Tools for pentesting thick client applications

General index of the course

• Introduction.
• Tools for pentesting thick client applications.
• Basic lab setup.
• First challenge: enabling a button.
• Information gathering phase.
• Traffic analysis.
• Attacking thick clients applications.
• Reversing and patching thick clients applications.
• Common vulnerabilities.

Decompilation tools

• C++ decompilation: https://ghidra-sre.org
• C# decompilation: dnspy.
• JetBrains dotPeek.

Read app metadata

• CFF explorer. Open the app with CFF Explorer to see which language and tool was used for its creation.

Sniff connections

• TCP View from sysInternalsSuite.
• Wireshark.

Traffic monitoring

• wireshark, it's ok if we just want to monitor.
• Echo mirage, very old and not maintained.
• mitm_relay + BurpSuite.

Static analysis

Spot hard coded credentials

• Strings from sysInternalsSuite. It's similar to the command "strings" in bash. It displays all the human readable strings in a binary.
• dnspy can be used to spot functions containing hard coded credentials (for connections,...).

Log analysis

When debug mode is on, you can run:

thick-app-name.exe > path/to/logs.txt

Open the file with the logs of the application and, if you are lucky and debug mode is still on, you will be able to see some stuff such as SQL queries, decrypted database passwords, users, temp location of the ftp file...

Dynamic analysis

Changes in the file system

• ProcessMonitor tool from sysInternalsSuite to see changes in the file system. For instance, you can analyze the access to interesting files in the application directory in real time.

Spot sensitive data in Registry entries

• ProcessMonitor tool from sysInternalsSuite to spot changes in the Registry Entries.
• regshot allows you to compare two snapshots of registry entries (before opening the application and during executing the application).

Check the memory

Process Hacker tool During a a connection to database the code that does it may be in clear text or encrypted. If encrypted, it's still possible to find it in memory. Process Hacker tool dumps the memory of the process so we might find the clear text connection string in memory.

Scan the application

Visual Code grepper.

Attacks

DLL Hickjacking

Step by step.

1. Locate interesting DLL files with ProcessMonitor (or ProcMon).

2. Craft malicious DLL with msfvenom from attacker machine.

3. Serve it to the victime machine using an apache server.

4. Placing the file in the same directory from where is going to be called.

5. Run the app.

Reversing .NET applications

• dnspy: c# code + IL code + patching the application
• dotPeek (from JetBrains)
• ILspy / Reflexil
• ILASM (IL Assembler) (comes with .NET Framework).
• ILDASM (IL Disassembler) (comes with Visual Studio).

How to do it?

Input sanitization: SQL injections

Manually

Application Signing

Sigcheck, from SysInternals Suite (more).

Compiler protection

Binscope.

PESecurity is a powershell script that checks if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, Authenticode, Control Flow Guard, and HighEntropyVA.

Also, check these other tools and resources:

• WinSpy.
• Window Detective
• netspi.com.

Last update: 2024-03-29
Created: March 27, 2023 14:09:07