Thick Application Penetration Testing - A Crash Course
1. Thick Application Penetration Test: Crash Course v1.0
   Author: Scott Sutherland
2. Who am I?
   Scott Sutherland, Principal Security Consultant
   • Penetration Testing
     ‒ Networks
     ‒ Web apps / services
     ‒ Thick apps
   • Community Stuff
     ‒ Researcher
     ‒ Blogger
     ‒ Tool smith (or smithy if you like)
     ‒ Twitter stalker: @_nullbind
3. What are we going to talk about?
   • Why should you care
   • Testing Goal and Objectives
   • Project Scoping
   • Common Architectures
   • Accessing the Application
   • Testing Requirements
   • Application Walkthrough
   • Managed vs. Unmanaged
   • Testing the Application
   • Vulnerability Categories
   • Reporting
4. Why am I talking about this?
   Thick applications create unique risks that web applications don't.
5. Why am I talking about this?
   Users often have full control over the application environment, which:
   ‒ Allows attacks on trusted components
   ‒ Exposes data and admin/hidden functions
   ‒ Leads to application and OS privilege escalation
6. Why am I talking about this?
   Thick applications are the new web applications.
7. Why am I talking about this?
   Publishing thick applications via Terminal Services and Citrix: Good Stuff
   ‒ Helps meet client demand for "cloud services"
   ‒ Converts the client/server model to a SaaS model
   ‒ Cheaper/faster than developing an actual web-based solution from scratch
8. Why am I talking about this?
   Publishing thick applications via Terminal Services and Citrix: Bad Stuff
   ‒ Very hard to secure published desktops/applications
   ‒ Commonly results in direct database access
   ‒ Often exposes the internal network of the service provider
9. Testing Goal & Objectives
   Goal:
   Determine what risks the application implementation presents to the business so they can be mitigated.
   Objectives:
   Identify vulnerabilities that may exist in:
   ‒ The client application and server components
   ‒ The workstation or published application configuration
   ‒ The server or network configuration
10. Scoping Projects
   Estimate effort:
   ‒ Number of forms
   ‒ Number of files
   ‒ Number of registry keys
   ‒ Number of user levels
   ‒ Application architecture
   ‒ Application technology
   ‒ Constraints
   ‒ Environment
   Generally…
   ‒ More stuff = more time
   ‒ More complexity = more time
11. Common Architectures
   Desktop Client → Remote Database
   ‒ Usually the entire implementation is on the internal network
   Desktop Client → Local DB → Remote Database
   ‒ The local DB typically syncs with the remote DB
   ‒ Usually the client and local DB are on the internal network; the remote DB is hosted by a service provider
   Desktop Client → Application Server → Database
   ‒ Usually the client is on the internal network and the app/DB server is hosted by a service provider
   ‒ Common technologies: Web Services, Web Applications, JBoss, and IBM WebSphere
12. Common Architectures
   Terminal Services Application
   ‒ RDP → Terminal Server → Published app
   ‒ Website → RDP → Terminal Server → Published app
   Citrix Application
   ‒ Citrix client → Terminal Server → Published app
   ‒ Website → Citrix client → Published app
   Thin Application
   ‒ VMware application
   ‒ Hyper-V application
13. Accessing the Application
   • Install locally, and test over VPN
   • Install locally, and test over the internet
   • Test over VPN: RDP to a client system and install the tool sets for testing there
   • VPN + Terminal Services (TS)
   • Web-based TS
   • VPN + Citrix client
   • Web-based Citrix
   • Run from a network share
14. Testing Requirements
   Minimum Requirements:
   • 2 application credentials for each role
   • Application access
   Potential Requirements:
   • VPN access
   • Local administrator on the client test system
   • Internet endpoints
   • Installation package
15. Application Walkthrough
   • Verify connectivity to the application
   • Verify all credentials
   • Walk through common use cases
   • Identify potential areas of client concern
   • Better understand the application architecture
16. Application Targets
   UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
17. UNMANAGED CODE APPLICATIONS
   • General Information
     ‒ C and C++ ("unmanaged" or "native" languages)
     ‒ Compiled to machine code
     ‒ Include exportable functions
   • Pros
     ‒ Typically run faster due to pre-compiled code
     ‒ Can't be easily decompiled to the original source code
   • Cons
     ‒ Architecture specific
     ‒ Disassembly and reassembly is still possible
     ‒ API hooking is still possible
18. MANAGED CODE APPLICATIONS
   • General Information
     ‒ Frameworks: .NET (C#, VB), Java Runtime, Dalvik
     ‒ Compiled to bytecode
     ‒ Usually do not include exportable functions
     ‒ Use reflection to share public functions
   • Pros
     ‒ Architecture independent
     ‒ Can be coded in different languages
     ‒ Can access unmanaged/native code
   • Cons
     ‒ Slower due to Just-in-Time (JIT) compiling
     ‒ Disassembly and reassembly of CIL code is still possible
     ‒ Decompiling to readable source (e.g., with .NET Reflector) is still possible, because the bytecode keeps type and method metadata
     ‒ Global Assembly Cache (GAC) poisoning is possible
     ‒ API hooking is still possible
19. Attack Vectors
   The usual suspects:
   • Network traffic
   • Application memory
   • Configurations
   • Application GUI
   • Files and folders
   • Windows registry
20. Application Test Plan
   Create a test plan and follow it…
   • Address high-priority test cases identified by clients and business owners first
   • Testing can be broken out by vector:
     ‒ GUI Review
     ‒ File Review
     ‒ Registry Review
     ‒ Network Review
     ‒ Memory Review
     ‒ Configuration Review
21. How far do we take this?
   Stay in scope!
   • That means only networks, servers, and applications defined by the client
   • On in-scope systems:
     ‒ Application admin = yes
     ‒ Database user = yes
     ‒ Database admin = yes
     ‒ Local OS admin = yes
     ‒ Remote OS admin = yes
     ‒ Domain Admin = yes (IF logged into the system)
     …then no more escalation
22. Testing the Servers
   • Automated authenticated scanning
     ‒ Multiple tools
     ‒ Multiple rounds
   • Manual testing using a standardized penetration test approach
     ‒ Information Gathering
     ‒ Vulnerability Enumeration
     ‒ Penetration
     ‒ Escalation
     ‒ Evidence Gathering
     ‒ Clean up
23. Testing the Application: GUI
   • GUI object privileges
     Show hidden form objects
     Enable disabled functionality
     Reveal masked passwords (GUI B GONE)
   • GUI content
     Review for sensitive data and passwords
   • GUI logic
     Bypass controls using intended GUI functionality
   Common Examples:
   ‒ SQL query windows
   ‒ Access control fields
   ‒ Export functions that allow more access to data than the forms do
   ‒ Break out of Citrix and Terminal Server applications
   ‒ External program execution
24. Testing the Application: GUI
   Tools:
   UISpy: Enable disabled functions, and call actions related to disabled functions.
   WinCheat: Show hidden objects, enable disabled objects, execute functions, and generally manipulate remote form objects.
   Window Detective: View form object properties, including the value of masked password fields and masked card numbers.
25. Testing the Application: Files
   • File permissions
     Files and folders
   • File integrity
     Strong naming, Authenticode signing
   • File content
     Debugging symbols/files, sensitive data, passwords, and settings
   • File and content manipulation
     Backdoor the framework
     DLL preloading (DLL search-order hijacking)
     Race conditions
     Replacing files and content
   Common Examples:
   ‒ Application settings
   ‒ Trusted paths and executables
   ‒ Trusted hosts
   ‒ Update servers
   ‒ Passwords and private keys
26. Testing the Application: Files
   • Exported functions (usually native code)
     Identify and run exported functions without authenticating
   • Public methods (managed code reflection)
     Create a wrapper to access public methods without authenticating
   • Decompile and recompile
     Recover source code, passwords, and keys, and create a patched assembly
   • Decrypt and deobfuscate
     Recover source code, passwords, keys, etc.
   • Disassemble and reassemble
     Create a patched assembly
27. Testing the Application: Files
   Tools:
   AccessEnum, PrivEsc, Autoruns, schtasks: Dump file, registry, and service permissions. Also review scheduled tasks for excessive privilege and writable script locations.
   .NET Reflector, Reflexil, ildasm, ILSpy, GrayWolf, JD (Java decompiler), Java bytecode editor, Metasm, CFF Explorer: Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to identify vulnerabilities, and review for sensitive data such as passwords, private keys, and proprietary algorithms.
   Reflexil (.NET Reflector plugin), GrayWolf: De-obfuscate decompiled assemblies.
   CFF Explorer, dllexp: Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, disassemble the binary, and fingerprint the language.
   Metasploit: msfpayload, msfencode, and msfvenom generate shellcode, DLL, and EXE payloads for injection and side loading. Also ships with the Metasm Ruby library, which can disassemble and compile binaries.
   Process Explorer: View image file settings, process, connections, threads, permissions, strings from the process, environment variables.
   Process Hacker 2: View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from the process, environment variables.
   Process Monitor, API Monitor: Monitor calls to files, registry keys, and sockets. API Monitor does what it sounds like.
   Spider 2008: Search the file system for interesting strings with regular expressions.
   Strings: Dump strings from files.
   Symantec EPP: Scan all files for known malware.
   PE Explorer: Detect compiler or packer type and version.
   UPX, MPRESS, IExpress, 7-Zip: Decompress/unpack binaries and other files.
   Visual Studio, ilasm, Metasm, WinHex: Edit exported .NET Reflector projects, IL, or assembly and create patched executables.
28. Testing the Application: Registry
   • Registry permissions
     Read and write access to registry keys
   • Registry content
     Sensitive data, passwords, and settings
   • Registry manipulation
     Bypass authentication and authorization
     Replace content
   Common Examples:
   ‒ Application settings
   ‒ Trusted paths and executables
   ‒ Trusted hosts
   ‒ Update servers
   ‒ Passwords
   ‒ Private keys
29. Testing the Application: Registry
   Tools:
   AccessEnum: Dump file and registry permissions.
   Regedit: Back up, review, and edit the registry.
   Regshot: Registry diffing tool (snapshot before and after an application action, then compare).
   Process Monitor: Monitors calls to files, registry keys, and sockets.
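Added example for the registry review above, not code from the deck or from any of the tools it lists: it parses two Regedit exports (a "before" and an "after" snapshot, as Regshot would compare them), diffs them, and flags values whose name or string data looks like a credential or connection string. The key path, value names and data in the two snapshots are constructed for the example; the name patterns in `SENSITIVE` are an assumed starting list, not anything the slides specify.

```python
# Added example (not from the slides): parse two Regedit .reg exports taken
# before and after an application action, diff them the way Regshot would,
# and flag values whose names or data look like credentials or connection
# strings. The exports below are constructed for the example.
import re

_KEY_LINE = re.compile(r'^\[(-?)(.+)\]$')
_VAL_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SENSITIVE = re.compile(r'pass|pwd|secret|token|conn|key', re.IGNORECASE)   # assumed list


def _decode(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data == '-':                       # "name"=- deletes the value
        return None
    if data.startswith('"'):              # REG_SZ
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith('dword:'):         # REG_DWORD, written in hex
        return int(data[6:], 16)
    if data.startswith('hex'):            # hex:, hex(2):, hex(7): comma-separated bytes
        raw = bytes.fromhex(data.split(':', 1)[1].replace(',', ''))
        if data.startswith(('hex(2)', 'hex(7)')):   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode('utf-16-le').rstrip('\x00')
        return raw
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}}; a deleted key ([-HKEY...]) maps to None."""
    tree, key = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(2)
            tree[key] = None if m.group(1) else {}
            continue
        m = _VAL_LINE.match(line)
        if m and key is not None and tree[key] is not None:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            data = m.group(2)
            while data.endswith('\\') and i < len(lines):   # hex data wraps with a trailing backslash
                data = data[:-1] + lines[i].strip()
                i += 1
            tree[key][name] = _decode(data)
    return tree


def diff_reg(before, after):
    """List (key, value_name, old, new) for every value that differs, like Regshot's compare."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key) or {}, after.get(key) or {}
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes


def flag_sensitive(tree):
    """Values whose name or string data matches the credential/connection-string patterns."""
    hits = []
    for key, values in tree.items():
        for name, data in (values or {}).items():
            if SENSITIVE.search(name) or (isinstance(data, str) and SENSITIVE.search(data)):
                hits.append((key, name, data))
    return hits


# Constructed snapshots: the second is what the client wrote after a successful login.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AcmeClient]
"Server"="db01.corp.example"
"Port"=dword:00000599
'''
AFTER = BEFORE + r'''"DbPassword"="Summer2012!"
"ConnStr"=hex(2):44,00,53,00,4e,00,3d,00,41,00,63,00,6d,00,65,00,00,00
"SessionKey"=hex:de,ad,be,ef,\
  ca,fe
'''

if __name__ == '__main__':
    for change in diff_reg(parse_reg(BEFORE), parse_reg(AFTER)):
        print('changed:', change)
    for hit in flag_sensitive(parse_reg(AFTER)):
        print('review :', hit)
```

Export the key with Regedit before and after the action under test (login, "remember me", save settings), feed both files to `diff_reg`, and review every hit from `flag_sensitive` by hand: a REG_EXPAND_SZ or binary blob is just as likely to hold a connection string or key as a plain REG_SZ, which is why the parser decodes those types instead of skipping them.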
30. Testing the Application: Network
   • Network rules
     Local and network firewall rules
   • Network content
     Sensitive data, files, passwords, and settings
   • Network manipulation
     Bypass authentication and authorization (SQL)
     Replacing content (parameters)
   Common Examples:
   ‒ Application settings
   ‒ Trusted paths and executables
   ‒ Trusted hosts
   ‒ Update servers
   ‒ Passwords
   ‒ Private keys
   • Reverse and fuzz proprietary protocols
31. Testing the Application: Network
   Tools:
   Cain: ARP-based man-in-the-middle attacks; parses passwords out of live traffic or a pcap file.
   Burp: Manipulate HTTP traffic.
   Metasploit: Create custom fuzzers for RPC protocols.
   Sulley: Create custom fuzzing templates.
   Echo Mirage: Generic TCP proxy.
   Ettercap: Man-in-the-middle attacks; modify traffic in transit with filters.
   Evilgrade, Intercepter-NG: Deliver Metasploit payloads instead of legitimate updates.
   NetworkMiner: Parse network traffic for files, systems, and shares.
   oSpy, API Monitor 2: Capture data such as SSL traffic in cleartext and connection strings at the point the DLL calls are made, before the data is encrypted.
   SoapUI: Interact directly with web services; often used together with Burp.
   WebInspect Service Attack Tool: Generic web service review.
   Wireshark, windump, tcpdump, RawCap: Dump all network traffic. RawCap is the bomb.
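Added example for the "replacing content (parameters)" item in the network review above; it is not code from the deck, from Echo Mirage or from any other tool listed. It is a minimal intercepting TCP proxy with a constructed client and a constructed application server running in the same process, so the whole exchange works offline. The line protocol (`LOGIN user=...;role=...` answered by `OK role=...`) is invented for the example; the flaw it models, a server that trusts an authorization parameter supplied by the thick client, is the kind of thing the proxy exists to find.

```python
# Added example (not from the slides): a minimal intercepting TCP proxy in
# the spirit of Echo Mirage, with a constructed client and server in the same
# process so the exchange runs offline. The "server" trusts a role parameter
# the client sends, so rewriting one field in transit elevates the session.
import socket
import threading

TIMEOUT = 5  # seconds; keeps a failed run from hanging


def _listener():
    s = socket.socket()
    s.settimeout(TIMEOUT)
    s.bind(('127.0.0.1', 0))        # port 0: let the OS pick a free port
    s.listen(1)
    return s


def _serve_once(listener):
    """Constructed app server: 'LOGIN user=<u>;role=<r>' -> 'OK role=<r>' (role trusted from the client)."""
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    with conn:
        request = conn.recv(4096).decode()
        params = dict(p.split('=', 1) for p in request.split()[1].split(';'))
        conn.sendall(f"OK role={params.get('role', 'none')}\n".encode())


def _proxy_once(listener, upstream_port, rewrite, log):
    """Accept one client, pass its request through rewrite(), relay the reply back, log both directions."""
    client, _ = listener.accept()
    client.settimeout(TIMEOUT)
    with client, socket.create_connection(('127.0.0.1', upstream_port), timeout=TIMEOUT) as up:
        original = client.recv(4096)
        modified = rewrite(original)
        log.append(('c->s', original, modified))
        up.sendall(modified)
        reply = up.recv(4096)
        log.append(('s->c', reply, reply))
        client.sendall(reply)


def run_demo(rewrite=lambda data: data):
    """Run client -> proxy -> server once; return (server reply, proxy log)."""
    srv, px = _listener(), _listener()
    log = []
    threads = [
        threading.Thread(target=_serve_once, args=(srv,)),
        threading.Thread(target=_proxy_once, args=(px, srv.getsockname()[1], rewrite, log)),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(('127.0.0.1', px.getsockname()[1]), timeout=TIMEOUT) as c:
        c.sendall(b'LOGIN user=alice;role=user\n')
        reply = c.recv(4096).decode().strip()
    for t in threads:
        t.join()
    srv.close()
    px.close()
    return reply, log


def elevate(data):
    """The rewrite rule a tester would type into the proxy: swap the role parameter."""
    return data.replace(b'role=user', b'role=admin')


if __name__ == '__main__':
    print(run_demo())           # reply 'OK role=user'
    print(run_demo(elevate))    # reply 'OK role=admin'
```

Against a real client, point the application at the proxy's listener (hosts file, config setting, or a trusted-host value found in the file or registry review) and have the proxy connect onward to the real server; the `log` list is what you attach to the finding, since it shows the exact bytes before and after the rewrite.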
32. Testing the Application: Memory
   • Process controls
     DEP, ASLR, permissions, and privileges
   • Memory content
     Sensitive data, passwords, and settings
   • Memory manipulation
     Bypass authentication and authorization
     Replacing content
   Common Examples:
   ‒ Application settings
   ‒ Trusted paths and executables
   ‒ Trusted hosts
   ‒ Update servers
   ‒ Passwords
   ‒ Private keys
33. Testing the Application: Memory
   Run-time modifications:
   • Direct editing
   • DLL injection
   • Shellcode injection
   • Process replacement
   • Modify the assembly in memory
   • Identification of dangerous functions
   • Check whether a debugger can be attached
   • Debugging via stepping and breakpoints to analyze and modify
34. Testing the Application: Memory
   Tools:
   Metasploit: Generate shellcode, EXE, and DLL payloads; can also migrate into a running process.
   Process Explorer: View image file settings, process, connections, threads, permissions, strings from the process, environment variables.
   Process Hacker 2: View image file settings, DEP/ASLR settings, connections, threads, permissions, environment variables; inject a DLL.
   RemoteDLL: Inject a DLL into a process.
   TSearch: Quickly find and replace strings in memory.
   Immunity Debugger, OllyDbg, WinDbg, and the IDA debuggers: Step through the application and modify assembly instructions on the fly.
   WinHex: Quickly find and replace strings in memory.
   Userdump: Dump memory from a process.
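Added example for the "memory content" review above, not code from the deck or from any tool it lists: a strings-style pass over a process memory dump (the kind of file Userdump writes) that extracts both ASCII and UTF-16LE runs and then matches credential patterns against them. The UTF-16LE pass matters for thick clients because .NET strings and most Win32 Unicode buffers are stored that way, so a plain ASCII `strings` run misses them. The dump bytes are constructed for the example and the regexes in `PATTERNS` are an assumed starting set.

```python
# Added example (not from the slides): a strings-style pass over a process
# memory dump, pulling both ASCII and UTF-16LE text (.NET System.String and
# Win32 Unicode buffers are UTF-16LE), then matching the credential patterns
# a tester greps for. The dump bytes below are constructed for the example.
import base64
import re

ASCII_RUN = re.compile(rb'[\x20-\x7e]{6,}')            # 6+ printable bytes
WIDE_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){6,}')     # 6+ printable UTF-16LE code units
PATTERNS = {                                           # assumed starting set
    'password-field': re.compile(r'(?i)(?:password|pwd)\s*=\s*[^;\s]+'),
    'connection-string': re.compile(r'(?i)(?:data source|server)\s*=\s*[^;]+;'),
    'basic-auth': re.compile(r'Basic ([A-Za-z0-9+/]{8,}={0,2})'),
}


def extract_strings(dump):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run, sorted by offset."""
    found = []
    for m in ASCII_RUN.finditer(dump):
        found.append((m.start(), 'ascii', m.group().decode('ascii')))
    for m in WIDE_RUN.finditer(dump):
        found.append((m.start(), 'utf16', m.group().decode('utf-16-le')))
    return sorted(found)


def find_secrets(dump):
    """Return (label, encoding, offset, value) for each pattern hit; Basic auth is decoded."""
    hits = []
    for offset, encoding, text in extract_strings(dump):
        for label, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(0)
                if label == 'basic-auth':
                    value = base64.b64decode(m.group(1)).decode('latin-1')
                hits.append((label, encoding, offset, value))
    return hits


# Constructed dump: a native connection-string buffer, a .NET string, noise, and an HTTP header.
DUMP = (
    b'\x00' * 16
    + b'Server=db01;Database=crm;User Id=app;Password=Winter2013!;'   # ASCII (native ADO buffer)
    + b'\x00' * 7
    + 'LoginPwd=Letmein1'.encode('utf-16-le')                          # UTF-16LE (.NET System.String)
    + b'\x00\x00' + b'\x8f\x13\x00\xff' * 5                              # unrelated bytes
    + b'Authorization: Basic YWxpY2U6U3VtbWVyMjAxMiE='                    # header left in a buffer
)

if __name__ == '__main__':
    for hit in find_secrets(DUMP):
        print(hit)
```

Dump the process right after a login or a database connection (that is when the plaintext is guaranteed to be resident), run `find_secrets` over the file, and record the offset with each hit: the same offset is where TSearch or WinHex will let you overwrite the value for the memory-manipulation tests on the slide above.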
35. Testing the Application: Configurations
   • Application user privileges
   • Service account privileges
   • Service configuration privileges
   • Service registration
   • Database account privileges
   • Remote share permissions
   • TS breakouts to the OS
   • Citrix breakouts to the OS
36. Testing the Application: Configurations
   Tools:
   windows-privesc-check: Check privileges on servers and associated program directories, and manually check for insecurely registered services.
   Citrix client: Connect to Citrix applications.
   ODBC Data Source Administrator (Administrative Tools): Look for existing ODBC connections and use tools like Excel to leverage them.
   services.msc, windows-privesc-check: Review application services for insecure registration and binary paths, and determine which account each service runs as.
   SQL clients: Connect directly to the database. Examples include osql, isql, sqlcmd, RazorSQL, TOAD, and Microsoft SQL Server Management Studio Express.
   Windows Explorer and common dialog boxes: Use Windows dialog boxes to obtain a cmd console or PowerShell. Target links, shortcuts, open-file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
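Added example for the service registration and binary path review above (and the "trusted paths and executables" item on the file slide); it is not code from the deck or from windows-privesc-check. Given the ImagePath strings read from the service registration, it enumerates the executables CreateProcess would try for an unquoted path containing spaces and crosses them with directories the test user can write to. The service names, paths and writable directories are constructed; on a real host the paths come from services.msc or the Services registry key and the writable directories from an ACL dump such as AccessEnum.

```python
# Added example (not from the slides): given the ImagePath strings pulled
# from the registry or services.msc, enumerate the executables CreateProcess
# would try for an unquoted path with spaces, and cross them with directories
# the test user can write to. The service entries and writable directories
# below are constructed; on a real host they come from the service
# registration review and an ACL dump (AccessEnum, windows-privesc-check).
import ntpath
import re


def hijack_candidates(image_path):
    """Paths Windows tries, in order, for an unquoted ImagePath; [] if properly quoted."""
    s = image_path.strip()
    if s.startswith('"'):
        return []
    m = re.search(r'\.exe(?=\s|$)', s, re.IGNORECASE)
    exe = s[:m.end()] if m else s          # drop the service arguments
    candidates = []
    for i, ch in enumerate(exe):
        if ch == ' ':
            prefix = exe[:i]
            if not ntpath.splitext(ntpath.basename(prefix))[1]:
                prefix += '.exe'            # CreateProcess appends .exe when there is no extension
            if prefix not in candidates:
                candidates.append(prefix)
    candidates.append(exe)
    return candidates


def _norm(path):
    return ntpath.normcase(path).rstrip('\\')


def assess(image_path, writable_dirs):
    """(finding, path) for each candidate whose directory the test user can write to."""
    writable = {_norm(d) for d in writable_dirs}
    candidates = hijack_candidates(image_path)
    findings = []
    for c in candidates:
        if _norm(ntpath.dirname(c)) in writable:
            kind = 'replace-binary' if c == candidates[-1] else 'search-order-hijack'
            findings.append((kind, c))
    return findings


SERVICES = {   # constructed: name -> ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<name>
    'AcmeAgent':  r'C:\Program Files\Acme Agent\agentsvc.exe -run',
    'AcmeUpdate': r'C:\Acme Tools\Update Service\updater.exe',
    'Quoted':     r'"C:\Program Files\Acme Agent\agentsvc.exe" -run',
}
WRITABLE = [r'C:\Acme Tools', r'C:\Program Files\Acme Agent']   # constructed ACL results


def report(services=SERVICES, writable=WRITABLE):
    """Map each service name to its findings; an empty list means nothing to report."""
    return {name: assess(path, writable) for name, path in services.items()}


if __name__ == '__main__':
    for name, findings in report().items():
        print(name, findings or 'ok')
```

Two distinct findings fall out of the same check: a `search-order-hijack` means a low-privileged user can drop a file such as `C:\Acme Tools\Update.exe` that the service control manager will start instead of the real binary, while `replace-binary` means the vendor shipped its own program directory writable, so the real executable can simply be overwritten. Both run as the service account, which is why the slide pairs this review with "service account privileges".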
37. Vulnerability Categories
   1. Application Logic
   2. Code Injection
   3. Excessive Privileges
   4. Unencrypted Storage of Sensitive Data
   5. Unencrypted Transmission of Sensitive Data
   6. Weak Encryption Implementations
   7. Weak Assembly Controls
   8. Weak GUI Controls
   9. Weak or Default Passwords
38. Reporting Stuff
   • Create a severity ranking system based on static criteria
   • Internally, the criteria should take compensating controls into consideration
   • Prioritize findings based on the ranking system
   • Include instructions or screenshots to help reproduce and fix issues
   • Don't forget recommendations
39. Wrap Up
   • General Summary
     ‒ Attack thick applications and related infrastructure from many vectors using many tools
     ‒ Managed code suffers from inherent weaknesses that can't be fixed and is easier to attack
   • General Advice
     ‒ Never store anything sensitive in an assembly
     ‒ If something sensitive "must" be stored in an assembly, use unmanaged languages like C and C++ (this only raises the bar: as slide 17 notes, native code can still be disassembled and hooked)
     ‒ Be very careful to implement sufficient controls when deploying thick applications via Terminal Services or Citrix