# Citrix Application Through SOCKS Proxy

## Background

In one of my recent red team engagements, I had to use the client's internal Citrix application to reach a restricted system located in an isolated network. I could not find much information about running Citrix applications through a SOCKS proxy, so I am writing this post to record the way I got a Citrix application working over SOCKS.

## Walkthrough

Since all I had in this scenario was a Cobalt Strike beacon on a compromised user workstation, the walkthrough starts with creating a SOCKS proxy in the beacon.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2Fbz1QuUsuIBZpaoPh28ll%2Fimage.png?alt=media\&token=3c56ea0a-5482-4ea6-b47d-9942e8bbbeb2)

To run applications through SOCKS on Windows I recommend "[Proxifier](https://www.proxifier.com/)", which I found reliable and easy to use.

Once Proxifier is running, configure "Proxy Servers" with the address and port at which the SOCKS proxy can be reached.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2Fqo16U2CdV7tC2CmVo2Uf%2Fimage.png?alt=media\&token=b9445ed5-c320-49bb-98bc-6840f0fff145)

Before getting to the Citrix application itself, let's make sure we can reach and log in to the internal Citrix web application. Go to "Proxification Rules" and add "chrome.exe" so that the browser's traffic is tunnelled through the SOCKS proxy.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2FeYt23WtKmzIDnTzAjCoP%2Fimage.png?alt=media\&token=5a926c4e-befb-4a9d-9a2c-b896e0f01c2d)

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2F2P3iTSDZV932MAja86Zy%2Fimage.png?alt=media\&token=b63ab890-9778-43f1-9381-d97405184022)

{% hint style="info" %}
Most of the time, reaching an internal resource requires resolving internal host names through the SOCKS proxy, because your own machine cannot resolve the target's internal DNS names (and sending those lookups to your local resolver would leak them). It is therefore good practice to always enable "Resolve hostnames through proxy" under "Name Resolution".
{% endhint %}

Once the above configuration is complete, you should be able to reach and log in to the internal Citrix web application using compromised Citrix credentials or stolen Citrix web session cookies.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2FkERJvA9wVMuh0gWjMx83%2Fimage.png?alt=media\&token=ca591e2e-cfbc-4373-8c5a-883620ecdd10)

{% hint style="info" %}
If you see an error message asking you to confirm your installation of Citrix Receiver, make sure Citrix Receiver (now distributed as Citrix Workspace app) is installed. It is the client component required to use Citrix server-based applications.
{% endhint %}

Now comes the most important part of this post: locating the process that establishes the connection to the published Citrix application (e.g., RDP).

The easiest way to find it is to click the published application icon (e.g., RDP), download the ".ica" file, open it with Citrix Receiver, and watch Proxifier's connection log to see which process makes the outbound connection.

{% hint style="info" %}
The ICA file contains the connection details Citrix Receiver needs to reach a published application on the Citrix server. Published applications run on the server and are only displayed on the client, so when you use the Citrix "RDP" application you are not running "mstsc.exe" on your own PC; the RDP client runs on the Citrix server, inside the isolated network.
{% endhint %}
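Because the ".ica" file is plain INI-style text, you can read it before launching it to learn which host and port the HDX engine will open, and so confirm in advance that the SOCKS route and the Proxifier rule will cover that connection. The parser below is an added example, not code from the original post or from Citrix; the sample files are constructed, the host names and STA ticket in them are placeholders, and the key semantics it relies on (an `[ApplicationServers]` list naming a per-application section, `Address=` as the ICA server, `SSLEnable=On` with `SSLProxyHost=` meaning the client connects to the gateway/SSL relay instead, and `ProxyType=`/`ProxyHost=` in `[WFClient]` as the client's own proxy setting) are my understanding of the ICA file format, not something the post documents.

```python
"""Inspect a downloaded .ica launch file to learn where wfica32.exe will connect.

Added example (not from the original post). ICA files are INI-style text.
The key names and their meaning below are assumptions about the ICA format.
"""
import configparser

# Constructed sample: direct ICA connection to an internal server (no TLS).
SAMPLE_ICA_DIRECT = """\
[WFClient]
Version=2
ProxyType=None

[ApplicationServers]
RDP Jump Host=

[RDP Jump Host]
Address=10.10.20.15:1494
SSLEnable=Off
InitialProgram=#RDP Jump Host
ClientAudio=Off
"""

# Constructed sample: launch via a gateway, where Address holds an STA ticket
# and the client connects to SSLProxyHost instead (placeholder values).
SAMPLE_ICA_GATEWAY = """\
[WFClient]
Version=2
ProxyType=None
ProxyHost=

[ApplicationServers]
Desktop=

[Desktop]
Address=;40;STA0123;ABCDEF
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

DEFAULT_ICA_PORT = 1494   # raw ICA; 2598 is CGP (session reliability)
DEFAULT_TLS_PORT = 443


def parse_ica(text):
    """Parse ICA text into a ConfigParser, keeping key case and tolerating duplicates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _split_host_port(value, default_port):
    """Split 'host:port'; fall back to default_port when no numeric port is present."""
    host, sep, port = value.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value.strip(), default_port


def launch_targets(text):
    """Return [(app, host, port, tls), ...]: the endpoints the HDX engine will open."""
    cp = parse_ica(text)
    targets = []
    if "ApplicationServers" not in cp:
        return targets
    for app in cp["ApplicationServers"]:
        if app not in cp:
            continue
        sect = cp[app]
        tls = sect.get("SSLEnable", "Off").strip().lower() == "on"
        if tls and sect.get("SSLProxyHost", "").strip():
            # Gateway/SSL relay launch: Address carries a ticket, not a host.
            host, port = _split_host_port(sect["SSLProxyHost"], DEFAULT_TLS_PORT)
        else:
            host, port = _split_host_port(sect.get("Address", ""), DEFAULT_ICA_PORT)
        targets.append((app, host, port, tls))
    return targets


def client_proxy_setting(text):
    """Return (ProxyType, ProxyHost) from [WFClient]; 'None' means the client proxies nothing itself."""
    cp = parse_ica(text)
    if "WFClient" not in cp:
        return ("None", "")
    sect = cp["WFClient"]
    return (sect.get("ProxyType", "None").strip(), sect.get("ProxyHost", "").strip())


if __name__ == "__main__":
    for name, ica in (("direct", SAMPLE_ICA_DIRECT), ("gateway", SAMPLE_ICA_GATEWAY)):
        print(name, launch_targets(ica), client_proxy_setting(ica))
```

Run it against the real file you downloaded from the Citrix web application: the host and port it reports are what "wfica32.exe" will try to reach, so they must be routable from the beacon host and matched by your Proxifier rule (a `ProxyType` other than `None` would mean the client already has a proxy of its own configured, which changes where the connection goes).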

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2FykqMJQvUxyPIw2YIzXps%2Fimage.png?alt=media\&token=27faa41c-3049-4a87-964d-5413bb31c9a4)

As expected, Citrix Receiver pops up an error about an unreachable server, because at this point only "chrome.exe" is tunnelled through the SOCKS proxy. In Proxifier's connection log, however, you should see that a process named "wfica32.exe" made the connection attempt while the ".ica" file was being opened.

A quick check of "wfica32.exe", located in "C:\Program Files (x86)\Citrix\ICA Client", shows that its file description is "Citrix HDX Engine".

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2Fj0IkG3x2IIutmU96X4HM%2Fimage.png?alt=media\&token=dadf0242-7b6f-411f-aed2-31552fd58e37)

A fair guess is that "wfica32.exe" is the client that connects to the Citrix server for published applications. To confirm this, I added "wfica32.exe" to the application list in the "Proxification Rules" as below:

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2Fe368kHNQl27WNPsVGwER%2Fimage.png?alt=media\&token=4427cdc6-3782-436d-80df-0df45c19532a)

Click "OK" to save the rule; the ".ica" file should now launch without the error we saw previously.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2F03JkAV4oqwTckhpj2qAs%2Fimage.png?alt=media\&token=625208f3-8572-4f9e-9202-3720791a9b01)

Once loading completes, you can use the Citrix RDP application to reach the target system or jump host in the restricted network via the internal Citrix server.

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2Fo8p453rSphIrtdb9eczL%2Fimage.png?alt=media\&token=cba3d7c5-cb7d-4215-8246-f46a285d07fc)

![](https://3629422832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhc07wjSjeLaJUxQVJfIF%2Fuploads%2FlyDseGqywVbbotTxuBeN%2Fimage.png?alt=media\&token=f48ef248-25fd-41ea-8f09-2dbe15054560)

## Conclusion

This is how I got Citrix applications working over a SOCKS proxy, and I hope those in a similar situation find it useful.

I also wonder whether Citrix Receiver behaves differently when the ICA configuration differs. If you run into a similar situation and my approach does not work for you, feel free to reach out and we can brainstorm together.

## Reference

{% embed url="<https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3>" %}

{% embed url="<https://www.trustedsec.com/blog/adexplorer-on-engagements/>" %}
