SlideShare a Scribd company logo

Thick Application Penetration Testing: Crash Course

Scott Sutherland
Scott Sutherland

Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.

1 of 39
Downloaded 539 times
Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
Why am I talking about this? Thick applications create unique risks that web applications don't.
Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
Why am I talking about this? Thick applications are the new web applications.
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix
Ad

Recommended

Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
Suraj Khetani
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
Ad

More Related Content

What's hot (20)

WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
Suraj Khetani
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
Suraj Khetani
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 

Similar to Thick Application Penetration Testing: Crash Course (20)

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
NCC Group
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
Fernando Lopez Aguilar
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
Sameer Sapra
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
Mohammed Tanveer
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
sangam biradar
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
C4Media
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
Wayne Scarano
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdfstackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
NETWAYS
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
NCC Group
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
Fernando Lopez Aguilar
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
Sameer Sapra
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
Mohammed Tanveer
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
sangam biradar
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
C4Media
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
Wayne Scarano
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdfstackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
NETWAYS
 
Ad

More from Scott Sutherland (20)

Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Ad

Recently uploaded (20)

tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 

Thick Application Penetration Testing: Crash Course

  • 1. Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
  • 2. Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
  • 3. What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
  • 4. Why am I talking about this? Thick applications create unique risks that web applications don't.
  • 5. Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
  • 6. Why am I talking about this? Thick applications are the new web applications.
  • 7. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
  • 8. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
  • 9. Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
  • 10. Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
  • 11. Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
  • 12. Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
  • 13. Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
  • 14. Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
  • 15. Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
  • 16. Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
  • 17. UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
  • 18. MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
  • 19. Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
  • 20. Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
  • 21. How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
  • 22. Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
  • 23. Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
  • 24. Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
  • 25. Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
  • 26. Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
  • 27. Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
  • 28. Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 29. Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
  • 30. Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
  • 31. Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
  • 32. Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 33. Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
  • 34. Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
  • 35. Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
  • 36. Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
  • 37. Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
  • 38. Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
  • 39. Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix