Yeah I researched that site before I posted, I know this is not the actual password because I retrieved about 16 total ica files from users. They are all 16 bytes, and, per user they do not differ. User1 has launch[1].ica launch[2].ica etc. So this rules out a 'session' based hash (each file had different creation dates). I believe this must be generated by the nFuse server, but unfortunately my citrix eval expired (doh). heh, thanks again to everyone who responded.
-wire

On Tue, 25 Feb 2003 11:15:22 +0100 miguel.dilajat_private wrote:
>Hello wirepair
>
>In http://www.dabcc.com/nfuse/Docs/ica_file_explained.htm
>you have this:
>
>Password=
>Specifies the password for the user account. This is an
>optional field.
>The password, if used, must be encrypted. To enter an
>encrypted password
>into the ICA file, use the Citrix ICA Client Remote
>Application Manager
>New Entry Wizard to create a remote application entry.
>When you are
>prompted for the username and password, enter the
>password that you want
>to use in the ICA file. Finish the New Entry wizard. Open
>the file
>APPSRV.INI in the Windows directory and locate the entry
>you just created.
>Copy the password value and paste it into your ICA file.
>
>ClearPassword=
>Specifies the clear text (unencrypted) password for the
>user account. This
>is an optional field. To use a clear text password, the
>Password field
>must be set to a null value (for example: Password=).
>
>From this information, it seems that the string
>'D4239AF390DB09' isn't a hash, but the password itself
>(sounds strange, doesn't it? But
>worth trying...).
>I haven't found info on the encryption algorithm used,
>but, alas, I didn't
>search too much ;-)
>Cheers,
>Miguel
>aka Nekromancer
>
>
>"wirepair" <wirepairat_private>
>24/02/2003 20:05
>
>        To: vuln-devat_private, pen-testat_private
>        cc:
>        Subject: Citrix ClearPassword (launch.ica)
>
>
>while doing a pen-test I noticed after stealing launch.ica
>files from a user's IE cache directory, they have a
>different ClearPassword= field. It appears if
>AutologonAllowed is set to ON this will be saved after
>using nFUSE to login to the citrix metaframe. These fields
>are as follows:
>AutologonAllowed=ON
>Username=test
>Domain=\25A43DEFACEDCODE (16 bytes, hash)
>ClearPassword=D4239AF390DB09 (16 bytes, hash..)
>This obviously is an issue, the ClearPassword worries me,
>unfortunately I'm not a cipher kid so I'm not exactly
>sure what type of hash this is, or how it was created. I
>tried after researching how the password is kept in
>the APPSRV.INI file and tried to mimic the length but alas
>it did not work. If you have any information regarding
>what cipher this is or how it's created please let me know
>so I can add this to my hackingcitrix.txt. Thanks
>-wire
>
>P.S: I tried to just use the launch ica but it tries to
>log in to the metaframe host itself and not the domain so
>the login attempt fails and the ***** is erased. This is
>why I'm in need of knowing how to get the password from
>this hash.
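A defender-side check for the persistence problem discussed in this thread, added here as an example and not code from the thread, from the list, or from Citrix: it parses the INI-style ICA launch file using the field names from the ICA file documentation quoted above (Password=, ClearPassword=, AutologonAllowed=, Username=, Domain=) and flags any file in which a credential field carries a value, escalating when AutologonAllowed=ON is also set. The section names and every sample value are constructed; the script reports only the length of a stored value, never the value itself, and makes no attempt to decode it, since the thread does not identify the algorithm.

```python
"""Audit ICA launch files for persisted logon credentials.

Added example for this thread, not code from the list or from Citrix.
Field names come from the ICA file documentation quoted in the thread;
the section layout and all sample values below are constructed.
"""
from __future__ import annotations

from pathlib import Path

# Keys that, when non-empty, mean a credential has been written to disk.
CREDENTIAL_KEYS = ("clearpassword", "password")


def parse_ica(text: str) -> dict[str, dict[str, str]]:
    """Parse INI-style ICA text into {section: {key (lower-cased): value}}.

    Keys before the first [section] header land in the "" section.
    Lines without '=' and ';'/'#' comment lines are skipped.
    """
    sections: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def find_persisted_credentials(text: str) -> list[dict[str, object]]:
    """Return one finding per non-empty credential field in the ICA text.

    The value itself is never copied into the finding; only its length is
    reported, so audit output can be shared without re-leaking the secret.
    """
    findings: list[dict[str, object]] = []
    for section, keys in parse_ica(text).items():
        autologon = keys.get("autologonallowed", "").upper() == "ON"
        for field in CREDENTIAL_KEYS:
            value = keys.get(field, "")
            if not value:
                continue  # "Password=" with no value is the documented safe form
            findings.append({
                "section": section,
                "field": field,
                "value_length": len(value),
                "username": keys.get("username", ""),
                "domain": keys.get("domain", ""),
                "autologon": autologon,
                # A stored credential plus AutologonAllowed=ON means the file
                # alone logs the user on; that is the case the thread describes.
                "severity": "high" if autologon else "medium",
            })
    return findings


def audit_directory(root: Path, pattern: str = "*.ica") -> dict[str, list]:
    """Scan a directory tree (e.g. an exported browser cache) and map each
    file path that holds a persisted credential to its findings."""
    report: dict[str, list] = {}
    for path in sorted(root.rglob(pattern)):
        found = find_persisted_credentials(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed sample: a launch.ica written with autologon left on.
SAMPLE_AUTOLOGON_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.5
InitialProgram=#Notepad
AutologonAllowed=ON
Username=test
Domain=EXAMPLEDOMAIN
Password=
ClearPassword=0123456789ABCD
"""

# Constructed sample of the documented safe form: empty Password=, no ClearPassword.
SAMPLE_CLEAN_ICA = """\
[WFClient]
Version=2

[Notepad]
Address=10.0.0.5
Username=test
Password=
"""

if __name__ == "__main__":
    for name, text in (("autologon", SAMPLE_AUTOLOGON_ICA), ("clean", SAMPLE_CLEAN_ICA)):
        print(name, find_persisted_credentials(text))
```

Run `audit_directory(Path("/path/to/cache-export"))` over a copy of the user's cache rather than the live profile; the report names files and field lengths only, which is enough to confirm whether the web interface is writing credentials into launch files and to prioritise turning autologon off for those users.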
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 10:35:07 PST