Pentesting Thick

Client Applications
@0xhexninja
PS C:\> whoami
• Anurag Srivastava
• Job involves red teaming and sometimes application penetration
testing :p
• Author of buffer overflow based exploit which is now part of rapid7’s
Metasploit framework – (CVE-2017-13696)
• Remote buffer overflow in All Media Server – (CVE-2017-17932) [msf
module]
• I like to pwn AD, evade/bypass AV/EDRs
• Ctf player at hackthebox
• Worked on threat intel, OSINT, reverse engineering, basic malware
analysis & investigation
• Also holds some industry recognized certifications like OSCE, OSCP,
OSWP, eCPTX, CRTE, CRTP, CREST CRT, CPSA and few more.
• One day, I will be a Red Teamer and I never go back on my words! –
Naruto Lover <3
• I blog at - https://www.theanuragsrivastava.in/
• Social media- hexachordanu
 • Introduction
• Why did I choose this topic?
• Common Architecture
• Testing Thick Client
• Common Vulnerabilities
• Ninja Tools that you need
Agenda • Quick Demo
• Common Challenges
• Possible Solutions to our common challenges
• Basic Checklist
• Playground
• Interesting Reads
• References
Thick Client Pentesting ?
• Finding right place to inject our payload
• Reading the sensitive data
• Uncovering the truth behind the fancy UI
by decompiling and reversing
• Fuzzing the application
• Checking the signature and integrity of
the app
• Testing for vulnerabilities in client’s
wallet, data storage and data processing
mechanism

Image source: https://c8.alamy.com

 Introduction

• According to Wikipedia, a fat client/heavy

client/rich client/thick client is a computer (client)
in client–server architecture or networks that
typically provides rich functionality independent
of the central server”.
• Thick client applications can be developed using
various programming languages such as:
• .Net
• Java
• C/C++
• Microsoft Silverlight
• Example – Skype, Teams, Outlook etc.
Why did I choose this
topic?
• Commonly seen that enterprises use thick
client for internal purpose
• Organizations mostly focus on web and
mobile apps pentesting
• Wider scope
• Less resources on thick client security
testing
• Automated Vulnerability assessment is not
enough
Common Architecture (Two-tier)

DESKTOP CLIENT DATABASE

Common Architecture (Three-tier)

DESKTOP CLIENT APPLICATION SERVER DATABASE

Testing Thick Clients
Information Gathering Client Side attacks Network Side Attacks Server Side Attacks

• Application Architecture • Files Analysis • Installation Traffic • Network Layer Attacks

• Business Logic • Sensitive Information • Sensitive Installation (TCP UDP Attacks)
• Platform Mapping • Binary Analysis Information • Flooding
• Understanding • Static Analysis • Run Time Traffic • Overflows
Application & (De-compilation) • Sensitive Information • Layer 7 Attacks
Infrastructure • Dynamic Analysis • Vulnerable APIs • OWASP TOP 10
• Languages and (Run-Time Reverse
Frameworks Engineering)
• Common • Memory Analysis
Vulnerabilities • Memory Manipulation
• Sensitive information
stored in memory
 Common Vulnerabilities
Hardcoded
Sql Injection Dll hijacking
password

Unquoted Sensitive data in

Denial of Service
service path registry keys

Sensitive data in
XXE Deserialization
memory
Source: https://screenrant.com/naruto-powerful-worthless-attacks/
Ninja tools that you need

Proxy tools – sits between

Network sniffers – check
Static tools – Identify arch, De-compilers and de- client and local/server &
communication b/w client &
languages & framework obfuscators allow us to modify
server
requests/response
• CFF Explorer • dnSpy • Wireshark • Echo mirage
• Peid • ILSpy • TCPView – part of MS • Burp Suite
• Detect It Easy (DIE) • DotPeek sysinternal • Fiddler
• Strings • Jd-gui • SmartSniff • Charles Web Proxy
• Procyon • Tcpdump
• De4dot
• NeonFuscatorDeobfuscator
Ninja tools that you need

Binary analysis – Look for

File analysis – look for code logic, hidden function, Test for weak GUI control
Memory analysis & fuzzing
sensitive information & files validation checks, api keys, tools
and comments etc.
• Process Monitor • Ghidra • WinSpy++ • Winhex
• Regshot • IDA Pro • WinManipulate • Volatility
• Process Explorer • X64dbg • Windows Enabler • Tsearch
• Process Hacker • OllyDbg • Userdump
• Immunity Debugger • Spike
• Radare2 • Sulley
• Frida • AFL
• Bytecode Viewer • WinAFL
• PE Explorer
Ninja tools that you need

Miscellaneous

• Attack Surface Analyzer (ASA)

• Stunnel
• mitm_relay
• Robber
• Dllspy
• sigcheck
• Powerup/Sharpup
• HeidiSQL
• Metasploit
• Sqlmap
• Sysinternal tools
• Canape
• Static source code analysis tool etc
 Quick Demo

Source: https://www.meme-arsenal.com/memes/7ad9746c17bd9452336bb90d66196a78.jpg
Common Challenges

PROXY UNAWARE UNABLE TO INTERCEPT SSL BASED ISSUES CUSTOM PREOPERATORY

COMMUNICATION FROM TOOLS PROTOCOL LIKE FIX
LIKE BURP, ECHO MIRAGE ETC.
Possible Solution to our common challenges
Use • Use Burp Invisible proxy and non-http proxy extension to intercept tcp based traffic

Capture • Capture packet on Wireshark and write a custom script(client) to send custom requests (can be written in python,
ruby etc)

Use • Use mitm relay embeds every request into a HTTP POST Request so you can relay it through burp

Use • Use stunnel to intercept ssl based request for clients using ssl over non-http protocol

Add • Add Proxy’s certificate to the Java “System” store using the keytool application to solve java based certificate
issues

Decompile and update • Decompile and update certificate in code and recompile

Use • Use Detours to hook win32 APIs calls in order to solve issues with preoperatory softwires which uses
custom/shared key cryptographic implementation
Basic Checklist
• Check application signing
• Check for Config File
• Test the authentication mechanism
• Test the session management mechanism
• Test access controls
• Test the encryption control
• Test for input-based vulnerabilities
• Test for business logic flaws
• Test for sensitive data storage on files and registries
• Sensitive data Exposure in memory
• Test for response modification
• The reverse engineering method to test backdoors and hardcoded creds
• Test for DLL hijacking vulnerability
• Try to bypass license check/validation check or application patching
Playground

Beta Bank -
DVTA - Beta Fast -
https://github.com/NetSPI/BetaFast/t
https://github.com/secvulture/dvta https://github.com/NetSPI/BetaFast
ree/master/BetaBank

Fatty Machine -
DVJA -
https://www.hackthebox.eu/home/m
https://github.com/appsecco/dvja
achines/profile/227
Interesting reads

• https://parsiya.net/categories/thick-client-proxying/ (Part 1-10)

• https://medium.com/@mantissts/more-thick-client-fun-
73196809493d
Source: https://www.cyberark.com/resources/threat-research-blog/beware-of-the-gif-account-takeover-
• https://www.cyberark.com/resources/threat-research- vulnerability-in-microsoft-teams
blog/beware-of-the-gif-account-takeover-vulnerability-in-
microsoft-teams
• https://www.optiv.com/blog/ssl-relay-proxy-a-creative-solution-to-
a-complex-issue
• https://jitpack.io/p/summitt/Burp-Non-HTTP-Extension
• https://blog.netspi.com/introduction-to-hacking-thick-clients-part-
1-the-gui/
• https://owasp.org/www-pdf-
archive/Thick_Client_%28In%29Security_-_Neelay_S_Shah_-
_Mar_24.pdf
• https://medium.com/@gdieu/build-a-tcp-proxy-in-python-part-1-
3-7552cd5afdfe
• https://blog.appsecco.com/from-thick-client-exploitation-to-
becoming-kubernetes-cluster-admin-the-story-of-a-fun-bug-we- Source: https://jitpack.io/p/summitt/Burp-Non-HTTP-Extension
fe92a7e70aa2
References
• https://www.cyberark.com/resources/threat-research-blog/thick-
client-penetration-testing-methodology
• https://resources.infosecinstitute.com/practical-thick-client-
application-penetration-testing-using-damn-vulnerable-thick-client-
app-part-1/#gref
• https://blog.securelayer7.net/thick-client-penetration-testing-1/
• https://wiki.owasp.org/index.php/OWASP_Windows_Binary_Executa
ble_Files_Security_Checks_Project
• https://github.com/NetSPI/BetaFast
 Credit and Thanks
• Aakash Shukla

• Rahul Singh

• DevJeet singh

• Nipun Jaswal

• Ramandeep Singh

• Deepankar Arora

• Nebu Varghese

• Adhokshaj Mishra

• Deep Shankar Yadav

• Nitin Pandey

• Niv Levy

• Austin Altmann

• NetSpi

• Cyberark

• My mentors and friends – Dhairya giri, Avinash Kumar Tripathi, Manish Kishan Tanwar, Vivek Chauhan, Raghav Bisht, , Kishan
Sharma, Harpreet Singh, Himanshu Khokar, Ravi Kiran, D3, Faisal Shadab, Sultan Anwar, Spirited Wolf, Atul, Lakshay, Vardan Bansal,
Chaitanya, Pragya Varshney, Pragti, Santhosh, Shubham Gupta, Sudhir Sahni and there is a big list.

https://static.zerochan.net/Uzumaki.Naruto.full.1818648.jpg