Category: Thick Client Applications
https://medium.com/@m14r41/thick-client-pentesting-guide-95529a980ea4
In this step, penetration testers identify the application architecture, the programming languages and frameworks in use, and how the application and its infrastructure work together. They also need to identify the technologies used on the client and server sides and to locate entry points and user inputs.
Tools:
https://ntcore.com/explorer-suite/
https://github.com/horsicq/Detect-It-Easy
https://learn.microsoft.com/en-us/sysinternals/downloads/strings
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
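The first question in this step is usually "what am I looking at": a native PE, a .NET assembly, a Java archive, something else. The script below is an added example (it is not part of the original guide and not code from any of the tools listed) that answers that from the file headers alone, the way CFF Explorer or Detect It Easy would: it reads the COFF machine type and bitness, checks data directory 14 (the CLR header) to tell managed from native code regardless of extension, and recognises ELF, Java class files and JAR/WAR archives. The `build_sample_pe` and `build_sample_jar` fixtures are constructed, header-only inputs so it runs offline; the CLR RVA/size they write are placeholder values.

```python
import io
import struct
import zipfile

# COFF machine types and ELF e_machine values we care about.
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {3: "x86", 62: "x64", 40: "ARM", 183: "ARM64"}


def parse_pe(data):
    """Describe a PE image from its headers alone; returns None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start 96 bytes into the optional header
        bits, dirs = 32, opt + 96
    elif magic == 0x20B:        # PE32+: 112 bytes
        bits, dirs = 64, opt + 112
    else:
        return None
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    # Directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header): a non-zero
    # entry is the reliable marker for a .NET assembly, whatever the file extension says.
    clr_rva = clr_size = 0
    if ndirs > 14:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return {"format": "PE", "bits": bits, "machine": PE_MACHINES.get(machine, hex(machine)),
            "dll": bool(characteristics & 0x2000),          # IMAGE_FILE_DLL
            "dotnet": clr_rva != 0 and clr_size != 0, "sections": nsections}


def triage(data):
    """Classify a thick client artefact by magic bytes: PE, ELF, Java class, JAR/WAR or unknown."""
    pe = parse_pe(data)
    if pe:
        return pe
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"
        machine = struct.unpack_from(endian + "H", data, 18)[0]
        return {"format": "ELF", "bits": 32 if data[4] == 1 else 64,
                "machine": ELF_MACHINES.get(machine, hex(machine))}
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        # Mach-O fat binaries share this magic; there the next word is a small arch count,
        # while a Java class carries minor/major version with major >= 45 (JDK 1.1).
        word = struct.unpack_from(">I", data, 4)[0]
        if word >= 45:
            return {"format": "Java class", "class_major": word & 0xFFFF}
        return {"format": "Mach-O fat", "archs": word}
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
        kind = "WAR" if "WEB-INF/web.xml" in names else "JAR" if "META-INF/MANIFEST.MF" in names else "ZIP"
        return {"format": kind, "classes": sum(n.endswith(".class") for n in names)}
    return {"format": "unknown"}


def build_sample_pe(bits=64, dotnet=False, dll=False):
    """Constructed fixture: a header-only PE image (not loadable) so the parser can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    machine = 0x8664 if bits == 64 else 0x014C
    characteristics = 0x0002 | (0x2000 if dll else 0)             # EXECUTABLE_IMAGE [| DLL]
    magic, fixed = (0x20B, 112) if bits == 64 else (0x10B, 96)
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)      # CLR header RVA/size (placeholder values)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt) + len(dirs), characteristics)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


def build_sample_jar(war=False):
    """Constructed fixture: an in-memory JAR (or WAR) holding one class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: com.example.Main\n")
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
        if war:
            z.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        for name, blob in [("x64 .NET EXE", build_sample_pe(64, dotnet=True)),
                           ("x86 native DLL", build_sample_pe(32, dll=True)),
                           ("JAR", build_sample_jar())]:
            print(name, triage(blob))
```

Run it with a path to triage a real binary; with no argument it classifies the constructed fixtures. A `dotnet: True` result is the cue to reach for dnSpy or ILSpy, a native x86/x64 result for Ghidra, IDA or x64dbg, and a JAR/WAR for jadx.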
Sensitive information such as usernames and passwords, tokens, or connection strings and other strings used to talk to other services might be stored in the application's local files. Hardcoded credentials and other sensitive information can also be found in the application's code. Using the proper tools, we can reverse-engineer and examine .NET and Java applications, including EXE, DLL, JAR, CLASS, WAR, and other file formats.
Tools:
https://github.com/NationalSecurityAgency/ghidra/
https://hex-rays.com/ida-pro
https://www.ollydbg.de/
https://www.radare.org/r/index.html
https://github.com/dnSpy/dnSpy
https://x64dbg.com/
https://github.com/skylot/jadx
https://frida.re/
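Before opening a decompiler it is worth letting a string scanner do the cheap part of the hunt for hardcoded secrets. The script below is an added example (not from the original guide or from any tool listed above): it pulls printable runs out of a binary or config blob as both ASCII and UTF-16LE (.NET string literals are stored as UTF-16LE, which is why plain `strings` misses them), then runs a small set of credential patterns over each run. `SAMPLE_BLOB` is a constructed input with a basic-auth URL, a JWT, an AWS-style key id and a UTF-16LE connection string; the rule set is a starting point, not an exhaustive one.

```python
import re
import sys

# Printable runs of at least MIN_LEN chars, as ASCII and as UTF-16LE (how .NET string literals are stored).
MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

RULES = {
    "connection string password": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+"),
    "basic-auth URL": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@[^\s/]+"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "AWS access key id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "secret assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*[\"']?[^\"'\s;]{4,}"),
}

# Constructed sample blob standing in for a dumped .exe/.dll or config file (not a real binary).
SAMPLE_BLOB = (
    b"\x00" * 16 + b"MZ\x90\x00\x03\x00" + b"\x00" * 26
    + b"https://svc:Hunter2@api.internal.example/v1\x00\x00"
    + b"\x7f\x01\x02\x03" * 8
    + b"token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123def456\x00\x00"
    + b"AKIAABCDEFGHIJKLMNOP\x00\x00"
    + "Server=db01;Database=Orders;User Id=sa;Password=Summer2024!;".encode("utf-16le")
    + b"\x00\x00" + b"short\x00"
)


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run, like the Sysinternals strings tool."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_secrets(data):
    """Run every rule over every extracted string; return de-duplicated findings with file offsets."""
    seen, findings = set(), []
    for offset, encoding, text in extract_strings(data):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(text):
                key = (rule, m.group())
                if key in seen:
                    continue
                seen.add(key)
                findings.append({"rule": rule, "text": m.group(), "encoding": encoding, "offset": offset})
    return findings


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for f in find_secrets(blob):
        print("0x%08x %-8s %-28s %s" % (f["offset"], f["encoding"], f["rule"], f["text"]))
```

Every hit still has to be confirmed in the decompiled code or the running process: a matched string may be a placeholder, a test fixture or an expired token. The offset is there so you can jump straight to it in a hex editor or to the containing method in dnSpy.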
Network Side Attacks
If the application communicates with a local or remote server, network traffic analysis helps us capture sensitive information that might be transferred over HTTP/HTTPS or over raw TCP/UDP connections, and gives us a better understanding of how the application works.
Server-side attacks on thick client applications are similar to web application attacks, and penetration testers should pay attention to the most common ones, including most of the OWASP Top Ten.
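Burp only helps when the client speaks HTTP. For a proprietary TCP protocol the usual move is a logging proxy in the spirit of Echo Mirage: point the client at it (hosts file, config file or a patched server address) and watch what crosses the wire. The code below is an added example, not part of the original guide, of such a proxy: each connection is bridged to the real backend and every payload is logged, in order, before it is forwarded. `start_fake_backend` is a constructed stand-in for the application's server with an invented one-line LOGIN protocol, so the demo runs offline; against a real target you would pass the server's address to `LoggingTcpProxy` instead.

```python
import socket
import threading


class LoggingTcpProxy:
    """Listen locally, forward each connection to the real backend, record every payload in both directions."""

    def __init__(self, upstream, listen=("127.0.0.1", 0)):
        self.upstream = upstream
        self.log = []                       # (direction, bytes) in the order the proxy saw them
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(listen)
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]   # port 0 lets the OS pick a free one
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:
                return                          # listener closed
            threading.Thread(target=self._bridge, args=(client,), daemon=True).start()

    def _bridge(self, client):
        server = socket.create_connection(self.upstream)
        pumps = [threading.Thread(target=self._pump, args=(client, server, "C->S"), daemon=True),
                 threading.Thread(target=self._pump, args=(server, client, "S->C"), daemon=True)]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        server.close()

    def _pump(self, src, dst, direction):
        """Copy src -> dst, logging each chunk before forwarding it, so the log is complete
        by the time the other side can react to the data."""
        while True:
            try:
                chunk = src.recv(4096)
            except OSError:
                chunk = b""
            if not chunk:
                try:
                    dst.shutdown(socket.SHUT_WR)    # propagate EOF, keep the other direction open
                except OSError:
                    pass
                return
            with self._lock:
                self.log.append((direction, chunk))
            dst.sendall(chunk)

    def close(self):
        self._srv.close()


def hexdump(data, width=16):
    """Offset / hex / ASCII dump, the readable form for binary protocols."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in row).ljust(width * 3)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append("%08x  %s |%s|" % (off, hexpart, text))
    return "\n".join(lines)


def start_fake_backend():
    """Constructed stand-in for the thick client's server (invented one-line LOGIN protocol)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                request = conn.recv(4096)
                conn.sendall(b"OK session=7f3a\n" if request.startswith(b"LOGIN ") else b"ERR\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv


def run_demo():
    """Drive one client exchange through the proxy; return the reply and everything the proxy logged."""
    backend = start_fake_backend()
    proxy = LoggingTcpProxy(backend.getsockname())
    try:
        with socket.create_connection(("127.0.0.1", proxy.port)) as client:
            client.sendall(b"LOGIN alice:Hunter2\n")
            reply = b""
            while not reply.endswith(b"\n"):
                chunk = client.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        proxy.close()
        backend.close()
    return reply, list(proxy.log)


if __name__ == "__main__":
    for direction, chunk in run_demo()[1]:
        print(direction)
        print(hexdump(chunk))
```

The demo already makes the point the paragraph is driving at: the credential crosses the wire in clear text inside a protocol no HTTP proxy would ever see. If the client uses TLS, the same bridge needs a server-side `ssl` wrap with a certificate the client trusts, and the client's certificate validation becomes the first thing to test.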
This list is not complete, but it covers the tools most commonly used when conducting thick client pentesting.
Network Traffic Analysis Tools — Wireshark, Fiddler, Burp Suite, OWASP ZAP
Proxy Tools — Burp Suite, OWASP ZAP, Charles Proxy, Proxyman
Static Tools for Identifying Development Language — CFF Explorer, PEiD, Detect It Easy (DIE), Strings
.NET Decompilers and Deobfuscators — dnSpy, ILSpy, JetBrains DotPeek, de4dot, NeonFuscatorDeobfuscator
Network Sniffers — Wireshark, TCPView, SmartSniff, tcpdump, Microsoft Network Monitor 3.4
Proxy Tools for Intercepting Traffic — Burp Suite, Fiddler, Echo Mirage, Charles Web Debugging Proxy
File Analysis Tools — Process Monitor, Regshot, Process Explorer, Process Hacker
DLL Hijacking Testing Tools — DLLSpy, Robber
Tools for Locating Sensitive Data Storage on Files and Registry — Process Monitor, Regshot, Process Explorer, Process Hacker
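Procmon is the common thread in the DLL hijacking and file analysis rows above, and its CSV export is easy to post-process. The script below is an added example (not from the original guide, and not how DLLSpy or Robber are implemented): it replays a Procmon export, keeps the `CreateFile` probes for `.dll` paths, and for each DLL records every `NAME NOT FOUND` / `PATH NOT FOUND` location that precedes the first `SUCCESS`. Those earlier locations are where a planted DLL would win the search order; a DLL that is never found at all is a phantom-DLL candidate. It assumes the default export columns (`Time of Day`, `Process Name`, `PID`, `Operation`, `Path`, `Result`, `Detail`); `SAMPLE_CSV` is a constructed capture in that layout, and `writability` is a path heuristic, not an ACL check.

```python
import csv
import io
import ntpath
from collections import OrderedDict

# Constructed sample in the layout of a Process Monitor CSV export (default columns). Not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","ThickClient.exe","4120","CreateFile","C:\Users\alice\AppData\Local\ThickClient\CRYPTBASE.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1234570 AM","ThickClient.exe","4120","CreateFile","C:\Windows\System32\CRYPTBASE.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1235000 AM","ThickClient.exe","4120","CreateFile","C:\Users\alice\AppData\Local\ThickClient\version.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1236000 AM","ThickClient.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1240000 AM","ThickClient.exe","4120","CreateFile","C:\Program Files\ThickClient\plugins\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1241000 AM","ThickClient.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1250000 AM","ThickClient.exe","4120","RegOpenKey","HKCU\Software\ThickClient","SUCCESS","Desired Access: Read"
"10:01:03.0000000 AM","svchost.exe","900","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
'''

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}


def writability(path):
    """Heuristic only (an assumption, not an ACL check): where an unprivileged user can usually write.
    Confirm with icacls on the target before reporting."""
    p = path.lower()
    if p.startswith("c:\\windows\\") or p.startswith("c:\\program files"):
        return "protected"
    if p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\") or "\\temp\\" in p:
        return "likely writable"
    return "unknown"


def analyze(csv_text, process=None):
    """Replay the rows in order and collect, per (process, DLL), the failed probe locations that
    precede the first successful load. Those are the places a planted DLL would win the search."""
    records = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or not row["Path"].lower().endswith(".dll"):
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        key = (row["Process Name"], ntpath.basename(path).lower())
        rec = records.setdefault(key, {"process": key[0], "dll": ntpath.basename(path),
                                       "found_at": None, "candidates": []})
        if rec["found_at"] is not None:
            continue                            # already resolved; later probes are off the search path
        if row["Result"] in MISSING:
            rec["candidates"].append((path, writability(path)))
        elif row["Result"] == "SUCCESS":
            rec["found_at"] = path
    findings = []
    for rec in records.values():
        if not rec["candidates"]:
            continue
        rec["status"] = ("never found (phantom DLL)" if rec["found_at"] is None
                         else "found later at " + rec["found_at"])
        rec["priority"] = "high" if any(w == "likely writable" for _, w in rec["candidates"]) else "low"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for f in analyze(text, process=sys.argv[2] if len(sys.argv) > 2 else None):
        print("[%s] %s / %s: %s" % (f["priority"], f["process"], f["dll"], f["status"]))
        for path, w in f["candidates"]:
            print("    %-16s %s" % (w, path))
```

Usage: `python procmon_dll.py export.csv ThickClient.exe`. A high-priority hit is a lead, not a finding yet: confirm the directory ACL with `icacls`, then drop a DLL exporting the expected symbols there and watch Procmon for the load.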
Labs: