Tools for pentesting thick client applications
General index of the course
Decompilation tools
- Native (C/C++) decompilation: Ghidra, https://ghidra-sre.org
- C# (.NET) decompilation: dnSpy.
- JetBrains dotPeek (also for .NET assemblies).
Read app metadata
- CFF Explorer. Open the app with CFF Explorer to see which language and compiler/tool were used to build it (for instance, whether it is a .NET assembly or a native PE).
Sniff connections
- TCPView from Sysinternals Suite, to see which endpoints the application connects to.
- Wireshark.
Traffic monitoring
- Wireshark, fine if we only want to monitor (passive capture, no modification).
- Echo Mirage, very old and not maintained.
- mitm_relay + Burp Suite, to intercept and modify non-HTTP TCP traffic by relaying it through Burp.
Static analysis
Spot hard coded credentials
- Strings from Sysinternals Suite. It is the equivalent of the Unix strings command: it prints all the human-readable strings in a binary, searching both ASCII and Unicode (UTF-16) strings by default, which matters because .NET stores its string literals as UTF-16.
- dnSpy can be used to find the functions that contain hard-coded credentials (database connections, ...).
Log analysis
When debug mode is on, you can run:
Open the application's log file and, if you are lucky and debug mode is still on, you will be able to see things such as SQL queries, decrypted database passwords, users, the temp location of the FTP file...
Dynamic analysis
Changes in the file system
- Process Monitor (ProcMon) from Sysinternals Suite to see changes in the file system. For instance, you can watch access to interesting files in the application directory in real time.
Spot sensitive data in Registry entries
- Process Monitor (ProcMon) from Sysinternals Suite to spot changes in registry entries.
- Regshot lets you compare two snapshots of the registry (one taken before opening the application and one taken while it is running).
Check the memory
Process Hacker. While the application connects to the database, the connection string in the code may be in clear text or encrypted. Even if it is encrypted on disk, it has to be decrypted before it is used, so it can still be found in memory. Process Hacker dumps the memory of the process, so we may find the clear text connection string there.
Scan the application
Attacks
DLL Hijacking
1. Locate interesting DLL files with Process Monitor (ProcMon): filter on the application's process, CreateFile operations whose result is NAME NOT FOUND and paths ending in .dll, then check (for example with icacls) whether the directory the DLL is searched in is writable by your user.
2. Craft a malicious DLL with msfvenom on the attacker machine.
3. Serve it to the victim machine, e.g. with an Apache server.
4. Place the DLL, with the expected name, in the directory from which the application tries to load it.
5. Run the app.
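Step 1 is the one that takes the longest by hand, so here is an added example (my own code, not part of the original notes) that automates it over a ProcMon CSV export: it keeps the DLLs the target process looked for and did not find, deduplicates them, and marks the ones under a directory prefix you say is writable. The CSV below is constructed with ProcMon's default export columns; the process name, paths and the writable prefix are assumptions you replace with what icacls tells you on the target.

```python
import csv
import io

# Constructed ProcMon CSV export (File > Save..., CSV format) with the default
# columns; process, paths and timestamps are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:12:01.1234567 AM","ThickClient.exe","4120","CreateFile","C:\Program Files\ThickClient\report.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.1234570 AM","ThickClient.exe","4120","CreateFile","C:\Windows\System32\report.dll","SUCCESS","Desired Access: Read Attributes"
"10:12:01.1234580 AM","ThickClient.exe","4120","CreateFile","C:\Users\bob\AppData\Local\ThickClient\plugins\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.1234581 AM","ThickClient.exe","4120","CreateFile","C:\Users\bob\AppData\Local\ThickClient\plugins\helper.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory"
"10:12:01.1234590 AM","ThickClient.exe","4120","CreateFile","C:\Windows\System32\secur32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:12:02.0000000 AM","ThickClient.exe","4120","RegQueryValue","HKLM\SOFTWARE\ThickClient\Debug","NAME NOT FOUND","Length: 16"
"10:12:03.0000000 AM","svchost.exe","900","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# ProcMon reports a missing file as NAME NOT FOUND and a missing directory
# as PATH NOT FOUND; both mean the loader will accept a file we drop there.
MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}


def dll_hijack_candidates(csv_text, process_name, writable_prefixes):
    """Return the DLLs `process_name` tried to open but did not find, in
    first-seen order, flagging those under a prefix we can write to."""
    seen = set()
    candidates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] not in MISSING:
            continue
        path = row["Path"]
        key = path.lower()
        if not key.endswith(".dll") or key in seen:
            continue
        seen.add(key)
        writable = any(key.startswith(p.lower()) for p in writable_prefixes)
        candidates.append({"path": path, "writable": writable})
    return candidates


def exploitable(candidates):
    """Paths worth crafting a DLL for: missing and in a writable directory."""
    return [c["path"] for c in candidates if c["writable"]]


if __name__ == "__main__":
    # Assumed: only the user's profile is writable; verify with icacls.
    hits = dll_hijack_candidates(SAMPLE_PROCMON_CSV, "ThickClient.exe", ["C:\\Users\\"])
    for hit in hits:
        print(("WRITABLE " if hit["writable"] else "         ") + hit["path"])
```

A missing DLL in a non-writable directory (Program Files with default permissions) is still worth noting, because a later search-order entry such as the current working directory or a directory in PATH may be writable; that is why the script reports both and only marks the writable ones.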
Reversing .NET applications
- dnSpy: C# code + IL code + patching the application
- dotPeek (from JetBrains)
- ILSpy / Reflexil
- ILASM (IL Assembler) (comes with .NET Framework).
- ILDASM (IL Disassembler) (comes with Visual Studio).
Input sanitization: SQL injections
Manually
Application Signing
Sigcheck, from Sysinternals Suite, to check whether the binary carries a valid Authenticode signature and who signed it.
Compiler protection
PESecurity is a PowerShell script that checks whether a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, strong naming, Authenticode, Control Flow Guard and HighEntropyVA.
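To show where most of those answers come from, here is an added example (my own code, not PESecurity and not from the original notes) that parses the PE headers and reads the DllCharacteristics flags for ASLR, DEP, CFG and HighEntropyVA. It does not cover SafeSEH, strong naming or Authenticode, which live in the load config directory, the CLR metadata and the certificate table respectively, so use PESecurity for the full set. The header-only sample image is constructed for the test and is not a loadable binary; the file name passed on the command line is an assumption.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header.
FLAGS = {
    "high_entropy_va": 0x0020,  # 64-bit ASLR over the full address space
    "aslr":            0x0040,  # DYNAMIC_BASE
    "dep":             0x0100,  # NX_COMPAT
    "cfg":             0x4000,  # GUARD_CF
}


def check_pe(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report the mitigation flags; raises ValueError for non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    report = {name: bool(dllchar & bit) for name, bit in FLAGS.items()}
    report["pe32plus"] = magic == 0x20B
    report["machine"] = machine
    return report


def build_sample_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal header-only image for exercising check_pe; only
    the fields the parser reads are filled in, so it cannot be executed."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header at 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                     # sections, stamp, symbols
                       opt_size, 0x0022)               # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py target.exe; without an argument it
    # reports on a sample built with ASLR, DEP and HighEntropyVA but no CFG.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x0160)
    for name, value in check_pe(data).items():
        print(f"{name:16} {value}")
```

Two caveats when reading the output: HighEntropyVA only has an effect on a PE32+ image that also has ASLR set, and a DEP/ASLR flag on the main executable says nothing about the DLLs it loads, so run the check over every module in the application directory.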
Also, check these other tools and resources:
Last update: 2024-03-29 Created: March 27, 2023 14:09:07