Thick Client (Desktop) Application Penetration Testing – Part-1

INFORMATION GATHERING

  • Information gathering is a critical initial phase in thick client application penetration testing, focused on collecting detailed data about the application’s architecture, components, and interactions with servers.
  • This phase aims to identify communication protocols and potential entry points for exploitation.
  • Techniques such as reverse engineering, network traffic analysis, and examining client-side storage are employed to map the application’s attack surface and understand its behavior.
  • Effective information gathering lays the foundation for a thorough security assessment, enabling testers to identify and address vulnerabilities effectively.

Using the tool CFF Explorer

  • CFF Explorer is designed to make PE (Portable Executable) editing as easy as possible while maintaining the portable executable’s internal structure.
  • This application includes a series of tools that can assist reverse engineers and programmers.
  • You can directly install CFF Explorer from this link: https://ntcore.com/files/ExplorerSuite.exe.
  • Open CFF Explorer and open the “.exe” file in it.
  • Let’s check what the result tells us:
    • This is a Portable Executable 32 .NET Assembly, i.e. a 32-bit PE file containing managed (.NET) code.
    • The binary was built with Microsoft Visual Studio .NET.
    • As a .NET assembly, it can be decompiled very easily.
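The facts CFF Explorer reports in that summary come straight from the PE headers, so they can also be checked programmatically, which is useful when triaging many client binaries at once. The script below is an added example (not part of the original post and not CFF Explorer's code); it reads the optional-header magic for 32/64-bit and treats a non-zero CLR header entry in data directory slot 14 as the mark of a .NET assembly. The `build_sample_pe` helper fabricates a header-only PE32 blob so the example runs offline; it is a constructed sample, not a real program or the DVTA binary.

```python
"""Report what CFF Explorer's summary shows for a PE file (32/64-bit, .NET or
native) by reading the headers directly.  Added example; not part of the
original post or of CFF Explorer.  Standard library only."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR (.NET) header
IMAGE_FILE_MACHINE_I386 = 0x14C


def inspect_pe(data: bytes) -> dict:
    """Return machine, bitness, subsystem and whether the image carries a CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        bitness, dirs = 32, opt + 96
    elif magic == 0x20B:                              # PE32+
        bitness, dirs = 64, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    dotnet = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        rva, size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        dotnet = rva != 0 and size != 0               # managed code has a CLR header
    return {"machine": machine, "bitness": bitness,
            "subsystem": subsystem, "dotnet": dotnet}


def describe(info: dict) -> str:
    """One-line summary in the style of CFF Explorer's 'File Type' field."""
    kind = ".NET Assembly" if info["dotnet"] else "native image"
    return f"Portable Executable {info['bitness']} {kind}"


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 (DOS stub + headers only, no sections).
    Not a real program; it exists so the example runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    print(describe(inspect_pe(blob)))
```

Run it with a path to any `.exe` to get the same verdict the screenshot shows; a `dotnet` result of `True` is the cue that decompilation will be trivial and that the assembly should have been reviewed for embedded secrets before release.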

Using the Sysinternals Suite

  • Download the Sysinternals Suite and, once the download is complete, install it.
  • The installation process is straightforward; simply click “Next” until the installation is finished, without making any changes.
  • Among the various tools in the Sysinternals Suite, I have selected TCPView.
  • Run TCPView, then run the target application and log in to it.
  • Upon opening TCPView, you will observe the machine engaging in network communications from many processes.
  • Focus on the DVTA application by searching for its process name (e.g., “dvta.exe”).
  • Gather information such as the destination IP address to understand where the application is communicating.

Let’s start …

  • Launch the DVTA application and observe its behavior.
  • Log in to the DVTA application using the user credentials.
  • This method allows us to identify the IP addresses that our applications are communicating with.

Using the Tool Wireshark

  • Wireshark is used to capture and analyze the packets while the application is running.
  • Download Wireshark from the official page at https://www.wireshark.org/download.html.
  • Once downloaded, install Wireshark on your system without making any changes during the installation process.
  • After installation, launch Wireshark. The interface will resemble the image shown below.
  • Since the application communicates over the loopback address, select the loopback adapter for traffic capture.
  • Execute the DVTA application and proceed to log in. Subsequently, we will examine the captured traffic in Wireshark.
  • Due to the numerous processes involved, I selectively filter the specific request or response that pertains to my focus, namely, determining whether login credentials are transmitted in plain text.
  • I have identified that the request contains the username ‘ashok’. To explore further details, I right-click on the request and select Follow > TCP Stream.
  • Here, it is evident that the application is transmitting credentials in plain text.

Using the Tool ProcMon (Login Credentials in Registry Entry)

  • Process Monitor is an advanced monitoring tool designed to provide real-time visibility into file system, registry, and process activities on Windows.
  • Let’s start ProcMon; you will notice that it immediately displays a large volume of events.
  • Navigate to Filter > Filter or simply press Ctrl+L to set up a filter.
  • Select “Process Name” under Attribute and enter “DVTA.exe”.
  • Click “Add” to apply the filter.
  • Click “OK”.
  • You will notice the screen is empty initially because DVTA is currently not running.
  • Without any delay, navigate back to the DVTA application folder and run DVTA.exe.
  • Upon launching DVTA, observe that the captured activity is now limited to DVTA.exe.
  • This makes the monitoring process more focused and easier to interpret.
  • Proceed to open the DVTA application and log in using the provided user credentials.
  • Simultaneously, switch back to the Process Monitor window to capture the activity.
  • Now, let’s examine if there are any noteworthy activities on the file system when attempting to open this application within the current session.
  • Continue scrolling through the output screen until something interesting catches your eye.
  • I found a RegSetInfoKey operation.
  • To explore further, right-click on the registry entry and navigate to “Jump to,” or press Ctrl+J to jump directly to the registry key.
  • The Registry entry will open, revealing several keys such as Username, Email, isLoggedIn, and Password.
  • This indicates that the application stores credentials here and verifies if the user is already logged in.
  • Changing the “isLoggedIn” value from true to false implies that the application will likely prompt you to re-enter the login credentials, even if you are currently logged in.
  • This can be exploited for potentially malicious attacks. For instance, by altering the username and password in the registry entry, one can deceive the application into believing that a specific user is already logged in with their credentials.
  • To demonstrate, double-click on “isLoggedIn” and change its value from false to true, then click the OK button.
  • Double-click on “username” and change its value from “ashok” to “infoalth”, or any name you want, then click the OK button.
  • Finally, change the password value from “ashok” to anything (I used “infoalth”) and click OK.
  • Let’s observe the outcome of reopening the DVTA application.
  • As demonstrated, we can log in directly to the application without entering the credentials again.
  • This shows how manipulating the registry entry allows us to trick the application into logging in automatically.
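The root cause here is not the registry itself but the design: the client persists the password and decides "already logged in" from a flag that the logged-on user can edit, so the server never re-checks anything. When reviewing a thick client it helps to export the application's keys (`reg export <key> file.reg`) and scan the export for exactly this pattern. The script below is an added example, not part of the original post or of Process Monitor; the key path in `SAMPLE_REG` is a constructed placeholder, while the value names mirror those the post found (Username, Email, isLoggedIn, Password).

```python
"""Audit a registry export (the text produced by `reg export <key> file.reg`)
for the pattern seen in DVTA: credentials and a client-side login flag kept
under the user's hive.  Added example; not part of the original post or of
Process Monitor.  Standard library only."""
import re
import sys

CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key", re.I)
LOGIN_FLAG_NAME = re.compile(r"logged[_-]?in|authenticated|remember", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample export.  The key path is a placeholder; the value names
# mirror those the post found under DVTA's registry entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\EXAMPLE_VENDOR\DVTA]
"Username"="ashok"
"Email"="ashok@example.invalid"
"isLoggedIn"="true"
"Password"="ashok"
'''


def decode_value(raw: str):
    """Turn the .reg representation into a Python value (strings and DWORDs only)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw   # hex(...) blobs are left in their raw form


def parse_reg_export(text: str):
    """Yield (key, value_name, decoded_value) for every value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, m.group(1), decode_value(m.group(2))


def audit_reg_export(text: str) -> list:
    """Flag stored credentials and login-state flags that the client trusts."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if CREDENTIAL_NAME.search(name):
            findings.append({"key": key, "name": name,
                             "issue": "credential persisted in plain text"})
        elif LOGIN_FLAG_NAME.search(name):
            findings.append({"key": key, "name": name, "value": value,
                             "issue": "login state decided by a user-writable flag"})
    return findings


if __name__ == "__main__":
    # `reg export` writes UTF-16 with a BOM, which the utf-16 codec handles.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_reg_export(text):
        print(f"{f['key']}\\{f['name']}: {f['issue']}")
```

A finding of either kind is a design defect rather than a configuration slip: the fix is for the client to never persist the password, and for "logged in" to mean holding a server-issued, expiring session token that the server validates on every request, so that editing a local flag buys nothing.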

TRAFFIC ANALYSIS

  • Traffic analysis is vital for penetration testing.
  • HTTP traffic can be intercepted with Burp Suite, but Burp Suite is not applicable to non-HTTP protocols such as FTP and raw TCP, which DVTA uses.
  • Wireshark can monitor non-HTTP traffic.
  • Echo Mirage is needed to intercept and modify non-HTTP traffic.

Traffic Analysis using Wireshark

  • Network sniffers are crucial for understanding protocols, debugging network clients, and analyzing traffic.
  • Examining traffic between a thick client application and the server can reveal sensitive, unencrypted data, such as clear-text credentials, secrets, and API keys.
  • We will analyze FTP traffic generated by DVTA.
  • To do this, launch Wireshark and select “Adapter for loopback traffic capture.”
  • Launch the application, and log in to the application using admin credentials.
  • After successfully logging in, a “Backup data to FTP server” option is displayed.
  • Click “Backup data to FTP server” to initiate an FTP connection and upload data to the FTP server.
  • After the upload, a success message will be displayed.
  • Return to Wireshark and stop capturing data to avoid unnecessary captures.
  • Apply the FTP protocol filter to show only the traffic related to DVTA during the data upload.

Filter technique 1

Filter technique 2

  • We are interested in the credentials used by the DVTA application to log in to the FTP server.
  • Examine the captured FTP traffic in Wireshark.
  • The first packet is a response from the FileZilla server.
  • The command “USER” followed by the username “DVTA” is seen next.
  • The FTP server then responds, indicating that a password is required for DVTA.
  • The client sends the password “p@ssw0rd” in the following line.
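The same USER/PASS exchange can be checked without clicking through packets by pasting the Follow > TCP Stream text into a small parser. The script below is an added example (not part of the original post or of Wireshark): `SAMPLE_STREAM` is a constructed transcript of the conversation the post describes, in which only the username “DVTA”, the password “p@ssw0rd” and the file name “ftp-admin.csv” are taken from the post; the banner wording and passive-mode numbers are illustrative. It also handles the one case where a visible PASS line would be a false alarm: a session that negotiated explicit TLS (reply code 234) before authenticating.

```python
"""Walk an FTP control-channel conversation, as copied from Wireshark's
Follow > TCP Stream window, and report clear-text credentials and uploads.
Added example; not part of the original post or of Wireshark.  Standard
library only."""

# Constructed transcript of the exchange the post describes (both directions
# interleaved as Follow > TCP Stream shows them).  Banner text and passive-mode
# details are illustrative; username, password and file name are the post's.
SAMPLE_STREAM = """\
220-FileZilla Server
220 Please visit https://filezilla-project.org/
USER DVTA
331 Password required for DVTA
PASS p@ssw0rd
230 Logged on
TYPE I
PASV
227 Entering Passive Mode (127,0,0,1,195,80)
STOR ftp-admin.csv
150 Opening data channel for file upload
226 Successfully transferred "/ftp-admin.csv"
QUIT
221 Goodbye
"""

# Same client negotiating explicit TLS: everything after the 234 reply is
# encrypted, so a capture shows no USER/PASS lines at all (constructed).
TLS_STREAM = """\
220 FileZilla Server
AUTH TLS
234 Using authentication type TLS
"""


def is_reply(line: str) -> bool:
    """Server replies start with a three-digit code followed by a space or '-'."""
    return len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] in " -")


def parse_ftp_stream(text: str) -> dict:
    """Reconstruct the session: who logged in, whether the password crossed the
    wire in clear text, and which files were stored."""
    session = {"user": None, "password": None, "tls": False,
               "logged_in": False, "uploads": []}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if is_reply(line):
            code = int(line[:3])
            if code == 230:
                session["logged_in"] = True
            elif code == 234:            # AUTH TLS accepted; channel is now encrypted
                session["tls"] = True
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            session["user"] = arg
        elif verb == "PASS" and not session["tls"]:
            session["password"] = arg    # visible only because the channel is clear text
        elif verb == "STOR":
            session["uploads"].append(arg)
    return session


def findings(session: dict) -> list:
    """Human-readable issues for the report."""
    out = []
    if session["password"] is not None:
        out.append(f"clear-text FTP password for user {session['user']!r}")
    if session["uploads"] and not session["tls"]:
        out.append("files uploaded without TLS: " + ", ".join(session["uploads"]))
    return out


if __name__ == "__main__":
    for f in findings(parse_ftp_stream(SAMPLE_STREAM)):
        print(f)
```

Two findings on the sample correspond to the two defects in the backup feature: the FTP account password is observable by anyone on the path, and the exported data itself travels unencrypted. Both disappear when the client requires FTPS (or SFTP) and the server refuses unencrypted logins.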

Using Tool Echo Mirage

  • Echo Mirage is a local proxy tool used to intercept and modify TCP payloads for local Windows applications.
  • Echo Mirage is a freeware tool that hooks into an application’s process to monitor its network interactions.
  • It can monitor an existing running process or run the application on behalf of the user.
  • You can directly download it from here: https://sourceforge.net/projects/echomirage.oldbutgold.p/
  • Note: Most thick client applications were developed long ago, so transmitted data is likely unencrypted.
  • When you open the Echo Mirage tool, you will see two main tabs:
    • Traffic Log: View a complete record of all messages that have passed through the proxy.
    • Rules: View, add, change, or delete the currently configured interception rules.
  • Extract and open it.
  • Open the DVTA application and set up the Echo Mirage Tool. Select the DVTA.exe process and click the “OK” button.
  • Set the Rules
  • Now it’s time to play a deep game with DVTA and Echo Mirage …
  • Attempt to log in with the normal user ‘ashok’ and analyze the intercepted login requests.
  • Look, here is some juicy information, like the SQL Server name, InstanceName, and more …
  • Now, we get the login request with username and password in plain text.
  • Create another attack scenario:
    • Log out from the ‘ashok’ user.
    • Log in with the ‘admin’ user.
    • Click on “Backup data to FTP server” to upload data to the FTP server.
  • Here, the response comes from the FileZilla server.
  • Observe that the username is being sent to the FTP server.
  • The FTP server responds that it requires a password for DVTA.
  • The password “p@ssw0rd” is visible in clear text, as the DVTA client sends it to the FTP server.
  • We are successfully logged in now.
  • After successfully logging in, files are uploaded to the FTP server.
  • The “ftp-admin.csv” file has been successfully transferred to our desktop.
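What Echo Mirage does for the FTP session above is conceptually simple: sit between the client and the server, show every payload in both directions, and apply the configured rules to bytes as they pass. The script below is an added example, not part of the original post and not Echo Mirage's code, that implements the same idea as a plain local TCP proxy. It differs from Echo Mirage in one assumption: it does not hook the process, so the client has to be pointed at the proxy's port. The `start_fake_ftp_server` stand-in is constructed for the demo and answers only USER, PASS and QUIT; the single rule masks the password before it reaches the server, which is the kind of rule a tester writes to confirm that the client, not the server, is the one sending the secret in clear text.

```python
"""Minimal Echo Mirage-style local TCP proxy: forwards client <-> server, logs
each chunk in both directions and applies byte-substitution rules in transit.
Added example; not part of the original post or of Echo Mirage.  Unlike Echo
Mirage it does not hook the process: the client must connect to the proxy port.
Standard library only."""
import socket
import threading


def _listener():
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", 0))            # port 0: the OS picks a free port
    ls.listen(5)
    return ls


def _stopper(ls):
    def stop():
        try:
            ls.shutdown(socket.SHUT_RDWR)   # wakes the thread blocked in accept()
        except OSError:
            pass
        ls.close()
    return stop


def _pump(src, dst, direction, log, rules):
    """Copy src -> dst until EOF, logging (direction, original, forwarded)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            forwarded = chunk
            for old, new in rules.get(direction, ()):   # interception rules
                forwarded = forwarded.replace(old, new)
            log.append((direction, chunk, forwarded))
            dst.sendall(forwarded)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_proxy(target, rules=None):
    """Run the proxy in a daemon thread.  Returns (listen_port, log, stop)."""
    rules, log, ls = rules or {}, [], _listener()

    def serve():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return
            upstream = socket.create_connection(target)
            for args in ((client, upstream, "c2s"), (upstream, client, "s2c")):
                threading.Thread(target=_pump, args=args + (log, rules), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], log, _stopper(ls)


def start_fake_ftp_server():
    """Constructed stand-in for the FTP server; answers only USER/PASS/QUIT."""
    ls = _listener()
    replies = {b"USER": b"331 Password required\r\n", b"PASS": b"230 Logged on\r\n",
               b"QUIT": b"221 Goodbye\r\n"}

    def handle(conn):
        with conn:
            conn.sendall(b"220 demo server ready\r\n")
            buf = b""
            while True:
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    verb = line.split(b" ", 1)[0].upper()
                    conn.sendall(replies.get(verb, b"502 Not implemented\r\n"))
                    if verb == b"QUIT":
                        return

    def serve():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], _stopper(ls)


def run_demo():
    """Log in through the proxy with one rule masking the password in transit.
    Returns (proxy log, server replies as the client saw them)."""
    srv_port, stop_srv = start_fake_ftp_server()
    rules = {"c2s": [(b"PASS p@ssw0rd", b"PASS ********")]}
    px_port, log, stop_px = start_proxy(("127.0.0.1", srv_port), rules)
    seen = []
    with socket.create_connection(("127.0.0.1", px_port), timeout=5) as c:
        f = c.makefile("rwb")
        seen.append(f.readline())                        # banner
        for cmd in (b"USER DVTA", b"PASS p@ssw0rd", b"QUIT"):
            f.write(cmd + b"\r\n")
            f.flush()
            seen.append(f.readline())
    stop_px()
    stop_srv()
    return log, seen


if __name__ == "__main__":
    for direction, original, forwarded in run_demo()[0]:
        print(direction, original, "" if original == forwarded else f"-> {forwarded}")
```

The log keeps both the original and the forwarded bytes, so the tester's record still shows what the client really sent even when a rule changed it. Seeing credentials in this log is the finding; the remediation is the same as for the Wireshark capture, namely TLS on the channel, so that a proxy placed here sees only ciphertext.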