# Mounting UFS VMDK from NetScaler/Citrix ADC We have our VMDK representing a single disk from a compromised system. In this example, we're just using the VMDK available from the installer archive provided by Citrix. We've setup a test VM using the same VMDK, run through the initial setup (setting IP, netmask, gateway, etc) and the system is operational. This also assumes you have a single flat VMDK, and not a standalone snapshot. If you have a snapshot, you need to consolidate it first so you can examine the resultant disk. ``` $ file NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk: VMware4 disk image $ sudo mkdir /mnt/nsvpx ``` Execute guestfish and add (-a) our VMDK. ``` $ guestfish -a NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk Welcome to guestfish, the guest filesystem shell for editing virtual machine filesystems and disk images. Type: ‘help’ for help on commands ‘man’ to read the manual ‘quit’ to quit the shell > run 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00 > ``` We'll first attempt to list identified filesystems, but given UFS support is sometimes questionable, we're not sure whether it will be identified or not. ``` > list-filesystems libguestfs: error: list_filesystems: sfdisk exited with status 1: sfdisk: /dev/sda: partition 5: partition table contains only 4 partitions ``` This is what the same VMDK looks like in FTK Imager. ![](https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FJkPn8CjgwTvGpl2f65uI%2Fimage.png?alt=media\&token=d52a1252-e74e-437e-b099-059bc0c853d6) This maps to the following disk size information from the NetScaler console itself
Regarding our VMDK, we'll be interested in the following; * /dev/md0 (the RAM disk/partition) * /dev/da0s1a * /dev/da0s1e Side note: If this was a live system, you could image each using dd and transfer them to another host via SSH, which would make life a lot easier; ``` dd if=/dev/md0 | gzip -1 - | ssh user@remotehost dd of=/path/folder/md0.gz dd if=/dev/da0s1a | gzip -1 - | ssh user@remotehost dd of=/path/folder/da0s1a.gz dd if=/dev/da0s1e | gzip -1 - | ssh user@remotehost dd of=/path/folder/da0s1e.gz ``` ``` > list-partitions /dev/sda1 /dev/sda5 /dev/sda6 /dev/sda7 /dev/sda8 ``` We're mostly interested in logs, which are stored in /var (/dev/da0s1e) To identify which partitions relate to which filesystem (listed above), we need to mount them. ``` > mount-vfs ro,ufstype=ufs2 ufs /dev/sda1 / > df-h Filesystem Size Used Avail Use% Mounted on /dev/root 4.0G 714M 3.1G 19% / /dev 600M 0 600M 0% /dev shmfs 606M 0 606M 0% /dev/shm tmpfs 243M 72K 243M 1% /run /dev/sda1 1.6G 156M 1.3G 11% /sysroot ``` ``` > mount-vfs ro,ufstype=ufs2 ufs /dev/sda8 / > df-h Filesystem Size Used Avail Use% Mounted on /dev/root 4.0G 714M 3.1G 19% / /dev 600M 0 600M 0% /dev shmfs 606M 0 606M 0% /dev/shm tmpfs 243M 72K 243M 1% /run /dev/sda8 14G 1.3G 12G 10% /sysroot ``` Ok, so to recap; * We've mounted our VMDK in guestfish * We've mounted each partition as identified they contain relevant data We can mount the partition (identified through guestfish) on the host machine ``` > mount-local /mnt/nsvpx > mount-local-run ``` Open another console on your host machine, and navigate to /mnt/nsvpx ``` $ cd /mnt/nsvpx $ ls /mnt/nsvpx AAA clusterd core cron download gui krb log netscaler nsinstall nsproflog ns_sys_backup nstmp opt pubkey run tmp vpn app_catalog configdb crash dev gcf1 install learnt_data mastools ns_gui nslog nssynclog nstemplates nstrace osr_compliance python safenet vmtools vpns [/mnt/nsvpx/log] $ cat httpaccess.log| head 127.0.0.1 - - [23/Aug/2023:08:30:00 +0000] [1048] "GET / HTTP/1.1" 200 18705 "-" "curl/7.85.0" "Time: 102541 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1046] "GET / HTTP/1.1" 200 18705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 46242 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1049] "GET /admin_ui/common/js/jquery/jquery.keyfilter.min.js HTTP/1.1" 200 756 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 2792 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1046] "GET /admin_ui/common/css/ns/ui.css HTTP/1.1" 200 8642 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 8205 microsecs" ``` You can now use your mount point (/mnt/nsvpx) as the root directory/base to search for IOCs. ShadowServer have released a series of indicators here;\ [Technical Summary of Observed Citrix CVE-2023-3519 Incidents](https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/) Mandiant have released [their analysis](https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner), as well as a bash script to search for IOCs. You can use Mandiant's IOC scanner on a mounted image, like s ``` $ wget https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519/releases/download/v1.2/scanner-cve-2023-3519-v1.2.sh $ chmod +x scanner-cve-2023-3519-v1.2.sh Example: $ bash ./scanner-CVE-2023-3519-v1.1.sh /mnt/path/to/evidence/root/ $ ./scanner-cve-2023-3519-v1.2.sh /mnt/nsvpx ```