nmap | Patrik Karlsson | NMAP:CITRIX-ENUM-APPS-XML.NSE
History: Dec 14, 2009 - 7:30 a.m.

citrix-enum-apps-xml NSE Script

2009-12-14 07:30:38
Patrik Karlsson
nmap.org
93

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Extracts a list of applications, ACLs, and settings from the Citrix XML service.

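The script returns more output with higher verbosity: the one-line-per-application listing (first sample below) is the default, and the per-application settings (second sample below) are printed when Nmap's verbosity level is above 1.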

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script=citrix-enum-apps-xml -p 80,443,8080 <host>

Script Output

PORT     STATE SERVICE
8080/tcp open  http-proxy
| citrix-enum-apps-xml:
|   Application: Notepad; Users: Anonymous
|   Application: iexplorer; Users: Anonymous
|_  Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*

PORT     STATE SERVICE
8080/tcp open  http-proxy
| citrix-enum-apps-xml:
|   Application: Notepad
|     Disabled: false
|     Desktop: false
|     On Desktop: false
|     Encryption: basic
|     Encryption enforced: true
|     In start menu: false
|     Publisher: labb1farm
|     SSL: false
|     Remote Access: false
|     Users: Anonymous
|   Application: iexplorer
|     Disabled: false
|     Desktop: false
|     On Desktop: false
|     Encryption: basic
|     Encryption enforced: true
|     In start menu: false
|     Publisher: labb1farm
|     SSL: false
|     Remote Access: false
|     Users: Anonymous
|   Application: registry editor
|     Disabled: false
|     Desktop: false
|     On Desktop: false
|     Encryption: basic
|     Encryption enforced: true
|     In start menu: false
|     Publisher: labb1farm
|     SSL: false
|     Remote Access: false
|     Users: WIN-B4RL0SUCJ29\Joe
|_    Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*

Requires


local citrixxml = require "citrixxml"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

-- NSE script metadata: free-text summary of what the script does
-- (the text Nmap prints for --script-help).
description = [[
Extracts a list of applications, ACLs, and settings from the Citrix XML
service.

The script returns more output with higher verbosity.
]]

---
-- @usage
-- nmap --script=citrix-enum-apps-xml -p 80,443,8080 <host>
--
-- @output
-- PORT     STATE SERVICE
-- 8080/tcp open  http-proxy
-- | citrix-enum-apps-xml:
-- |   Application: Notepad; Users: Anonymous
-- |   Application: iexplorer; Users: Anonymous
-- |_  Application: registry editor; Users: WIN-B4RL0SUCJ29\Joe; Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*
--
-- PORT     STATE SERVICE
-- 8080/tcp open  http-proxy
-- | citrix-enum-apps-xml:
-- |   Application: Notepad
-- |     Disabled: false
-- |     Desktop: false
-- |     On Desktop: false
-- |     Encryption: basic
-- |     Encryption enforced: true
-- |     In start menu: false
-- |     Publisher: labb1farm
-- |     SSL: false
-- |     Remote Access: false
-- |     Users: Anonymous
-- |   Application: iexplorer
-- |     Disabled: false
-- |     Desktop: false
-- |     On Desktop: false
-- |     Encryption: basic
-- |     Encryption enforced: true
-- |     In start menu: false
-- |     Publisher: labb1farm
-- |     SSL: false
-- |     Remote Access: false
-- |     Users: Anonymous
-- |   Application: registry editor
-- |     Disabled: false
-- |     Desktop: false
-- |     On Desktop: false
-- |     Encryption: basic
-- |     Encryption enforced: true
-- |     In start menu: false
-- |     Publisher: labb1farm
-- |     SSL: false
-- |     Remote Access: false
-- |     Users: WIN-B4RL0SUCJ29\Joe
-- |_    Groups: WIN-B4RL0SUCJ29\HR, *CITRIX_BUILTIN*\*CITRIX_ADMINISTRATORS*

-- Version 0.2
-- Created 11/26/2009 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 12/02/2009 - v0.2 - Use stdnse.format_output for output
-- Revised 12/16/2014 - v0.3 - Detect if encryption settings are minimum requirements

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Categories Nmap uses when selecting scripts with --script.
categories = {"discovery", "safe"}


-- Run against TCP ports 8080, 80 and 443. The rule selects by port number
-- only; it does not look at the detected service name, so an XML service
-- listening on any other port is not probed by this script.
portrule = shortport.portnumber({8080,80,443}, "tcp")

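--- Builds the table that stdnse.format_output renders for this script.
--
-- Every string placed in the result (application names, setting values,
-- user and group names) is taken from the parsed service response and is
-- copied through unchanged.
--
-- Records without an AccessList are left out of the result in both modes
-- (behaviour kept from the original implementation).
-- NOTE(review): confirm that dropping such records is intended; an
-- application published without an ACL would not be reported.
--
-- Incomplete records (no FName, no Settings table, non-string setting
-- values) are rendered as empty or stringified text instead of raising, so a
-- single malformed record cannot abort the whole script.
--
-- @param appdata table (array) with results from parse_appdata_response;
--        a value that is not a table yields an empty result
-- @param mode string "short" for one line per application; any other value
--        selects the long layout with one line per setting
-- @return table suitable for stdnse.format_output
function format_output(appdata, mode)

  local result = {}

  -- Nothing to format when the parser produced no table.
  if type(appdata) ~= "table" then
    return result
  end

  -- Ordered { settings key, printed title } pairs; the order here fixes the
  -- order of the lines in the long output.
  local setting_titles = {
    { "appisdisabled", "Disabled" },
    { "appisdesktop", "Desktop" },
    { "AppOnDesktop", "On Desktop" },
    { "Encryption", "Encryption" },
    { "EncryptionEnforced", "Encryption enforced" },
    { "AppInStartmenu", "In start menu" },
    { "PublisherName", "Publisher" },
    { "SSLEnabled", "SSL" },
    { "RemoteAccessEnabled", "Remote Access" },
  }

  if mode == "short" then
    for _, app in ipairs(appdata) do
      local acl = app.AccessList

      if acl then
        local line = "Application: " .. tostring(app.FName or "")

        if acl.User then
          line = line .. "; Users: " .. table.concat(acl.User, ", ")
        end

        if acl.Group then
          line = line .. "; Groups: " .. table.concat(acl.Group, ", ")
        end

        result[#result + 1] = line
      end
    end

    return result
  end

  for _, app in ipairs(appdata) do
    local acl = app.AccessList

    if acl then
      local entry = { name = "Application: " .. tostring(app.FName or "") }

      -- A record without a Settings table prints every setting as empty.
      local settings = type(app.Settings) == "table" and app.Settings or {}

      for _, pair in ipairs(setting_titles) do
        local value = settings[pair[1]]
        -- nil and false both print as an empty value; anything else is
        -- stringified so a non-string value cannot break the concatenation.
        if not value then
          value = ""
        end
        entry[#entry + 1] = pair[2] .. ": " .. tostring(value)
      end

      if acl.User then
        entry[#entry + 1] = "Users: " .. table.concat(acl.User, ", ")
      end

      if acl.Group then
        entry[#entry + 1] = "Groups: " .. table.concat(acl.Group, ", ")
      end

      result[#result + 1] = entry
    end
  end

  return result

end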


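--- Queries the Citrix XML service and reports the published applications.
--
-- The request asks for "all" details plus "access-list" and passes no
-- credentials in its parameters, so a populated result shows what the
-- service returns for such a request: application names, their settings and
-- the users/groups on each access list.
--
-- @param host host table supplied by NSE
-- @param port port table supplied by NSE
-- @return formatted script output, or nil when the service returned nothing
--         that could be parsed into a table
action = function(host, port)

  local request = {
    ServerAddress = "",
    attr = { addresstype = "dot" },
    DesiredDetails = { "all", "access-list" },
  }

  local response = citrixxml.request_appdata(host, port, request)
  -- The value request_appdata returns on failure is not visible from this
  -- file; a nil/false response is treated as "no answer" and never reaches
  -- the parser.
  if not response then
    return nil
  end

  local appdata = citrixxml.parse_appdata_response(response)
  if type(appdata) ~= "table" then
    return nil
  end

  -- Verbosity above 1 switches from one line per application to the
  -- per-setting layout.
  local mode = nmap.verbosity() > 1 and "long" or "short"

  return stdnse.format_output(true, format_output(appdata, mode))

end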
