[THIN] Re: Be aware: RE: Re: Client IP

  • From: "Mike Semon" <msemon@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 01 Sep 2005 09:20:42 -0500

Obviously this script will only return a list of client IPs and names. If
there is a problem with spoofed IP addresses or bogus client names then you
have bigger fish to fry. Time for a security assessment.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of ALEX .
Sent: Thursday, September 01, 2005 2:31 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Be aware: RE: Re: Client IP


Be aware that Client IP (provided by either RDP or ICA client to TS or
Citrix server) can be easily faked and cannot be fully trusted.

This can be easily demonstrated for example by running SSH server and SSH
client on your client system where you run RDP or ICA client from by
establishing your connection through a local tunnel.

The most simple "fake" client IP is 127.0.0.1, or any IP address that you
run your local SSH server on. Even better - run your SSH server using IP
address as if it is from the target network - any admin that is not familiar
with this possibility will have a heart attack since your client will appear
to be coming from their local network.

Here is an example - http://www.ishadow.com/docs/snaps/ssh_snap.gif

First - user "administrator" (any name will do ;) connects to the target
server without local SSH contraption - local client IP address is exposed to
the target server and is 192.168.255.33 (will be reported by either ICA or
RDP, here it is RDP).

Now our user connects to the same server through SSH tunnel (again, SSH
client and server are on the same machine as the RDP client for simplicity's
sake). What is the result? We do see the same client name (in this example
it is MSFT), the same user, but... a preset IP address 123.123.123.123.

So, what is the conclusion? Most people will not attempt to do this
exercise, however those that will are of the most interest.

If you plan to buy software for your corporate TS or Citrix implementation
or working on an app or script of your own to be able to prevent these "bad
guys" from hitting your server by using RDP or ICA client provided IP
address or log this data - BE AWARE IT MIGHT NOT WORK AS DESIRED.

This is true for either MFCOM collected information (as in the original
example below) or APIs (both Microsoft WTSAPI32 or Citrix WFAPI). And of
course, client name can be a fake too.

ALEX


>From: "Mike Semon" <msemon@xxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Client IP
>Date: Wed, 31 Aug 2005 13:06:58 -0500
>
>You might try the following VB Script
>
>To generate a list of users and their client IP addresses.
>
>Save the following code to a file named users.vbs and run it with the
>command cscript users.vbs. It lists all users in the farm and their IP
>addresses:
>
>' Connect to the farm through MFCOM
>Set objFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
>objFarm.Initialize(1)
>
>' List every session with its user name and client-reported address
>For Each objSession In objFarm.Sessions
>    WScript.Echo "User name : " & objSession.UserName
>    WScript.Echo "IP Address: " & objSession.ClientAddress
>Next
>
>-Mike
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
>Behalf Of rick.mattingly@xxxxxxxxxx
>Sent: Wednesday, August 31, 2005 12:20 PM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Client IP
>
>
>Is there anyway to capture a User's client IP upon their logon?  The
>information is there when I look at session information of the user, but
>not sure how to capture it.
>
>My Environment
>
>XPe 1.0 FR3
>VB script for the logon script
>Windows 2003
>
>Thanks,
>Enterprise Server Team
>Rick Mattingly
>
>The information transmitted is intended only for the person or entity to
>which it is addressed and may contain confidential and/or privileged
>material. Any review, re-transmission, dissemination or other use of, or
>taking of any action in reliance upon, this information by persons or
>entities other than the intended recipient is prohibited. If you received
>this in error, please contact the sender and delete the material from any
>computer.
>
>********************************************************
>This Weeks Sponsor: triCerat Inc.
>You need Day Zero Protection!
>Get Proactive with triCerat's Simplify Suite.
>Solve printing, security and profile problems before they occur.
>http://www.tricerat.com/?thethintl2
>**********************************************************
>Useful Thin Client Computing Links are available at:
>http://thin.net/links.cfm
>ThinWiki community - Excellent SBC Search Capabilities!
>http://www.thinwiki.com
>***********************************************************
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thin.net/citrixlist.cfm
>
>
>

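Added example, not part of the original thread: a cross-check of the address the RDP/ICA client reports against the TCP peer address the server side observed, flagging the cases ALEX describes. The session records, field names and SERVER_NETWORKS range are constructed for illustration, and how a session is joined to its TCP connection (firewall or connection logs) is assumed.

```python
import ipaddress

# Constructed sample data. "reported_ip" is what the client told the server
# (the value MFCOM/WTSAPI32/WFAPI hand back); "observed_ip" is the remote
# address seen on the session's TCP connection. The join is assumed.
SESSIONS = [
    {"user": "administrator", "client_name": "MSFT",
     "reported_ip": "192.168.255.33", "observed_ip": "192.168.255.33"},
    {"user": "administrator", "client_name": "MSFT",
     "reported_ip": "123.123.123.123", "observed_ip": "192.168.255.33"},
    {"user": "jdoe", "client_name": "WS-017",
     "reported_ip": "127.0.0.1", "observed_ip": "203.0.113.40"},
    {"user": "asmith", "client_name": "WS-022",
     "reported_ip": "10.1.2.3", "observed_ip": "198.51.100.7"},
]

# Hypothetical internal range of the terminal server's own network.
SERVER_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]


def check_session(rec, server_networks=SERVER_NETWORKS):
    """Return reasons the client-reported address should not be trusted."""
    try:
        reported = ipaddress.ip_address(rec["reported_ip"])
    except ValueError:
        return ["reported address is not a valid IP"]
    observed = ipaddress.ip_address(rec["observed_ip"])
    reasons = []
    if reported.is_loopback or reported.is_unspecified:
        reasons.append("reported address is loopback/unspecified")
    if reported != observed:
        reasons.append("reported address differs from TCP peer address")
        claims_local = any(reported in n for n in server_networks)
        peer_local = any(observed in n for n in server_networks)
        if claims_local and not peer_local:
            reasons.append("reported address claims the server's own network")
    return reasons


def audit(sessions):
    """Map (user, reported_ip) -> reasons for sessions with any finding."""
    return {(s["user"], s["reported_ip"]): r
            for s in sessions if (r := check_session(s))}
```

A mismatch also occurs legitimately behind NAT or a gateway, so treat it as a reason to log and filter on the observed address rather than as proof of tampering.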
