19. Attacking Thick Client Applications

1. Thick Client Application Overview

  • Definition: Applications installed and run on the user's machine that do a substantial share of the processing locally (rather than in a browser against a server), which is why their binaries, local files and memory are in scope for the tester.

  • Common Technologies: .NET, Java, C++.

  • Security Risks:

    • Hardcoded credentials.

    • DLL hijacking.

    • Improper error handling.

    • Insecure data storage.

    • Unencrypted network communication.

  • Architecture:

    • Two-Tier: The client talks to the database directly, so database credentials and business logic live on the client.

    • Three-Tier: The client talks to an application server, which mediates all database access; the client should hold no database credentials.


2. Penetration Testing Steps

Information Gathering

  • Identify application architecture, programming languages, and technologies.

  • Tools:

    • CFF Explorer

    • Detect It Easy

    • Process Monitor

    • Strings

    • PE Explorer (for analyzing PE headers and dependencies)
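
As an added example (not part of the original notes), the following PowerShell function does part of the information-gathering step without a GUI tool: it parses the PE headers of a file and reports bitness, subsystem, the DLL flag and whether the CLR runtime data directory is populated, which is the marker for a .NET assembly. The two paths in the usage lines are the ones this page's scenario uses; the function name and everything else are assumptions.

```powershell
# Added example: quick PE triage in PowerShell (not from the original page).
# Parses the DOS header, PE signature, file header and optional header and
# reports bitness, subsystem and whether the CLR runtime header directory
# (data directory entry 14) is populated, which marks a .NET assembly.
function Get-PeSummary {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path does not start with the 'MZ' DOS header"
    }

    # e_lfanew (offset 0x3C) gives the file offset of the 'PE\0\0' signature
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -le 0 -or ($peOff + 24) -gt $b.Length -or
        [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }

    # IMAGE_FILE_HEADER follows the 4-byte signature
    $machine         = [BitConverter]::ToUInt16($b, $peOff + 4)
    $characteristics = [BitConverter]::ToUInt16($b, $peOff + 22)

    # IMAGE_OPTIONAL_HEADER starts 24 bytes after the signature
    $optOff = $peOff + 24
    $magic  = [BitConverter]::ToUInt16($b, $optOff)        # 0x10B = PE32, 0x20B = PE32+
    $subsys = [BitConverter]::ToUInt16($b, $optOff + 68)   # same offset for PE32 and PE32+

    # Data directories begin at +96 (PE32) or +112 (PE32+); each entry is RVA + Size
    $dirBase = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    if (($dirBase + 16 * 8) -gt $b.Length) { throw "$Path is truncated before the data directories" }
    $clrRva  = [BitConverter]::ToUInt32($b, $dirBase + 14 * 8)
    $clrSize = [BitConverter]::ToUInt32($b, $dirBase + 14 * 8 + 4)

    $arch = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }
    $subsystem = switch ($subsys) {
        2       { 'Windows GUI' }
        3       { 'Windows console' }
        default { $subsys }
    }

    [pscustomobject]@{
        File      = $Path
        Machine   = $arch
        PE32Plus  = ($magic -eq 0x20B)
        Subsystem = $subsystem
        IsDll     = [bool]($characteristics -band 0x2000)   # IMAGE_FILE_DLL
        DotNet    = ($clrRva -ne 0 -and $clrSize -ne 0)
    }
}

# Usage: the binary from the scenario, and later the region dumped from memory.
# A native loader reports DotNet=False while the payload it unpacks reports True.
Get-PeSummary -Path 'C:\Apps\Restart-OracleService.exe'
Get-PeSummary -Path '.\restart-service_00000000001E0000.bin'
```

The check works on a region dumped from a running process as well as on a file on disk, because the headers are mapped unchanged at the image base; only the section data sits at virtual rather than raw offsets. A DotNet=True result is the cue to reach for de4dot and dnSpy instead of a native disassembler.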

Client-Side Attacks

  • Analyze local files and source code for sensitive information.

  • Tools:

    • Ghidra

    • IDA

    • OllyDbg

    • Radare2

    • dnSpy

    • x64dbg

    • JADX

    • Frida

    • De4Dot (for deobfuscating .NET applications)

Network-Side Attacks

  • Capture and analyze network traffic for sensitive data.

  • Tools:

    • Wireshark

    • tcpdump

    • TCPView

    • Burp Suite

    • MitMProxy (for intercepting and modifying traffic)

Server-Side Attacks

  • Apply web application attack techniques (OWASP Top 10) to the application server or database that the client talks to.

  • Check the communication channel for MitM exposure: cleartext protocols, missing or unverified TLS certificate validation.

  • Investigate DLL hijacking possibilities (this affects the client host rather than the server, but it is usually tested in the same pass).


3. Retrieving Hardcoded Credentials

Scenario:

  • Access: Exposed SMB service.

  • File Discovered: Restart-OracleService.exe in the NETLOGON share.

Analysis:

  1. Monitor Process Execution:

    • ProcMon64 (filtered on the process name) shows the executable writing a batch file to the user's Temp folder and removing it again when it finishes.

    • Deny the Delete permission on the Temp folder so the dropped files survive the clean-up.

  2. Investigate Dropped Files:

    • The batch file leaves behind:

      • A .txt file (the encoded payload).

      • A PowerShell script (monta.ps1).

      • restart-service.exe (produced by the script).

    • monta.ps1 decodes the .txt file into restart-service.exe.

  3. Reverse Engineering:

    • x64dbg: Run restart-service.exe under the debugger.

    • Memory Dump Analysis: In the memory map, locate the region whose contents begin with the DOS "MZ" header and dump it to disk (restart-service_00000000001E0000.bin).

    • Strings: Run Sysinternals strings over the dump to pull out the hardcoded credentials.

    • De4Dot & dnSpy: Clean the dumped .NET assembly with de4dot and open it in dnSpy to read the code that actually uses the credentials.
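
The permission trick from step 1 and the collection of the dropped files, as an added PowerShell example that is not from the original notes. It uses icacls to add a deny-Delete ACE for the current user on the Temp folder (inherited to the files dropped into it), runs the target, copies everything that appeared since the start time to an evidence folder, and removes the deny ACE again. The Temp path and binary name are the ones on this page; the function names and the evidence folder are assumptions.

```powershell
# Added example (not from the original page): keep the files a thick client
# drops into Temp by denying Delete, run the target, then collect the files.

function Protect-DropFolder {
    param([Parameter(Mandatory)][string]$Folder)
    $user = "$env:USERDOMAIN\$env:USERNAME"
    # (OI)(CI): inherit to files and subfolders; DE = delete, DC = delete child.
    # Deny ACEs are evaluated before allow ACEs, so the dropper's delete calls fail.
    icacls $Folder /deny "${user}:(OI)(CI)(DE,DC)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to set the deny ACE on $Folder" }
}

function Unprotect-DropFolder {
    param([Parameter(Mandatory)][string]$Folder)
    $user = "$env:USERDOMAIN\$env:USERNAME"
    # /remove:d strips only the deny ACEs for that principal; allow ACEs stay intact
    icacls $Folder /remove:d $user | Out-Null
}

function Save-DroppedFiles {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][datetime]$Since,
        [Parameter(Mandatory)][string]$Evidence
    )
    New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
    Get-ChildItem -Path $Folder -Recurse -File |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $Evidence -Force
            $_.FullName     # returned so the caller sees what was captured
        }
}

# The page's C:\Users\cybervaca\AppData\Local\Temp\2, written via the environment;
# the evidence path is assumed
$temp     = "$env:LOCALAPPDATA\Temp\2"
$evidence = 'C:\Apps\evidence'

Protect-DropFolder -Folder $temp
try {
    $start = Get-Date
    Start-Process -FilePath 'C:\Apps\Restart-OracleService.exe' -Wait
    Save-DroppedFiles -Folder $temp -Since $start -Evidence $evidence
} finally {
    Unprotect-DropFolder -Folder $temp      # leave Temp cleanable again
}
```

No elevation is needed: the user owns the Temp folder and may edit its DACL. While the deny ACE is in place other programs cannot clean up their own temp files either, so revert it as soon as the run is over. The same two functions apply to C:\ProgramData, where the scenario's monta.ps1 lands.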

Commands:

# 1. Run the executable (Restart-OracleService.exe)
C:\Apps> .\Restart-OracleService.exe

# 2. List temp files
C:\Apps> dir C:\Users\cybervaca\AppData\Local\Temp\2

# 3. View PowerShell script
C:\> cat C:\programdata\monta.ps1

# 4. List files in ProgramData
C:\> ls C:\programdata\

# 5. Run strings on the memory dump
C:\TOOLS\Strings\strings64.exe .\restart-service_00000000001E0000.bin

# 6. Use de4dot to clean .NET binary
de4dot restart-service_00000000001E0000.bin

# 7. Pull printable strings out of the PowerShell script (useful when it is padded or encoded)
strings C:\programdata\monta.ps1

# 8. Check the Application event log for errors the service restart may have logged
Get-EventLog -LogName Application -Newest 50
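
An added PowerShell alternative to step 5 that is not from the original notes: it pulls both ASCII and UTF-16LE strings out of the memory dump (a .NET assembly keeps its string literals in the user-string heap as UTF-16LE, so an ASCII-only scan misses them) and flags the ones that look like credentials or connection strings. The dump file name is the one on this page; the function name, keyword list and the constructed demo bytes are assumptions.

```powershell
# Added example (not from the original page): string triage of a memory dump.
# Extracts printable ASCII and UTF-16LE runs and flags credential-looking ones.
function Find-CredentialStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6,
        # Assumed keyword list; extend it with the target's own vocabulary
        [string]$Keywords = 'pass|pwd|user|uid|login|secret|token|connection|data source|server=|oracle'
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one char, so regex indexes equal byte offsets
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $ascii = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
        ForEach-Object { [pscustomobject]@{ Offset = $_.Index; Encoding = 'ASCII';    Value = $_.Value } }
    $wide  = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
        ForEach-Object { [pscustomobject]@{ Offset = $_.Index; Encoding = 'UTF-16LE'; Value = ($_.Value -replace '\x00', '') } }

    @($ascii) + @($wide) |
        Where-Object { $_.Value -match $Keywords } |   # -match is case-insensitive
        Sort-Object Offset
}

# Constructed demo input (not a real dump): an ASCII run next to a UTF-16LE one,
# laid out the way a .NET user-string heap would hold a literal
$demo = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('garbage1 user=svc_demo ') +
                 [System.Text.Encoding]::Unicode.GetBytes('Password=NotARealValue1!') +
                 [byte[]](0, 0, 0))
$demoPath = Join-Path $env:TEMP 'demo_dump.bin'
[System.IO.File]::WriteAllBytes($demoPath, $demo)
Find-CredentialStrings -Path $demoPath     # returns both hits, one per encoding

# Against the region dumped from x64dbg in step 5
Find-CredentialStrings -Path '.\restart-service_00000000001E0000.bin'
```

Sysinternals strings scans both encodings by default, so this buys you the offsets and the keyword filter rather than new coverage. Strings have no context: confirm in dnSpy which of the candidates the code actually sends before using them elsewhere.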

4. Key Takeaways

  • Thick client applications often contain sensitive data.

  • Process monitoring & memory analysis help identify hidden credentials.

  • Reverse engineering tools like dnSpy and De4Dot are crucial for .NET applications.

  • Modifying file permissions allows capturing temporary files.

  • Understanding application behavior is essential for successful exploitation.

  • DLL hijacking risks should be examined.

  • MitM attacks can reveal unencrypted credentials.


5. Important Notes

  • GUI Tools (driven interactively; no CLI equivalents are given here):

    • dnSpy: Drag and drop the de4dot-cleaned .bin file into it.

    • ProcMon64: Run it, filter on the process name, and watch file and registry activity while the executable runs.

    • x64dbg: Load restart-service.exe, run it, then use the memory map to find and dump the unpacked image.

  • Mitigation Strategies:

    • Keep credentials out of client binaries and logon scripts: a secret the client can use is a secret the user of that client can recover.

    • Code Obfuscation: Slows reverse engineering down but does not protect a hardcoded secret; treat it as defence in depth, not as the fix.

    • Network Hardening: NETLOGON is readable by every domain user by design, so nothing sensitive belongs there; restrict SMB exposure to the hosts that need it.

    • Apply Latest Security Patches: Keep the client, its runtime and the server side up to date.

  • Ethical Testing: Ensure explicit permission before testing.

  • System Adjustments: Modify file paths and usernames to match your environment.

  • Administrative Privileges: Some tests require elevated permissions.

  • Tool Availability: Ensure all necessary tools are installed.
