Thick Client Penetration Testing Tutorials - Part 5

-
For carrying out penetration testing assessments, our main aim has been to resolve the actual domain to the loopback IP address, by adding an entry to the hosts file.

Let us know consider a situation where the thick Client application does not send the request to a domain or a host name, then what happens?

We are stuck since it becomes impossible to make a host file entry.

Consider a thick client url like http://172.32.23.23:891/login. It cannot be mapped in hosts file without a valid pointing domain.

So lets do a workaround via configuring burp with the concept of Microsoft Loopback Adapter.

Prerequisites:

Two machines residing in the same network ,both having Burp Suite tool running
One machine (the testing machine) should have Microsoft Loopback Adapter configured.
The second machine acts as a gateway that forwards the requests to the internet.
The loopback adapter helps deceiving the local machine. In absence of a real domain, all the application requests fired to the actual server are redirected to the Loopback adapter by setting the same IP address of the Microsoft Loopback adapter as the actual server’s IP address.

Those not aware with the concept of the loopback adapter, Microsoft Loopback Adapter is a dummy network setup.

It is a kind of hidden easter egg feature of windows, which you can enable by the following steps:



Run cmd as Admin.
Enter “hdwwiz.exe”.
Welcome to the Add Hardware Wizard”, click Next.
Install the hardware manually
Network adapters
Select “Microsoft” as the Manufacturer and then select the Network Adapter “Microsoft Loopback Adapter” and click Next.


Setting up loopback adapter_1

In network connections tab, you can see it:





Machine 1 (xx.xx.xx.x1):

This is the testing machine where the Thick Client application is running.

We configure the below settings to make it ready:

Microsoft Loopback adapter is installed with the TCP/IP address of the actual server ( in our example: 172.32.23.23:891)
Burp Suite is configured to listen on the Loopback adapters IP address.
Burp Suite is configured to forward the requests to Machine 2
Once we fire an actual request, the below execution happens:


Scenario:

IP address of the Loopback adapter is of the actual server, the Thick Client application sends an HTTP  request, which first goes to the loopback adapter.

The listener setup on Burp Suite hooke to the same IP address, capturing it.

What do to next?

Since the request meant for the actual server is stuck in machine one with the loopback adapter and burp, we need to forward it to  Machine 2 (xx.xx.xx.x2), so that the request can reach the actual destination server.

Setting up IP details on loopback adapter.

Let’s see how the logic works by a simple diagram:




High level working

The following screenshots show the Burp Suite configuration in Machine 1.

Assumption: The actual server IP is 172.32.23.23:891


We now need to forward the request to the second machine ( xx.xx.xx.x2)



Machine 1

Burp setting with loopbackMachine 2 (xx.xx.xx.x2):

This machine will be configured to route the requests from machine 1 to the actual server.gateway that sends the requests forwarded by Machine 1(xx.xx.xx.x1) to the destination server.

Configuration checklist to be setup for machine 2:

Set up a Burp Suite Listener on the adapter with the IP address xx.xx.xx.x2
Configure redirection of  traffic to the actual server ( in our case, the actual ip of the server (172.32.23.23:891)
Burp listener on loopback IP moderates the requests for  capture
Finally the redirect to host configuration forwards those requests to the destination server.
The following screenshots show the configuration:



Requests via burp to actual server ( machine 2 burp)That’s it. Once done, the application will start intercepting as well as redirect the requests to the IP which does not have domain name mapped!

Happy hacking!

Comments

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more