9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Extracts a list of applications, ACLs, and settings from the Citrix XML service.
The script returns more output with higher verbosity.
See the documentation for the slaxml library.
See the documentation for the http library.
See the documentation for the smbauth library.
nmap --script=citrix-enum-apps-xml -p 80,443,8080 <host>
PORT STATE SERVICE
8080/tcp open http-proxy
| citrix-enum-apps-xml:
| Application: Notepad; Users: Anonymous
| Application: iexplorer; Users: Anonymous
|_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
PORT STATE SERVICE
8080/tcp open http-proxy
| citrix-enum-apps-xml:
| Application: Notepad
| Disabled: false
| Desktop: false
| On Desktop: false
| Encryption: basic
| Encryption enforced: true
| In start menu: false
| Publisher: labb1farm
| SSL: false
| Remote Access: false
| Users: Anonymous
| Application: iexplorer
| Disabled: false
| Desktop: false
| On Desktop: false
| Encryption: basic
| Encryption enforced: true
| In start menu: false
| Publisher: labb1farm
| SSL: false
| Remote Access: false
| Users: Anonymous
| Application: registry editor
| Disabled: false
| Desktop: false
| On Desktop: false
| Encryption: basic
| Encryption enforced: true
| In start menu: false
| Publisher: labb1farm
| SSL: false
| Remote Access: false
| Users: WIN-B4RL0SUCJ29\Joe
|_ Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
local citrixxml = require "citrixxml"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
description = [[
Extracts a list of applications, ACLs, and settings from the Citrix XML
service.
The script returns more output with higher verbosity.
]]
---
-- @usage
-- nmap --script=citrix-enum-apps-xml -p 80,443,8080 <host>
--
-- @output
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad; Users: Anonymous
-- | Application: iexplorer; Users: Anonymous
-- |_ Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | citrix-enum-apps-xml:
-- | Application: Notepad
-- | Disabled: false
-- | Desktop: false
-- | On Desktop: false
-- | Encryption: basic
-- | Encryption enforced: true
-- | In start menu: false
-- | Publisher: labb1farm
-- | SSL: false
-- | Remote Access: false
-- | Users: Anonymous
-- | Application: iexplorer
-- | Disabled: false
-- | Desktop: false
-- | On Desktop: false
-- | Encryption: basic
-- | Encryption enforced: true
-- | In start menu: false
-- | Publisher: labb1farm
-- | SSL: false
-- | Remote Access: false
-- | Users: Anonymous
-- | Application: registry editor
-- | Disabled: false
-- | Desktop: false
-- | On Desktop: false
-- | Encryption: basic
-- | Encryption enforced: true
-- | In start menu: false
-- | Publisher: labb1farm
-- | SSL: false
-- | Remote Access: false
-- | Users: WIN-B4RL0SUCJ29\Joe
-- |_ Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
-- Version 0.2
-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 12/02/2009 - v0.2 - Use stdnse.format_ouput for output
-- Revised 12/16/2014 - v0.3 - Detect if encryption settings are minimum requirements
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
portrule = shortport.portnumber({8080,80,443}, "tcp")
--- Creates a table which is suitable for use with stdnse.format_output
--
-- @param appdata table with results from parse_appdata_response
-- @param mode string short or long, see usage above
-- @return table suitable for stdnse.format_output
function format_output(appdata, mode)
local result = {}
local setting_titles = { {appisdisabled="Disabled"}, {appisdesktop="Desktop"}, {AppOnDesktop="On Desktop"},
{Encryption="Encryption"}, {EncryptionEnforced="Encryption enforced"}, {AppInStartmenu="In start menu"},
{PublisherName="Publisher"}, {SSLEnabled="SSL"}, {RemoteAccessEnabled="Remote Access"} }
if mode == "short" then
for app_name, AppData in ipairs(appdata) do
local line = "Application: " .. AppData.FName
if AppData.AccessList then
if AppData.AccessList.User then
line = line .. "; Users: " .. table.concat(AppData.AccessList.User, ", ")
end
if AppData.AccessList.Group then
line = line .. "; Groups: " .. table.concat(AppData.AccessList.Group, ", ")
end
table.insert(result, line)
end
end
else
for app_name, AppData in ipairs(appdata) do
local result_part = {}
result_part.name = "Application: " .. AppData.FName
local settings = AppData.Settings
for _, setting_pairs in ipairs(setting_titles) do
for setting_key, setting_title in pairs(setting_pairs) do
local setting_value = settings[setting_key] and settings[setting_key] or ""
table.insert(result_part, setting_title .. ": " .. setting_value )
end
end
if AppData.AccessList then
if AppData.AccessList.User then
table.insert(result_part, "Users: " .. table.concat(AppData.AccessList.User, ", ") )
end
if AppData.AccessList.Group then
table.insert(result_part, "Groups: " .. table.concat(AppData.AccessList.Group, ", ") )
end
table.insert(result, result_part)
end
end
end
return result
end
action = function(host,port)
local response = citrixxml.request_appdata(host, port, {ServerAddress="",attr={addresstype="dot"},DesiredDetails={"all","access-list"} })
local appdata = citrixxml.parse_appdata_response(response)
local response = format_output(appdata, (nmap.verbosity() > 1 and "long" or "short"))
return stdnse.format_output(true, response)
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%