Citrix Application Through SOCKS Proxy
In one of my recent red team engagement, I was in a situation that I had to use their internal Citrix application to access a restricted system which located in an isolated network. However, I didn't find much information about using Citrix applications through SOCKS proxy. Therefore, I am writing this blog to record the way that I used to execute Citrix application over SOCKS proxy.
Since all I got was a Cobalt Strike beacon on a compromised user workstation in my scenario, the walkthrough will start with creating a SOCKS proxy in the beacon.
Once the Proxifier is running, you will need to set up the "Proxy Servers" to provide the address and port that can reach the SOCKS proxy.
Before discussing how to use Citrix application through SOCKS proxy. Lets make sure we can access and login the internal Citrix web application first. All you need to do is go to "Proxification Rules" and select "chrome.exe" to tunnel the traffic of the Chrome application through the SOCKS proxy.
Once all the above configurations are completed, you should be able to access and login the internal Citrix application using your compromised Citrix credential or stolen Citrix web cookies.
Now it comes to the most important part of this blog is to locate the process that is used to establish connection to the published Citrix application (e.g., RDP).
The easier way to confirm is to click the published application icon (e.g., RDP), download and execute the ".ica" file using Citrix Receiver to see which process will be called in the Proxifier.
There is no doubt that the Citrix Receiver will pop up an error about unreachable server because you are currently not tunnelling any other processes than "chrome.exe" through the SOCKS proxy. However, you should be able to identify a process "wfica32.exe" was called while running the ".ica" file.
A quick file check on the "wfica32.exe" process located in the folder "C:\Program Files (x86)\Citrix\ICA Client" shows that it is an application for Citrix HDX Engine.
A fair guess about the usage of the "wfica32.exe" would be an application to connect to the Citrix server for published applications. To confirm this, I added "wfica32.exe" into the application list in the "Proxification Rule" as below:
Now click "OK" to save the setting and you should be able to launch the ".ica" file without having the error message we saw previously.
Upon the loading is completed, you should be able to use the Citrix RDP application to access your target system or jump host in the restricted network via the internal Citrix server.
This is the way that I make it work to run Citrix applications over SOCKS proxy and I hope people who have similar situation will find it useful.
On the other hand, I would wonder the Citrix Receiver will behave differently if the ICA configuration is different. If you encounter similar situation and my way couldn't help you, please feel free to reach me out and we can brainstorm together.