Netscaler: Making sense of the Cookie – part 1

Today was the first day back after my Christmas break, so it was a bit “slow”. Never to sit around being bored, I was writing up some notes on Netscaler cookie’s for an ethical hacker called Alejandro Nolla who has written up a cool application for checking to see if a domain has a load balancer behind it. You can find the application here or follow Alejandro on Twitter at @z0mbiehunt3r

Anyway while typing up my info I discovered something about the Netscaler cookies that I hadn’t noticed before. The Netscaler cookies are by default “encrypted” in 3 parts. Below is the extract from Citrix regarding Netscaler cookies:

The format of the cookie that the NetScaler appliance inserts is:
NSC_XXXX=
where:
NSC_XXXX is the virtual server ID that is derived from the virtual server name.
ServiceIP is an encrypted representation of the service IP address.
ServicePort is an encrypted representation of the service port.

So the 3 “encrypted” parts are Virtual Server ID, ServiceIP and then ServicePort. After a bit of coffee I realised something about the Virtual Server ID, it is “encrypted” using a substitution cipher, for example a=z, d=c etc. etc. the name “NSC_mc_udru” would be “NSC_lb_test” on the Netscaler as the configured load balancer name.

Now it might not seem much to you, but I was happy with my discovery, my next challenge finding out how the ServiceIP and ServicePort is encrypted. This is an NSC cookie

ffffffff3c19594d45525d5f4f58455e445a4a423660

Now to me at first it looked like HEX the first 8 F’s equally to 255 255 255 255 which seemed like it was a subnet address you use to reference a single host (as you would expect from a persistence cookie), I also know that af when converted from hex to dec equals 175 but the server IP actually starts with 172. I’ve converted the rest from hex to dec but the numbers are out for the server IP. At the end of the example above I know that for port 80 (http) the value is 3660 only changes if the port changes, the rest seems to stay the same.

So I’m a third of the way there.. maybe I will never break the encryption but it’s fun trying and it’s given my brain a good workout. If you can spot something I’ve missed then let me know.

NOTE: I have since worked out how to decrypt the whole cookie and wrapped it up in a python script which you can find HERE

The Geek

Advertisements

5 thoughts on “Netscaler: Making sense of the Cookie – part 1

  1. Hello, thanks for the article (and part2), I found it researching these NSC cookies. I just wanted to say thanks and add that the virtual server ID encryption you figured out is called an “atbash” cipher.

  2. Same as Ryan above dude, researching webseal and netscaler cookies and this is some nice info! We’re getting some weird results with sessions on some of our webapps and this is helping me understand some of the moving parts. Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s