SaveData
BriForum | © TechTarget 27

28. Get access to the SQL DB
● By default, NT AUTHORITYSYSTEM has a sysadmin
role
BriForum | © TechTarget 28

29. BriForum | © TechTarget 29

30. XenDesktop
BriForum | © TechTarget 30

31. XenDesktop
● Add-PSSnapin citrix.*
● New-BrokerAdministrator -Name corptest -FullAdmin 1
● New-AcctAdministrator -Account corptest
● New-PvsVmAdministrator -Account corptest
● New-ConfigAdministrator -Account corptest
● New-HypAdministrator -Account corptest
● New-ProvAdministrator -Account corptest
BriForum | © TechTarget 31

32. Provisioning Services
1. INSERT INTO [AuthGroup]
2. ([authGroupId]
3. ,[authGroupName]
4. ,[authGroupGuidName]
5. ,[description])
6. VALUES (‘UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
7. ,N‘DOMAIN.FQDN.COM/Users/Domain Users'
8. ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
9. ,'')
10. GO
11. INSERT INTO [AuthGroupFarm]
12. ([authGroupId])
13. VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
14. GO
● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit
BriForum | © TechTarget 32

33. Find your clients
BriForum | © TechTarget

34. XenApp
● Configure Resource Manager, then use SQL Report
Builder to create reports (or just export data to Excel )
● Install EdgeSight, use reports
● OR…
● Use Event Logs
- Windows 2003 – Security log
- Windows 2008
BriForum | © TechTarget

35. XenApp on Windows 2003
● Use security log
● Schedule a simple script:
- Set objFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
- objFarm.Initialize(1)
- For Each objSession In objFarm.Sessions
- WScript.Echo objSession.UserName &"," & objSession.ClientAddress
- Next
BriForum | © TechTarget 35

36. XenApp on Windows 2008
● Use dedicated log Microsoft-Windows-TerminalServices-
LocalSessionManager/Operational
● Attach the same script to event
● OR read registry:
● HKEY_LOCAL_MACHINESOFTWARECitrixIcaSession<sessionN>Connection
BriForum | © TechTarget 36

37. XenDesktop
● Configure retention period for a connection log entries
- HKEY_LOCAL_MACHINESoftwareCitrixDesktopServerL
oggingConnectionLogLifetimeHours
- Default period is 2 days
● Use Desktop Director to analyze connections
● OR
● Use Get-BrokerConnectionLog powershell command to
export log and analyze using excel
BriForum | © TechTarget 37

38. NetScaler
● Configure Web Logging on Windows box (or Linux, if you
like ) to get logs in standard W3C or NCSA formats
- http://support.citrix.com/article/CTX123504
- http://support.citrix.com/article/CTX123977
BriForum | © TechTarget 38

39. What else?
● XenServer – try to run “xe secret-list ” at home
● Licensing Server – Just edit configuration files
● XenServer WLB – reset Postgres password, google it
● Task Manager -> Dump process -> strings – look for
username -> look around
BriForum | © TechTarget 39

40. Conclusion
● 1. Use Goggle
● 2. Explore SQL databases
● 3. Learn how to use Windows Debugger
● 4. Read SDK documentation
● 5. Don’t forget about physical security
BriForum | © TechTarget 40

41. TBD: put some funny picture on the last slide
BriForum | © TechTarget 41