Thick Application Penetration Testing - A Crash Course
Thick Application Penetration TestCRASH COURSE v1.0Author: Scott Sutherland
Who am I?Scott SutherlandPrincipal Security Consultant• Penetration Testing‒ Networks‒ Web apps / services‒ Thick apps• Community Stuff‒ Researcher‒ Blogger‒ Tool smith (or smithy if you like)‒ Twitter stalker: @_nullbind
What are we going to talk about?• Why should you care• Testing Goal and Objectives• Project Scoping• Common Architectures• Accessing the Application• Testing Requirements• Application Walkthrough• Managed vs. Unmanaged• Testing the Application• Vulnerability Categories• Reporting
Why am I talking about this?Thick applications create uniquerisks that web applications dont.
Why am I talking about this?Users often have full control over theapplication environment which:‒ Allows attacks on trustedcomponents‒ Exposes data, admin/hiddenfunctions‒ Leads to application and OS privilegeescalation
Why am I talking about this?Thick applications are the new webapplications.
Why am I talking about this?Publishing thick applications via TerminalServices and Citrix: Good Stuff‒ Helps meet client demand for “cloudservices”‒Converts Client/Server model to SaaSmodel‒Cheaper/Faster than developingactual web based solution fromscratch
Why am I talking about this?Publishing thick applications via TerminalServices and Citrix: Bad Stuff‒Very hard to secure publisheddesktops/applications‒Commonly results in direct databaseaccess‒Often exposes internal networks ofservice provider
Testing Goal & ObjectivesGoal:Determine what risks the application implementationpresents to the business so they can be mitigated.Objectives:Identify vulnerabilities that may exist in:‒ The client application and server components‒ The workstation or published application configuration‒ The server or network configuration
Scoping ProjectsEstimate effort:‒ Number of forms‒ Number of files‒ Number of registry keys‒ Number of user levels‒ Application architecture‒ Application technology‒ Constraints‒ EnvironmentGenerally…‒ More stuff = more time‒ More complexity = more time
Common ArchitecturesDesktop Client Remote Database‒ Usually entire implementation is on internal networkDesktop Client local DB Remote Database‒ Local db typically syncs with remote db‒ Usually client and local db are on internal networkremote db is hosted by service providerDesktop Client Application Server Database‒ Usually client in on internal network and app/db serveris located is hosted by service provider‒ Common technologies: Web Services, WebApplications, JBOSS, and IBM WebSphere
Common ArchitecturesTerminal Services Application‒ RDP Terminal Server Published app‒ Website RDP Terminal Server Published appCitrix Application‒ Citrix client Terminal Server Published app‒ Website Citrix client Published appThin Application‒ VMware application‒ Hyper-V application
Accessing the Application• Install locally, and test over VPN• Install locally, and test over the internet• Test over VPN, RDP to a client system,and install the tool sets for testing• VPN + Terminal Services (TS)• Web based TS• VPN + Citrix Client• Web based Citrix• Run from network share
Testing RequirementsMinimum Requirements:• 2 application credentialsfor each role• Application AccessPotential Requirements:• VPN access• Local administratoron client test system• Internet endpoints• Installation package
Application Walkthrough• Verify connectivity to application• Verify all credentials• Walk through common use cases• Identify potential areas of client concern• Better understand applicationarchitecture
UNMANAGED CODE APPLICATIONS• General Information‒ C and C++ (“unmanaged” or “native” languages)‒ Compiled to machine code‒ Include exportable functions• Pros‒ Typically run faster due to pre compiled code‒ Can’t be easily decompiled to the original source code• Cons‒ Architecture specific‒ Disassembly and reassembly is still possible‒ API hooking is still possible
MANAGED CODE APPLICATIONS• General Information‒ Frameworks: .net (C# VB), Java Runtime, Dalvik‒ Compiled to bytecode‒ Usually does not include exportable functions‒ Uses reflection to share public functions• Pros‒ Architecture independent‒ Can be coded in different languages‒ Can access unmanaged/native code• Cons‒ Slower due to Just in Time (JIT) compiling‒ Disassembly and reassembly of CIL code is still possible‒ Decompiling via reflection is still possible‒ Global Assembly Cache (GAC) poisoning is possible‒ API hooking is still possible
Attack VectorsThe usual suspects:• Network traffic• Application memory• Configurations• Application GUI• Files and folders• Windows registry
Application Test PlanCreate a test plan and follow it…• Address high priority test cases identified byclients and business owners first• Testing can be broken out by vector:‒ GUI Review‒ File Review‒ Registry Review‒ Network Review‒ Memory Review‒ Configuration Review
How far do we take this?Stay in scope!• That means only networks, servers, andapplications defined by the client• On in scope systems:‒ Application admin = yes‒ Database user = yes‒ Database admin = yes‒ Local OS admin = yes‒ Remote OS admin = yes‒ Domain Admin = yes(IF logged into system)…then no more escalation
Testing the Servers• Automated authenticated scanning‒ Multiple tools‒ Multiple rounds• Manual testing using standardizedpenetration test approach‒ Information Gathering‒ Vulnerability Enumeration‒ Penetration‒ Escalation‒ Evidence Gathering‒ Clean up
Testing the Application: GUI• GUI object privilegesShow hidden form objectsEnable disabled functionalityReveal masked passwords (GUI B GONE)• GUI contentReview for sensitive data and passwords• GUI logicBypass controls using intended GUI FunctionalityCommon Examples:‒ SQL query windows‒ Access control fields‒ Export functions allow more access to data‒ Break out of Citrix and Terminal Server applications‒ External program execution
Testing the Application: GUITool DescriptionUISpy Enable disabled functions, and call actions related to disabled functions.WinCheatShow hidden objects, enabled disabled objects, execution functions, and generallymanipulate remote form objects.Window DetectiveView form object properties including the value of masked password fields, and maskcard numbers.
Testing the Application: Files• File permissionsFiles and folders• File IntegrityStrong naming, Authenticode signing• File contentDebugging Symbols/files, sensitive data, passwords, and settings• File and content manipulationBackdoor the frameworkDLL pre loadingRace conditionsReplacing files and contentCommon Examples:‒ Application settings‒ Trusted paths and executables‒ Trusted hosts‒ Update servers‒ Passwords and Private keys
Testing the Application: Files• Exported Functions (usually native code)Identify and run exported functions without authenticating• Public Methods (managed code reflection)Create a wrapper to access public methods without authenticating• Decompile and RecompileRecover source code, passwords, keys, and create patched assembly• Decrypt and DeobfuscateRecover source code, passwords, keys, etc• Disassemble and ReassembleCreate patched assembly
Testing the Application: FilesTool DescriptionAccessEnum, Privesc, autoruns,schtasksDump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write scriptlocations..Net Reflector, Reflexil, ildasm, IL_Spy,Graywolf,JD Java decompiler, java bytecode editor, Metasm, CFFExplorerDecompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools toidentify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms.Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assembliesCFF Explorer, dllexpReview exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression,disassemble binary, and finger print languageMetasploitMSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads forinjection and side loading. This also ships with METASM ruby library that can be used to disassemble andcompile binariesProcess Explorer View image file settings, process, connections, threads, permissions, strings from process, environmentalvariablesProcess Hacker 2View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process,environmental variablesProcess Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like.Spider2008 Search file system for interesting strings with regular expressionsStrings Dump strings from filesSymantec EPP Scan all files for know malwarePE Explorer Detect compiler or packer type and versionUPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other filesVisual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
Testing the Application: Registry• Registry permissionsRead and write access to registry keys• Registry contentSensitive data, passwords, and settings• Registry manipulationBypass authentication and authorizationReplace contentCommon Examples:‒ Application settings‒ Trusted paths and executables‒ Trusted hosts‒ Update servers‒ Passwords‒ Private keys
Testing the Application: RegistryTools:Tool DescriptionAccessEnum Dump file and registry permissionsRegedit Backup, review, and edit the registryRegshot Registry diffing tool.Process Monitor Monitors calls to file, registry keys, and sockets
Testing the Application: Network• Network RulesLocal and network firewall rules• Network contentSensitive data, files, passwords, and settings• Network manipulationBypass authentication and authorization (SQL)Replacing content (Parameters)Common Examples:‒ Application settings‒ Trusted paths and executables‒ Trusted hosts‒ Update servers‒ Passwords‒ Private keys• Reverse and Fuzz Proprietary Protocols
Testing the Application: NetworkTool DescriptionCain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file.Burp Can be used to manipulate HTTP traffic.Metasploit Create custom fuzzer for RPC protocols.Sully Create custom fuzzing templates.Echo Mirage Generic TCP proxy.Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters.Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates.Network Miner Parse network traffic for files, systems, and shares.oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made.SOAPUI Can be used to interact directly with web services, and is often used with BURPWeb Inspect Service Attack Tool Generic web service review.Wireshark, windump,tcpdump,RawcapDump all network traffic. Rawcap is the bomb.
Testing the Application: Memory• Process controlsDEP, ASLR, permissions, and privileges• Memory contentSensitive data, passwords, and settings• Memory manipulationBypass authentication and authorizationReplacing contentCommon Examples:‒ Application settings‒ Trusted paths and executables‒ Trusted hosts‒ Update servers‒ Passwords‒ Private keys
Testing the Application: MemoryRun-time Modifications• Direct editing• DLL injection• Shell code Injection• Process replacement• Modify assembly in memory• Identification of dangerous functions• Check if debugger can be run• Debugging via stepping and breakpointsto analyze and modify
Testing the Application: MemoryTool DescriptionMetasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used tomigrate into a running process.Process Explorer View image file settings, process, connections, threads, permissions, strings fromprocess, environmental variablesProcess Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions,environmental variables, inject DLLRemoteDLL Can be used to inject a DLL into a process.Tsearch Can be used to quickly find and replace strings in memory.Immunity, OllyDBG,Windbg, and IDADebuggersCan be used to step through the application and modify assembly instructions on thefly.Winhex Can be used to quickly find and replace strings in memory.Userdump Dump memory from process.
Testing the Application: Configurations• Application user privileges• Service account privileges• Service configuration privileges• Service registration• Database account privileges• Remote share permissions• TS breakouts to OS• Citrix breakouts to OS
Testing the Application: ConfigurationsTool Descriptionwindows-privesc-checkCheck privileges on servers and associated program directories, and manuallycheck for insecurely registered services.Citrix Client Used to connect to Citrix applications.Data Source (ODBC)Administrative ToolLook for existing ODBC connection and use tools like excel to leverage them.Services.msc,windows-privesc-checkReview application services for insecure registration, binary paths, anddetermine users who is running the service.SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL,SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express.Windows Explorer andcommon dialog boxesAccess Windows dialog boxes to obtain access to a cmd console orPowershell. Target links, shortcuts, open file functions, export functions,import functions, and reporting functions. Help menus and verbose errorpages can also be handy.
Reporting Stuff• Create severity ranking system based onstatic criteria• Internally, criteria should take compensatingcontrols into consideration• Prioritize findings based onranking system• Include instructions orscreen shots to helpreproduce and fix issues• Don’t forget recommendations
Wrap Up• General Summary‒ Attack thick applications and related infrastructurefrom many vectors using many tools‒ Managed code suffers from inherent weaknessesthat can’t be fixed and is easier to attack• General Advice‒ Never store sensitive anything in an assembly‒ If something sensitive “must” be stored in anassembly use unmanaged coding languages like Cand C++‒ Be very careful to implement sufficient controlswhen deploying thick applications via terminalservices or Citrix