Desktop Applications / Thick Clients

Pentesting desktop applications / thick clients. A rich client (or heavy, fat or thick client) is a computer that typically provides rich functionality independently of the central server (client/server architecture), as opposed to a thin client, which relies on the server for most of its processing.

💡 For Electron applications, see Electron / Atom Shell.

Recon & Enum

If the application was downloaded from the internet (that is, not developed internally: uploading a sample shares it with other VirusTotal users), scan it with VirusTotal. The Behavior tab can give a lot of information!

Checklist

  • Sensitive Information
  • Privilege Escalation
  • Check whether any user input entered in the thick client can be viewed through a backend web interface, or whether a web client complements the thick client. If so, there is a possible attack vector if input from the thick client is not sanitized and can trigger attacks such as XSS in the web client.
  • Test for code signing using Sysinternals Sigcheck or PESecurity. PESecurity can also check whether DEP, ASLR and Control Flow Guard are enabled on .exe and .dll files. Having these features enabled at compile time can help prevent supply chain attacks as well as some privilege escalation attack vectors.
  • Check for outdated or vulnerable third-party libraries bundled with the application.
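As an added example (not part of the original page, and not PESecurity's own code), the following Python reads the DllCharacteristics field of a PE header, which is what PESecurity inspects for the DEP, ASLR and CFG checks listed above, and reports which mitigations the binary opts in to. make_synthetic_pe() builds a constructed header so the check can be exercised without a real binary; missing_mitigations() is the function to point at .exe and .dll files from the copied application folder.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040    # ASLR
DLLCHAR_NX_COMPAT = 0x0100       # DEP
DLLCHAR_GUARD_CF = 0x4000        # Control Flow Guard


def pe_mitigations(data: bytes) -> dict:
    """Report which exploit mitigations a PE image is flagged for.

    Only header bits are inspected. The OS needs the linker flag to apply a
    mitigation, but CFG also needs compiler instrumentation, so treat
    'CFG': True as 'opted in' rather than 'fully protected'.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    if size_opt < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    arch = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if arch is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "arch": arch,
        "ASLR": bool(dllchar & DLLCHAR_DYNAMIC_BASE),
        "HighEntropyVA": bool(dllchar & DLLCHAR_HIGH_ENTROPY_VA),
        "DEP": bool(dllchar & DLLCHAR_NX_COMPAT),
        "CFG": bool(dllchar & DLLCHAR_GUARD_CF),
    }


def make_synthetic_pe(dllchar: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (not a loadable image) used to exercise pe_mitigations()."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<H", buf, coff, 0x8664)         # Machine: x64
    struct.pack_into("<H", buf, coff + 16, 240)       # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<H", buf, opt + 70, dllchar)
    return bytes(buf)


def missing_mitigations(path: str) -> list:
    """Names of the mitigations a file on disk does not opt in to."""
    with open(path, "rb") as fh:
        report = pe_mitigations(fh.read())
    return [name for name in ("ASLR", "DEP", "CFG") if not report[name]]


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, missing_mitigations(p))
```

Run it over every .exe and .dll in the copied application folder; anything that reports missing ASLR or DEP is a finding on its own, and a missing CFG bit is worth noting for the services that run as SYSTEM. Authenticode signatures cannot be verified with the standard library, so Sigcheck is still needed for the code-signing part of the checklist.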

Windows Applications

💡 For testing, you can use a Windows VM. See Windows Lab.

Sensitive information in files

Look if the application stores clear text data somewhere on disk. Check for hard-coded credentials in configuration files.

💡 After installation, copy the application folder from Windows to Kali.

Look for hardcoded passwords, keys and DB connection strings in files. Note that strings only prints 8-bit strings by default; Windows binaries often store text as UTF-16LE, which strings -e l shows.

strings <installer>.exe
strings <application name>.exe
cd <app folder>
grep -Ri pass .
grep -Ri key .
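The grep commands above catch 8-bit text only, and a bare grep for "key" returns a lot of noise. The following Python, added here as an example and not part of the original page, does what strings and strings -e l do (ASCII and UTF-16LE runs) and then applies narrower credential patterns; scan_folder() walks the copied application folder. The same scanner also works on a regedit export of the vendor's key, since .reg files are UTF-16LE. The SAMPLE blob and its credential values are constructed.

```python
import re
from pathlib import Path

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text looks like printable ASCII bytes each followed by a NUL
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

SECRET_PATTERNS = [
    ("password", re.compile(r"(?i)\b(pass(word|wd|phrase)?|pwd)\s*[=:]\s*\S+")),
    ("api/secret key", re.compile(r"(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?key|token)\s*[=:]\s*\S+")),
    ("connection string", re.compile(r"(?i)\b(Data Source|Server|Host)=[^;]+;.*?(Password|Pwd)=[^;]+")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def extract_strings(data: bytes):
    """Yield (encoding, text) for every printable run, like `strings` and `strings -e l`."""
    for m in ASCII_RE.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16LE_RE.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_secrets(data: bytes):
    """Return (encoding, label, matched_text) for strings that look like credentials."""
    hits = []
    for enc, text in extract_strings(data):
        for label, pat in SECRET_PATTERNS:
            m = pat.search(text)
            if m:
                hits.append((enc, label, m.group(0)))
    return hits


def scan_folder(root):
    """Walk a copied application folder and report suspicious strings per file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = find_secrets(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: a config blob as it might sit inside a Windows binary, with
# one 8-bit connection string and one UTF-16LE API key (both values are made up).
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"Server=db.internal;Database=app;User Id=svc;Password=Winter2024!;"
    + b"\x00\x00"
    + "ApiKey=sk_live_EXAMPLE_ONLY".encode("utf-16-le")
    + b"\x00\x00"
    + b"no secrets here"
)

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE):
        print(hit)
```

A plain grep over SAMPLE would report the connection string but miss the UTF-16LE API key entirely, which is the case the -e l flag exists for. Treat every hit as a lead to confirm manually: the patterns are deliberately loose enough to catch variable names such as "password=" in help text.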

Sensitive information in Registry

  • In the Windows search bar, enter regedit
  • Search with Edit -> Find (Ctrl+F)
  • Enter the application or vendor name
  • Press F3 to jump to the next match

Sensitive information in transit

  • Start Wireshark and begin capturing packets.
  • Start the desktop application and exercise its features.
  • Stop the capture.
  • Check the capture for sensitive data or credentials sent over unencrypted communication.
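An offline version of the last step, added here as an example that is not from the original page: a minimal parser for a classic pcap file (saved in pcap rather than pcapng format, Ethernet link type) that scans every TCP payload for credential-looking fields. The capture it runs on is constructed inside the block; the hosts, ports and password value are made up.

```python
import re
import struct

CRED_RE = re.compile(
    rb"(?i)(?:\b(?:pass(?:word|wd)?|pwd|token)\s*[=:]\s*\S+|authorization:\s*basic\s+\S+)"
)


def iter_tcp_payloads(pcap: bytes):
    """Yield (src, dst, payload) for every IPv4/TCP segment carrying data.

    Classic pcap with Ethernet framing only; checksums are not verified
    because this is analysis of a capture, not a network stack.
    """
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type (DLT 1)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from(">H", ip, 2)[0]
        if ip[9] != 6 or total_len > len(ip):
            continue                                  # not TCP, or truncated
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            src = "%d.%d.%d.%d:%d" % (*ip[12:16], sport)
            dst = "%d.%d.%d.%d:%d" % (*ip[16:20], dport)
            yield src, dst, payload


def find_cleartext_credentials(pcap: bytes):
    """Return (src, dst, matched_text) for payloads carrying credential-looking fields."""
    hits = []
    for src, dst, payload in iter_tcp_payloads(pcap):
        for m in CRED_RE.finditer(payload):
            hits.append((src, dst, m.group(0).decode("ascii", "replace")))
    return hits


# --- constructed capture so the example runs offline ----------------------------

def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame (zero MACs and checksums; only the layout matters)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    return eth + ip


def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


SAMPLE_PCAP = _pcap([
    # a plaintext HTTP login from the thick client to a backend (made-up addresses)
    _frame((10, 0, 0, 5), (10, 0, 0, 20), 51000, 8080,
           b"POST /api/login HTTP/1.1\r\nHost: licensing.local\r\n\r\nuser=alice&password=Spring2024!"),
    # a TLS-looking record to 443: opaque, so it must not match
    _frame((10, 0, 0, 5), (10, 0, 0, 21), 51001, 443, b"\x16\x03\x01\x00\x40" + b"\x00" * 64),
])

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_PCAP):
        print(hit)
```

The scanner looks at each segment on its own and does not reassemble streams, so a field split across two segments is missed; in Wireshark, Follow TCP Stream on the flagged connection shows the full exchange. The TLS segment coming back empty is the expected, good result: the goal is to confirm that everything sensitive travels inside such opaque payloads.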

Privilege Escalation

  • If the application runs a privileged service as SYSTEM, check whether it allows any traditional privilege escalation attacks such as unquoted service paths or the ability to modify the service due to weak ACLs.
  • Check whether a configuration file read by the privileged component can be modified by a low-privileged user to elevate privileges.
  • Check for DLL hijacking (PowerUp checks for this as well). Run Sysinternals Procmon/Procmon64 and add Include filters for “Process Name is <application>”, “Result is NAME NOT FOUND” and “Path ends with .dll”. If any are found, see whether you can generate a DLL that opens calc.exe using Metasploit’s msfvenom. If any of those DLLs, or a directory in the DLL search path, is modifiable by non-admin users, that is a privilege escalation attack vector.
  • Check services for Windows unquoted service paths.
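Two of the checks above can be turned into small audits over captured command output. The following Python, added here and not part of the original page or of PowerUp, parses sc qc output for unquoted service paths (reporting the intermediate paths Windows would try first, which are the locations that must not be writable by standard users) and filters a Procmon CSV export for DLLs the target process failed to find. The service names, paths and Procmon rows are constructed samples.

```python
import csv
import io
import re


def unquoted_path_candidates(image_path: str):
    """Return the executables Windows would try before the intended one when a
    service ImagePath is unquoted and contains spaces. Empty list: not affected."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []
    m = re.match(r"(?i)(.*?\.exe)", p)        # drop arguments after the executable
    exe = m.group(1) if m else p
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def parse_sc_qc(text: str):
    """Extract (service, BINARY_PATH_NAME) pairs from concatenated `sc qc <name>` output."""
    services = []
    name = None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+)$", line)
        if m and name:
            services.append((name, m.group(1).strip()))
    return services


def audit_services(sc_output: str):
    """Map each affected service to the paths whose directories need an ACL review (icacls)."""
    result = {}
    for svc, path in parse_sc_qc(sc_output):
        cands = unquoted_path_candidates(path)
        if cands:
            result[svc] = cands
    return result


def procmon_missing_dlls(csv_text: str, process_name: str):
    """From a Procmon CSV export, list DLL paths <process_name> failed to find.

    Each parent directory must then be checked for write access by standard
    users; a writable directory on the search path is the finding.
    """
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    paths = set()
    for row in reader:
        if (row["Process Name"].lower() == process_name.lower()
                and row["Result"] == "NAME NOT FOUND"
                and row["Path"].lower().endswith(".dll")):
            paths.add(row["Path"])
    return sorted(paths)


# Constructed `sc qc` output for three services (names and paths are made up)
SC_QC_SAMPLE = """\
SERVICE_NAME: UpdaterSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\Example Vendor\\Updater\\updater.exe --service
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
SERVICE_NAME: Agent
        BINARY_PATH_NAME   : "C:\\Program Files\\Example Vendor\\agent.exe" -k
"""

# Constructed Procmon export with the default columns (rows are made up)
PROCMON_SAMPLE = """\ufeff"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","updater.exe","4120","CreateFile","C:\\Program Files\\Example Vendor\\Updater\\VERSION.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","updater.exe","4120","CreateFile","C:\\Windows\\System32\\VERSION.dll","SUCCESS","Desired Access: Read"
"10:01:02.3","updater.exe","4120","CreateFile","C:\\Users\\Public\\plugins\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.4","explorer.exe","1200","CreateFile","C:\\Users\\Public\\other.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.5","updater.exe","4120","CreateFile","C:\\ProgramData\\Example\\config.ini","NAME NOT FOUND","Desired Access: Read"
"""

if __name__ == "__main__":
    print(audit_services(SC_QC_SAMPLE))
    print(procmon_missing_dlls(PROCMON_SAMPLE, "updater.exe"))
```

For the sample, UpdaterSvc is the only affected service and the paths to review are C:\Program.exe and C:\Program Files\Example.exe; on a default install neither C:\ nor C:\Program Files is writable by standard users, so the service is only exploitable if the vendor installer or an administrator loosened those ACLs, which is exactly what icacls on each directory tells you. The Procmon filter mirrors the three Include filters from the list above, and the Users\Public path in the sample is the kind of location that deserves the first look.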

Mac OS Applications

Sensitive information in files

Mount the disk image file (.dmg) to inspect its files without “installing” the app:

hdiutil attach ./<application name>.dmg
cd /Volumes/<application name>

Look if the application stores clear text data somewhere on disk. Check for hard-coded credentials in configuration files.

grep -Ri pass .
grep -Ri key .
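On macOS, application settings usually live in property lists, which may be binary and therefore invisible to grep. The following Python, added here as an example that is not from the original page, parses every .plist under the mounted image or an installed .app bundle (plistlib reads both XML and binary plists) and reports keys that look like credentials. SAMPLE_PLIST is a constructed preferences file; the key names and values are made up.

```python
import plistlib
from pathlib import Path

# key-name fragments that usually hold credentials (compared after dropping _ and -)
SENSITIVE = ("password", "passwd", "secret", "token", "apikey", "privatekey", "credential")


def sensitive_keys(obj, prefix=""):
    """Recursively walk a parsed plist and return (key path, value) for suspicious keys."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}/{k}"
            norm = str(k).lower().replace("_", "").replace("-", "")
            if any(s in norm for s in SENSITIVE) and not isinstance(v, (dict, list)):
                hits.append((path, v))
            hits.extend(sensitive_keys(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(sensitive_keys(v, f"{prefix}[{i}]"))
    return hits


def scan_plist_bytes(data: bytes):
    """Parse one plist (XML or binary) and return its suspicious keys."""
    return sensitive_keys(plistlib.loads(data))


def scan_app(root):
    """Walk a mounted .dmg or .app bundle and report credential-looking plist keys per file."""
    findings = {}
    for path in Path(root).rglob("*.plist"):
        try:
            hits = scan_plist_bytes(path.read_bytes())
        except Exception:          # not really a plist, or malformed: skip it
            continue
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample preferences file (not from any real product)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UpdateURL</key><string>https://updates.example.invalid/feed</string>
    <key>Sync</key>
    <dict>
        <key>Username</key><string>svc-sync</string>
        <key>Password</key><string>ChangeMe123</string>
    </dict>
    <key>Integrations</key>
    <array>
        <dict><key>Name</key><string>crm</string><key>api_key</key><string>EXAMPLE-KEY-0000</string></dict>
    </array>
    <key>TelemetryEnabled</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key_path, value in scan_plist_bytes(SAMPLE_PLIST):
        print(key_path, "=", value)
```

Run scan_app() on /Volumes/<application name> after hdiutil attach, and again on ~/Library/Preferences and ~/Library/Application Support after using the app, since many products write credentials only on first login. A secret that is stored correctly goes into the Keychain and never shows up here; anything this reports is readable by every process running as the user.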