Professional Documents
Culture Documents
Thick Client Penetration Testing Methodology_1
Thick Client Penetration Testing Methodology_1
Thick Client Penetration Testing Methodology_1
• 1 Introduction (https://www.cyberark.com/#ThickClientPenetrationTestingMethodolog)
• 2 Common Architectures of Thick Client applications
(https://www.cyberark.com/#ThickClientPenetrationTestingMethodolog)
• 3.1.1 Application Architecture and Identifying the Languages and Frameworks Used
(https://www.cyberark.com/#ThickClientPenetrationTestingMethodolog)
• 3.1.2 Network Communication Between the Client and the Server
(https://www.cyberark.com/#ThickClientPenetrationTestingMethodolog)
Introduction
Thick client applications have been around for many years and can still be found within a variety of
organizations – across industries and sizes. Due to the adoption of hybrid infrastructure architecture,
thick-client applications can become a better target for attackers.
Thick client pentesting involves both local and server-side processing and often uses proprietary
protocols for communication.
Simple automated assessment scanning is not sufficient and testing thick client applications requires a
lot of patience and a methodical approach. Moreover, the process often requires specialized tools and
custom testing setup.
Thick client testing can be exciting for pentesters because the attack surface of these applications can
be significant. Unlike web applications or infrastructure pentests, thick client pentests have a more
notable success rate because the client is available locally and, hence, critical vulnerabilities may be
found during the engagements. For example, here is a couple of vulnerabilities found by security
researchers:
• https://www.cyberark.com/threat-research-blog/lazy-privilege-escalation-abusing-dells-dup-
framework-cve-2019-3726/ (https://www.cyberark.com/threat-research-blog/lazy-privilege-escalation-
abusing-dells-dup-framework-cve-2019-3726/)
• https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/
(https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/)
• https://pwning.re/2018/12/04/github-desktop-rce/ (https://pwning.re/2018/12/04/github-desktop-
rce/)
• https://medium.com/@mantissts/more-thick-client-fun-73196809493d
(https://medium.com/@mantissts/more-thick-client-fun-73196809493d)
• https://hackerone.com/reports/513154 (https://hackerone.com/reports/513154)
• https://hackerone.com/reports/291539 (https://hackerone.com/reports/291539)
This blog post aims to provide a security check-list and a number of tools to refer to when assessing the
security of Windows executable files to achieve better pentest results.
We began researching pentesting thick client applications in order to eventually build an overarching
methodology for pentesters which would serve as single source to reference for everything to with
pentesting thick client applications, summarizing all the relevant and up-to-date knowledge on the
subject. Moreover, the methodology refers to relevant tools in each section that can be used during
pentests engagements.
Thick client applications can be developed using various programming languages such as:
• .Net
• Java
• C/C++
• Microsoft Silverlight
The main focus areas have been derived from the OWASP Windows Binary Executable Files Security
Checks Project
(https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project).
(https://www.cyberark.com/wp-content/uploads/2020/02/1.jpg)
Figure 1: A series of tests and the associated tools necessary to perform tasks related to thick
client testing.
Common Architectures of Thick Client applications
In this section, we provide an overview of the common architectures that Thick Client application
developers tend to use.
Two-Tier architecture
In two-tier architecture, the thick client application implements a client-to-server communication. The
application is installed on the client computer and, in order to work, will need to communicate with a
database server. For example, imagine an HR application that was installed on the client computer and,
in order to retrieve the employees’ information, communicates directly with the HR database server.
Three-Tier architecture
In three-tier architecture, the client communicates with an application server, which in turn talks to the
database in a manner similar to a regular web application. The most common communication method
in these applications may be carried out using HTTP/HTTPS.
Three-tier architecture has a security advantage over two-tier architecture, because it prevents the end-
user from communicating directly with the database server.
• Discovering what technologies are being used on both the client and the server sides.
• Figuring out the application’s functionality and behavior.
• Identifying all of the different entry points for user input.
• Understanding the core security mechanisms used by the application.
• Identifying common vulnerabilities like languages and frameworks.
• https://cve.mitre.org/cve/search_cve_list.html (https://cve.mitre.org/cve/search_cve_list.html)
• https://www.exploit-db.com (https://www.exploit-db.com/)
Information Gathering
It is essential to understand the full functionality of the tested thick client application tested during a
pentest. Moreover, it is important to navigate through all of the UI elements with multiple users. Each
user might have different permissions and unique functionalities that need to be discovered.
For example, the admin user might see additional administrative actions that a regular user might not
see on his thick client UI.
Moreover, knowing which language the thick client was built in is very useful when reversing the thick
client binary.
There are several tools that can aid in the process of identifying the development language used to
build the thick client application.
The following table presents a set of static tools that can be used:
(https://www.cyberark.com/wp-content/uploads/2020/02/4.png)
Figure 2: Damn Vulnerable Thick Client Application loaded by the CFF explorer tool.
As can be seen in Figure 3, using another tool named “Detect It Easy (DIE),” we retrieved some basic
information about the tested thick client application.
(https://www.cyberark.com/wp-content/uploads/2020/02/5.png)
Figure 3: Damn vulnerable thick client application loaded by “Detect It Easy” tool.
Figures 2 and 3 show that the binary was built using Microsoft Visual Studio .NET. There are many .NET
decompilers available on the internet that can be used to retrieve the source code for further analysis.
The following table presents a set of .NET decompilers and deobfuscators tools:
So, now that we’ve identified the development language used to build the tested thick client application
we tested. The next step is to sniff the traffic between that thick client application and the local/remote
server. As a penetration tester, learning how to use a network packet sniffer is essential for day-to-day
operations. Whether you are trying to understand a protocol, debug a network client or analyze traffic,
you’ll always end up needing a network sniffer.
The following table presents a set of network sniffers tools that can be used in this part:
Examining the traffic between the tested thick client application and the server might reveal sensitive
and unencrypted data such as:
• Sensitive data transferred over an unencrypted tunnel (clear-text credentials/secrets/API Keys etc.)
• HTTP and HTTPS web endpoints (Web Services, REST API)
• File blobs/chunks sent over the wire
• Proprietary protocols used by the program
As can be seen in Figure 4, we can see what happens when a user performs a login on the DVTA thick
client application.
A SQL query was sent in clear-text and was captured using the Wireshark sniffer tool:
(https://www.cyberark.com/wp-content/uploads/2020/02/7.png)
Figure 4: The traffic between the Damn Vulnerable Thick Client Application and the database
server is shown using the WireShark tool.
In order to intercept the traffic between the tested thick client application and the server, we should
use a proxy tool. The proxy tool will be in the middle between the thick client and the local/remote
server, enabling us to view and modify the transmitted data.
When we talk about intercepting thick client traffic, we should know the difference between:
• Proxy aware – A thick client that has settings options in the application itself.
• Non-proxy-aware – A thick client that does not have any settings options in the application itself and
requires a different testing approach.
If the thick client application is a proxy aware, it may be possible to intercept the traffic using any proxy
tool.
When the thick client is non-proxy-aware, Burp Suite’s support for invisible proxying allows non-proxy-
aware clients to connect directly to a Proxy listener.
More details for this specific tool can be found on this support page
(https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible).
Figure 5 presents the steps for configuring the invisible proxy feature on Burp Suite tool.
(https://www.cyberark.com/wp-content/uploads/2020/02/8.png)
Figure 5: Burp Suite invisible proxying configuration.
In addition to Burp Suite, there is an alternative proxy tool named Echo Mirage. Echo Mirage enables
intercepting non-HTTP traffic between the tested thick client and the local or remote server.
Echo Mirage can hook into the tested thick client application process so that communication between
the tested thick client application and the local or remote server can be intercepted and edited. This
can provide us insight into what kind of data was transmitted from the tested thick client application to
the local or remote server.
NOTE: Remember that most of the thick client applications you will encounter were developed a long
time ago and, therefore, the transmitted data is probably not be encrypted.
When you open the Echo Mirage tool, you will see two main tabs:
• Traffic Log – Watch a full record of all messages that have passed through the Proxy.
• Rules – Watch the currently configured rules and also add/change/delete interception rules.
Figure 6 presents the steps for injecting Echo Mirage into a currently running process.
(https://www.cyberark.com/wp-content/uploads/2020/02/9.png)
Figure 6: The first step is to click on the injector icon and choose a running process from the
list.
Do you still remember the SQL query that we previously captured using the Wireshark tool? Now, using
the Echo mirage tool, we can intercept the same TCP packet and modify the SQL query.
Figure 7 presents the SQL query that was captured after we injected Echo Mirage into the Damn
Vulnerable Thick Client Application’s process.
(https://www.cyberark.com/wp-content/uploads/2020/02/10.png)
Figure 7: The second step is to modify to SQL query marked in yellow.
The following table presents a set of proxy tools that can be used:
Client-Side attacks
Files Analysis
Applications usually store information in local files and the registry. Sensitive information that we might
look for in a thick client pentest includes:
• Usernames
• Passwords
• Connection Strings
• API keys
For this step, it is crucial to know which files are being used by the tested thick client application. We
can use the Process Monitor tool from the Sysinternals Suite to collect all the necessary information.
Figure 8 presents the Process Monitor tool with the applied filter:
(https://www.cyberark.com/wp-content/uploads/2020/02/11.png)
Figure 8: The Process Monitor filter mechanism enables us to filter unnecessary operations
by configuring rules so that they show us only the relevant operations.
The Process Monitor tool should be showing us only the relevant operations we wanted to see, those
related to the tested thick client application.
Figure 9 presents the results of the operations after applying the filter.
(https://www.cyberark.com/wp-content/uploads/2020/02/12.png)
Figure 9: The Process Monitor shows all the relevant operations for our tested thick client
application only – DVTA.exe.
The following table presents a set of file analysis tools that can be used in this part:
The next step is to examine if the tested thick client application is vulnerable to a DLL hijacking
vulnerability.
DLL hijacking is an attack that exploits the Windows search and load algorithm, allowing an attacker to
inject code into an application through disk manipulation. In other words, simply putting a DLL file in
the right place causes a vulnerable application to load that malicious DLL.
This attack method has been in use since the beginning of Windows 2000 and is still alive and kicking.
My colleague at CyberArk Labs, Eran Shimoni wrote about his research on this topic in his blog post,
“DLLSpy – Tighten Your Defense by Discovering DLL Hijacking Easily (https://www.cyberark.com/threat-
research-blog/dllspy-tighten-your-defense-by-discovering-dll-hijacking-easily/).”
When the thick client application tries to load a DLL, it will go through the following in order:
To be able to escalate privileges via DLL hijacking, the following conditions need to be in place:
The following table presents a set of tools designed for testing for DLL Hijacking vulnerability:
Run the process monitor tool and apply a filter as shown in Figure 10:
(https://www.cyberark.com/wp-content/uploads/2020/02/13.png)
Figure 10: Configure filter rules in Process Monitor tool.
The Process Monitor tool will identify if the application is trying to load any DLLs and the actual path
that the application uses when looking for the missing DLLs.
In Figure 11, we can see that the DVTA.exe process is missing several DLLs files that can be used for
privilege escalation.
(https://www.cyberark.com/wp-content/uploads/2020/02/14.png)
Figure 11: Process Monitor presents only the relevant operations as configured previously in
the Filter mechanism.
Thick client application configuration files typically contain valuable information for pentesters such as:
• Usernames
• Passwords
• License details
• Cryptographic keys
• IP addresses and ports
The configuration files are usually readable by all operating system users, which allows anyone who can
read the file access to the compromised resources.
The following table presents a set of tools aimed for locating sensitive data storage on files and
registry:
Usually, a thick client application contains several configuration files in the root folder of the application
or in a specific configuration folder.
In Figure 12, we can see the root folder of the DVTA thick client application, including some
configuration files, DLLs and other files.
(https://www.cyberark.com/wp-content/uploads/2020/02/15.png)
Figure 12: The thick client’s folder contains files that might be interesting for us as pentesters.
When inspecting the DVTA.vshost.exe.config file’s content, we can see how the sensitive data has been
stored, as shown in Figure 13:
(https://www.cyberark.com/wp-content/uploads/2020/02/16.png)
Figure 13: Configuration files often contain sensitive information, such as usernames,
passwords, connection strings, cryptographic keys, etc.
Because the information is stored in cleartext, attackers could potentially read it. Even if the
information is encoded in a way that is not human-readable, certain techniques could be used to
determine which encoding is being used and then decode the information.
As pentesters, we might stumble against thick clients in black/gray-box testing scenarios. We may not
have any prior knowledge or any documentation on the tested application.
For this challenge, we can use a decompiler tool to retrieve the tested thick client application’s source
code of. A decompiler is a computer program that takes an executable file as input and attempts to
create a high-level source file that can be recompiled successfully.
NOTE: The most popular development languages we faced was .NET or Java. Thick clients that were
developed in those languages can be decompiled simply using open-source decompilers, provided the
application has not undergone an obfuscation process.
Binary Analysis
After we have the source code for the tested thick client, we can start searching through the code for
sensitive information, such as:
• Hard-coded credentials
• API Keys
• API Endpoints
• Comments
• Hidden functions
The following table presents a set of binary analysis tools that can be used in this phase:
For .NET applications, it is possible to decompile multiple formats including libraries (.dll), executables
(.exe) and Windows metadata files (.winmd).
For Java applications, it is possible to decompile multiple formats including JAR, CLASS, WAR, EAR, AAR,
KAR, JMOD and JNLP.
Figure 14 presents the dnSpy decompiler loaded with our tested thick client executable DVTA.exe. When
inspecting the source code, it is possible to quickly find a hard-coded connection string to an FTP
service:
(https://www.cyberark.com/wp-content/uploads/2020/02/17.png)
Figure 14: The dnSpy tool helps us to edit and debug assemblies, even if we don’t have any
source code available.
Weak Graphical User Interface
During our work as pentesters, we might encounter thick client applications that serve numerous users
with different privileges. The user interface might include operations for administrators, that have been
disabled for low privileged users.
For example, imagine an admin user who logs in to a thick client application with administrative
functionalities in his user interface. For a regular user, those functionalities will be disabled, because
regular users do not have the appropriate permission for the administrative functionalities.
Therefore, to test for user interface vulnerabilities as a low privileged user, we will need to use various
tools to manipulate window objects in Windows, such as:
• Buttons
• Menu bars
• Text boxes
• OCX controls
Basically, anything that can be located as a child window and has an active window handle can be
manipulated with some predefined attributes.
The following table presents a set of weak GUI control tools that can be used:
Memory Analysis
When testing for vulnerabilities in the tested thick client application, we should perform a memory
analysis while the thick client application runs. Thick client applications developed in a two-tier
architecture transfer sensitive information in the application’s memory.
This is a design flaw, because every thick client application developed in a two-tier architecture will, by
default, disclose sensitive information in the application’s memory, such as:
• Usernames
• Passwords
• Connection strings
• Hardcoded database credentials
The following table presents a set of memory analysis tools that can be used in this phase:
Figures 15-18 demonstrate how to export memory data on a tested thick client application’s memory
with the use of Process Hacker tool.
(https://www.cyberark.com/wp-content/uploads/2020/02/18.png)
Figure 15: The first step is running the Process Hacker tool and right-clicking on the tested
thick client application and selecting the properties option.
In the properties window, we should choose the Memory tab, click on the Strings button and then click
OK.
(https://www.cyberark.com/wp-content/uploads/2020/02/19.png)
Figure 16: The second step is selecting the Memory tab and clicking on the Strings button,
choosing the maximum length and then clicking OK.
Hacker Process tool has a great filter mechanism that can help us search for a keyword somewhere in
all of the dumped memory data.
(https://www.cyberark.com/wp-content/uploads/2020/02/20.png)
Figure 17: For easy identification of sensitive information, the third step is filtering the
memory’s data output.
Figure 18 presents the extracted memory from the tested thick client application, which contains a
cleartext connection string to the application’s database.
(https://www.cyberark.com/wp-content/uploads/2020/02/21.png)
Figure 18: The Process Hacker tool displays the information according to the filter we defined
earlier.
Now, we can use any SQL client such as HeidiSQL (https://www.heidisql.com/) to connect to the
database using the credentials retrieved.
Server-Side Attacks
Once we have performed all the particulars of thick client testing, we can now focus on the OWASP
Top10.
The following list presents the relevant vulnerabilities for thick client testing:
• A1:2017-Injection (https://www.owasp.org/index.php/Top_10-2017_A1-Injection)
• A2:2017-Broken Authentication (https://www.owasp.org/index.php/Top_10-2017_A2-
Broken_Authentication)
• A3:2017-Sensitive Data Exposure (https://www.owasp.org/index.php/Top_10-2017_A3-
Sensitive_Data_Exposure)
• A4:2017-XML External Entities (XXE) (https://www.owasp.org/index.php/Top_10-2017_A4-
XML_External_Entities_(XXE))
• A5:2017-Broken Access Control (https://www.owasp.org/index.php/Top_10-2017_A5-
Broken_Access_Control)
• A6:2017-Security Misconfiguration (https://www.owasp.org/index.php/Top_10-2017_A6-
Security_Misconfiguration)
• A7:2017-Cross-Site Scripting (XSS) (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-
Site_Scripting_(XSS)) (Not applicable for a thick client testing)
• A8:2017-Insecure Deserialization (https://www.owasp.org/index.php/Top_10-2017_A8-
Insecure_Deserialization)
• A9:2017-Using Components with Known Vulnerabilities (https://www.owasp.org/index.php/Top_10-
2017_A9-Using_Components_with_Known_Vulnerabilities)
• A10:2017-Insufficient Logging&Monitoring (https://www.owasp.org/index.php/Top_10-2017_A10-
Insufficient_Logging%26Monitoring)
According to OWASP, injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the
interpreter into executing unintended commands or accessing data without proper authorization. Even
today, developers are still making the same mistakes that cause SQL Injection vulnerabilities.
SQL injection can be detected manually by using a systematic set of tests against every entry point in
the application. This typically involves:
• Submitting the single quote character (‘) and looking for errors or other anomalies.
• Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point and
a different value and then looking for systematic differences in the resulting application responses.
• Submitting Boolean conditions, such as OR 1=1 and OR 1=2, and looking for differences in the
application’s responses.
• Submitting payloads designed to trigger time delays when executed within an SQL query and looking
for differences in the time taken to respond.
• Submitting OAST payloads designed to trigger an out-of-band network interaction when executed
within an SQL query and monitoring for any resulting interactions.
Most SQL injection vulnerabilities arise within the WHERE clause of a SELECT query. This type of SQL
injection is generally well-understood by experienced testers.
But, SQL injection vulnerabilities can, in principle, occur at any location within the query and within
different query types.
The most other common locations where SQL injection arises are:
Let’s check if our tested thick client application is also vulnerable to SQL Injection vulnerability.
By inspecting the CheckLogin method, we can see that the username and the password values are
being inserted into the SQL query without any validation.
(https://www.cyberark.com/wp-content/uploads/2020/02/23.png)
Figure 19: Identifying the checkLogin method.
Figure 20 presents the SQL query used by the thick client application in order to validate if the logged-in
user is valid, which means that user exists in the application database and the username matches the
password entered.
(https://www.cyberark.com/wp-content/uploads/2020/02/24.png)
Figure 20: Identifying an SQL injection vulnerability in the checkLogin method.
The above query can be exploited by commenting out the password part and appending a condition
that will always be true. Let’s assume an attacker provides the following input in the username field: ‘ or
1=1–
Let’s check if the Damn Vulnerable Thick Client Application is vulnerable to SQL injection vulnerability by
setting the username value to ‘ or 1=1– and the password field can be set to any value because it will be
commented out.
(https://www.cyberark.com/wp-content/uploads/2020/02/26.png)
Figure 21: Testing for SQL injection vulnerability on the login screen of DVTA.
As can be seen in Figure 22, we successfully bypassed the login mechanism and authenticated to the
application on behalf of Raymond’s account.
(https://www.cyberark.com/wp-content/uploads/2020/02/27.png)
Figure 22: We successfully logged in to Raymond’s account without knowing his password.
This was possible because the user input was inserted into the SQL query without the
appropriate checks.
Figure 23 presents the tested thick client application’s users table in the database.
(https://www.cyberark.com/wp-content/uploads/2020/02/28.png)
Figure 23: When inspecting the users’ table on the application’s database, we can see that
Raymond’s account is listed third in the users’ table (marked in yellow).
In the following Wireshark TCP stream, we can see that we successfully logged into Raymond’s account
without knowing his private password.
(https://www.cyberark.com/wp-content/uploads/2020/02/29.png)
Figure 24: A successful SQL injection attack on the Wireshark TCP stream.
Hacking Playgrounds
If you want to exercise on vulnerable thick client applications, you can find vulnerable thick client
applications on the following GitHub repositories: