Thursday, October 13, 2011

Pentesting Thick Client Apps


Pentesting thick client applications is not a new concept, but the techniques adopted are new and interesting. I’m a bit lazy on explaining what thick client apps are; please refer here for more info. GTalk, Pidgin, Skype and MSN are a few examples of thick client applications. These days many financial institutions are adopting the technology for internal transaction purposes.

The Challenges:
  • Typical thick client apps do not communicate over HTTP/HTTPS (some of them do), so you cannot intercept their traffic with regular web proxy tools
  • Unknown modifications to registry/system files
  • Unknown technical details of the architecture
  • Manipulating client-server communication over the wire
  • Encryption techniques adopted by the client software
  • Assumed to be used only by trusted users
The list above mentions just a few of the challenges we regularly face while pentesting thick clients.

Way To Go:

Understanding Architecture
  
Thick client applications are generally 2-tier applications, meaning the request is constructed at the user’s end (client) and sent to the server for processing. There is no web server or middleware technology sitting in the middle; the client communicates directly with the database. This can be identified by observing the time lapse between request and response, or by analyzing the communication traffic in Wireshark.

The architecture can also be hybrid, i.e. listening on both HTTP/S and some unknown port. In this case we may have to use a combination of tools to intercept and modify the communication.

Intercepting/Manipulating Client-Server Communication

The two most popular open source tools are EchoMirage and ITR. The tool I prefer most is EchoMirage, because of its simplicity. It hooks directly into your client executable and starts intercepting traffic on the go. There is also an option to hook your client exe via its associated process. Here’s how you can do the above steps:


After you do this successfully, all our traditional application security checks are applicable. If you are lucky, you may see SQL queries passing through the EchoMirage interceptor.

Local Storage of Sensitive Information

Sensitive information can be clear-text passwords, server configuration, users’ personal details, users’ financial details, etc. Look for .ini, .cfg, .dat and .log files in the application folder for application-related sensitive information. Generally, you will find server configuration in .ini files.
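An added example (not from the original post) that automates this check: it walks an install folder, reads only the .ini/.cfg/.dat/.log files mentioned above, and reports key=value lines whose key looks credential-related, with the value redacted so the report is not itself a leak. The folder contents, file names and key patterns are constructed assumptions.

```python
"""Audit a thick-client install folder for clear-text secrets in local files."""
import os
import re
import tempfile

AUDIT_EXTENSIONS = {".ini", ".cfg", ".dat", ".log"}
# Key names that commonly carry secrets in server-configuration files (assumed list).
SECRET_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|connectionstring)", re.I)
# key=value or key: value, tolerating surrounding whitespace.
KV_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")

def redact(value: str) -> str:
    """Keep only the first two characters so a reviewer can confirm the match."""
    value = value.strip('"\'')
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_file(path: str) -> list[dict]:
    """Return one finding per credential-looking key=value line in the file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = KV_LINE.match(line)
            val = m.group(2).strip() if m else ""
            if m and val and SECRET_KEY.search(m.group(1)):
                findings.append({"file": path, "line": lineno,
                                 "key": m.group(1), "value": redact(val)})
    return findings

def scan_app_folder(root: str) -> list[dict]:
    """Recursively audit every file with an interesting extension under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in AUDIT_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings

def demo() -> list[dict]:
    """Build a constructed install folder (sample data, not a real app) and audit it."""
    root = tempfile.mkdtemp(prefix="thickclient_")
    samples = {
        "server.ini": "[database]\nhost=db.internal\nuser=app\npassword=S3cretValue\n",
        "client.cfg": "ApiKey: abcd1234\ntheme=dark\n",
        "app.log": "2011-10-13 login ok\n",
        "readme.txt": "password=not-scanned-extension\n",  # extension not audited
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_app_folder(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['key']} = {f['value']}")
```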

File and Registry Modification Analysis/Reverse Engineering

Another two popular tools are Filemon and Regmon from Sysinternals. Both tools are now packaged into one as Process Monitor. These tools identify the files accessed or registry keys modified when you double-click your client executable. Here, you need to look for interesting files and investigate further; the filename can hint at which file you should investigate. This will help in reverse engineering the application.

Regmon lists all registry entries that are accessed when you double-click your client executable. Use the registry search feature to find keywords, passwords and other sensitive information.

Happy Reading!!!