The script searches the Citrix NetScaler logs for possible CVE-2023-4966 exploitation.
usage: check-cve-2023-4966.py [-h] [--nologline] logdir_path
Python script to check CitrixNetScaler logs for possible CVE-2023-4966 exploitation
positional arguments:
logdir_path path to NetScaler log files (located on the NetScaler in the directory /mnt/temp/log/)
options:
-h, --help show this help message and exit
--nologline do not print the logline
$ python check-cve-2023-4966.py NetScaler/log/mnt/temp/log/ --nologline
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345Citrix XenDesk and XenApp sessions are logged in the monitoring database. With this monitoring database it is possible to find the sessions and worker machines which might be used after successful exploitation.
The helper directory contains sql queries to check the monitoring database.
Script to get the machine id, name and ip address.
Query to get sessions from a specific machine (MachineId).
Query to get additionl sessions information for a specific machine (MachineId) and user.