Data Storage Issues with DAMN Vulnerable Thick Client App
Practical Thick Client Application Penetration Testing using Damn Vulnerable Thick Client App: Insecure Data Storage
Background:
Welcome to part-3 of thick client application penetration testing series. In the first part of this series, we have set up the lab and discussed the information gathering techniques. In the second part of this series, we have discussed traffic analysis for thick client applications. In this third part of this series, let's discuss the data storage issues in thick client applications.
What should you learn next?
Insecure Data Storage (specifically at client side) has got more attention after the evolution of mobile applications. However, this is not new. Thick client (desktop) applications are also prone to these vulnerabilities. In this article, let us discuss various data storage issues in DVTA application.
Sensitive data in registry:
"Sensitive data in registry" is one of the most common vulnerabilities seen in Windows desktop applications. Developers often use the registry as a storage location for their client-side data storage needs.
Let's analyze DVTA and see if it is storing any sensitive data in the registry.
regshot is a popular tool for analyzing registry modifications. This tool comes handy in understanding registry changes in Windows machine before and after a specific instance. It is hard for us to check the new registry entries added/modified without the help of such tool.
regshot can be downloaded from the link below.
https://sourceforge.net/projects/regshot/
After downloading, launch regshot, and take the 1st shot by clicking the 1st shot button. Make sure that you did not start DVTA yet. Also take note that HTML Document is selected in regshot as shown in the figure below.
After taking the 1st shot, launch DVTA application and login as Rebecca using the following credentials that we setup in part-1.
User credentials: - rebecca: rebecca
If the login was successful, we should see the user logged in. This looks as shown in the figure below.
Now, to see if any changes are made to the registry after running DVTA, let's take another copy of registry by clicking the 2nd shot button shown in the following figure.
After taking this 2nd shot, we can compare these two shots by clicking Compare button shown in the figure below.
Let's click Compare in the above figure and observe the HTML output, which will be loaded automatically. This looks as shown in the figure below.
Interestingly, there is a new registry key added, and there are some new values added to this newly added registry key.
These are the currently logged in user details. We can see the username, password, email ID and another interesting key called isLoggedIn. isLoggedIn may be used as authorization check by the application. We will explore the attacks associated with this in a later article.
We can also view these in the registry by navigating to Start Button | run and then typing regedit to open registry. After opening, registry navigates to HKEY_CURRENT_USER | dvta as shown in the figure below.
Note: As shown in part 1 of this series, we can also use Process Monitor from Sys Internals suite to identify the registry entries being accessed by the application.
Obtaining Database credentials:
It is common in applications with two-tier architecture to leave the database credentials in the memory while connecting to the database. This is a design fault, as every two-tier application by default will place the connection string in memory at some point in time. Usually, we see two common cases with two-tier apps to gain access to database credentials.
Case 1:
- Clear text Connection string is hard coded
- Connection String is seen in memory
Case 2:
- The encrypted Connection string is hard coded, so encrypted credentials are found.
- The connection string is seen in memory while the application is decrypting it.
In case 1, we have two easy ways to obtain the connection string. First is to obtain it from the memory and the second is to get it from the hard coded strings.
In case 2, one-way is to obtain the connection string from memory. Another way is to decrypt the connection string.
DVTA application falls under case 2. We will discuss the hard coding part and decryption technique in a later article, but let's see how to get access to the database credentials from memory in this section.
Obtaining connection string from memory:
Let us explore the ways to obtain connection string from memory. We are using a tool known as Process Hacker, which can be downloaded from the following link.
https://sourceforge.net/projects/processhacker/
Download and install Process Hacker in the machine, where DVTA is running. Launch Process Hacker and you should see DVTA.exe process running as shown in the following figure.
We now need to analyze DVTA.exe in memory for the connection string. So, choose DVTA.exe and give a right click on it, then click on Properties as shown in the following figure.
We should be able to see the following window after the above step. Now, Choose Memory and click on Strings to obtain the strings associated with this application in memory. This looks like what we see in the figure below.
After clicking Strings button in the above window, we can choose to have the minimum length of the strings to be displayed next.
Let us leave it to a default value and click OK. Now, we should see all the strings dumped from memory. Since we have a huge number of strings, we can use the Filter button shown in the figure below, to look for what we need.
From part-1 of this series, we have setup database server's IP address as 192.168.56.110. As DVTA has to communicate with this IP, let us check for this IP using the filter available. This looks as shown in the figure below. Next, click OK.
Now, we should see the strings containing the pattern we are searching for. Notice the output highlighted in the figure below. We have got the Connection String used in the application.
Following are the database credentials dumped.
Database name: DVTA
username: sa
password: p@ssw0rd
As you can see, the application is connecting to the database as "sa," which is a privileged account. This is another important security issue that we should note. It is always recommended to provide a least privileged account to minimize the attack surface.
Connecting to the database:
Now, we can use any SQL client such as Heidi SQL to connect to the database using the credentials obtained.
The following window shows the values to be used with Heidi SQL client.
We will see the following after connecting to the database. As we can see in the figure below, there are two tables associated with DVTA.
Clicking on dbo.users will show us the entries in it. This looks as shown in the figure below.
As you can notice, the user credentials in the database are stored in clear text.
Hard coded credentials:
Another commonly seen issue in thick client applications is hard coded credentials. In the previous article, we have seen that DVTA uses clear text FTP communications for uploading some data to its server. The same credentials can be obtained by looking at the hard coded strings in this application.
The following figure from DVTA's Github page shows the code used to upload FTP data. We can notice those credentials highlighted.
If your question is about what if we do not have source code; we can reverse engineer the application using a .NET decompiler or get strings from the executable itself.
We will discuss the reverse engineering tools later. Let us see the strings.exe tool available in Sys Internals suite to grab the strings of our interest.
The following figure shows the command searching for the string ftp within DVTA.exe binary.
Though we need to look for these from the strings output, I am grepping and showing that we can find these strings in the application binary itself since we already knew them.
The following figure shows the command searching for the string dvta, which is the username.
The next figure shows the command searching for the string p@ssw0rd, which is the ftp password.
How you find the credentials is your choice, but the idea here is to demonstrate various ways of doing it.
What should you learn next?
Conclusion:
In this article, we have learned how DVTA application can be used to practice various data storage issues and then we have seen how to analyze memory for sensitive data, followed by hard coding issues. In the next article, we will discuss vulnerabilities related to input validation.
In this Series
- Data Storage Issues with DAMN Vulnerable Thick Client App
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness