# Mounting UFS VMDK from NetScaler/Citrix ADC We have our VMDK representing a single disk from a compromised system. In this example, we're just using the VMDK available from the installer archive provided by Citrix. We've setup a test VM using the same VMDK, run through the initial setup (setting IP, netmask, gateway, etc) and the system is operational. This also assumes you have a single flat VMDK, and not a standalone snapshot. If you have a snapshot, you need to consolidate it first so you can examine the resultant disk. ``` $ file NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk: VMware4 disk image $ sudo mkdir /mnt/nsvpx ``` Execute guestfish and add (-a) our VMDK. ``` $ guestfish -a NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk Welcome to guestfish, the guest filesystem shell for editing virtual machine filesystems and disk images. Type: ‘help’ for help on commands ‘man’ to read the manual ‘quit’ to quit the shell > run 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00 > ``` We'll first attempt to list identified filesystems, but given UFS support is sometimes questionable, we're not sure whether it will be identified or not. ``` > list-filesystems libguestfs: error: list_filesystems: sfdisk exited with status 1: sfdisk: /dev/sda: partition 5: partition table contains only 4 partitions ``` This is what the same VMDK looks like in FTK Imager. ![](/files/LDfzTNjJNMpbBOPwUtw7) This maps to the following disk size information from the NetScaler console itself
Regarding our VMDK, we'll be interested in the following; * /dev/md0 (the RAM disk/partition) * /dev/da0s1a * /dev/da0s1e Side note: If this was a live system, you could image each using dd and transfer them to another host via SSH, which would make life a lot easier; ``` dd if=/dev/md0 | gzip -1 - | ssh user@remotehost dd of=/path/folder/md0.gz dd if=/dev/da0s1a | gzip -1 - | ssh user@remotehost dd of=/path/folder/da0s1a.gz dd if=/dev/da0s1e | gzip -1 - | ssh user@remotehost dd of=/path/folder/da0s1e.gz ``` ``` > list-partitions /dev/sda1 /dev/sda5 /dev/sda6 /dev/sda7 /dev/sda8 ``` We're mostly interested in logs, which are stored in /var (/dev/da0s1e) To identify which partitions relate to which filesystem (listed above), we need to mount them. ``` > mount-vfs ro,ufstype=ufs2 ufs /dev/sda1 / > df-h Filesystem Size Used Avail Use% Mounted on /dev/root 4.0G 714M 3.1G 19% / /dev 600M 0 600M 0% /dev shmfs 606M 0 606M 0% /dev/shm tmpfs 243M 72K 243M 1% /run /dev/sda1 1.6G 156M 1.3G 11% /sysroot ``` ``` > mount-vfs ro,ufstype=ufs2 ufs /dev/sda8 / > df-h Filesystem Size Used Avail Use% Mounted on /dev/root 4.0G 714M 3.1G 19% / /dev 600M 0 600M 0% /dev shmfs 606M 0 606M 0% /dev/shm tmpfs 243M 72K 243M 1% /run /dev/sda8 14G 1.3G 12G 10% /sysroot ``` Ok, so to recap; * We've mounted our VMDK in guestfish * We've mounted each partition as identified they contain relevant data We can mount the partition (identified through guestfish) on the host machine ``` > mount-local /mnt/nsvpx > mount-local-run ``` Open another console on your host machine, and navigate to /mnt/nsvpx ``` $ cd /mnt/nsvpx $ ls /mnt/nsvpx AAA clusterd core cron download gui krb log netscaler nsinstall nsproflog ns_sys_backup nstmp opt pubkey run tmp vpn app_catalog configdb crash dev gcf1 install learnt_data mastools ns_gui nslog nssynclog nstemplates nstrace osr_compliance python safenet vmtools vpns [/mnt/nsvpx/log] $ cat httpaccess.log| head 127.0.0.1 - - [23/Aug/2023:08:30:00 +0000] [1048] "GET / HTTP/1.1" 200 18705 "-" "curl/7.85.0" "Time: 102541 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1046] "GET / HTTP/1.1" 200 18705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 46242 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1049] "GET /admin_ui/common/js/jquery/jquery.keyfilter.min.js HTTP/1.1" 200 756 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 2792 microsecs" 192.168.1.10 -> 192.168.1.222 - - [23/Aug/2023:08:31:27 +0000] [1046] "GET /admin_ui/common/css/ns/ui.css HTTP/1.1" 200 8642 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" "Time: 8205 microsecs" ``` You can now use your mount point (/mnt/nsvpx) as the root directory/base to search for IOCs. ShadowServer have released a series of indicators here;\ [Technical Summary of Observed Citrix CVE-2023-3519 Incidents](https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/) Mandiant have released [their analysis](https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner), as well as a bash script to search for IOCs. You can use Mandiant's IOC scanner on a mounted image, like s ``` $ wget https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519/releases/download/v1.2/scanner-cve-2023-3519-v1.2.sh $ chmod +x scanner-cve-2023-3519-v1.2.sh Example: $ bash ./scanner-CVE-2023-3519-v1.1.sh /mnt/path/to/evidence/root/ $ ./scanner-cve-2023-3519-v1.2.sh /mnt/nsvpx ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.