Skip to content

A quick and dirty way to bypass encrypted EPA to connect to a NetScaler Gateway

License

Notifications You must be signed in to change notification settings

SECFORCE/NetScalerEPABypass

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 

Repository files navigation

NetScalerEPABypass

A quick and dirty way to bypass encrypted EPA to connect to a NetScaler Gateway

Read the paper that this code is a result of here: http://Lucky0x0d.com/NSEPA-Bypass.pdf

The Citrix NetScaler Gateway VPN has the ability to check various conditions on a user device when it attempts to connect to a NetScaler Gateway. Based on the results of those conditions the NetScaler Gateway decides if a client is permitted to attempt a login, if the client is blocked or if the client is to be quarantined. Citrix calls this “Pre-Authentication Endpoint Analysis”, or EPA. This is a problem when trying to connect to a NetScaler Gateway VPN without knowing the client-side checks required.

The NetScaler does this by running a client on the user’s machine. On Windows this client is called nsepa.exe. It connects to the NetScaler, receives a list of conditions, checks those conditions on the client device and then sends the NetScaler Gateway a result of pass or fail.

On the NetScaler this EPA communication can be configured to be in plaintext or be encrypted. When the NetScaler is configured without ‘Client Security Encryption’ the EPA check is trivial to bypass.

Previously there was no publicly available way to bypass EPA if ‘Client Security Encryption’ is enabled.

This is a python script that enables encrypted Pre-Authentication Endpoint Analysis to be bypassed almost as trivially as plaintext EPA.

Usage:

python NSEPA-Bypass.py "NSC_EPAC Cookie Value"  "EPOCH Time from client"  "Value of the HOST: Header" "Base64 encoded string from Server"

Example Usage:

python NSEPA-Bypass.py "981005eef29ce34c80f535f9e78f4b4d" "1498797356"  "vpn.example.com" "WWoNstbK760pVoPwPzHbs9pEf6Tj/iBk55gnHYwptPohBR0bKsiVVZmDN8J8530G4ISIFkRcC/1IaQSiOr8ouOYC84T5Hzbs2yH3Wq/KToo="

About

A quick and dirty way to bypass encrypted EPA to connect to a NetScaler Gateway

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%