Test Details
| Legend | Description |
|---|---|
| * | Confirmed |
| + | No Issue |
| ! | Warning |
| ? | To Check |
- Project:
- Dates:
Target List:
Accounts:
Guides & Tools
https://www.cyberark.com/resources/threat-research-blog/thick-client-penetration-testing-methodology
Scanning
- nmap: TCP
- nmap: UDP
- Nessus:
- SSLScan/TestSSL:
Enumeration
- Is the application two-tier (client talks directly to the database) or three-tier (client talks to an application server, which talks to the database)? This decides where access control can actually be enforced.
- Use CFF Explorer to identify the language/runtime the application was built with (e.g. .NET vs. native C/C++) and its architecture (x86/x64).
- Search for a decompiler that handles the language identified by CFF Explorer (in the case of .NET use dotPeek).
- Use dotPeek to decompile any interesting DLL and EXE files; note whether the assemblies are obfuscated.
- Use Visual Code Grepger (VCG) to scan the decompiled source for vulnerabilities (hardcoded secrets, weak crypto, unsafe deserialization). Treat its output as leads to confirm manually, not as findings.
- Use Process Monitor from the Sysinternals suite to record which local files, registry keys and DLLs the application touches at start-up and during sensitive operations (login, config load). Look in particular for files in user-writable locations and for DLL lookups that end in NAME NOT FOUND in a writable directory, which may allow DLL hijacking.
- Search any config files in the application directory (and under %APPDATA% / %PROGRAMDATA%) for credentials, connection strings and API keys.
- Check which user the application (and any associated Windows service) runs as. If it runs as SYSTEM or an administrator and its binaries, DLL search path or config files are writable by a low-privileged user, that is a privilege escalation path.
- Trigger and record any verbose error messages (stack traces, SQL errors, internal hostnames and paths).
Traffic Analysis
- Use TCPView from the Sysinternals suite to list the connections and listening ports the application opens, and which remote hosts/ports it talks to.
- nmap/sslscan any hosts supporting application functionality (e.g. SQL databases, application servers in a three-tier structure).
- Use Echo Mirage to hook the process and capture/modify traffic before it is encrypted.
- If Echo Mirage is unstable (it often crashes the application), fall back to Wireshark on the wire; you will only see plaintext if the application does not use TLS.
- Focus on authentication and database-access traffic: are credentials sent in the clear, does the client hold direct database credentials, is TLS used and is the server certificate actually validated?
Insecure Data Storage
- Check for sensitive data written to the registry using Regshot (take a snapshot before and after exercising the application and diff them).
- Use Process Hacker to inspect the running process's memory for sensitive strings (passwords, tokens) that remain after they have been used.
- Hardcoded credentials: use strings.exe (Sysinternals Strings) to search the executable and its DLLs for sensitive information; it extracts both ASCII and Unicode (UTF-16) strings, which matters because .NET binaries store string literals as UTF-16.
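A common mistake at this step is to run a Unix-style `strings` that only finds ASCII runs and so misses every UTF-16 literal in a .NET assembly. The example below is added here and is not part of the original checklist or of Sysinternals Strings: it extracts both ASCII and UTF-16LE runs, the way strings.exe does, and then flags the ones that look like credentials. The byte buffer `SAMPLE_BINARY`, the regexes and the function names are constructed for the example; the patterns are starting points, not a complete secret-detection ruleset.

```python
import re

MIN_LEN = 6

# Printable ASCII runs, and the same characters interleaved with NUL bytes (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Ordered from most to least specific; the first match labels the string.
SECRET_PATTERNS = [
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection string", re.compile(r"(?i)\b(data source|server)\s*=.*?\b(user id|uid)\s*=")),
    ("password assignment", re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*\S+")),
    ("api key / token", re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*[A-Za-z0-9_\-]{8,}")),
]


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run in the buffer."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_secrets(data: bytes):
    """Return sorted (offset, encoding, label, text) tuples for strings matching a secret pattern."""
    hits = []
    for off, enc, text in extract_strings(data):
        for label, pat in SECRET_PATTERNS:
            if pat.search(text):
                hits.append((off, enc, label, text))
                break
    return sorted(hits)


# Constructed sample: a fragment of a fake binary with an ASCII connection string and a
# UTF-16LE API key literal, padded with non-printable bytes. Values are made up.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Copyright (c) Example Corp"
    + b"\x00" * 8
    + b"Server=db01;Database=app;User Id=sa;Password=Summer2019!;"
    + b"\x00" * 8
    + "Microsoft.VisualBasic".encode("utf-16-le")
    + b"\x00" * 8
    + "ApiKey=AKIAEXAMPLE1234".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    for off, enc, label, text in find_secrets(SAMPLE_BINARY):
        print(f"0x{off:08x} {enc:9s} {label:20s} {text}")
```

Run it over the EXE and every DLL in the install directory, not just the main binary; the connection string is frequently in a helper assembly or a resource DLL rather than the executable itself.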
Developer Backdoors/logging
- Launch the application from the command line and check the console window for debug output or sensitive information.
- Check any application logs (install directory, %APPDATA%, %TEMP%, Windows Event Log) for sensitive content such as credentials, session tokens or personal data.
- Check that the application and its DLLs are Authenticode-signed, and by whom, using sigcheck.exe from Sysinternals.
- Use BinScope to check the application EXE and DLLs for missing compiler/linker mitigations (ASLR, DEP/NX, SafeSEH, /GS stack cookies, CFG).
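The identification step in Enumeration (CFF Explorer: is it .NET, x86 or x64?) and the two checks just above (sigcheck: is it signed? BinScope: are ASLR/DEP/CFG enabled?) all read the same few PE header fields. The script below is an added example, not part of the original checklist and not code from CFF Explorer, sigcheck or BinScope, that reads those fields directly with the standard library: the COFF machine type and optional-header magic give the architecture, a non-empty CLR runtime header (data directory 14) marks a .NET assembly, a non-empty certificate table (data directory 4) marks the presence of an Authenticode signature, and the DllCharacteristics flags give ASLR, high-entropy ASLR, DEP and CFG. The function names and the `build_sample_pe` helper, which fabricates minimal (non-loadable) PE headers as offline sample input, are the example's own. A certificate table being present only means a signature blob is attached; whether it verifies and who signed it is what sigcheck tells you.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE format specification).
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040   # ASLR
NX_COMPAT = 0x0100      # DEP
GUARD_CF = 0x4000       # Control Flow Guard

DIR_SECURITY = 4        # Authenticode certificate table
DIR_CLR = 14            # .NET CLR runtime header

MACHINES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def analyse_pe(data: bytes) -> dict:
    """Return identification and hardening facts read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32
        fmt, dd_count_off, dd_off = "PE32", 92, 96
    elif magic == 0x20B:                 # PE32+
        fmt, dd_count_off, dd_off = "PE32+", 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + dd_count_off)[0]

    def directory(idx):
        if idx >= n_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + dd_off + 8 * idx)

    clr_rva, clr_size = directory(DIR_CLR)
    cert_off, cert_size = directory(DIR_SECURITY)
    return {
        "format": fmt,
        "machine": MACHINES.get(machine, "0x%x" % machine),
        "managed": clr_rva != 0 and clr_size != 0,        # .NET assembly
        "has_authenticode": cert_off != 0 and cert_size != 0,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def build_sample_pe(pe32plus: bool, dll_chars: int, managed: bool, signed: bool) -> bytes:
    """Constructed minimal PE headers (not a loadable image) for exercising analyse_pe offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    opt_len = (112 if pe32plus else 96) + 16 * 8      # fixed part + 16 data directories
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    dd_count_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, dd_count_off, 16)
    if managed:
        struct.pack_into("<II", opt, dd_off + 8 * DIR_CLR, 0x2008, 0x48)
    if signed:
        struct.pack_into("<II", opt, dd_off + 8 * DIR_SECURITY, 0x4000, 0x1234)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_len, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [
        build_sample_pe(True, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT, True, True),
        build_sample_pe(False, 0, False, False),
    ]
    for data in targets:
        print(analyse_pe(data))
```

Point it at the EXE and each DLL in the install directory (`python pecheck.py "C:\Program Files\App\*.dll"` after shell expansion). For .NET assemblies the DllCharacteristics flags reflect what the compiler emitted, and on 64-bit .NET the JIT-compiled code is subject to the process's ASLR/DEP policy regardless, so treat missing flags on a managed file as a lower-severity observation than on native code.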
Access Control/Session Management
- Check the authentication mechanism: is it validated on the server or only locally, and how are credentials stored and transmitted?
- Check how access levels are enforced: on the server for every request, or only by hiding options in the client?
- Check for weak GUI control where functionality depends on access level: use WinSpy or Winmanipulate to enable hidden or disabled controls, then confirm whether the server still accepts the action.
- Check for idle timeout and session expiry.
File Upload
- Check for the existence of any file upload functionality.
- If found, try uploading a malicious file to the system (is the file type validated, and is AV enforced where the file lands?).