From: wirepair (wirepair@roguemail.net)
Date: Tue Feb 25 2003 - 08:17:22 EST
Yeah I researched that site before I posted, I know this
is not the actual password because I retreived about 16
total ica files from users. They are all 16 bytes, and,
per user they do not differ. User1 has launch[1].ica
launch[2].ica ect. So this rules out a 'session' based
hash (each file had different creation dates). I believe
this must be generated by the nFuse server, but
unfortunately my citrix eval expired (doh). heh, thanks
again to everyone who responded.
-wire
On Tue, 25 Feb 2003 11:15:22 +0100
miguel.dilaj@pharma.novartis.com wrote:
>Hello wirepair
>
>In http://www.dabcc.com/nfuse/Docs/ica_file_explained.htm
>you've this:
>
>Password=
>Specifies the password for the user account. This is an
>optional field.
>The password, if used, must be encrypted. To enter an
>encrypted password
>into the ICA file, use the Citrix ICA Client Remote
>Application Manager
>New Entry Wizard to create a remote application entry.
>When you are
>prompted for the username and password, enter the
>password that you want
>to use in the ICA file. Finish the New Entry wizard. Open
>the file
>APPSRV.INI in the Windows directory and locate the entry
>you just created.
>Copy the password value and paste it into your ICA file.
>
>ClearPassword=
>Specifies the clear text (unencrypted) password for the
>user account. This
>is an optional field. To use a clear text password, the
>Password field
>must be set to a null value (for example: Password=).
>
>>From this information, it seems that the string
>>'D4239AF390DB09' isn't a hash, but the password itself
>>(sounds strange, isn't it? But
>worth trying...).
>I haven't found info on the encryption algorithm used,
>but, alas, I didn't
>search too much ;-)
>Cheers,
>Miguel
>aka Nekromancer
>
>
>
>
>
>
>"wirepair" <wirepair@roguemail.net>
>24/02/2003 20:05
>
>
> To: vuln-dev@securityfocus.com,
>pen-test@securityfocus.com
> cc:
> Subject: Citrix ClearPassword
>(launch.ica)
>
>
>while doing a pen-test I noticed after stealing
>launch.ica
>files from a users IE cache directory, they have a
>different ClearPassword= field. It appears of
>AutologonAllowed is set to ON this will be saved after
>using nFUSE to login to the citrix metaframe. These
>fields
>are as follows:
>AutologonAllowed=ON
>Username=test
>Domain=\25A43DEFACEDCODE (16 bytes, hash)
>ClearPassword=D4239AF390DB09 (16 bytes, hash..)
>This obviously is an issue, the ClearPassword worries me,
>unfortunately I'm not a cipher kid so I'm not exactly
>sure what type of hash this is, or how it was created. I
>tried after researching how the password is kept in
>the APPSRV.INI file and tried to mimic the length but
>alas
>it did not work. If you have any information regarding
>what cipher this is or how its created please let me know
>so I can add this to my hackingcitrix.txt. Thanks
>-wire
>
>P.S: I tried to just use the launch ica but it tries to
>log in to the metaframe host itself and not the domain so
>the login attempt fails and the ***** is erased. This is
>why i'm in need of knowing how to get the password from
>this hash.
>_____________________________
>For the best comics, toys, movies, and more,
>please visit <http://www.tfaw.com/?qt=wmf>
>
>
>----------------------------------------------------------------------------
><Pre>Do you know the base address of the Global Offset
>Table (GOT) on a
>Solaris 8 box?
>CORE IMPACT does.</Pre>
><A href="http://www.securityfocus.com/core">
>http://www.securityfocus.com/core>
>
>
>
>
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>
----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="http://www.securityfocus.com/core"> http://www.securityfocus.com/core>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT