> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/thick-client-pentest-methodology.md).

# Thick Client Pentest Methodology

{% stepper %}
{% step %}

### Pre-Engagement & Scoping

#### Initial Planning

* [ ] Define assessment objectives and success criteria
* [ ] Establish rules of engagement (RoE)
* [ ] Determine testing timeframe and constraints
* [ ] Identify emergency contacts and escalation procedures
* [ ] Document any out-of-scope systems or testing methods

#### Technical Scoping

* [ ] Platform identification

```plaintext
Operating System:
□ Windows (Version/Build)
□ Linux (Distribution)
□ macOS (Version)

Architecture:
□ x86 (32-bit)
□ x64 (64-bit)
□ ARM

Development Platform:
□ .NET Framework/Core
□ Java
□ Electron
□ Native (C++/Delphi)
```

#### Business Logic Analysis

* [ ] Document intended application functionality
* [ ] Map critical business workflows
* [ ] Identify high-value assets and data
* [ ] Understand authorization levels and user roles

#### Architecture Review

```plaintext
Data Flow Components:
□ Client-side processing
□ Server communication
□ Local storage
□ External integrations
□ Database interactions
```

{% endstep %}

{% step %}

### Information Gathering

#### Installation Analysis

```powershell
# Common installation paths
Get-ChildItem "C:\Program Files" -Recurse
Get-ChildItem "C:\Program Files (x86)" -Recurse
Get-ChildItem "$env:LOCALAPPDATA" -Recurse
Get-ChildItem "$env:APPDATA" -Recurse
```

#### File System Enumeration

* [ ] Document application directory structure

```bash
tree /F > directory_structure.txt    # Windows
tree -a > directory_structure.txt    # Linux
```

* [ ] Identify config files

```plaintext
□ .config, .ini, .xml, .json
□ Connection strings
□ API endpoints
□ Feature flags
```

* [ ] Locate log files and analyze content

```powershell
Get-Content *.log | Select-String "password", "key", "secret", "token"
```

#### Dependencies Analysis

```bash
# Windows
Dependencies.exe <executable>
PEStudio.exe <executable>

# Linux
ldd <executable>
objdump -p <executable>
```

#### Registry Analysis

```powershell
# Export relevant registry keys
reg export HKLM\Software\<AppName> app_hklm.reg
reg export HKCU\Software\<AppName> app_hkcu.reg

# Monitor registry access
Process Monitor -> Filter -> Registry Activity
```

{% endstep %}

{% step %}

### Static Analysis

#### Binary Analysis

```bash
# Initial analysis
strings -n 8 <binary>
pestudio <binary>
die <binary>

# Identify protection/packing
detect it easy (die) <binary>
PEiD <binary>
```

#### Decompilation

* [ ] .NET Applications

```bash
# Use dnSpy or dotPeek
dnSpy.exe <assembly>

# Check for obfuscation
de4dot.exe <assembly>
```

* [ ] Java Applications

```bash
# Decompile JAR/class files
jd-gui <jar>
procyon <class>

# Extract resources
jar xf <jar>
```

* [ ] Native Applications

```bash
# Load in Ghidra/IDA
# Analyze key functions:
□ Authentication
□ Cryptographic operations
□ File I/O
□ Network communication
```

#### Code Review Focus Areas

```plaintext
□ Hardcoded credentials
□ API keys and tokens
□ Connection strings
□ Cryptographic material
□ Debug/test code
□ Error handling
□ File operations
□ Command execution
```

{% endstep %}

{% step %}

### Dynamic Analysis

#### Runtime Monitoring

```powershell
# Process monitoring
Start-Process procmon.exe
Start-Process "Process Hacker.exe"

# Network monitoring
Start-Process wireshark.exe
```

#### Debugging Setup

```bash
# .NET debugging
dnSpy -> Debug -> Start Debugging

# Native debugging
x64dbg <executable>
WinDbg <executable>
```

#### Frida Instrumentation

```javascript
// Hook function calls
frida-trace -i "function*" <process>

// Modify return values
Interceptor.attach(targetAddr, {
    onLeave: function(retval) {
        retval.replace(0x1);
    }
});
```

#### Behavioral Analysis

* [ ] Monitor file operations
* [ ] Track registry changes
* [ ] Log network connections
* [ ] Document API calls
* [ ] Analyze memory usage
  {% endstep %}

{% step %}

### Network Communication Testing

#### Traffic Interception Setup

```bash
# Burp Suite setup
java -jar burpsuite.jar
# Configure proxy: 127.0.0.1:8080

# Fiddler setup
fiddler.exe
# Enable HTTPS decryption
```

#### SSL/TLS Analysis

```bash
# Check certificate pinning
openssl s_client -connect host:port

# Bypass certificate validation
# .NET: 
System.Net.ServicePointManager.ServerCertificateValidationCallback = {$true}

# Java:
-Djavax.net.ssl.trustAll=true
```

#### Traffic Analysis

* [ ] Document API endpoints
* [ ] Map request/response patterns
* [ ] Test parameter manipulation
* [ ] Check for sensitive data in traffic
* [ ] Verify encryption usage
  {% endstep %}

{% step %}

### Authentication & Authorization Testing

#### Authentication Analysis

```plaintext
Test Vectors:
□ Null credentials
□ Default credentials
□ SQL injection
□ Authentication bypass
□ Remember me functionality
□ Password reset mechanism
```

#### Session Management

* [ ] Locate token storage

```powershell
# Check common locations
Get-ChildItem -Path $env:APPDATA -Recurse
Get-Item -Path "HKCU:\Software\*" | Get-ItemProperty
```

* [ ] Analyze token format and structure
* [ ] Test token manipulation
* [ ] Check session timeout
* [ ] Verify session invalidation

#### Credential Storage

```bash
# Memory analysis
procdump.exe -ma <PID>
strings64.exe memory.dmp | findstr /i "password"

# File analysis
findstr /s /i "password" *.*
```

{% endstep %}

{% step %}

### Local Storage Analysis

#### File System

```powershell
# Search for sensitive files
Get-ChildItem -Recurse -Include *.config,*.ini,*.xml,*.json
Select-String -Path * -Pattern "password","key","secret"
```

#### Registry Analysis

```powershell
# Export and analyze registry
reg export HKLM\Software\* hklm.reg
reg export HKCU\Software\* hkcu.reg
```

#### Temporary Files

```bash
# Windows temp locations
%TEMP%
%APPDATA%
%LOCALAPPDATA%

# Linux temp locations
/tmp
/var/tmp
~/.cache
```

{% endstep %}

{% step %}

### Reverse Engineering & Code Injection

#### Binary Analysis

```bash
# Identify interesting functions
□ Authentication routines
□ Cryptographic operations
□ Network communication
□ File operations
```

#### Code Injection

```cpp
// DLL injection template
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Injection code here
        break;
    }
    return TRUE;
}
```

#### Function Hooking

```javascript
// Frida hook template
Interceptor.attach(ptr('ADDRESS'), {
    onEnter: function(args) {
        // Pre-function code
    },
    onLeave: function(retval) {
        // Post-function code
    }
});
```

{% endstep %}

{% step %}

### Privilege Escalation & Post-Exploitation

#### Local Privilege Escalation

```powershell
# Check file permissions
icacls "C:\Program Files\*"
icacls "C:\Program Files (x86)\*"

# Check service permissions
sc qc <service_name>
accesschk.exe -ucqv <service_name>
```

#### Service Exploitation

```bash
# Monitor service creation
procmon.exe -> Filter -> Operation is CreateFile

# Check for DLL hijacking
Process Monitor -> Filter -> Result contains "NAME NOT FOUND"
```

#### Memory Extraction

```powershell
# Dump process memory
procdump.exe -ma <PID>

# Extract credentials
mimikatz.exe
sekurlsa::logonpasswords
```

{% endstep %}

{% step %}

### Reporting

#### Vulnerability Documentation

```plaintext
For each finding:
□ Description
□ Reproduction steps
□ Impact
□ Risk rating
□ Remediation advice
```

#### Evidence Collection

* [ ] Screenshots
* [ ] Network captures
* [ ] Code snippets
* [ ] Proof of concept scripts
* [ ] Log files

#### Report Structure

```plaintext
1. Executive Summary
   □ Overview
   □ Risk summary
   □ Key findings

2. Technical Details
   □ Methodology
   □ Findings
   □ Reproduction steps
   □ Impact analysis

3. Remediation
   □ Short-term fixes
   □ Long-term recommendations
   □ Strategic advice
```

{% endstep %}

{% step %}

### Optional Add-Ons

#### Hybrid Application Testing

* [ ] Web component analysis
* [ ] Desktop-Web interaction testing
* [ ] Cross-origin resource sharing
* [ ] Local HTTP server testing

#### API Security Testing

```plaintext
□ API documentation review
□ Authentication mechanisms
□ Rate limiting
□ Input validation
□ Error handling
□ Data exposure
```

#### Source Code Review

```plaintext
Focus Areas:
□ Authentication mechanisms
□ Cryptographic implementations
□ File operations
□ Network communication
□ Error handling
□ Input validation
□ Third-party components
```

#### Custom Tools Development

* [ ] Automation scripts
* [ ] Custom hooks
* [ ] Traffic manipulation tools
* [ ] Data extractors
* [ ] Report generators
  {% endstep %}
  {% endstepper %}
