DLL Hijacking using Damn Vulnerable Thick Client App
Background:
Welcome to the part 7 of Practical Thick Client Application Penetration Testing using Damn Vulnerable Thick Client App (DVTA). In the previous article, we have discussed how to perform .NET application patching using ildasm and ilasm utilities to modify the functionality of a .NET assembly. In this article, we will discuss DLL Hijacking in thick client applications using DVTA.
What should you learn next?
Introduction to DLL Hijacking:
DLL (Dynamic Link Library) files usually hold executable code that can be used by other applications. When an application needs to use this DLL file, it has to search for it if the absolute path is not provided. If an attacker replaces his own DLL file with the name that the application is searching for, then the application loads the attacker's DLL and executes the malicious code. This is popularly known as DLL Hijacking.
To better understand DLL Hijacking, we must understand how Windows applications find their DLL files when the full path is not provided (This order might slightly change in some special conditions such as SafeDllSearchMode).
- The directory from which the application is loaded
- The current directory
- The system directory (C:WindowsSystem32)
- The 16-bit system directory
- The Windows directory.
- The directories that are listed in the PATH environment variable.
Now, assume that the application needs to load the test.dll file to execute some functionality and the absolute path to the DLL is not provided. Let us also assume that this file is located in the system directory. If an attacker places his own DLL file (test.dll) in the directory from which the application is loaded, this directory will be accessed by the application before the system directory is accessed thus loading the attacker's malicious DLL file rather than loading the original test.dll.
Finding DLL Hijacking in DVTA:
Finding DLL Hijacking vulnerabilities is easy with a tool like Process Monitor. There are several automated tools available online for identifying DLL Hijacking but still Process Monitor is the all-time best. Process Monitor comes with Sysinternals suite of tools.
Launch Process Monitor and apply some filters to shorten the output. We can apply a filter by navigating to the Filter window and choosing the desired options as shown in the figure below.
Similarly, add two more filters and your filter list should look as shown in the figure below.
We have applied the above filters, because:
We want to see the results associated only with DVTA.exe process
We want to see if the result column contains name not found
We want to see if the application accesses any path containing the word DVTA.
Now, let us launch DVTA application and log in as Rebecca using the following credentials.
Username: rebecca
Password: rebecca
After logging in, switch back to Process Monitor and you should see the following results as per the filters we applied.
If you closely observe the output, you should see the following entries.
This means the application tried to access the DLLs shown above from the location where DVTA.exe is loaded, and the DLLs were not found in that directory.
This means that we can place a malicious DLL in this directory with the same name, and it will be loaded by the application. You can write your own DLL or create one using msfpayload as shown in the figure below.
I have created a DLL file named poc.dll, which pops up a calculator when it is loaded. Let us rename it as credssp.dll and place it in DVTA.exe's directory. This looks as shown in the figure below.
Everything is set. Close DVTA.exe & Process Monitor and re-launch DVTA.exe once again and log in as Rebecca as we did earlier. A calculator should pop up as shown below.
You may use other payloads such as meterpreter reverse shell rather than a calculator.
What should you learn next?
Conclusion:
In this article, we have discussed the basics of DLL Hijacking vulnerabilities and how one can find and exploit DLL Hijacking vulnerabilities in DVTA application. In the next article, we will discuss some miscellaneous test cases that can be used against Thick Client Applications.
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- DLL Hijacking using Damn Vulnerable Thick Client App
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness