Using Error Codes When Password Spraying Citrix NetScalers

In a previous blog post, I outlined some of my successes and failures with password spraying against Citrix NetScalers. It can be difficult to get a parsable response from NetScalers, meaning that it is challenging to know if a given credential set resulted in a successful login or a failed login. I've recently had more success with this type of attack though, due to new information I've discovered.

I noticed recently that some NetScalers respond to logon attempts with a cookie which contains an error code, though it wasn't immediately possible to interpret the meaning of the code. The error codes I observed in responses were as follows:

NSC_VPNERR=4001
NSC_VPNERR=4009

This led me to dig around further, at which time I discovered the following XML file on the target:

https://example.com/logon/themes/Default/resources/en.xml

I was happy to find that this file contains the definitions of the error codes:



Using these codes I was able to confirm that invalid usernames yielded 4009, allowing me to determine valid usernames and confirm the account naming convention. Once I refined my attack, I was able to crack credentials using Burp Suite Intruder, by observing that valid usernames yielded the following response:

HTTP/1.1 302 Object Moved
Location: /cgi/setclient?wica
Set-Cookie: <redacted>
POSTLOGINFLAGS : 1
Set-Cookie: <redacted>
Server:NS11.0.70.16
Connection: close
Content-Length: 0
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html

This was a notable breakthrough for me regarding password spraying against Citrix NetScalers, which had previously been problematic and is now quite trivial. I'm not yet able to confirm which versions of the NetScaler behave in this way, but the header in the response seems to indicate the version is 11.0.70.16. I'll continue to test this during penetration test projects and hope to determine exactly which versions this attack is successful against. Feel free to chime in with your findings, as well.
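The response indicators described above (the NSC_VPNERR cookie, with 4009 observed for invalid usernames, and the 302 to /cgi/setclient with POSTLOGINFLAGS for a successful logon) can be turned around into detection logic. The following is an added example, not code from the post: it classifies raw logon responses and flags a source address that has tried many distinct usernames. The record format, the IP addresses and the shape of the failure responses are constructed for the example; only the success response and the 4009 meaning come from the post.

```python
import re
from collections import defaultdict

# Code the post observed in NSC_VPNERR for invalid usernames; other codes are
# reported by value rather than interpreted.
INVALID_USER_CODE = "4009"
_ERR_RE = re.compile(r"NSC_VPNERR=(\d+)")

def classify_response(raw):
    """Classify one raw NetScaler logon response as 'success', 'invalid-user',
    'failure:<code>' or 'unknown'."""
    status_line, _, rest = raw.partition("\n")
    headers, cookies = {}, []
    for line in rest.splitlines():
        if not line.strip():
            break                                   # end of header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    parts = status_line.split()
    # Successful logon as seen in the post: 302 with Location /cgi/setclient?wica.
    # A bare 302 is not enough; failures redirect too, so the Location is checked.
    if len(parts) > 1 and parts[1] == "302" and headers.get("location", "").startswith("/cgi/setclient"):
        return "success"
    for cookie in cookies:
        m = _ERR_RE.search(cookie)
        if m:
            return "invalid-user" if m.group(1) == INVALID_USER_CODE else "failure:" + m.group(1)
    return "unknown"

def find_spray_sources(events, min_users=5):
    """events: iterable of (src_ip, username, raw_response) as a reverse proxy or
    log pipeline could supply (assumed format). Returns per-source counts for
    sources that attempted at least min_users distinct usernames."""
    per_src = defaultdict(lambda: {"users": set(), "invalid-user": 0, "failure": 0, "success": 0})
    for src, user, raw in events:
        kind = classify_response(raw)
        rec = per_src[src]
        rec["users"].add(user)
        if kind.startswith("failure"):
            rec["failure"] += 1
        elif kind in rec:
            rec[kind] += 1
    return {src: dict(r, users=len(r["users"])) for src, r in per_src.items() if len(r["users"]) >= min_users}

# Constructed samples: the success response mirrors the post; failure responses are assumed.
SUCCESS = "HTTP/1.1 302 Object Moved\nLocation: /cgi/setclient?wica\nSet-Cookie: <redacted>\nPOSTLOGINFLAGS : 1\nContent-Length: 0\n\n"
def _err(code):
    return "HTTP/1.1 302 Object Moved\nLocation: /vpn/index.html\nSet-Cookie: NSC_VPNERR=%s;Secure\n\n" % code
SAMPLE_EVENTS = [("203.0.113.7", u, _err("4009")) for u in ("alice", "amy", "andy", "ann", "avery")] + [
    ("203.0.113.7", "bob", _err("4001")), ("203.0.113.7", "carol", SUCCESS),
    ("198.51.100.2", "dave", _err("4001"))]   # one user with a wrong password: not flagged
```

A source with many distinct usernames and a high share of 4009 responses is the pattern to alert on; the enhanced authentication feedback the Citrix link in the comments describes is what makes that distinction visible in the first place.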



Comments

  1. Found this resource helpful...

    https://www.citrix.com/blogs/2014/06/11/enhanced-authentication-feedback/
