# Performing Thick Client Application Penetration Test
## Overview

Thick client (fat client) penetration testing assesses the security of desktop applications that run locally on user machines and communicate with backend servers. Unlike web applications, thick clients present a broader attack surface, including local file storage, binary analysis, memory manipulation, DLL injection, process interception, and client-server communication. Common targets include banking applications, ERP clients (SAP GUI), trading platforms, healthcare systems, and legacy enterprise software.
## When to Use

- When conducting security assessments that involve a thick client application penetration test
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites

- Application installer and valid credentials
- Windows/Linux test machine (isolated)
- Tools: dnSpy, Procmon, Process Hacker, Wireshark, Burp Suite, Echo Mirage, Fiddler, IDA Pro/Ghidra
- Administrative access to test machine

**Legal Notice**: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
## Phase 1 — Information Gathering

### Static Analysis

```powershell
# Identify application technology
# Check file properties, signatures, framework (.NET, Java, C++, Electron)
file application.exe   # `file` is the Unix utility (WSL/Git Bash); on plain Windows inspect Properties > Details instead
# .NET     -> dnSpy, JetBrains dotPeek
# Java     -> JD-GUI, JADX
# C/C++    -> Ghidra, IDA Pro
# Electron -> extract asar archive

# Check for .NET framework: list managed assemblies (native DLLs throw in GetAssemblyName and are skipped)
Get-ChildItem -Path "C:\Program Files\TargetApp" -Recurse -Filter "*.dll" |
  ForEach-Object { try { [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).FullName } catch { } }

# Strings analysis (Sysinternals strings.exe). findstr has no "|" alternation:
# search terms are separated by spaces, and any one of them matching prints the line.
strings application.exe | findstr /i "password secret api key token jdbc connection"

# Check for hardcoded credentials
strings application.exe | findstr /i "username user= pass= pwd= admin"

# Review configuration files (PowerShell does not expand %APPDATA%; use $env:APPDATA)
type "C:\Program Files\TargetApp\app.config"
type "C:\Program Files\TargetApp\settings.xml"
type "$env:APPDATA\TargetApp\config.json"

# Check for certificate pinning
strings application.exe | findstr /i "cert pin ssl tls"
```
### .NET Decompilation with dnSpy

Open the application in dnSpy:

- Launch dnSpy
- File > Open > select application.exe and its DLLs
- Search for:
  - "password", "secret", "connectionString"
  - Authentication methods
  - Encryption/decryption functions
  - API endpoints and keys
  - License validation logic

Look for:

- Hardcoded credentials in source
- Insecure encryption (DES, MD5, base64 "encryption")
- SQL queries (potential injection)
- Disabled certificate validation
- Debug/verbose logging with sensitive data
## Phase 2 — Dynamic Analysis

### Process Monitoring

```powershell
# Monitor file system activity with Procmon
# Filters:
#   Process Name = application.exe
#   Operation    = CreateFile, WriteFile, ReadFile, RegSetValue
# Key observations:
#   - Where does the app store data? (AppData, temp, registry)
#   - Does it write credentials to disk?
#   - Does it create temporary files with sensitive data?
#   - What registry keys does it access?

# Monitor with Process Hacker
# Check: loaded DLLs, network connections, handles, tokens

# Monitor network traffic
# Wireshark filter: ip.addr == <server_ip>
# Check for: unencrypted credentials, API keys, tokens
```
### Traffic Interception

```bash
# Intercept HTTP/HTTPS traffic with Burp Suite
# Configure system proxy: 127.0.0.1:8080
# Install Burp CA certificate in Windows certificate store

# For non-HTTP protocols, use Echo Mirage
# Inject into process and intercept TCP/UDP traffic

# For HTTPS with certificate pinning:
# Method 1: Patch certificate validation in dnSpy
# Method 2: Use Frida to hook SSL validation
frida -l bypass_ssl_pinning.js -f application.exe

# Fiddler for .NET applications
# Enable HTTPS decryption
# Monitor API calls, request/response bodies
```
## Phase 3 — Vulnerability Testing

### Authentication Bypass

Test local authentication bypass:

- Open dnSpy, find the authentication method
- Set a breakpoint on credential validation
- Modify the return value to bypass (Debug > Set Next Statement)
- Or: patch the binary to always return true

Test for credential storage. Check: registry, config files, SQLite databases, Windows Credential Manager.

```cmd
reg query "HKCU\Software\TargetApp" /s
type "%APPDATA%\TargetApp\user.db"
rem SQLite:
sqlite3 user.db ".dump"
```
### DLL Hijacking

```powershell
# Identify DLL search order vulnerability
# Use Procmon to find DLLs loaded from writable paths
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Create malicious DLL
msfvenom -p windows/exec CMD=calc.exe -f dll -o hijacked.dll
# Place in application directory or writable PATH directory

# DLL sideloading
# If app loads DLL without full path:
#   1. Create DLL with same exports
#   2. Place in app directory
#   3. DLL loads before legitimate version
```
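The Procmon filter above is applied by hand in the GUI. As an added example (not part of the original skill), the Python below reads a Procmon CSV export and lists, for each DLL, the locations the process probed without finding a file, in search order, and flags those under directories a standard user can normally write to. The CSV sample, the process name and the writable-prefix list are constructed assumptions; the column names assume Procmon's default export columns.

```python
import csv
import io
from collections import defaultdict

# Constructed Procmon CSV export (assumption: the default export column set and
# order shown in the header row). Paths and process names are made up.
SAMPLE_PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,application.exe,4120,CreateFile,C:\Program Files\TargetApp\version.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.2,application.exe,4120,CreateFile,C:\Windows\System32\version.dll,SUCCESS,Desired Access: Read Data/List Directory
10:01:02.3,application.exe,4120,CreateFile,C:\Users\tester\AppData\Local\Temp\helper.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.4,application.exe,4120,CreateFile,C:\Users\tester\Desktop\helper.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.5,application.exe,4120,CreateFile,C:\Program Files\TargetApp\settings.xml,NAME NOT FOUND,Desired Access: Generic Read
10:01:03.0,svchost.exe,900,CreateFile,C:\Windows\System32\missing.dll,NAME NOT FOUND,Desired Access: Read Attributes
"""

# Directory prefixes a standard user can normally write to (constructed heuristic;
# the authoritative answer is the directory ACL, see the note below the code).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
SYSTEM_PREFIXES = ("c:\\windows\\",)


def parse_procmon_csv(csv_text: str) -> list:
    """Rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def missing_dll_probes(rows: list, process_name: str) -> dict:
    """Map each DLL name to the ordered list of paths where the process looked and
    found nothing. Order matters: the first entry wins the search order, so a file
    planted there would be loaded instead of the legitimate DLL found later."""
    probes = defaultdict(list)
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        if row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if path not in probes[name]:
            probes[name].append(path)
    return dict(probes)


def classify_probes(probes: dict) -> list:
    """Turn probe paths into findings. System directories are skipped because a
    standard user cannot plant files there; everything else is reported."""
    findings = []
    for name, paths in probes.items():
        for rank, path in enumerate(paths):
            lowered = path.lower()
            if lowered.startswith(SYSTEM_PREFIXES):
                continue
            risk = "user-writable location" if lowered.startswith(USER_WRITABLE_PREFIXES) else "check directory ACL"
            findings.append({"dll": name, "path": path, "search_rank": rank, "risk": risk})
    return findings


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for finding in classify_probes(missing_dll_probes(rows, "application.exe")):
        print(finding)
```

A "check directory ACL" entry (here the application's own install directory) is only a finding if `icacls` on that directory shows write access for standard users; a "user-writable location" entry under a temp or profile path is a finding as it stands. Either way the remediation from the findings table applies: load DLLs by full path (or restrict the search path with `SetDefaultDllDirectories`) and validate DLL signatures.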
### Memory Analysis

```powershell
# Dump process memory
# Use Process Hacker > Process > Properties > Memory
# Search for plaintext credentials, tokens, session IDs

# Strings from memory dump (findstr: space-separated terms, no "|" alternation)
strings process_dump.dmp | findstr /i "password token session bearer"

# Modify memory values (license bypass, privilege escalation)
# Use Cheat Engine or x64dbg to:
#   1. Find memory address of authorization variable
#   2. Modify value (e.g., isAdmin = 0 -> isAdmin = 1)
```
### Input Validation

```text
SQL Injection in local database
  Test input fields with: ' OR 1=1--
  If app uses local SQLite/SQL Server Express

Command injection
  Test fields that interact with OS:
    File paths:   ..\..\..\..\windows\system32\cmd.exe
    Print/export: | calc.exe

Buffer overflow
  Send oversized input to text fields
  Monitor with x64dbg for crashes
  Check for SEH-based or stack-based overflows
```
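Why the `' OR 1=1--` probe works against a local SQLite store, and what the fixed query looks like, as an added example that is not part of the original skill. The in-memory database, its two rows and the function names are constructed; the vulnerable function builds SQL text from the input, the hardened one binds the input as a parameter.

```python
import sqlite3


def build_local_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's local user database (in memory, two rows).
    Cleartext passwords are used only to keep the query itself the focus here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-pass"), ("bob", "bob-pass")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Concatenates user input into the SQL text, so the input can change the
    query's structure. With username "' OR 1=1--" the WHERE clause becomes
    username = '' OR 1=1 and the password check is commented out."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed query text; inputs are bound as values and can never become SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Runs the probe from the section above against both versions."""
    conn = build_local_db()
    payload = "' OR 1=1--"
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),
        "parameterized": login_parameterized(conn, payload, "wrong"),
        "legitimate": login_parameterized(conn, "alice", "alice-pass"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable login returns every user for the probe (both rows), the parameterized one returns nothing for it and still authenticates a real user. When reviewing decompiled code in dnSpy, string concatenation or `string.Format` feeding a command text is the pattern to flag; `SqlParameter`/`SQLiteParameter` binding is the fix.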
## Phase 4 — API Security Testing

```bash
# Capture API calls from thick client
# In Burp Suite, analyze:

# IDOR (Insecure Direct Object Reference)
# Change user IDs in requests to access other users' data
#   GET /api/users/1001 -> GET /api/users/1002

# Authorization bypass
# Remove or modify JWT tokens
# Test role escalation: change role claim from "user" to "admin"

# Mass assignment
# Add additional parameters to API requests
#   POST /api/profile {"name": "test", "isAdmin": true}

# Rate limiting
# Test for brute-force protection on login API
# Test for account lockout bypass
```
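What the backend must do for the IDOR, role-claim and mass-assignment probes above to fail, as an added example that is not part of the original skill. It models the two endpoints from the section (`GET /api/users/<id>` and `POST /api/profile`) as plain Python functions returning an HTTP status and body; the HS256 signing key, the user records and the allow-listed field names are constructed assumptions, and the JWT handling is written out with the standard library rather than a JWT package.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service keeps this in a secret store, never in the client.
SIGNING_KEY = b"constructed-demo-hmac-key"

# Constructed user records standing in for the backend database.
USERS = {
    1001: {"id": 1001, "name": "alice", "email": "alice@example.test", "role": "user"},
    1002: {"id": 1002, "name": "bob", "email": "bob@example.test", "role": "user"},
}

# Allow-list for POST /api/profile: anything else in the body is dropped.
PROFILE_WRITABLE_FIELDS = {"name", "email"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def issue_token(claims: dict) -> str:
    """Server-side issuance of an HS256 JWT; the role comes from the server's records."""
    header_b64 = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _encode_json(claims)
    sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"


def verify_token(token: str):
    """Return the claims only if the signature verifies under the pinned algorithm, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # rejects "none" and any algorithm the client chooses
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims


def get_user(token: str, requested_id: int):
    """GET /api/users/<id>: object-level authorization against the token's subject."""
    claims = verify_token(token)
    if claims is None:
        return 401, {"error": "invalid token"}
    if claims["sub"] != requested_id and claims.get("role") != "admin":
        return 403, {"error": "forbidden"}  # 1001 asking for 1002 stops here
    return 200, USERS[requested_id]


def update_profile(token: str, body: dict):
    """POST /api/profile: copies only allow-listed fields; isAdmin/role in the body are ignored."""
    claims = verify_token(token)
    if claims is None:
        return 401, {"error": "invalid token"}
    record = USERS[claims["sub"]]
    for key, value in body.items():
        if key in PROFILE_WRITABLE_FIELDS:
            record[key] = value
    return 200, record


def run_checks() -> dict:
    """Replays the three probes from the section above against the hardened handlers."""
    token = issue_token({"sub": 1001, "role": "user"})
    header_b64, _, sig_b64 = token.split(".")
    # Role claim rewritten on the client, original signature kept: the signature no longer matches.
    escalated_payload = _encode_json({"sub": 1001, "role": "admin"})
    escalated = f"{header_b64}.{escalated_payload}.{sig_b64}"
    return {
        "own_record": get_user(token, 1001)[0],
        "idor": get_user(token, 1002)[0],
        "tampered_role": get_user(escalated, 1002)[0],
        "mass_assignment": update_profile(token, {"name": "test", "isAdmin": True, "role": "admin"})[1],
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The three checks map one-to-one onto the probes: the subject-versus-resource comparison in `get_user` is what an IDOR test exercises, signature verification with a pinned algorithm is what the role-claim edit exercises, and the field allow-list in `update_profile` is what the `isAdmin` parameter exercises. A thick client that passes any of these decisions to the client side (for example by trusting a role stored in local config) fails the corresponding test regardless of how the API is built.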
## Findings Template

| Finding | Severity | CVSS | Remediation |
|---|---|---|---|
| Hardcoded database credentials in binary | Critical | 9.1 | Use secure credential storage (DPAPI, vault) |
| DLL hijacking via writable app directory | High | 7.8 | Use full DLL paths, validate DLL signatures |
| Plaintext credentials in memory | High | 7.5 | Zero memory after use, use SecureString |
| No certificate pinning | Medium | 6.5 | Implement certificate pinning |
| Local SQLite DB with cleartext passwords | Critical | 9.0 | Use bcrypt/Argon2 hashing |
| Disabled SSL validation in code | High | 8.1 | Enable proper certificate validation |
## References

- dnSpy: https://github.com/dnSpy/dnSpy
- Procmon: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
- OWASP Thick Client Testing Guide: https://owasp.org/www-project-thick-client-top-10/
- Ghidra: https://ghidra-sre.org/
- Echo Mirage: https://sourceforge.net/projects/echomirage/