Thick Client Testing SOP

What is thick client application:

A thick client is a type of application where the bulk of processing and operations happen at the
client side or on the machine where the application is installed. Common examples of thick
client applications are video games, audio video editing tools, Microsoft Office, etc.

Common designs of Thick Client :

● 2-tier applications
● 3-tier applications

2-tier applications:
The two tier thick client application consists of the user computer and the server. In this type,
the application is installed on the client side, which directly communicates with the database on
the server. These usually involve legacy applications.

Figure 1: 2-tier application example

3-tier applications:
These kinds of thick client applications involve three tiers, wherein the client talks to the
application server, which in turn talks to the database. The communication in these applications
is carried out using HTTP/HTTPS. Examples of these applications involve G-Talk or Yahoo
Messenger.

Figure 2: 3-tier application example

Methodology:
● Information Gathering
● Client-Side Attacks
● Server-side Attacks
● Network-side Attacks
Figure 3: Thick Client testing framework
Information Gathering:
Information Gathering is a crucial step in penetration testing. In this phase, we need to gather all
the possible information about the target application.

Some of the common things that we need to do during the information gathering phase of a
thick client penetration test are as follows.

Application Architecture and Identifying the Languages and Frameworks Used:

There are several tools that can aid in the process of identifying the development
language used to build the thick client application.

The following table presents a set of static tools that can be used:

Sno Tool Name Description

1 CFF Explorer A tool that was designed to make PE editing as easy

as possible without losing sight of the portable
executable’s internal structure.

2 PEid A tool that detects most common packers, crypters

and compilers for PE files.

3 Detect It Easy (DIE) A program for determining file types for Windows,
Linux and macOS.

4 Strings A tool that scans any files you pass it for UNICODE
or ASCII strings of a default length of three or more
UNICODE or ASCII characters.
Network Communication Between the Client and the Server:

So, now that we’ve identified the development language used to build the tested thick
client application we tested. The next step is to sniff the traffic between that thick client
application and the local/remote server. As a penetration tester, learning how to use a
network packet sniffer is essential for day-to-day operations. Whether you are trying to
understand a protocol, debug a network client or analyze traffic, you’ll always end up
needing a network sniffer.

The following table presents a set of network sniffers tools that can be used in this part:

Sno Tool Name Description

1 Wireshark Wireshark is the world’s foremost and most widely-used network

protocol analyzer.

2 TCPView TCPView is a Windows program that shows detailed listings of

all TCP and UDP endpoints on your system, including the local
and remote addresses and the state of TCP connections.

3 SmartSniff SmartSniff is a network monitoring utility that allows you to

capture TCP/IP packets that pass through your network adapter
and view the captured data as sequence of conversations
between clients and servers.

4 tcpdump tcpdump is a common packet analyzer that runs under the

command line. It allows the user to intercept and display TCP/IP
and other packets being transmitted or received over a network
to which the computer is attached.

5 Microsoft Microsoft Network Monitor 3.4 is a tool for network traffic capture
Network and protocol analysis.
Monitor 3.4

When we talk about intercepting thick client traffic, we should know the difference
between:
 ● Proxy aware – A thick client that has settings options in the application itself.
● Non-proxy-aware – A thick client that does not have any settings options in the
application itself and requires a different testing approach.

If the thick client application is proxy aware, it may be possible to intercept the traffic
using any proxy tool.

When the thick client is non-proxy-aware, Burp Suite’s support for invisible proxying
allows non-proxy-aware clients to connect directly to a Proxy listener.

The following table presents a set of proxy tools that can be used:

Sno Tool Name Description

1 Burp Suite Burp Suite Professional is an advanced set of tools for testing
web security.

2 Fiddler Fiddler is a free web debugging tool which logs all HTTP(S)
traffic between your computer and the Internet.

3 Echo Mirage Echo Mirage is a versatile local proxy tool that can be used to
intercept and modify TCP payloads for local Windows
applications.

4 Charles Web Charles is an HTTP proxy that enables to view all of the HTTP
Debugging and SSL / HTTPS traffic between the local machine and the
Proxy Internet. This includes requests, responses and the HTTP
headers.

Client-Side attacks:

Files Analysis
Applications usually store information in local files and the registry. Sensitive information
that we might look for in a thick client pentest includes:

● Usernames
● Passwords
● Connection Strings
● API keys

For this step, it is crucial to know which files are being used by the tested thick client
application. We can use the Process Monitor tool from the Sysinternals Suite to collect
all the necessary information

The following table presents a set of file analysis tools that can be used in this part:

Sno Tool Name Description

1 Process Monitor An advanced monitoring tool for Windows that shows real-
time file system, Registry and process/thread activity.

2 Regshot An open-source (LGPL) registry compare utility that

allows you to quickly take a snapshot of your registry and
then compares it with a second one – used after doing
system changes or installing a new software product.

3 Process Explorer Provides the functionality of the Windows Task Manager

along with a rich set of features for collecting information
about processes running on the user’s system. It can be
used as the first step in debugging software.

4 Process Hacker A free, powerful multi-purpose tool that helps you monitor
system resources, debug software and detect malware.

Identifying DLL Hijacking Vulnerability

The next step is to examine if the tested thick client application is vulnerable to a DLL
hijacking vulnerability.

DLL hijacking is an attack that exploits the Windows search and load algorithm, allowing
an attacker to inject code into an application through disk manipulation. In other words,
simply putting a DLL file in the right place causes a vulnerable application to load that
malicious DLL.

When the thick client application tries to load a DLL, it will go through the following in
order:

● The directory from which the application is loaded

● C:\Windows\System32
● C:\Windows\System
● C:\Windows
● The current working directory
● Directories in the system PATH environment variable
● Directories in the user PATH environment variable

To be able to escalate privileges via DLL hijacking, the following conditions need to be
in place:

● Write Permissions on a system folder.

● Software installation in a non-default directory.
● A service that is running as a system and is missing a DLL.
● Permissions for restarting the service.
The following table presents a set of tools designed for testing for DLL Hijacking
vulnerability:

Sno Tool Description

Name

1 DLLSpy A tool that detects DLL hijacking in running processes and

services and in their binaries.

2 Robber An open-source tool for finding executables prone to DLL

hijacking.

The Process Monitor tool will identify if the application is trying to load any DLLs and the
actual path that the application uses when looking for the missing DLLs.

Thick client application configuration files typically contain valuable information for
pentesters such as:

● Usernames
● Passwords
● License details
● Cryptographic keys
● IP addresses and ports

Identifying Interesting Files Bundled with the Thick Client Application

The configuration files are usually readable by all operating system users, which allows
anyone who can read the file access to the compromised resources.

The following table presents a set of tools aimed for locating sensitive data storage on
files and registry:
 Sno Tool Name Description

1 Process An advanced monitoring tool for Windows that shows real-

Monitor time file system, Registry and process/thread activity.

2 Regshot An open-source (LGPL) registry compare utility that allows

you to quickly take a snapshot of your registry and then
compares it with a second one – used after doing system
changes or installing a new software product.

3 Process A tool that provides the functionality of the Windows Task

Explorer Manager along with a rich set of features for collecting
information about processes running on the user’s system.
It can be used as the first step in debugging software.

4 Process Hacker A free, powerful multi-purpose tool that helps you monitor
system resources, debug software and detect malware.

Usually, a thick client application contains several configuration files in the root folder of
the application or in a specific configuration folder.

If information is stored in cleartext, attackers could potentially read it. Even if the
information is encoded in a way that is not human-readable, certain techniques could be
used to determine which encoding is being used and then decode the information.

As pentesters, we might stumble against thick clients in black/gray-box testing

scenarios. We may not have any prior knowledge or any documentation on the tested
application.

For this challenge, we can use a decompiler tool to retrieve the tested thick client
application’s source code of. A decompiler is a computer program that takes an
executable file as input and attempts to create a high-level source file that can be
recompiled successfully.
Binary Analysis

After we have the source code for the tested thick client, we can start searching through
the code for sensitive information, such as:

● Hard-coded credentials
● API Keys
● API Endpoints
● Comments
● Hidden functions

The following table presents a set of binary analysis tools that can be used in this
phase:

SNo Tool Name Description

1 Ghidra A suite of free software reverse engineering tools developed by

the NSA’s Research Directorate. It was originally exposed in
WikiLeaks’s “Vault 7” publication and is now maintained as
open-source software.

2 Immunity Immunity Debugger is a powerful new way to write exploits,

Debugger analyze malware and reverse engineer binary files.

3 Interactive Proprietary multi-processor disassembler and debugger for

Disassemble Windows, GNU/Linux or macOS. It also has a free version, IDA
r (IDA Pro) Free.

4 OllyDbg x86 debugger for Windows binaries that emphasizes binary

code analysis.

5 Radare2 Open source, cross-platform reverse engineering framework.

6 dnSpy A tool to reverse engineer .NET assemblies.

 7 x64dbg Open source x64/x32 debugger for windows.

8 JetBrains Free .NET decompiler and assembly browser.

DotPeek

9 ILSpy Open-source .NET assembly browser and decompiler.

10 JD-GUI A standalone Java decompiler GUI.

11 Jadx Dex to Java decompiler.

12 Bytecode A lightweight user-friendly Java bytecode viewer.

Viewer

13 Luyten An Open source Java Decompiler GUI for Procyon

14 PE Explorer View, Edit and Reverse Engineer EXE and DLL Files.

15 UPX A free, portable, extendable, high-performance executable

Decompress packer for several executable formats.
ion

16 Frida A dynamic instrumentation toolkit for developers, reverse-

engineers and security researchers.

Weak Graphical User Interface

To test for user interface vulnerabilities as a low privileged user, we will need to use
various tools to manipulate window objects in Windows, such as:

● Buttons
● Menu bars
● Text boxes
● OCX controls
Basically, anything that can be located as a child window and has an active window
handle can be manipulated with some predefined attributes.

The following table presents a set of weak GUI control tools that can be used:

SNo Tool Name Description

1 WinSpy++ A tool whose purpose is to help you view and modify the
properties of any window in your system with great ease.

2 WinManipulate A simple tool to manipulate window objects in Windows.

3 Windows Enabler A simple tool that lets you activate functions your thick
client application has blocked.

Memory Analysis

When testing for vulnerabilities in the tested thick client application, we should perform a
memory analysis while the thick client application runs. Thick client applications
developed in a two-tier architecture transfer sensitive information in the application’s
memory.

This is a design flaw, because every thick client application developed in a two-tier
architecture will, by default, disclose sensitive information in the application’s memory,
such as:

● Usernames
● Passwords
● Connection strings
● Hardcoded database credentials
The following table presents a set of memory analysis tools that can be used in this
phase:

SNo Tool Description

Name

1 Winhex An advanced monitoring tool for Windows that shows real-time file
system, Registry and process/thread activity.

2 Volatility An open-source (LGPL) registry compare utility that allows you to

quickly take a snapshot of your registry and then compares it with
a second one – used after doing system changes or installing a
new software product.

3 Process Provides the functionality of the Windows Task Manager along

Explorer with a rich set of features for collecting information about
processes running on the user’s system. It can be used as the
first step in debugging software.

4 Strings Strings scan any file you pass it for UNICODE or ASCII strings
with a default length of three or more UNICODE or ASCII
characters.

Server-Side Attacks

OWASP TOP10 Vulnerabilities

Once we have performed all the particulars of thick client testing, we can now focus on
the OWASP Top10.

The following list presents the relevant vulnerabilities for thick client testing:

● A1:2017-Injection
 ● A2:2017-Broken Authentication
● A3:2017-Sensitive Data Exposure
● A4:2017-XML External Entities (XXE)
● A5:2017-Broken Access Control
● A6:2017-Security Misconfiguration
● A7:2017-Cross-Site Scripting (XSS) (Not applicable for a thick client testing
if html forms are not used)
● A8:2017-Insecure Deserialization
● A9:2017-Using Components with Known Vulnerabilities
● A10:2017-Insufficient Logging Monitoring

Network test:

Here we observe and test network communication between client and server or any

other connected entity.

● Testing transmission of sensitive data

Observe how data is passed over the wire. Report usage of sensitive data

such as user credentials, personally identifiable information (PII), etc.

transmitted in cleartext. Wireshark can be used to observe unencrypted

transmission of sensitive information.

● Testing weak encryption

Usage of weak encryption such as MD5, RC4, etc. may result in broken

authentication, spoofing attack, key leakage and poor integrity of data in

 transit and must be reported. Vulnerability scanners such as Nessus can

help to spot weak encryption along with Wireshark to observe usage.

● Scan server for low hanging fruits

Use Nmap/Nessus to find what ports and services are open on the server

along with OS version and patch level. If any unnecessary service is in use

then research further to learn if there is any vulnerability present that can be

leverage to attack the server.

● Testing SSL/TLS usage

In recent times many high impact issues such as Heartbleed, FREAK,

logjam, etc. have been reported in the SSL/TLS protocols. One should check

for presence of usage of weak cipher suites, security policies, deprecated

protocols and misconfigurations. Tools that can aid in testing these are

Nmap, sslscan, sslyze and OpenSSL.