Citrix Application Through SOCKS Proxy
In one of my recent red team engagement, I was in a situation that I had to use their internal Citrix application to access a restricted system which located in an isolated network. However, I didn't find much information about using Citrix applications through SOCKS proxy. Therefore, I am writing this blog to record the way that I used to execute Citrix application over SOCKS proxy.
Since all I got was a Cobalt Strike beacon on a compromised user workstation in my scenario, the walkthrough will start with creating a SOCKS proxy in the beacon.
To execute applications through SOCKS, I would recommend to use "Proxifier" in Windows platform, which I found it reliable and easy to use.
Once the Proxifier is running, you will need to set up the "Proxy Servers" to provide the address and port that can reach the SOCKS proxy.
Before discussing how to use Citrix application through SOCKS proxy. Lets make sure we can access and login the internal Citrix web application first. All you need to do is go to "Proxification Rules" and select "chrome.exe" to tunnel the traffic of the Chrome application through the SOCKS proxy.
Most of the time if you would like to access internal source, you would need to resolve internal host name via the SOCKS proxy. Therefore, It is a good practice to always enable "Resolve hostnames through proxy" in the "Name Resolution".
Once all the above configurations are completed, you should be able to access and login the internal Citrix application using your compromised Citrix credential or stolen Citrix web cookies.
If you see an error message about confirming your installation of Citrix Receiver, please make sure you have the Citrix Receiver installed. This is a necessary component to allow you to use Citrix server-based applications.
Now it comes to the most important part of this blog is to locate the process that is used to establish connection to the published Citrix application (e.g., RDP).
The easier way to confirm is to click the published application icon (e.g., RDP), download and execute the ".ica" file using Citrix Receiver to see which process will be called in the Proxifier.
The ICA file contains configuration details on how to connect to Citrix server's application. The technology would allow users to access Citrix server's application without installing them locally. It means when you are using the Citrix RDP application, you are not actually running "mstsc.exe" in your PC.
There is no doubt that the Citrix Receiver will pop up an error about unreachable server because you are currently not tunnelling any other processes than "chrome.exe" through the SOCKS proxy. However, you should be able to identify a process "wfica32.exe" was called while running the ".ica" file.
A quick file check on the "wfica32.exe" process located in the folder "C:\Program Files (x86)\Citrix\ICA Client" shows that it is an application for Citrix HDX Engine.
A fair guess about the usage of the "wfica32.exe" would be an application to connect to the Citrix server for published applications. To confirm this, I added "wfica32.exe" into the application list in the "Proxification Rule" as below:
Now click "OK" to save the setting and you should be able to launch the ".ica" file without having the error message we saw previously.
Upon the loading is completed, you should be able to use the Citrix RDP application to access your target system or jump host in the restricted network via the internal Citrix server.
This is the way that I make it work to run Citrix applications over SOCKS proxy and I hope people who have similar situation will find it useful.
On the other hand, I would wonder the Citrix Receiver will behave differently if the ICA configuration is different. If you encounter similar situation and my way couldn't help you, please feel free to reach me out and we can brainstorm together.