Citrix Workspace Enumeration
"Techniques for mapping published applications and identifying weak entry points in virtualized environments."
Citrix Workspace Enumeration
Citrix environments are often the primary gateway for remote employees. Understanding how to enumerate these services is crucial for both attackers and defenders.
Discovering the Portal
The first step is identifying the Citrix Gateway or StoreFront URL. Common paths include:
/Citrix/StoreWeb//vpn/index.html
Mapping Published Applications
Once authenticated (or sometimes even before), we can identify which applications are available to the current user context.
XML Service Enumeration
The Citrix XML Service often provides detailed information about the farm configuration.
# Example query using a common tool
python3 citrix_enum.py -t https://gateway.lab.local -u user1 -p Password123
Common Misconfigurations
1. Anonymous Access
In some legacy configurations, certain applications might be published with "Anonymous" access enabled, allowing anyone to launch them.
2. Information Leaks in Headers
The X-Citrix-Proxy-ID and other custom headers can sometimes leak internal IP addresses or server names.
!WARNING Information disclosure via Citrix headers can provide the internal topography needed to plan lateral movement.
Strengthening the Perimeter
To secure Citrix Workspace:
- Enforce MFA: Multi-factor authentication should be mandatory for all external access.
- Limit Visibility: Only publish the absolute minimum set of applications required for a user's role.
- Regular Patching: Citrix components are frequent targets for critical vulnerabilities (e.g., CVE-2023-3519).