Thick Client Penetration Testing: Information Gathering
In the previous article, we have discussed the reverse engineering of original DVTA application in the Lab setup of Thick Client: DVTA part 2
In this part, we are going to systematically pentesting the DVTA application for various issues.
Table of Content
- Information Gathering by using CFF Explorer
- Information Gathering by using Sysinternal Suite
- Information Gathering by using Procmon
- Information Gathering by using Wireshark
- CFF explorer
- Sysinternals Suite
Information gathering by using CFF Explorer
You can directly install CFF Explorer from here: – https://ntcore.com/files/ExplorerSuite.exe
CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable’s internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers.
Let’s open up the CFF explorer. Basically, CFF explorer is used to checking how the binary is built. Having knowledge on what languages are used for building the binary is really useful because if it is built using Java, C, C++, ML, Al… we can look for vulnerabilities like Buffer overflow if it is built using C-sharp.net kind of languages it is very easy to decompile the application and reverse engineered
So, without wasting of much time quickly open up the DVTA.exe by navigating to File > open > DVTA.exe as shown in below image.
Let’s see which type of juicy information we get …
So if you notice by 2nd line this is a Portable Executable 32.NET Assembly and Microsoft Visual .NET is used to build this. So, as you can see this binary is built using Microsoft Visual Studio .NET and it’s a .NET assembly so that we can de-compile this application very easily.
This information is enough to decompile the application easily.
Information Gathering by using Sysinternals Suite
Download and install Sysinternal Suite: https://download.sysinternals.com/files/SysinternalsSuite.zip
Once the download complete, install it. Installation is pretty much easy there is no need to do changes in installation just simply press next and next until installation doesn’t finish.
Let’s begin with a tool TCP View from the Sysinternals Suite
Open up the application TCP view and just after opening the application you can see the machine is making network communications and what we’re interested in is DVTA application.
So, the thing is we have to gather information like where these applications communicating such as the Destination IP address.
To do this launch the modified DVTA application and see what happens… 🤔
First of all, configure the server to your local Ip address or the loopback address and the login to the DVTA application with the user credentials.
Now, you can see there is a new entry in TCP view showing DVTA.exe processes and the local address is 127.0.0.1 and the remote address that is communicating with localhost in this case because it’s the loopback address where the database is installed.
In this way, we can figure out the IP addresses that our applications are communicating with. So, we have completed the first step towards the information gathering.
Let’s move to another tool from the Sysinternals Suite called Procmon.
Information Gathering by using Procmon
Basically, Procmon is a process monitor that helps us to understand the file system changes and what is being accessed on the file system.
Let’s open up the application Procmon which you can find in the folder of Sysinternals suite.
Here we’re using 32-bit of version.
Just after the opening of Procmon application, you can see this process monitor is showing lot’s of traffic and the reason behind of that is it picks up all of the processes and shows the output of all the processes In its window.
This becomes complex for us to understand the process that we’re interested in. To reduce that complexity lets set up a filter by navigating to Filter > Filter or just simply press Ctrl+L
Select the Attribute to Process Name is DVTA.exe because this is the only process that what we’re interested in and ADD the filter.
Now you are going to see the screen empty because DVTA is not currently running.
So, without wasting of time go back to modified DVTA application folder and run the DVTA.exe Now just by the opening of DVTA, there is traffic generated only for the DVTA.exe file. So now they become more interesting and easier to understand.
Now configure our server to 127.0.0.1. we have configured the server already in previous articles we’re doing this again to understand what changes are being made in the file system when we configure it. But before doing this clear your screen to reduce the complexity by navigating to Edit > Clear Display so that when we press configure server button, we can only see which changes being made.
Just after hitting the Configure server button, you can see there is instantly lots of traffic generated as shown below In the image.
Now, what we interested in we want to understand what happens when we clicked on configure server button. So just scroll down to the output and see what we can find anything interesting.
There are lots of registry entry being accessed and at the bottom, there are some files that are being accessed such as create the file, Query Network open information file, Close File …
so, it looks like these files are something which is being accessed by DVTA.exe when we try configuring the IP address. So quickly open it up and see what it has. We can directly jump from process monitor to the location of this file by giving it a right-click and then navigate to Jump TO…
It will redirect you the location of that file changed in the file system are being made as shown below also it automatically highlights to the file where changes are being implied.
Now let’s open up the DVTA.exe XML configuration file in you favourite XML viewer.
It’s gonna very interesting as you can see the server is configured to 127.0.0.1 exactly the same IP address that we have entered earlier and looks when we click on configure the server the Ip address is taken from the text box and placed here… 🤔
Apart from these entries here we have some other interesting entries if you notice there is a database name which is DVTA … if you remember this is the name of the database we have used when creating a database in SQL Server Express. Also, there is the user name and the password for the database but it seems like the password is Encrypted but if you observe just right below that there is an AES encryption key possibly used for decrypting the Encrypted value and apart from that there is IV value which is probably used with the AES Encryption.
Now the main thing to be noted is that when we tried configuring the server in the application… the application is accessing this DVTA.exe.config file and it is trying to place the IP address place there then we have also noticed some more interesting information such as Encrypted Database password and the AES key.
Let’s open up the DVTA application and login to the application by using user credentials as shown below and on the other tab process monitor start capturing the traffic.
As you can see, we have successfully logged in to the application also you can verify the user credentials by navigating to View profile. Now close the tab directly without doing Logout.
Now again open the DVTA application and if you noticed it doesn’t ask to enter the credentials again. That means it is storing the credentials somewhere or it may be storing the session somewhere in the client. So, what we will try to do is we will close the application and clear the procmon display once again so that we’ll have to deal with less number of entries and once again we’ll open DVTA.exe and we already notice we didn’t Logout so it will directly bring you to the main screen
Now, let’s see if there is anything interesting happening on the file system when we trying to open this application with the existing session. So, keep scrolling down to the output screen until we don’t find something interesting and if you see there is a registry specific to our application name DVTA and inside that there seem to be some keys like username, is Logged in… etc
So, it seems like interesting let’s quickly open up the registry entry by giving it a right-click and navigating to Jump to or you can directly jump to file by pressing ctrl+J.
It will open up the Registry entry. As we can see it has a couple of keys like Email, Is Logged in, Password, and Username. So basically, this application is storing the credentials here and it is also checking if the user is already logged in or not.
And that means if you change the isLoggedIn value true to false then it will probably ask you to enter the login credentials again even if you are already logged in.
Hmm… exited Let’s do it.
Let’s check that by closing the DVTA application and opening it once again.
When you open the DVTA application again it will ask you to enter the login credentials again so that means our acknowledges are correct. If the application finds this registry entry with the value true it will not ask you for login.
So, this can be used for some interesting attacks for example if we change the user name and password In the registry entry, we can easily trick to the application to believe that the particular user is already logged in with his credentials.
This looks very interesting attack … isn’t it…?? Let’s do it
Change the Password value to Vijay to paras or you’re on own as by giving a double click to the registry of Password as shown below.
Same again change the username value vijay to paras or your own name and hit ok
Let’s check what happens if we once again open the DVTA application.
As you can see, we directly logged in to the application without entering the login credentials. So, as we see we can simply trick the application to logged in to application directly by doing changes in the registry entry.
Now what we learnt from all of these processes that the application is storing login credentials in the registry entry.
Information gathering by using Wireshark
You can download Wireshark by visiting the official page of Wireshark: – https://www.wireshark.org/download.html
After downloading the Wireshark install it on your system by hitting next and next it doesn’t need any changes in the installation. By installing it run the Wireshark and the interface looks similar like as shown in below image.
Since we are using loopback address let’s choose loopback traffic capture
Now go back to the modified DVTA application and login to the application by using login credentials.
Just after login to application come back to the Wireshark and you can see there are lots of traffic going there just refresh the capture and again login to the DVTA application and just after hitting the login button come back to Wireshark and its better to stop the capture immediately after clicking the login button so it won’t capture unnecessary traffic as shown below in image where I opened two different tabs one of Wireshark and another one is DVTA application just to see how it capture the traffic when I press the login button.
Now what we’re interested in is to understand how this login is making communication with the server. If you look there are some packets that uses UDP protocol so let’s open it in UDP stream and then let’s see what we can find.
When you open that packet, you can see this is a packet containing a request to SQL Server. You can see there is an SQL Express and the hostname where the SQL server is running.
So, this packet shows that we are making a network connection with the SQL server and this is enough also you can capture the whole traffic of DVTA application how the application is communicating with the server.
Now the key takeaway here is that the application is making some SQL connections when you are trying to interact with it.
In the next part, we will talk about different attack vectors.
Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here