Related vulnerability
Description
Citrix ADC (NetScaler) Honeypot. Supports detection of CVE-2019-19781 exploitation attempts and logs login attempts
Introduction
# Citrix ADC (NetScaler) Honeypot
- Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
- Logs failed login attempts
- Serves content and headers taken from a real appliance, to increase the chance of being indexed by search engines (e.g. Google, Shodan)

## Installation
### Precompiled
A precompiled Linux (x64) package is available [here](https://github.com/x1sec/citrix-honeypot/releases)
```bash
mkdir citrix-honeypot
cd citrix-honeypot
wget https://github.com/x1sec/citrix-honeypot/releases/download/v0.02/citrix-honeypot-linux-amd64.tar.gz
tar -xf citrix-honeypot-linux-amd64.tar.gz
```
### go get
If you have a [Go](https://golang.org/) environment ready to go:
```bash
go get github.com/x1sec/citrix-honeypot
```
### Running
Generate a self-signed certificate:
```bash
# Either generate an RSA key ...
openssl genrsa -out server.key 2048
# ... or an EC key. Running this after genrsa overwrites server.key, so one of the two is enough.
openssl ecparam -genkey -name secp384r1 -out server.key
# Issue a self-signed certificate for whichever key is in server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
```
Then it's as easy as:
```bash
./citrix-honeypot
```
The honeypot listens on both port `80` and port `443`, so it must be run as the `root` user.
Or, to detach and run it as a background process:
```bash
nohup ./citrix-honeypot &
```
## Logs
Results are written to the `./log` directory, in these files:
- `hits.log` - Scanning and exploitation attempts, with all request data (e.g. headers, POST body)
- `all.log` - Every HTTP request observed hitting the server
- `logins.log` - Attempted logins to the web interface
- `tlsErrors.log` - Internet scanners often send invalid data to port `443`; the resulting TLS/HTTPS errors are logged here
### Examples
Running [the first publicly released exploit](https://github.com/projectzeroindia/CVE-2019-19781):
```
$ cat logs/hits.log
2020/01/23 08:27:55
-------------------
Exploitation detected ...
src: xxx.xxx.xxx.xxx
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
Nsc_nonce: test1337
Nsc_user: /../../../../../../../../../../netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS
User-Agent: curl/7.67.0
url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'id | tee /netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb
```
Scanning attempt:
```
$ cat logs/hits.log
2020/01/23 08:41:02
-------------------
Scanning detected ...
src: xxx.xxx.xxx.xxx
GET /vpn/../vpns/cfg/smb.conf HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
User-Agent: curl/7.67.0
```
Login attempts:
```
$ cat logs/logins.log
2020/01/23 07:26:03 Failed login from xxx.xxx.xxx.xxx user:nsroot pass:nsroot
2020/01/23 08:26:03 Failed login from xxx.xxx.xxx.xxx user:admin pass:admin
```
File snapshot
```
[4.0K] /data/pocs/fbb6c8bd651da8200a4c1d14ad0e8f27521bba44
├── [4.0K] img
│   └── [124K] screenshot.png
├── [1.0K] LICENSE
├── [6.5K] main.go
├── [2.7K] README.md
└── [4.0K] static
    ├── [4.0K] admin_ui
    │   ├── [4.0K] common
    │   │   ├── [4.0K] css
    │   │   │   └── [4.0K] ns
    │   │   │       ├── [3.5K] button-sprite.png
    │   │   │       ├── [2.7K] bytemobile_logo_header.png
    │   │   │       ├── [3.1K] citrix_login_page_logo.png
    │   │   │       ├── [ 765] company_logo.png
    │   │   │       ├── [ 978] down_arrow_top.png
    │   │   │       ├── [1.1K] footer_sprite.png
    │   │   │       ├── [ 14K] login_footer_background.png
    │   │   │       ├── [1.1K] pipe.png
    │   │   │       ├── [ 240] selected_tab_left.gif
    │   │   │       ├── [1.3K] selected_tab_right.gif
    │   │   │       ├── [ 39K] ui.css
    │   │   │       ├── [1.4K] unselected_tab_left.gif
    │   │   │       └── [4.2K] unselected_tab_right.gif
    │   │   ├── [4.0K] images
    │   │   │   ├── [ 11K] dashboard_reporting_sprite_images.png
    │   │   │   └── [2.1K] dwnloads_docs_sprite_images.png
    │   │   └── [4.0K] js
    │   │       └── [4.0K] jquery
    │   │           ├── [1.4K] jquery.keyfilter.min.js
    │   │           ├── [8.8K] jquery-migrate.js
    │   │           └── [ 86K] jquery.min.js
    │   ├── [4.0K] neo
    │   │   └── [4.0K] images
    │   │       ├── [1.3K] nav_down_red.png
    │   │       ├── [1.4K] nav_down_yellow.png
    │   │       ├── [ 664] nav_plain_gray.png
    │   │       └── [1.4K] nav_up_green.png
    │   └── [4.0K] rdx
    │       └── [4.0K] core
    │           └── [4.0K] css
    │               ├── [4.7K] chrome.png
    │               ├── [826K] citrix_white_bg.png
    │               ├── [6.6K] firefox.png
    │               ├── [4.0K] fonts
    │               │   └── [4.0K] citrix_sans
    │               │       ├── [ 21K] citrixsans_bold.eot
    │               │       ├── [ 21K] citrixsans_bold.eot?
    │               │       ├── [ 72K] citrixsans_bold.svg
    │               │       ├── [ 43K] citrixsans_bold.ttf
    │               │       ├── [ 25K] citrixsans_bold.woff
    │               │       ├── [ 22K] citrixsans_regular.eot
    │               │       ├── [ 22K] citrixsans_regular.eot?
    │               │       ├── [ 72K] citrixsans_regular.svg
    │               │       ├── [ 43K] citrixsans_regular.ttf
    │               │       └── [ 26K] citrixsans_regular.woff
    │               ├── [5.7K] internet-explorer.png
    │               └── [7.7K] safari.png
    ├── [ 19K] do_login.html
    └── [ 19K] index.html

16 directories, 43 files
```
Notes
1. It is recommended to access the code via the original source first.
2. If the source has been taken down or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.