Nmap Citrix script re-written

So, I took the time to re-write and change the Citrix scripts I published earlier. The scripts now work both against the Citrix ICA Browser service and the Citrix XML Service.

Querying the Citrix XML Service is much more fun as it’s documented, for starters! It exposes some great functionality and allows an unauthenticated user to extract a lot of useful information. As an example, the service can be queried for a list of all published applications available through anonymous authentication. This could be an interesting regular scan to perform in order to make sure no such applications ever pop up. It’s obviously also a great starting point when performing penetration tests.

Here’s a sample output from the citrix-enum-applications-xml.nse script:

The XML service is accessible through a library called citrixxml.lua which is to be placed into the nselibs folder of nmap. This library does all communication with the XML service and also attempts to do some limited parsing of responses.

The following files and functionality are released and available for download.

citrix-enum-apps-xml.nse
– A script that queries the Citrix XML Service for a list of applications

citrix-enum-apps.nse
– A script that queries the ICA Browser for a list of applications

citrix-enum-servers-xml.nse
– A script that queries the Citrix XML Service for a list of Citrix servers

citrix-enum-servers.nse
– A script that queries the ICA Browser for a list of Citrix servers

citrix-brute-xml.nse
– A script that attempts to guess usernames and passwords against the Citrix XML service
– It allows you to perform password guessing against the local Windows server or the AD

citrixxml.lua
– The library containing some of the many XML requests and response parsers
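
One way to turn the regular scan suggested above into a check, as an added example that is not part of the original scripts: it reads Nmap's XML report (`-oX`), collects what citrix-enum-apps-xml reported per host, and flags anything missing from an approved baseline. The sample report, the baseline and the rule that each non-empty output line is one application are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "citrix-enum-apps-xml"  # script name taken from the list above

# Constructed sample of `nmap -oX` output: addresses, port and app names are made up.
SAMPLE_XML = """<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080">
      <script id="citrix-enum-apps-xml" output="&#xa;  Notepad&#xa;  Calculator&#xa;"/>
    </port></ports>
  </host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080">
      <script id="citrix-enum-apps-xml" output="&#xa;  Legacy ERP&#xa;"/>
    </port></ports>
  </host>
</nmaprun>"""


def published_apps(nmap_xml):
    """Map each host address to the set of entries the script reported.

    Assumption: every non-empty line of the script output is one application.
    """
    found = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        address = host.find("address")
        if address is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            lines = script.get("output", "").splitlines()
            apps = {line.strip() for line in lines if line.strip()}
            found.setdefault(address.get("addr"), set()).update(apps)
    return found


def unexpected_apps(nmap_xml, approved):
    """Return {host: [entries]} for anything missing from the approved baseline."""
    report = {}
    for host, apps in published_apps(nmap_xml).items():
        extra = apps - approved.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report


if __name__ == "__main__":
    baseline = {"192.0.2.10": {"Notepad"}}  # hypothetical approved list
    for host, apps in unexpected_apps(SAMPLE_XML, baseline).items():
        print(f"{host}: not in baseline: {', '.join(apps)}")
```

With an empty baseline every reported entry is flagged, which matches the goal of making sure no anonymously published application ever appears.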