# Thick Client Pentest Methodology

## Thick Client Penetration Testing Checklist

### 1. Pre-Engagement

#### 1.1 Scope and Objectives

* [ ] Define assessment boundaries and target application(s)
* [ ] Confirm testing timeframe and deadlines
* [ ] Obtain written approval for testing activities
* [ ] Document emergency contacts and escalation procedures
* [ ] Verify any out-of-scope components or restrictions

#### 1.2 Application Information

* [ ] Identify application type:

  ```plaintext
  □ .NET Framework/Core
  □ Java
  □ Electron
  □ Native (C++/Delphi)
  □ Other: __________
  ```
* [ ] Document platform requirements:

  ```plaintext
  □ Operating System: __________
  □ Architecture: __________
  □ Dependencies: __________
  □ Minimum Specifications: __________
  ```
* [ ] Map application components:

  ```plaintext
  □ Client Application
  □ Backend Services
  □ Databases
  □ Third-party Integrations
  □ APIs
  ```

#### 1.3 Resource Collection

* [ ] Obtain installation package/files
* [ ] Get test environment access credentials
* [ ] Acquire documentation (if available):

  ```plaintext
  □ User Manual
  □ API Documentation
  □ Architecture Diagrams
  □ Known Issues List
  ```
* [ ] Set up testing environment:

  ```plaintext
  □ Virtual Machine(s)
  □ Network Configuration
  □ Required Tools
  □ Monitoring Setup
  ```

### 2. Information Gathering

#### 2.1 Installation Analysis

* [ ] Document installation process
* [ ] Map installation directory structure
* [ ] Identify file types and extensions
* [ ] Note default installation paths:

  ```plaintext
  Windows:
  □ C:\Program Files\
  □ C:\Program Files (x86)\
  □ %APPDATA%
  □ %LOCALAPPDATA%

  Linux:
  □ /opt/
  □ /usr/local/
  □ ~/.config/
  □ ~/.local/share/
  ```

#### 2.2 Configuration Analysis

* [ ] Locate and analyze config files:

  ```plaintext
  □ .config files
  □ .ini files
  □ .xml files
  □ .json files
  □ Registry entries
  ```
* [ ] Document found settings:

  ```plaintext
  □ Connection strings
  □ API endpoints
  □ Feature flags
  □ User settings
  □ Debug options
  ```

#### 2.3 Binary Analysis

* [ ] Extract strings from executables
* [ ] Identify third-party components
* [ ] Check for debugging symbols
* [ ] Analyze dependencies:

  ```plaintext
  □ Required DLLs
  □ Native libraries
  □ Framework versions
  □ External components
  ```

### 3. Static Analysis

#### 3.1 Decompilation

* [ ] Decompile .NET assemblies:

  ```plaintext
  □ Use dnSpy/dotPeek
  □ Check for obfuscation
  □ Extract resources
  □ Analyze BAML/XAML
  ```
* [ ] Analyze Java bytecode:

  ```plaintext
  □ Decompile JAR files
  □ Extract resources
  □ Check for native libraries
  ```
* [ ] Review native binaries:

  ```plaintext
  □ Load in Ghidra/IDA
  □ Identify key functions
  □ Map program flow
  ```

#### 3.2 Code Review

* [ ] Search for sensitive data:

  ```plaintext
  □ Hardcoded credentials
  □ API keys
  □ Connection strings
  □ Encryption keys
  □ Internal URLs
  ```
* [ ] Analyze security mechanisms:

  ```plaintext
  □ Authentication logic
  □ Encryption implementation
  □ Access controls
  □ Input validation
  ```

### 4. Dynamic Analysis

#### 4.1 Runtime Monitoring

* [ ] Monitor file system activity:

  ```plaintext
  □ File creation
  □ File modifications
  □ File permissions
  □ Temporary files
  ```
* [ ] Track registry changes:

  ```plaintext
  □ New keys
  □ Modified values
  □ Startup entries
  □ Security settings
  ```
* [ ] Observe process behavior:

  ```plaintext
  □ Child processes
  □ DLL loading
  □ Handle creation
  □ Network connections
  ```

#### 4.2 Debugging and Hooking

* [ ] Set up debugging environment:

  ```plaintext
  □ Attach debugger
  □ Set breakpoints
  □ Monitor exceptions
  □ Track function calls
  ```
* [ ] Implement function hooks:

  ```plaintext
  □ Authentication checks
  □ Encryption functions
  □ API calls
  □ File operations
  ```

### 5. Network Communication

#### 5.1 Traffic Interception

* [ ] Configure proxy tools:

  ```plaintext
  □ Burp Suite
  □ Fiddler
  □ mitmproxy
  □ Wireshark
  ```
* [ ] Handle SSL/TLS:

  ```plaintext
  □ Install certificates
  □ Bypass pinning
  □ Configure trust
  ```

#### 5.2 Traffic Analysis

* [ ] Document communication:

  ```plaintext
  □ Endpoints
  □ Protocols
  □ Data formats
  □ Authentication methods
  ```
* [ ] Test request manipulation:

  ```plaintext
  □ Parameter tampering
  □ Header modification
  □ Session handling
  □ API abuse
  ```

### 6. Authentication & Session Testing

#### 6.1 Authentication Analysis

* [ ] Test login mechanisms:

  ```plaintext
  □ Default credentials
  □ Password policies
  □ MFA implementation
  □ Password recovery
  ```
* [ ] Check for bypasses:

  ```plaintext
  □ Direct page access
  □ Client-side validation
  □ Remember me function
  □ Credential storage
  ```

#### 6.2 Session Management

* [ ] Analyze session handling:

  ```plaintext
  □ Token generation
  □ Token storage
  □ Session timeout
  □ Concurrent sessions
  ```
* [ ] Test session security:

  ```plaintext
  □ Token prediction
  □ Session fixation
  □ Token exposure
  □ Logout function
  ```

### 7. Local Storage Analysis

#### 7.1 File System

* [ ] Search for sensitive data:

  ```plaintext
  □ Configuration files
  □ Log files
  □ Backup files
  □ Temporary data
  ```
* [ ] Check file permissions:

  ```plaintext
  □ Write access
  □ Execute permissions
  □ Symbolic links
  □ Shared locations
  ```

#### 7.2 Memory Analysis

* [ ] Analyze process memory:

  ```plaintext
  □ Dump memory
  □ Search for credentials
  □ Extract secrets
  □ Review handles
  ```

### 8. Privilege Escalation

#### 8.1 Local Privilege Escalation

* [ ] Check for misconfigurations:

  ```plaintext
  □ Service permissions
  □ Registry permissions
  □ File permissions
  □ Scheduled tasks
  ```
* [ ] Test for common vectors:

  ```plaintext
  □ DLL hijacking
  □ UAC bypass
  □ Named pipes
  □ Token manipulation
  ```

### 9. Post-Exploitation

#### 9.1 Data Extraction

* [ ] Collect sensitive information:

  ```plaintext
  □ User credentials
  □ Configuration data
  □ Business logic
  □ Security settings
  ```
* [ ] Document persistence options:

  ```plaintext
  □ Registry autoruns
  □ Scheduled tasks
  □ Service creation
  □ DLL injection
  ```

### 10. Cleanup & Documentation

#### 10.1 Environment Cleanup

* [ ] Remove testing artifacts:

  ```plaintext
  □ Test accounts
  □ Modified files
  □ Installed tools
  □ Network changes
  ```
* [ ] Restore original state:

  ```plaintext
  □ Configuration files
  □ Registry settings
  □ File permissions
  □ Service settings
  ```

#### 10.2 Documentation

* [ ] Document findings:

  ```plaintext
  □ Vulnerability details
  □ Reproduction steps
  □ Impact assessment
  □ Evidence/screenshots
  ```
* [ ] Prepare reports:

  ```plaintext
  □ Executive summary
  □ Technical details
  □ Risk ratings
  □ Remediation advice
  ```

### 11. Quality Assurance

#### 11.1 Verification

* [ ] Validate findings:

  ```plaintext
  □ Confirm reproducibility
  □ Verify impact
  □ Check false positives
  □ Test fixes (if provided)
  ```
* [ ] Review deliverables:

  ```plaintext
  □ Report quality
  □ Evidence clarity
  □ Remediation steps
  □ Overall coverage
  ```