Thick Client Pentest Methodology

Thick Client Penetration Testing Checklist

1. Pre-Engagement

1.1 Scope and Objectives

• Define assessment boundaries and target application(s)

• Confirm testing timeframe and deadlines

• Obtain written approval for testing activities

• Document emergency contacts and escalation procedures

• Verify any out-of-scope components or restrictions

1.2 Application Information

• Identify application type:

  □ .NET Framework/Core
  □ Java
  □ Electron
  □ Native (C++/Delphi)
  □ Other: __________

• Document platform requirements:

  □ Operating System: __________
  □ Architecture: __________
  □ Dependencies: __________
  □ Minimum Specifications: __________

• Map application components:

  □ Client Application
  □ Backend Services
  □ Databases
  □ Third-party Integrations
  □ APIs

1.3 Resource Collection

• Obtain installation package/files

• Get test environment access credentials

• Acquire documentation (if available):

  □ User Manual
  □ API Documentation
  □ Architecture Diagrams
  □ Known Issues List

• Set up testing environment:

  □ Virtual Machine(s)
  □ Network Configuration
  □ Required Tools
  □ Monitoring Setup

2. Information Gathering

2.1 Installation Analysis

• Document installation process

• Map installation directory structure

• Identify file types and extensions

• Note default installation paths:

  Windows:
  □ C:\Program Files\
  □ C:\Program Files (x86)\
  □ %APPDATA%
  □ %LOCALAPPDATA%
  
  Linux:
  □ /opt/
  □ /usr/local/
  □ ~/.config/
  □ ~/.local/share/

2.2 Configuration Analysis

• Locate and analyze config files:

  □ .config files
  □ .ini files
  □ .xml files
  □ .json files
  □ Registry entries

• Document found settings:

  □ Connection strings
  □ API endpoints
  □ Feature flags
  □ User settings
  □ Debug options

2.3 Binary Analysis

• Extract strings from executables

• Identify third-party components

• Check for debugging symbols

• Analyze dependencies:

  □ Required DLLs
  □ Native libraries
  □ Framework versions
  □ External components

3. Static Analysis

3.1 Decompilation

• Decompile .NET assemblies:

  □ Use dnSpy/dotPeek
  □ Check for obfuscation
  □ Extract resources
  □ Analyze BAML/XAML

• Analyze Java bytecode:

  □ Decompile JAR files
  □ Extract resources
  □ Check for native libraries

• Review native binaries:

  □ Load in Ghidra/IDA
  □ Identify key functions
  □ Map program flow

3.2 Code Review

• Search for sensitive data:

  □ Hardcoded credentials
  □ API keys
  □ Connection strings
  □ Encryption keys
  □ Internal URLs

• Analyze security mechanisms:

  □ Authentication logic
  □ Encryption implementation
  □ Access controls
  □ Input validation

4. Dynamic Analysis

4.1 Runtime Monitoring

• Monitor file system activity:

  □ File creation
  □ File modifications
  □ File permissions
  □ Temporary files

• Track registry changes:

  □ New keys
  □ Modified values
  □ Startup entries
  □ Security settings

• Observe process behavior:

  □ Child processes
  □ DLL loading
  □ Handle creation
  □ Network connections

4.2 Debugging and Hooking

• Set up debugging environment:

  □ Attach debugger
  □ Set breakpoints
  □ Monitor exceptions
  □ Track function calls

• Implement function hooks:

  □ Authentication checks
  □ Encryption functions
  □ API calls
  □ File operations

5. Network Communication

5.1 Traffic Interception

• Configure proxy tools:

  □ Burp Suite
  □ Fiddler
  □ mitmproxy
  □ Wireshark

• Handle SSL/TLS:

  □ Install certificates
  □ Bypass pinning
  □ Configure trust

5.2 Traffic Analysis

• Document communication:

  □ Endpoints
  □ Protocols
  □ Data formats
  □ Authentication methods

• Test request manipulation:

  □ Parameter tampering
  □ Header modification
  □ Session handling
  □ API abuse

6. Authentication & Session Testing

6.1 Authentication Analysis

• Test login mechanisms:

  □ Default credentials
  □ Password policies
  □ MFA implementation
  □ Password recovery

• Check for bypasses:

  □ Direct page access
  □ Client-side validation
  □ Remember me function
  □ Credential storage

6.2 Session Management

• Analyze session handling:

  □ Token generation
  □ Token storage
  □ Session timeout
  □ Concurrent sessions

• Test session security:

  □ Token prediction
  □ Session fixation
  □ Token exposure
  □ Logout function

7. Local Storage Analysis

7.1 File System

• Search for sensitive data:

  □ Configuration files
  □ Log files
  □ Backup files
  □ Temporary data

• Check file permissions:

  □ Write access
  □ Execute permissions
  □ Symbolic links
  □ Shared locations

7.2 Memory Analysis

• Analyze process memory:

  □ Dump memory
  □ Search for credentials
  □ Extract secrets
  □ Review handles

8. Privilege Escalation

8.1 Local Privilege Escalation

• Check for misconfigurations:

  □ Service permissions
  □ Registry permissions
  □ File permissions
  □ Scheduled tasks

• Test for common vectors:

  □ DLL hijacking
  □ UAC bypass
  □ Named pipes
  □ Token manipulation

9. Post-Exploitation

9.1 Data Extraction

• Collect sensitive information:

  □ User credentials
  □ Configuration data
  □ Business logic
  □ Security settings

• Document persistence options:

  □ Registry autoruns
  □ Scheduled tasks
  □ Service creation
  □ DLL injection

10. Cleanup & Documentation

10.1 Environment Cleanup

• Remove testing artifacts:

  □ Test accounts
  □ Modified files
  □ Installed tools
  □ Network changes

• Restore original state:

  □ Configuration files
  □ Registry settings
  □ File permissions
  □ Service settings

10.2 Documentation

• Document findings:

  □ Vulnerability details
  □ Reproduction steps
  □ Impact assessment
  □ Evidence/screenshots

• Prepare reports:

  □ Executive summary
  □ Technical details
  □ Risk ratings
  □ Remediation advice

11. Quality Assurance

11.1 Verification

• Validate findings:

  □ Confirm reproducibility
  □ Verify impact
  □ Check false positives
  □ Test fixes (if provided)

• Review deliverables:

  □ Report quality
  □ Evidence clarity
  □ Remediation steps
  □ Overall coverage