Scanning Engine v2 - Module - NetScaler

Overview

Citrix NetScaler (https://en.wikipedia.org/wiki/Citrix_NetScaler) is a web application delivery controller that provides load balancing, SSL acceleration, application security, and other application delivery services. It is widely used in enterprise environments for managing web application traffic and ensuring high availability.

This module scans NetScaler devices by requesting the /vpn/js/rdx/core/lang/rdx_en.json.gz file and extracting version information from the gzip timestamp metadata. This approach is based on research from the Fox-IT Security Research Team.

Targeting

This module targets TCP ports by IP address or hostname, typically port 443 for HTTPS connections.

Schemas

The schema for the body object of all results generated with .task.module_name equal to netscaler can be found here. The schema for results is available both in standalone and bundled form.

Examples

These are examples of the .body object for results with .task.module_name equal to netscaler.

Live Host

This example was generated with a live NetScaler device on the internet.

{
  "rdx_en_stamp": 1749588747,
  "rdx_en_dt": "2025-06-10T20:52:27Z",
  "version": "13.1-58.32"
}

Technical Details

How it works

  1. HTTP Request: Makes a GET request to https://<target>/vpn/js/rdx/core/lang/rdx_en.json.gz
  2. Gzip Analysis: Reads the first 100 bytes of the response to check for valid gzip format
  3. Timestamp Extraction: Extracts the timestamp from bytes 4-7 (little endian) of the gzip header
  4. Version Lookup: Matches the timestamp against an embedded database of known NetScaler versions
  5. Result: Returns the identified version or "unknown" if not found

Gzip Header Analysis

The module analyzes the gzip file header structure:

  • Bytes 0-1: Magic number 0x1f 0x8b
  • Byte 2: Compression method 0x08 = deflate
  • Byte 3: Flags 0x08 = extra field present
  • Bytes 4-7: Timestamp little endian Unix timestamp
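The header check, timestamp extraction and lookup from the steps above, applied to bytes that have already been fetched. This is an added example, not the module's own code: `fingerprint`, `sample_header` and `KNOWN_STAMPS` are hypothetical names, the single table entry is taken from the Live Host example, and the header bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# One entry, taken from the Live Host example on this page. The module's
# embedded database of 160+ versions is not reproduced here.
KNOWN_STAMPS = {1749588747: "13.1-58.32"}

GZIP_MAGIC = b"\x1f\x8b"
DEFLATE = 0x08


def fingerprint(head: bytes, table=KNOWN_STAMPS) -> dict:
    """Build a result body from the first bytes of rdx_en.json.gz."""
    # A gzip header is at least 10 bytes. Error pages, redirects and
    # truncated responses are rejected instead of being misread as a stamp.
    if len(head) < 10 or head[:2] != GZIP_MAGIC or head[2] != DEFLATE:
        raise ValueError("response is not a gzip/deflate stream")
    (stamp,) = struct.unpack_from("<I", head, 4)  # bytes 4-7, little endian
    if stamp == 0:
        # RFC 1952: an MTIME of 0 means no timestamp is available.
        raise ValueError("gzip header carries no timestamp")
    dt = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "rdx_en_stamp": stamp,
        "rdx_en_dt": dt.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "version": table.get(stamp, "unknown"),
    }


def sample_header(stamp: int) -> bytes:
    """Constructed input: a 10-byte gzip header plus trailing bytes."""
    header = GZIP_MAGIC + bytes([DEFLATE, 0x08]) + struct.pack("<I", stamp)
    header += b"\x00\x03"  # extra-flags and OS bytes (constructed values)
    return header + b"rdx_en.json\x00"


if __name__ == "__main__":
    print(fingerprint(sample_header(1749588747)))
```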

Changelog

v1.0.0 (2025-07-23)

  • Initial release of the NetScaler module
  • Implements gzip timestamp-based version fingerprinting
  • Embedded database with 160+ NetScaler versions
  • TLS support with automatic certificate verification bypass