Thick Client Pentest Methodology

Thick Client Penetration Testing Methodology

1. Pre-Engagement & Scoping

1.1 Initial Planning

• Define assessment objectives and success criteria

• Establish rules of engagement (RoE)

• Determine testing timeframe and constraints

• Identify emergency contacts and escalation procedures

• Document any out-of-scope systems or testing methods

1.2 Technical Scoping

• Platform identification

  Operating System:
  □ Windows (Version/Build)
  □ Linux (Distribution)
  □ macOS (Version)
  
  Architecture:
  □ x86 (32-bit)
  □ x64 (64-bit)
  □ ARM
  
  Development Platform:
  □ .NET Framework/Core
  □ Java
  □ Electron
  □ Native (C++/Delphi)

1.3 Business Logic Analysis

• Document intended application functionality

• Map critical business workflows

• Identify high-value assets and data

• Understand authorization levels and user roles

1.4 Architecture Review

Data Flow Components:
□ Client-side processing
□ Server communication
□ Local storage
□ External integrations
□ Database interactions

2. Information Gathering

2.1 Installation Analysis

# Common installation paths
Get-ChildItem "C:\Program Files" -Recurse
Get-ChildItem "C:\Program Files (x86)" -Recurse
Get-ChildItem "$env:LOCALAPPDATA" -Recurse
Get-ChildItem "$env:APPDATA" -Recurse

2.2 File System Enumeration

• Document application directory structure

  tree /F > directory_structure.txt    # Windows
  tree -a > directory_structure.txt    # Linux

• Identify config files

  □ .config, .ini, .xml, .json
  □ Connection strings
  □ API endpoints
  □ Feature flags

• Locate log files and analyze content

  Get-Content *.log | Select-String "password", "key", "secret", "token"

2.3 Dependencies Analysis

# Windows
Dependencies.exe <executable>
PEStudio.exe <executable>

# Linux
ldd <executable>
objdump -p <executable>

2.4 Registry Analysis

# Export relevant registry keys
reg export HKLM\Software\<AppName> app_hklm.reg
reg export HKCU\Software\<AppName> app_hkcu.reg

# Monitor registry access
Process Monitor -> Filter -> Registry Activity

3. Static Analysis

3.1 Binary Analysis

# Initial analysis
strings -n 8 <binary>
pestudio <binary>
die <binary>

# Identify protection/packing
detect it easy (die) <binary>
PEiD <binary>

3.2 Decompilation

• .NET Applications

  # Use dnSpy or dotPeek
  dnSpy.exe <assembly>
  
  # Check for obfuscation
  de4dot.exe <assembly>

• Java Applications

  # Decompile JAR/class files
  jd-gui <jar>
  procyon <class>
  
  # Extract resources
  jar xf <jar>

• Native Applications

  # Load in Ghidra/IDA
  # Analyze key functions:
  □ Authentication
  □ Cryptographic operations
  □ File I/O
  □ Network communication

3.3 Code Review Focus Areas

□ Hardcoded credentials
□ API keys and tokens
□ Connection strings
□ Cryptographic material
□ Debug/test code
□ Error handling
□ File operations
□ Command execution

4. Dynamic Analysis

4.1 Runtime Monitoring

# Process monitoring
Start-Process procmon.exe
Start-Process "Process Hacker.exe"

# Network monitoring
Start-Process wireshark.exe

4.2 Debugging Setup

# .NET debugging
dnSpy -> Debug -> Start Debugging

# Native debugging
x64dbg <executable>
WinDbg <executable>

4.3 Frida Instrumentation

// Hook function calls
frida-trace -i "function*" <process>

// Modify return values
Interceptor.attach(targetAddr, {
    onLeave: function(retval) {
        retval.replace(0x1);
    }
});

4.4 Behavioral Analysis

• Monitor file operations

• Track registry changes

• Log network connections

• Document API calls

• Analyze memory usage

5. Network Communication Testing

5.1 Traffic Interception Setup

# Burp Suite setup
java -jar burpsuite.jar
# Configure proxy: 127.0.0.1:8080

# Fiddler setup
fiddler.exe
# Enable HTTPS decryption

5.2 SSL/TLS Analysis

# Check certificate pinning
openssl s_client -connect host:port

# Bypass certificate validation
# .NET: 
System.Net.ServicePointManager.ServerCertificateValidationCallback = {$true}

# Java:
-Djavax.net.ssl.trustAll=true

5.3 Traffic Analysis

• Document API endpoints

• Map request/response patterns

• Test parameter manipulation

• Check for sensitive data in traffic

• Verify encryption usage

6. Authentication & Authorization Testing

6.1 Authentication Analysis

Test Vectors:
□ Null credentials
□ Default credentials
□ SQL injection
□ Authentication bypass
□ Remember me functionality
□ Password reset mechanism

6.2 Session Management

• Locate token storage

  # Check common locations
  Get-ChildItem -Path $env:APPDATA -Recurse
  Get-Item -Path "HKCU:\Software\*" | Get-ItemProperty

• Analyze token format and structure

• Test token manipulation

• Check session timeout

• Verify session invalidation

6.3 Credential Storage

# Memory analysis
procdump.exe -ma <PID>
strings64.exe memory.dmp | findstr /i "password"

# File analysis
findstr /s /i "password" *.*

7. Local Storage Analysis

7.1 File System

# Search for sensitive files
Get-ChildItem -Recurse -Include *.config,*.ini,*.xml,*.json
Select-String -Path * -Pattern "password","key","secret"

7.2 Registry Analysis

# Export and analyze registry
reg export HKLM\Software\* hklm.reg
reg export HKCU\Software\* hkcu.reg

7.3 Temporary Files

# Windows temp locations
%TEMP%
%APPDATA%
%LOCALAPPDATA%

# Linux temp locations
/tmp
/var/tmp
~/.cache

8. Reverse Engineering & Code Injection

8.1 Binary Analysis

# Identify interesting functions
□ Authentication routines
□ Cryptographic operations
□ Network communication
□ File operations

8.2 Code Injection

// DLL injection template
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Injection code here
        break;
    }
    return TRUE;
}

8.3 Function Hooking

// Frida hook template
Interceptor.attach(ptr('ADDRESS'), {
    onEnter: function(args) {
        // Pre-function code
    },
    onLeave: function(retval) {
        // Post-function code
    }
});

9. Privilege Escalation & Post-Exploitation

9.1 Local Privilege Escalation

# Check file permissions
icacls "C:\Program Files\*"
icacls "C:\Program Files (x86)\*"

# Check service permissions
sc qc <service_name>
accesschk.exe -ucqv <service_name>

9.2 Service Exploitation

# Monitor service creation
procmon.exe -> Filter -> Operation is CreateFile

# Check for DLL hijacking
Process Monitor -> Filter -> Result contains "NAME NOT FOUND"

9.3 Memory Extraction

# Dump process memory
procdump.exe -ma <PID>

# Extract credentials
mimikatz.exe
sekurlsa::logonpasswords

10. Reporting

10.1 Vulnerability Documentation

For each finding:
□ Description
□ Reproduction steps
□ Impact
□ Risk rating
□ Remediation advice

10.2 Evidence Collection

• Screenshots

• Network captures

• Code snippets

• Proof of concept scripts

• Log files

10.3 Report Structure

1. Executive Summary
   □ Overview
   □ Risk summary
   □ Key findings

2. Technical Details
   □ Methodology
   □ Findings
   □ Reproduction steps
   □ Impact analysis

3. Remediation
   □ Short-term fixes
   □ Long-term recommendations
   □ Strategic advice

11. Optional Add-Ons

11.1 Hybrid Application Testing

• Web component analysis

• Desktop-Web interaction testing

• Cross-origin resource sharing

• Local HTTP server testing

11.2 API Security Testing

□ API documentation review
□ Authentication mechanisms
□ Rate limiting
□ Input validation
□ Error handling
□ Data exposure

11.3 Source Code Review

Focus Areas:
□ Authentication mechanisms
□ Cryptographic implementations
□ File operations
□ Network communication
□ Error handling
□ Input validation
□ Third-party components

11.4 Custom Tools Development

• Automation scripts

• Custom hooks

• Traffic manipulation tools

• Data extractors

• Report generators