> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/thick-client-pentest.md).

# Thick Client Pentest

credit to <https://csbygb.gitbook.io/pentips/thick-client-pentest/thick-client>

### Definition

A thick client, or a fat or rich client, is a software application or system architecture that relies on a substantial amount of processing power and resources on the client side, typically a user's computer or device. The following features characterize thick clients:

* Local Processing: Thick clients perform significant data processing and application logic on the user's device. They can function independently of a continuous internet connection, as they don't rely heavily on server-side processing.
* Rich User Interface: Thick clients often provide a rich and interactive user interface with features like responsive graphics, real-time updates, and advanced user experiences.
* High Resource Requirements: Because thick clients rely on local resources, they consume more memory, processing power, and storage space on the user's device than thin clients or web applications.
* Installation Required: Thick clients typically require installation on the user's device. Users need to download and install the software package before using the application.
* Updates May Require User Action: When updates or patches are released for thick client applications, users may need to download and install them manually. On the other hand, web applications can be updated centrally on the server side.

Examples of thick clients include:

* Desktop applications like Microsoft Office Suite, Adobe Creative Suite, and video games installed on a computer or gaming console.
* Some financial trading platforms that offer real-time data analysis and trading capabilities.
* Media editing software such as Adobe Photoshop or Adobe Premiere that require substantial processing power for tasks like photo or video editing.
* CAD (Computer-Aided Design) software used by engineers and designers for creating 3D models.

Thick clients can offer advantages such as improved performance, offline functionality, and a more responsive user interface. Still, they also come with challenges like the need for frequent updates, potential security vulnerabilities, and higher resource demands on the user's device. The choice between thick clients, thin clients, or web applications depends on the specific requirements and constraints of a given project or application.

> The following is a complement from HTB Academy

Thick client applications can be categorized into two-tier and three-tier architecture. In two-tier architecture, the application is installed locally on the computer and communicates directly with the database. In the three-tier architecture, applications are also installed locally on the computer, but in order to interact with the databases, they first communicate with an application server, usually using the HTTP/HTTPS protocol. In this case, the application server and the database might be located on the same network or over the internet. This is something that makes three-tier architecture more secure since attackers won't be able to communicate directly with the database.

![](/files/c141d817b5e65a97df77788c6e84400419af1fc6)Two Tier vs Three Tier

> Image from HTB Academy

Web-specific vulnerabilities like XSS, CSRF, and Clickjacking, do not apply to thick client applications. However, thick client applications are considered less secure than web applications with many attacks being applicable, including:

* Improper Error Handling.
* Hardcoded sensitive data.
* DLL Hijacking.
* Buffer Overflow.
* SQL Injection.
* Insecure Storage.
* Session Management.

***

### Methodology to pentest thick client

> Section made with HTB Academy and Mastering thick client application penetration testing by Srinivas course on Udemy

#### Information Gathering

In this step, penetration testers have to identify the application architecture, the programming languages and frameworks that have been used, and understand how the application and the infrastructure work. They should also need to identify technologies that are used on the client and server sides and find entry points and user inputs. Testers should also look for identifying common vulnerabilities.

Tips from Srinivas:

* Explore the functionalities of the Application
* Understand the architecture of the Application
* Check out the client's communications in the network
* See what files can be accesses by the client
* Look for juicy files

{% stepper %}
{% step %}

### Explore with CFF Explorer

Open CFF Explorer, open the application you want to analyze from the file menu. You will get a window with info about the executable.
{% endstep %}

{% step %}

### Explore with Procmon

Open Procmon; it will show all the processes. Set a filter: "Process Name is \<Name of the App you are analyzing (ex: myapp.exe)>". Add, Apply and OK. Launch the app and observe processes related to it.

Interesting things to check:

* Do any configuration now to see if any file is changed
* Connect now to see if your app is going to use configuration files or anything
* Explore what happens in the Registry Editor and see if any odd things are happening there

Tip: If Procmon has too many entries, clear them during analysis.
{% endstep %}

{% step %}

### Traffic Analysis

If the app is using HTTP you can intercept with Burp. If not using HTTP consider:

* Wireshark
* Echo Mirage
* MITM-Relay and Burp Suite (to modify requests)
  {% endstep %}

{% step %}

### Explore with TCPView

Open TCPView and check what happens when you launch the application. This gives information about the IP addresses the app interacts with.
{% endstep %}

{% step %}

### Explore with Wireshark

Launch Wireshark and capture traffic from loopback. Use filters informed by prior observations. Capture a short period: start capture, launch the app, connect, stop capture. Analyze by following UDP/TCP streams.
{% endstep %}

{% step %}

### Explore with EchoMirage

Open EchoMirage, launch the app, inject EchoMirage into the app. You can then see each request that is sent, step through requests, and modify requests to test behavior.
{% endstep %}

{% step %}

### Explore with MITM-relay and Burp Suite

Use MITM-Relay with Burp Suite for traffic analysis and modification. Recommended reading: "Thick Client Penetration Testing: Traffic Analysis via Burp Suite + MITM Relay" (see Resources).
{% endstep %}
{% endstepper %}

**Information Gathering - Tools**

* [CFF Explorer](https://ntcore.com/?page_id=388)
* [Detect It Easy](https://github.com/horsicq/Detect-It-Easy)
* [Process Monitor (Procmon)](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
* [Strings](https://learn.microsoft.com/en-us/sysinternals/downloads/strings)

***

#### Attack phase

**Theory**

Client Side Attacks

Although thick clients perform significant processing and data storage on the client side, they still communicate with servers for various tasks, such as data synchronization or accessing shared resources. This interaction with servers and other external systems can expose thick clients to vulnerabilities similar to those found in web applications, including command injection, weak access control, and SQL injection.

Sensitive information like usernames and passwords, tokens, or strings for communication with other services, might be stored in the application's local files. Hardcoded credentials and other sensitive information can also be found in the application's source code, thus Static Analysis is a necessary step while testing the application. Using the proper tools, we can reverse-engineer and examine .NET and Java applications including EXE, DLL, JAR, CLASS, WAR, and other file formats. Dynamic analysis should also be performed in this step, as thick client applications store sensitive information in the memory as well.

Client Side Attacks - Tools

* [Ghidra](https://www.ghidra-sre.org/)
* [IDA](https://hex-rays.com/ida-pro/)
* [OllyDbg](http://www.ollydbg.de/)
* [Radare2](https://www.radare.org/r/index.html)
* [dnSpy](https://github.com/dnSpy/dnSpy)
* [x64dbg](https://x64dbg.com/)
* [JADX](https://github.com/skylot/jadx)
* [Frida](https://frida.re/)

Network Side Attacks

If the application is communicating with a local or remote server, network traffic analysis will help capture sensitive information that might be transferred through HTTP/HTTPS or TCP/UDP connections, and give a better understanding of how the application works.

Network Side Attacks - Tools

* [Wireshark](https://www.wireshark.org/)
* [tcpdump](https://www.tcpdump.org/)
* [TCPView](https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview)
* [Burp Suite](https://portswigger.net/burp)

Server Side Attacks

Server-side attacks in thick client applications are similar to web application attacks; pay attention to common ones including most of the OWASP Top Ten.

***

### Methodology for specific attacks

Check for hardcoded credentials

To check for hardcoded credentials, use the strings command and dump the output to a file:

```
strings.exe C:\mythickclient-to-test.exe > C:\myfile-with-strings-output
```

Then open the file and search for strings such as: password, key, etc.

Check for secrets in registry

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

* Use regshot:
  * Take a shot without the application open
  * Open the application and interact with it
  * Take a second shot
  * Compare the HTML output and search for the app name to see if credentials are stored in the registry
* If creds are stored in the registry you could try changing the username there to see if you can log in as another user.

Find connection string in memory

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

* Use Process Hacker
* Open the app and let it connect to its DB server
* In ProcessHacker, find the app process → Properties → Memory → Strings. Select image/mapped options and adjust length as needed.
* This reveals strings in memory, which can include DB passwords.

If you want to restrict search, look for common DB connection strings such as "Data Source", or keywords like "Decrypt" or "Decrypted". Once found, try connecting to the database server.

Without Process Hacker

If Process Hacker isn't available, use Task Manager to create a dump file for the process. Then run strings on the dump:

```
.strings.exe .BetaBank.DMP | Out-File -FilePath .BetaBank.DMP.txt
```

(Note: replace BetaBank with your app name. The strings command may take a long time; you may interrupt once the output is sufficiently large.)

SQL Injection

As with web applications, try classic SQL injection payloads where inputs are used by the client to build queries.

Side Channel Data leaks

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

From the application's folder, run the app and redirect output to a log file:

```
ourapp.exe > ourapp-logs.txt
```

Use the app and navigate functionalities. To append instead of overwrite:

```
ourapp.exe >> ourapp-logs.txt
```

Analyze the logs for credentials, connection strings, or other sensitive info.

DLL Hijacking

DLL hijacking places a malicious DLL in a trusted application's directory so it loads alongside genuine DLLs when the app runs. This can provide reverse shells, persistence, or command execution.

DLL Load order (Windows):

* Directory from the app
* Current directory
* System Directory C:\Windows\System32
* The 16-bit System directory
* The Windows directory
* Directories in the PATH environment variable

To test for DLL hijacking with Procmon, apply filters:

* Process Name is ourapp.exe
* Path ends with dll
* Result is NAME NOT FOUND

Launch the app and inspect results. If a DLL is missing, create a malicious DLL with the same name (e.g., using msfvenom) and place it in the app directory. Relaunch the app and check for code execution.

Tools for DLL Hijacking

* [Procmon (sysinternals)](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
* [DLLSpy](https://github.com/cyberark/DLLSpy)

***

### Tips

#### General tips

> Thanks to my colleague Cristian for these pointers :)

* Try to find an app binary and decompile it
* Use tools like Procmon, Wireshark, Burp + MITM, and Echo Mirage
* Check what controls are implemented on the client side
* Inspect the traffic
* Can you bypass authentication?

#### How to avoid suppression of Temp files in Windows

> Tip found on HTB Academy

Right-click the folder where temp files are created (usually named Temp) and navigate to Properties → Security → Advanced → username → Disable inheritance → Convert inherited permissions into explicit permissions on this object → Edit → Show advanced permissions, then deselect the "Delete subfolders and files" and "Delete" checkboxes.

Finally click OK → Apply → OK → OK. This prevents the application from automatically deleting temp files when relaunched.

![](/files/bc9d3d4afe2f46fab7fd84aa03ef87fbaba909ed)uncheck boxes

#### If you cannot be admin on the server where the app is

> Thanks to my colleague Samuel for the following points

* Copy the app to a VM you control
* Make a tunnel between your machine and the server where the app is installed
* Test in static mode and try to reproduce findings on the server

Other things worth trying:

* Install your tools in a Windows VM and transfer them via the install folder to the target.

How to transfer files:

* SMB usually works — see: <https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers#smb>
* See additional methods: <https://csbygb.gitbook.io/pentips/post-exploitation/file-transfers>

#### Find binaries and access them or bypass access if protected

> Can happen in Citrix desktop for example

* In Task Manager, add details columns (right-click on "PID" and add columns), add the Command Line column, or view properties to find the binary path.
* If you can't access the disk in the file browser by typing "C:", try accessing via UNC: \127.0.0.1\c$ or \\.\c$.
* From PowerShell you can cd \127.0.0.1\c$ if needed.

More info: <https://community.spiceworks.com/topic/1970180-how-to-prevent-access-to-127-0-0-1-c-or-localhost-c>

#### Read binaries and other Strings operations

* In restricted environments (e.g., Citrix) open files with Notepad to search for hardcoded credentials.
* Use Strings.exe from Sysinternals: <http://live.sysinternals.com/strings.exe>
* Example: `strings.exe yourbinary.exe` and grep for sensitive keywords: `strings.exe yourbinary.exe | findstr key`

#### Network

If Wireshark or Echo Mirage cannot be used, compare network state when the app is launched versus not:

* Use Procmon, filter on process name and enable only network view
* Combine with Wireshark analysis

Does the app open ports?

```
netstat -ano | findstr LISTENING
```

See network enumeration commands: <https://csbygb.gitbook.io/pentips/windows/powershell-cmd#network-enumeration>

#### Check if an app is signed

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

Download sigcheck from Sysinternals: <https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck>

```
sigcheck.exe our-app.exe
```

This shows whether the executable is signed or unsigned.

#### Compiler protections

To check compilation protections, use Binscope:

Download: <https://www.microsoft.com/en-ca/download/details.aspx?id=44995>

```
binscope.exe /verbose /html /logfile output.html our-app.exe
```

The output will show a detailed report.

#### Automatic analysis of the code

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

Visual Code Grepper (VCG)

* Get Visual Code Grepper: <https://github.com/nccgroup/VCG>
* Use dotPeek to decompile the app and export the decompiled code into a folder
* Run Visual Code Grepper against the folder to scan and analyze findings

Note: Do not rely solely on automatic tools; manual review is important.

***

### Reverse .NET Applications

> Tip from Udemy course Mastering thick client application penetration testing by Srinivas

#### Using DotPeek and Visual Studio

In the course example, the instructor uses dotPeek to decompile the app and extract a decrypt function used to decrypt a password found in a config file. Then they write another app in Visual Studio that uses the decrypted function from the decompiled code. This demonstrates how decompiled code can be repurposed for analysis.

#### Runtime tracing with dnSpy

Load the app in dnSpy via File → Open. Browse functions/classes of interest. To analyze a function, find where it's called and add a breakpoint (right-click → Add breakpoint). Click Start, choose the target app, and debug the function.

In the Udemy course, the instructor debugs a login function to retrieve a password and a database connection string.

#### Patch .NET applications

With ILSpy and Reflexil

* Download ILSpy
* Download Reflexil and copy the Reflexil DLL into the ILSpy directory
* Open ILSpy → File → Open the app
* (Optionally) rename the app before patching to avoid overwriting the original
* Use IL → C# view to see commented C# code for readability
* View → Reflexil; modify code in the Reflexil window

(In the course, the instructor modifies code to elevate privileges in the app.)

With ildasm & ilasm

IL Disassembler location example: `C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ildasm.exe`

IL Assembler location example: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe`

Run:

```
ildasm.exe our-app.exe
```

Save the decompiled output (our-app.il), edit in a text editor, then reassemble:

```
ilasm.exe our-app.il
```

#### Tools to Reverse .NET Applications

* dnSpy
* dotPeek
* ILSpy & Reflexil
* IL Assembler (comes with .NET framework)
* IL Disassembler (comes with Visual Studio)

***

### Resources

#### Blog and courses

**Thick Client Pentest**

* [Desktop Applications / Thick Clients - by Lisandre](https://lisandre.com/pentest/desktop-applications)
* [Thick Client Pentest: Modern Approaches and Techniques: PART 1](https://infosecwriteups.com/thick-client-pentest-modern-approaches-and-techniques-part-1-7bb0f5f28e8e)
* [Introduction to Hacking Thick Clients: Part 1 – the GUI by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-1-the-gui/)
* [Introduction to Hacking Thick Clients: Part 2 – The Network by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-2-the-network/)
* [Introduction to Hacking Thick Clients: Part 3 – The File System and Registry by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-3/)
* [Introduction to Hacking Thick Clients: Part 4 – The Assemblies by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-4-the-assemblies/)
* [Introduction to Hacking Thick Clients: Part 5 – The API by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-5-the-api/)
* [Introduction to Hacking Thick Clients: Part 6 – The Memory by Austin Altmann](https://www.netspi.com/blog/technical/thick-application-penetration-testing/introduction-to-hacking-thick-clients-part-6-the-memory/)
* [Attacking Thick Client Application by @j33n1k4](https://youtu.be/GeTkV1cWwRM?si=yhUv0D0rzY9iSf_F)
* [Thick Client Pentest - Cobalt Core Academy](https://www.cobalt.io/blog/cobalt-core-academy-thick-client-pentesting)
* [Thick Client Pentesting: Architecture, Tools and Testing Approaches - Payatu](https://payatu.com/blog/thick-client-penetration-testing/)
* [Thick Client Penetration Testing Methodology - Darkrelay](https://www.darkrelay.com/post/thick-client-penetration-testing)
* [Thick Client Application Security Testing - Optiv](https://www.optiv.com/insights/source-zero/blog/thick-client-application-security-testing)
* [Thick Client Pentesting Methodology - CyberArk](https://www.cyberark.com/resources/threat-research-blog/thick-client-penetration-testing-methodology)
* [OWASP KOLKATA MEETUP #2 - Thick Client Penetration Testing by Souvik Roy](https://youtu.be/V4RdppcosOs?si=4YHWqEiUFdU5XGoK)
* [Thick Client Security Assessment — I by SAKSHAM CHAWLA](https://medium.com/@chawla.saksham08/thick-client-security-assessment-i-bb02ac37e63)
* [Thick Client Security Assessment — II by SAKSHAM CHAWLA](https://medium.com/@chawla.saksham08/thick-client-security-assessment-ii-863526bfa88b)
* [Security Testing of Thick Client Application - David Valles](https://medium.com/@david.valles/security-testing-of-thick-client-application-15612f326cac)
* [Thick Client Pentesting by hexachordanu](https://github.com/hexachordanu/Thick-Client-Pentesting/tree/master)
* [Articles about thick client pentest on Hacking Articles by Raj Chandel](https://www.hackingarticles.in/?s=thick+client)

**Resources - DLL Hijacking**

* [Windows privesc, DLL Hijacking - CSbyGB Pentips](https://csbygb.gitbook.io/pentips/windows/privesc#dll-hijacking)
* [Have you ever hijacked a DLL?! - Michelle Eggers](https://www.linkedin.com/posts/m-eggers_cybersecurity-pentesting-penetrationtesting-activity-7102691799814610945-D0rl?utm_source=share\&utm_medium=member_desktop)
* [All About DLL Hijacking - My Favorite Persistence Method - IppSec](https://youtu.be/3eROsG_WNpE?si=q2VoaY_1Sr-tNdA6)
* [Testing Applications for DLL Preloading Vulnerabilities by Karl Fosaaen](https://www.netspi.com/blog/technical/network-penetration-testing/testing-applications-for-dll-preloading-vulnerabilities/)
* [Dll Hijacking - Hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking)

**Resources - Linux Shared Library Hijacking**

* [Linux Shared Library Hijacking by Xavi](https://xavibel.com/2022/09/06/linux-shared-library-hijacking/)

**Other related topics**

* [Echo Mirage - Walkthrough on Infosec Institute by Chiragh Dewan](https://resources.infosecinstitute.com/topics/network-security-101/echo-mirage-walkthrough/)

#### Checklists and Mindmaps

* [Thick Client Pentest - Checklist by Hari Prasaanth](https://github.com/Hari-prasaanth/Thick-Client-Pentest-Checklist)
* [Thick Client Pentesting mindmap by Security Boat](https://workbook.securityboat.in/mindmaps/thick-client-pentest-mindmap)

#### Labs to practice

* [Fatty box on HTB](https://app.hackthebox.com/machines/227)
* [BetaFast by NetSPI- vulnerable thick client to practice on](https://github.com/NetSPI/BetaFast)
* [DVTA 2.0](https://github.com/srini0x00/dvta)
  * [Setting up DVTA - Part 1 by Source Meets Sink](https://youtu.be/rx8mtI1HU5c?si=GW_lo3J2RsUvSjVw)
  * [Setting up DVTA - Part 2 by Source Meets Sink](https://youtu.be/IBdk2uOessc?si=SHCYnI4CYzRwIuvT)
* [Terrible-Thick-CLient by Kartikdurg](https://github.com/kartikdurg/Terrible-Thick-Client)
* [Another Vulnerable Thickclient by diljith369](https://github.com/diljith369/AVT)
* [It is a Broken App (IBA)](https://github.com/diljith369/IBA)

#### Writeups

* [Thick Client Application Pen-Testing Lab | DVTA (Damn Vulnerable Thick Client Application) | Part-1 by Chaitanya Eshwar Prasad](https://youtu.be/6zFhuoPj8JE?si=LawN29MakqGg4Nv2)
* [Thick Client Application Pen-Testing Lab | DVTA (Damn Vulnerable Thick Client Application) | Part-2 by Chaitanya Eshwar Prasad](https://youtu.be/Cb-K8gB8pLo?si=TpOmE5rgYPScBQ_t)
* [Thick Client Application Pen-Testing Lab | DVTA (Damn Vulnerable Thick Client Application) | Part-3 by Chaitanya Eshwar Prasad](https://youtu.be/SbqJU1PcsE8?si=KDODm86bO0RZ8vre)
* [🎯 Thick Client Penetration Testing: Hands-on Practice with AVT (Another Vulnerable Thick Client) 🚀💻 by aalphaas](https://youtu.be/LCrPmtY83IA?si=eudMtRQiCxOnVRF5)
* [🎯 Thick Client Penetration Testing: Hands-on Practice Part 2 with IBA (It is a Broken App) by aalphaas](https://youtu.be/cCChPFkq4cY?si=XGUH5EccjOoUJtYg)

#### Tools

* [Dependency walker](https://www.dependencywalker.com/)
* [Procmon (sysinternals)](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
* [DLLSpy](https://github.com/cyberark/DLLSpy)
* [Wireshark](https://www.wireshark.org/)
* [tcpdump](https://www.tcpdump.org/)
* [TCPView](https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview)
* [Burp Suite](https://portswigger.net/burp)
* [Ghidra](https://www.ghidra-sre.org/)
* [IDA](https://hex-rays.com/ida-pro/)
* [OllyDbg](http://www.ollydbg.de/)
* [Radare2](https://www.radare.org/r/index.html)
* [dnSpy](https://github.com/dnSpy/dnSpy)
* [x64dbg](https://x64dbg.com/)
* [JADX](https://github.com/skylot/jadx)
* [Frida](https://frida.re/)
* [The sysinternals suite](https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
* [NetCore ExplorerSuite](https://ntcore.com/?page_id=388)
