Desktop Applications / Thick Clients

Pentesting desktop applications / thick clients. A rich client (or heavy, fat or thick client) is a computer that typically provides rich functionality independent of the central server (client/server architecture) – as opposed to thin client.

For Electron applications, see Electron / Atom Shell.

Recon & Enum

If it is an application downloaded from the internet (not developed internally), scan the application with VirusTotal. The behavior tab can give a lot of information!

Checklist

  • Sensitive Information
  • Privilege Escalation
  • Check if any user input in the thick client app can be viewed by a backend web interfaces, or if there is a web client that complements the thick client. If yes, there is a possible attack vector if user input in the thick client is not sanitized and can trigger attacks such as XSS in the web client.
  • Test for code signing using either Sysinternals Sigcheck, or PESecurity. PESecurity can also test for DEP, ASLR, and Control Flow Guard enabled on exe and dll files. Having these features enabled at compile time can help prevent supply chain attacks as well as some privilege escalation attack vectors.
  • Check for outdated/vulnerable third party libraries bundled with the application.

Windows Applications

For testing, you can use a Windows VM. See Windows Lab.

Sensitive information in files

Look if the application stores clear text data somewhere on disk. Check for hard-coded credentials in configuration files.

After installation, copy the application folder from Windows to Kali.

Look for hardcoded passwords, keys, DB connection strings in files

strings <installer>.exe
strings <application name>.exe
cd <app folder>
grep -Ri pass .
grep -Ri key .

Sensitive information in Registry

  • In the Windows search bar, enter regedit
  • Search with Edit -> Search (Ctrl+F)
  • Enter the application or vendor name
  • F3 to search for next value

Sensitive information in transit

  • Start Wireshark and start capturing packets.
  • Start the desktop application and use the features.
  • Stop the capture.
  • Check the Wireshark capture for sensitive data/credentials in unencrypted communication.

Privilege Escalation

  • If the application runs a privileged service as SYSTEM, check to see if it allows any traditional privilege escalation attacks such as unquoted service paths or the ability to modify the service due to weak ACL’s.
  • Check if we can change a configuration file to elevate privileges
  • Check for DLL Hijacking. Check with PowerUp also. Run Sysinternals Procmon/Procmon64 and add include filters for: “process name is “, “result is ‘NAME NOT FOUND’”, “Path ends with ‘.dll’”. If any are found, see if you can generate a dll that opens calc.exe using Metasploit’s msfvenom. If any of those dll’s or the dll search path is modifiable by non admin users, that’s a privilege escalation attack vector.
  • Check service for Windows Unquoted Service Path

Mac OS Applications

Sensitive information in files

Mount the disk image file (.dmg) to inspect files without “installing” the app

hdiutil attach ./<application name>.dmg
cd /Volumes/<application name>

Look if the application stores clear text data somewhere on disk. Check for hard-coded credentials in configuration files.

grep -Ri pass .
grep -Ri key .