# NSKek tool for decrypting Citrix NetScaler service passwords

Author: Thomas Kötzing
Published: 2025-05-03 (modified 2026-06-02)
Source: https://www.koetzingit.de/en/nskek-tool-zur-entschluesselung-von-citrix-netscaler-service-passwoertern/
Tags: citrix, netscaler, kek, nskek-tool, tool, services, decrypt

In this article I present NSKek, a tool I wrote myself that comes with a graphical user interface (GUI). It gives NetScaler administrators a straightforward way to decrypt service passwords without having to work through the technical details. The tool combines classic cryptographic building blocks: HMAC, AES-CBC and the dynamic derivation of a Key Encryption Key (KEK).

In an age when data security and ease of use have to go hand in hand, the targeted decryption of sensitive information plays an important role. NSKek not only decrypts service passwords, it also provides a graphical interface in which administrators can simply select their key files and process them.

### What is NetScaler Credential Protection?

NetScaler Credential Protection takes a two-pronged approach:

- Recoverable service passwords: these are protected by reversible encryption (AES-256-CBC). The KEK is not stored as such but derived dynamically from key files on the appliance, using an HMAC that combines two separate key domains.
- Non-recoverable administrator passwords: these are secured with a strong one-way hash (such as PBKDF2-HMAC-SHA256), so the plaintext password cannot be recovered.

This combination of dynamic key management and one-way password hashing means that partial access to the configuration alone does not expose the login credentials: even if the internal procedure is known, the system stays secure as long as the dynamically derived KEK remains secret. The flip side follows directly from how the tool below works: anyone who holds ns.conf together with the matching F1 and F2 key files can recover every KEK-encrypted service password, so backups and copies of /nsconfig/keys need the same protection as the passwords themselves.

### A handy tool for decrypting service passwords

Building on these ideas, I developed a tool that decrypts sensitive service passwords. Its key feature:

**Key derivation using HMAC and file parsing**

NSKek reads two key files from the NetScaler, labelled F1 and F2, and extracts a fixed segment from each: bytes 33 to 65 of F1 and bytes 35 to 67 of F2. The two pieces of key material are then combined with HMAC-SHA256 to produce the Key Encryption Key (KEK), which in turn decrypts the AES-CBC ciphertext stored in ns.conf. With the two key files and the encrypted value, the tool lets administrators without deep cryptographic knowledge recover their NetScaler service passwords.

### Structure and Functionality of the Tool

As an example, suppose we run a RADIUS load balancer and want to know the service password. There can be several reasons: checking whether the password meets the required complexity and complies with company policy, or simply that nobody knows it any more while it may still be in use on other systems. As explained above, three inputs are required: the F1 and F2 keys, and the encrypted value that the RADIUS load balancer uses (the tool's GUI labels it "Hash", although it is an AES ciphertext rather than a hash). The key files live on the NetScaler under /nsconfig/keys or /nsconfig/keys/updated. That leaves the encrypted value, which we find by searching ns.conf for the load balancer entry, for example:

[Screenshot: ns.conf entry of the RADIUS load balancer with the encrypted service password]

The value is 00795842f27593df0e279e850cca4a4efc8a4353cc9188136ddd957227c90355 (64 hex characters, i.e. 32 bytes or two AES blocks) and the keys are F1_2023_10_16_05_41_44.key and F2_2023_10_16_05_41_44.key. Several key pairs may exist on an appliance; F1 and F2 files belong together by the timestamp in their names, so use a matching pair. We enter this information into the NSKek tool:

[Screenshot: NSKek tool with the F1 key, F2 key and encrypted value filled in]

If all values are correct, the service password appears in plain text. A few extra characters may show up at the end; this is a known issue. With AES-CBC those trailing bytes are most likely the PKCS#7 padding that the tool does not strip, so they are not part of the password and can be ignored.

[Screenshot: NSKek result window showing the decrypted password]

### Download from GitHub

NSKek-Tool.zip: https://github.com/Koetzing/Executables/blob/main/NSKek-Tool.zip

### Conclusion

My NSKek tool for decrypting NetScaler service passwords builds on these practices: it combines HMAC-based key derivation, AES decryption and an intuitive GUI to give NetScaler administrators secure and simple access to sensitive data.
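The key derivation and decryption described in the "Key derivation using HMAC and file parsing" section, written out as a runnable example. This is added code, not the NSKek tool's own source and not Citrix's implementation. It follows the page's description (32-byte segments at offsets 33..65 of F1 and 35..67 of F2, HMAC-SHA256, AES-256-CBC) and fills in three things the page does not state, all marked as assumptions in the code: the F2 segment is used as the HMAC key and the F1 segment as the message, the CBC IV is all zeros, and the plaintext carries PKCS#7 padding (which is what the "extra characters at the end" would be). The F1/F2 contents and the password are constructed test data; the encrypt helper exists only to produce a test vector. Check the two cryptographic assumptions against a real ns.conf value and key pair before relying on it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Segment offsets as the article states them: bytes 33..65 of F1 and 35..67
// of F2 (32 bytes each), taken here as 0-based, half-open ranges.
const (
	f1Start, f1End = 33, 65
	f2Start, f2End = 35, 67
)

// deriveKEK combines the two key-file segments with HMAC-SHA256.
// Assumption (the page does not say): F2 segment = HMAC key, F1 segment =
// message. The 32-byte MAC is used directly as the AES-256 key.
func deriveKEK(f1, f2 []byte) ([]byte, error) {
	if len(f1) < f1End || len(f2) < f2End {
		return nil, errors.New("key file shorter than the expected segment")
	}
	mac := hmac.New(sha256.New, f2[f2Start:f2End])
	mac.Write(f1[f1Start:f1End])
	return mac.Sum(nil), nil
}

// decryptRaw undoes AES-256-CBC on the hex value from ns.conf and returns the
// plaintext with padding still attached: those padding bytes are the "extra
// characters at the end" seen in the GUI. Assumption: all-zero IV.
func decryptRaw(kek []byte, hexCipher string) ([]byte, error) {
	ct, err := hex.DecodeString(hexCipher)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("value is not hex or not whole AES blocks")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	return pt, nil
}

// stripPKCS7 validates and removes PKCS#7 padding. A bad pad almost always
// means the wrong F1/F2 pair or the wrong ns.conf value was supplied.
func stripPKCS7(pt []byte) (string, error) {
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) ||
		!bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid padding (wrong KEK?)")
	}
	return string(pt[:len(pt)-n]), nil
}

// decryptServicePassword is the whole pipeline: hex -> AES-CBC -> unpad.
func decryptServicePassword(kek []byte, hexCipher string) (string, error) {
	pt, err := decryptRaw(kek, hexCipher)
	if err != nil {
		return "", err
	}
	return stripPKCS7(pt)
}

// encryptServicePassword is the inverse operation; it exists only to build a
// test vector here, since on a real appliance the NetScaler writes the value.
func encryptServicePassword(kek []byte, password string) (string, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(password)%aes.BlockSize
	pt := append([]byte(password), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct), nil
}

// sampleKeyFiles returns constructed stand-ins for F1_*.key and F2_*.key;
// they are deterministic filler, not real NetScaler key material.
func sampleKeyFiles() ([]byte, []byte) {
	f1, f2 := make([]byte, 96), make([]byte, 96)
	for i := range f1 {
		f1[i], f2[i] = byte(i*7+3), byte(251-i*5)
	}
	return f1, f2
}

func main() {
	f1, f2 := sampleKeyFiles()
	kek, _ := deriveKEK(f1, f2)
	ct, _ := encryptServicePassword(kek, "R4dius!Secret-2023") // 18 chars -> 64 hex digits
	raw, _ := decryptRaw(kek, ct)
	pw, err := decryptServicePassword(kek, ct)
	fmt.Printf("KEK=%x\nns.conf value=%s\nraw=%q\npassword=%q err=%v\n", kek, ct, raw, pw, err)
}
```

Running it with `go run` prints the derived KEK, a 64-hex-digit value of the same shape as the one in ns.conf, the raw decryption with its 14 padding bytes (the "extra characters"), and the cleaned password. To point it at a real appliance, replace sampleKeyFiles with the contents of the matching F1_*.key and F2_*.key files and pass the ns.conf value to decryptServicePassword; a padding error there is the quickest sign that one of the two assumptions (HMAC key/message order, zero IV) does not hold for that build.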