In the first part of this series, we introduced Thick Client Applications, set up Damn Vulnerable Thick Client Application (DVTA) and performed some information gathering on the target application. Starting with this article, we will gradually move towards the various techniques used to attack the application and its infrastructure. Let us discuss traffic analysis techniques in this article.
Any application communicating with a backend sends data to its backend components (web server, FTP server, database server, etc.). Analyzing that data while it is in transit is a crucial part of assessing an application, because many applications transmit data without enforcing any encryption. Though the concept of intercepting thick client traffic is no different from thin clients, the tools differ depending on the protocols the application uses. Since many of these applications are not proxy-aware, the interception techniques also vary slightly.
Intercepting HTTP traffic:
If the application in question sends HTTP traffic, it is possible to intercept it with Burp Suite using the invisible proxy option under Proxy listeners, which allows Burp to handle connections from a client that does not honour proxy settings.
Intercepting TCP traffic:
However, the case mentioned above will not help with all the thick clients we encounter during penetration tests. Some applications send non-HTTP traffic, and that is where Burp cannot help.
Echo Mirage is an old tool that comes to the rescue when the application sends TCP traffic. DVTA has an admin module that we can use to generate the traffic for this exercise. After logging in with the admin's credentials, the form can be used to generate FTP traffic. We will discuss the internal details of this functionality in a later article. Let us focus on traffic interception for now.
Launch DVTA and enter the admin credentials to log in as admin.
We should see the following screen after logging in as admin. The administrator can back up some data to an FTP server that is already configured in the application. This means that clicking the Backup Data to FTP Server button will generate some TCP traffic.
Let us use Echo Mirage and check whether we can see the traffic. It appears that Echo Mirage is no longer available on its official website, but you can download it from the following link owned by the author.
Extract the zip file and you should see Echo Mirage inside it. Run it and the following window will appear.
Let's navigate to the Rules tab shown above. By default, there are only two rules, which can be used to intercept everything on inbound and outbound communications. Each rule can be enabled or disabled using its check box.
Since we are looking specifically for FTP traffic in the DVTA application, let's create a new rule that looks for traffic on port 21 destined for 192.168.56.110, the server on which SQL Server and the FTP server are running. These were set up in Part 1 of this series.
Navigate to Rules | New and fill in the form as shown below.
Click the OK button and a new rule will be created. The newly created rule should look as shown below.
So, the new rule intercepts outbound traffic destined for 192.168.56.110:21. Note that the port number for the FTP traffic could be different if the admin changes it, in which case the rule must be adjusted accordingly.
Lastly, let’s hook into DVTA using Echo Mirage by navigating to Process | Inject “DVTA.exe” as shown in the figure below.
The above step enables Echo Mirage to intercept any traffic matching the enabled rules.
Clicking the Backup Data to FTP Server button makes the application send the username and password of the FTP account before uploading the data. The following figure shows the intercepted request carrying the username "dvta".
Now, click OK to forward the request and then we should see the next request with the FTP password being sent by the application as shown in the following figure.
The FTP password is p@ssw0rd in this case. Forwarding the above request authenticates the application, and the next command will be executed. As you can see in the figure below, STOR admin.csv is executed on the FTP server. This indicates that some data is being uploaded onto the server after successful authentication.
The requests we saw earlier will also be available in the Traffic Log tab, and they can be viewed later.
Since we already have the FTP credentials, we can use any FTP client to log in to the FTP server and view or transfer data. A simpler way of doing it is to use a browser and load ftp://192.168.56.110 as shown below.
Enter the credentials we obtained (dvta:p@ssw0rd) and we should see the listing of files on the FTP server as shown below.
You may try to use the FileZilla FTP client or any other similar tool if you want to upload/download files.
It should be noted that we can also modify the traffic using Echo Mirage, as long as the number of bytes stays the same. We will discuss an example of this in a later article.
Analysis with Wireshark:
Another way of analyzing traffic is to use Wireshark. Since the thick client application runs on the user's machine, any traffic it generates should be visible on the network interface. So, let us see how we can view the same FTP traffic using Wireshark.
Launch Wireshark and select the interface you want to listen on. If you are following the same lab setup explained in the previous article, please use Local Area Connection 2 as your interface. This is shown below.
Now, generate fresh traffic with DVTA by repeating the steps we followed previously, and you should see a lot of packets in Wireshark. Let's filter the packets by entering ftp in the filter bar to view only FTP packets. This is shown below.
Observing the last column in the above picture shows us the username and password for the FTP server the client is connecting to, since FTP sends them in cleartext.
Searching for the string admin would also reveal some SQL Queries being run on the SQL server as shown in the following screenshot.
Though it is possible to view and analyze the traffic in Wireshark, Echo Mirage is the better choice if you want to modify the traffic being sent or received.
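As an added example (not code from the article or from DVTA), the following Python script parses a constructed FTP control-channel capture like the one intercepted above and reports what a passive observer learns from it: the cleartext USER/PASS exchange and the STOR upload, unless AUTH TLS was negotiated first. The capture lines, the C/S direction markers and the function names are assumptions made for this example.

```python
# Added example (not from the original article): summarise what a passive
# observer learns from FTP control-channel lines like those seen above.
import re
# Constructed capture in the style of Wireshark's Info column; "C" marks
# client -> server lines and "S" marks server -> client replies.
SAMPLE_CAPTURE = """\
S 220 FTP server ready
C USER dvta
S 331 Password required for dvta
C PASS p@ssw0rd
S 230 User logged in
C STOR admin.csv
S 150 Opening data connection
S 226 Transfer complete
"""

LINE_RE = re.compile(r"^(?P<dir>[CS]) (?P<payload>.+)$")

def parse_session(capture: str) -> dict:
    """Walk the control channel and record what was exposed in cleartext."""
    s = {"tls": False, "user": None, "password_cleartext": False,
         "auth_ok": False, "uploads": []}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verb, _, arg = m.group("payload").partition(" ")
        if m.group("dir") == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                s["tls"] = True  # explicit FTPS requested; later lines are encrypted
            elif verb == "USER":
                s["user"] = arg
            elif verb == "PASS" and not s["tls"]:
                s["password_cleartext"] = True  # secret visible on the wire
            elif verb == "STOR" and not s["tls"]:
                s["uploads"].append(arg)
        elif verb == "230":  # server reply: login accepted
            s["auth_ok"] = True
    return s

def findings(capture: str) -> list:
    """Report-ready findings; the password value itself is deliberately omitted."""
    s = parse_session(capture)
    out = []
    if s["password_cleartext"]:
        out.append(f"cleartext FTP password for user {s['user']!r}")
    if s["auth_ok"] and s["uploads"]:
        out.append("cleartext upload of " + ", ".join(s["uploads"]))
    return out
```

The same logic applied to a capture that starts with AUTH TLS produces no findings, which is the behaviour a reviewer expects from a client that protects its backend credentials.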
This article has shown how the traffic of a thick client application can be analyzed during a penetration test. We were able to see the traffic sent during authentication. Though this is not possible with every application, it is a known problem that many applications use SSL only for authentication and then fall back to cleartext traffic for the remaining requests; in these cases, too, analyzing the traffic is useful. In the next article, we will discuss data storage issues in thick client applications, specifically DVTA.