Re: Citrix ClearPassword (launch.ica)

From: miguel.dilaj@pharma.novartis.com
Date: Tue Feb 25 2003 - 05:15:22 EST


Hello wirepair

In http://www.dabcc.com/nfuse/Docs/ica_file_explained.htm you've this:

Password=
Specifies the password for the user account. This is an optional field.
The password, if used, must be encrypted. To enter an encrypted password
into the ICA file, use the Citrix ICA Client Remote Application Manager
New Entry Wizard to create a remote application entry. When you are
prompted for the username and password, enter the password that you want
to use in the ICA file. Finish the New Entry wizard. Open the file
APPSRV.INI in the Windows directory and locate the entry you just created.
Copy the password value and paste it into your ICA file.

ClearPassword=
Specifies the clear text (unencrypted) password for the user account. This
is an optional field. To use a clear text password, the Password field
must be set to a null value (for example: Password=).

>From this information, it seems that the string 'D4239AF390DB09' isn't a hash, but the password itself (sounds strange, isn't it? But
worth trying...).
I haven't found info on the encryption algorithm used, but, alas, I didn't
search too much ;-)
Cheers,
Miguel
aka Nekromancer

"wirepair" <wirepair@roguemail.net>
24/02/2003 20:05

 
        To: vuln-dev@securityfocus.com, pen-test@securityfocus.com
        cc:
        Subject: Citrix ClearPassword (launch.ica)

while doing a pen-test I noticed after stealing launch.ica
files from a users IE cache directory, they have a
different ClearPassword= field. It appears of
AutologonAllowed is set to ON this will be saved after
using nFUSE to login to the citrix metaframe. These fields
are as follows:
AutologonAllowed=ON
Username=test
Domain=\25A43DEFACEDCODE (16 bytes, hash)
ClearPassword=D4239AF390DB09 (16 bytes, hash..)
This obviously is an issue, the ClearPassword worries me,
unfortunately I'm not a cipher kid so I'm not exactly
sure what type of hash this is, or how it was created. I
tried after researching how the password is kept in
the APPSRV.INI file and tried to mimic the length but alas
it did not work. If you have any information regarding
what cipher this is or how its created please let me know
so I can add this to my hackingcitrix.txt. Thanks
-wire

P.S: I tried to just use the launch ica but it tries to
log in to the metaframe host itself and not the domain so
the login attempt fails and the ***** is erased. This is
why i'm in need of knowing how to get the password from
this hash.
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>

----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a
Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="http://www.securityfocus.com/core"> http://www.securityfocus.com/core>

----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="
http://www.securityfocus.com/core"> http://www.securityfocus.com/core>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT