{"id":93,"date":"2015-05-26T17:18:08","date_gmt":"2015-05-26T16:18:08","guid":{"rendered":"http:\/\/kolbi.cz\/blog\/?p=93"},"modified":"2017-12-15T17:05:16","modified_gmt":"2017-12-15T16:05:16","slug":"fingerprinting-netscaler-gateway-version","status":"publish","type":"post","link":"https:\/\/kolbi.cz\/blog\/2015\/05\/26\/fingerprinting-netscaler-gateway-version\/","title":{"rendered":"Fingerprinting, Netscaler Gateway Version information leaking"},"content":{"rendered":"<p>Recently I wanted to know the running\u00a0version of a remote Netscaler Gateway &#8211; but I didn't have an admin login or any other access to the appliance. Since Netscaler is a widely used security solution, there should be no way of identifying the version &#8211; but it turned out there is a very simple way.<\/p>\n<p>Anyone who has a user login to a Netscaler might be able to download the Netscaler Gateway plugin, and installing it will reveal the exact version of the Netscaler build. But a security analyst or a hacker usually doesn't have any login to the remote system, so this option will not work.<\/p>\n<p>Netscaler Gateway, however, offers the possibility to run endpoint analysis (EPA) to query certain services or files on the client computer. This can even be configured to run before a user logs in &#8211; wait &#8211; running before a user logs in also means that the endpoint client must be available to users who have not supplied credentials yet.<\/p>\n<p>Here is the weak point. With forceful browsing we can download the\u00a0endpoint analysis client and check its version. 
This will match the exact build of the Netscaler!<\/p>\n<p>All you need is the base URL of the Netscaler Gateway portal; to download the EPA client, you just append &#8220;<strong>\/epa\/scripts\/win\/nsepa_setup.exe<\/strong>&#8221; to it.<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/fingerprint.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-94 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/fingerprint.jpg\" alt=\"fingerprint\" width=\"476\" height=\"145\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/fingerprint.jpg 476w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/fingerprint-300x91.jpg 300w\" sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><\/a><\/p>\n<p>Using <a href=\"http:\/\/www.7-zip.org\/download.html\">7-Zip<\/a> you can extract the files without installing them. Just open the\u00a0nsepa_setup.exe in 7-Zip, select\u00a0nsepa.msi and press Ctrl + PgDn (&#8220;Open Inside&#8221;) to browse the MSI without running it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-95\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipmsi-300x172.jpg\" alt=\"7zipmsi\" width=\"300\" height=\"172\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipmsi-300x172.jpg 300w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipmsi.jpg 502w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>\u00a0<img loading=\"lazy\" decoding=\"async\" class=\" size-medium wp-image-96 alignnone\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipnsepa-300x132.jpg\" alt=\"7zipnsepa\" width=\"300\" height=\"132\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipnsepa-300x132.jpg 300w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/7zipnsepa.jpg 505w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Now you can extract the\u00a0nsepa.exe and check its file properties. 
The version matches the exact remote Netscaler build!<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-97 size-medium\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa-300x223.png\" alt=\"nsepa\" width=\"300\" height=\"223\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa-300x223.png 300w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa.png 448w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Actually this shouldn't be possible &#8211; because it gives an attacker a good starting point to look for known vulnerabilities in that specific Netscaler build!<\/strong><\/p>\n<p>If you don't need the EPA scan at all, you can simply block the download with a responder policy using the expression\u00a0HTTP.REQ.URL.ENDSWITH(\"\/nsepa_setup.exe\"), bind it to the Netscaler Gateway virtual server and select DROP or RESET as the action. You will have to do this for the x64 binary (nsepa_setup64.exe) as well.<\/p>\n<p><strong>Follow up:<\/strong> I have informed Citrix security about this issue and they responded:<\/p>\n<p><em>The behaviour that you have identified is normal for the current implementations of NetScaler Gateway. 
We understand that this behaviour may provide a remote user with the ability to determine the appliance firmware version and we are currently considering enhancements to change this behaviour in a future version of the product.\u00a0 In the meantime, it is possible to configure a policy, such as the one you reference in your blog posting, that will prevent the unauthorised download of this binary.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Recently I wanted to know the running\u00a0version of a remote Netscaler Gateway &#8211; but I didn't have an admin login or any other access to <a class=\"mh-excerpt-more\" href=\"https:\/\/kolbi.cz\/blog\/2015\/05\/26\/fingerprinting-netscaler-gateway-version\/\" title=\"Fingerprinting, Netscaler Gateway Version information leaking\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":97,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9,14],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-citrix","category-netscaler","category-security"],"_links":{"self":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":15,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"predecessor-version":[{"id":465,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/93\/revisions\/465"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media\/97
"}],"wp:attachment":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}