A Mind Map to Windows Thick Client Pen test.
An approach with few take aways.
Diagrams are always easier to understand, remember and follow.
I’m here today with the a mind map, to approach, the thick client pen test on windows.
A quick summary, about thick client. A thick client is the software on your system, with it’s own features and ability to execute them. Least dependent on the server.
Classifications: Thick client can be a two tier (Client and Server) application or a three tier (Two tier with database server) application, depending on the application architecture. It is divided into two types : Proxy aware thick client and Proxy unaware thick client application, based on their ability to enable a proxy flow for the traffic. It can be GUI based application or only CLI.
Without further ado, let’s kick in.
Arsenal
Information Gathering
CFF Explorer || PEid || Detect It Easy (DIE) || Strings
Network Based Attacks
Wireshark || Echo Mirage (Proxy unaware) || TCPView || Tcpdump || Burp Suite (Proxy aware) || Fiddler
Process Monitoring
Sysinternal Suites: Process Monitor || Process Explorer || & Process Hacker
Specific DLL Monitoring
DLLSpy , but I prefer using Procmon for the NAME NOT FOUND or PATH NOT FOUND dlls.
Signature Checks : Sysinternal suite: Sigcheck.exe
Registry change detection: Regshot
Binary Analysis tools
IDA pro (Very useful with subroutine call checks) || x64dbg && x64dbg (Debugger as per application type) || DnSpy (De compile .NET Applications) || Ghidra || Frida (Dynamic instrumentation — i.e. directly call the APIs/Functions)
But methodology and tools are never enough.
Dynamic Instrumentation versus Debugging.
It is very important to understand that there is a subtle difference between dynamic instrumentation and debugging the application.
Common Points in both: They both require a process{ Instrument or Debugger} to be injected into another process {Target Application}. They both modify the process flow.
And then there lies a Difference: Instrumentation allows to inject into the process and try to modify the flow of execution when a particular function is entered, is running or exits. While the debugger injects into the process and holds ability to step by step execute the commands allowing the attacker to patch the results or modify the flow in the runtime etc.
Windows Binary Security Flags.
It is an important to check the security flags set on the binary. Before diving deep into the pen test, you can see what vulnerabilities is the binary open to. These issues arise when binary is left unhardened at time of compilation. You can check common security compile time flags a binary is missing, using checksec.py or winchecksec.
These tools check few flags to help detect following
ASLR:
/DYNAMICBASE
with stripped relocation entries edge-case
/HIGHENTROPYVA
for 64-bit systemsCode integrity/signing:
/INTEGRITYCHECK
Authenticode-signed with a valid (trusted, active) certificate (currently unsupported on Linux)DEP (a.k.a. W^X, NX)
Manifest isolation via (
/ALLOWISOLATION
)Structured Exception Handling and SafeSEH support
Control Flow Guard and Return Flow Guard instrumentation
Stack cookie (
/GS
) support
OWASP Top 10 Discovered issues in Desktop Applications. This will help in prioritizing the tests, when looking for client and server side attacks.
Injections : SQLi, LDAP, XML, OS Command, etc.
Broken Authentication & Session Management : OS / DesktopApp account Authentication & Session Management, Auth. for Import / Export with external Drive, Auth. for Network Shared Drives or other Peripheral devices
Sensitive Data Exposure : Data in Memory post App Logout, Logs with Sensitive Info., hard coded secrets in files, etc.
Improper Cryptography Usage : Weak Keys or Usage of Outdated Cryptographic Algorithms, Inappropriate usage of Cryptographic Functions, reuse of Cryptographic Parameters across all Installations, Improper usage of Cryptography for Integrity check
Improper Authorization : Weak File/Folder Permission per User Role, Missing Principle of Least Privilege approach, Improper User Roles
Security Misconfiguration : Weak OS Hardening, isconfigured Group Policies / Registry / Firewall rules etc., Missing File Type check for File Processing Apps, misconfigured Named-Pipes, misconfigured 3rd party services, etc.
Insecure Communication: Usage of weak TLS or DTLS Cipher-suites or Protocols, Unencrypted DB Queries in Transit, Absent Encrypted standard/custom protocol communication like HTTP, MQTT, COAP, etc.
Poor Code Quality : Missing Code-Signing and Verification for File Integrity, Missing Code Obfuscation, Dll-Preloading or Injection, Race Conditions, lack of binary protection (Overflows, Null pointers, memory corruption) etc.
Using Components with Known Vulnerabilities: Usage of Outdated Softwares, or Usage of Obsolete Components/Services of Windows/3rd Party vendors
Insufficient Logging & Monitoring: Missing or Improper Logging of Activities, Missing Regular Monitoring to Detect Abuse
Epilogue. The thick client pentest is a very wide topic and it is nearly impossible to cover everything in a one small article. As of now , this article is to only specify an approach, a mindset to analyze windows specific thick clients. There may be future articles for other platforms with a mindset, tools and take aways to analyze the same.