Attack Surface Evaluation

  • Determine points of input into the application
  • Identify interesting inputs that may be abusable by an attacker

Tasks

  • If you get to install the application, take a snapshot of the filesystem and registry before and after installation to see what it lays down.
  • Use the application as a normal user to find points of input and where higher-risk activities take place
  • Run Process Explorer or Process Monitor to see what filesystem, registry, and network objects the application interacts with

Reverse Engineering

  • Determine the base language for application development
  • Attempt to decompile the application (language dependent)
  • Identify sensitive information included in the compiled binary or associated libraries
  • Identify any host operating system dependencies that may be abusable for exploitation of the application

Tasks

  • Decompile the application with jad (Java), dnSpy (.NET), or similar
    • Explore the resulting source code files, searching for sensitive functions and data
  • Run strings (on the binary and associated DLLs) with various options, looking for sensitive or interesting things
    • passwords, keys, database connection strings, URLs, hostnames, etc.
  • Open any configuration files or support files and search for sensitive information.
  • Check for DLL hijacking, unquoted service paths, etc.
  • Is the NX bit on?
  • Are debug symbols present?
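A quick way to answer the NX bit and debug symbol questions is to read the PE headers directly. The check below is an added example, not part of the original checklist: it parses the optional header's DllCharacteristics flags and the debug data directory using only the standard library, and includes a constructed header-only sample (not a loadable binary) so it can be exercised offline.

```python
import struct

# Flag values from the PE/COFF specification (DllCharacteristics field).
NX_COMPAT = 0x0100
DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DEBUG_DIR_INDEX = 6          # IMAGE_DIRECTORY_ENTRY_DEBUG


def inspect_pe(data: bytes) -> dict:
    """Report NX/ASLR opt-in flags and whether a debug directory is present (headers only)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset for PE32 and PE32+
    # Data directories start at 96 (PE32) or 112 (PE32+); each entry is (RVA, Size).
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 8 * DEBUG_DIR_INDEX)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "has_debug_directory": dbg_rva != 0 and dbg_size != 0,
    }


def build_sample(dll_chars: int, debug_size: int, plus: bool = False) -> bytes:
    """Construct a header-only sample (constructed test data, not a loadable binary)."""
    dirs = 112 if plus else 96
    opt = bytearray(dirs + 16 * 8)               # optional header + 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<II", opt, dirs + 8 * DEBUG_DIR_INDEX, 0x3000 if debug_size else 0, debug_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points at the PE signature
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:          # the target binary or one of its DLLs
        print(inspect_pe(f.read(1 << 16)))
```

A binary without NX_COMPAT or DYNAMIC_BASE is a finding on its own, and a present debug directory is the cue to look for a PDB path or symbols that make the reverse engineering step easier.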

Input Handling

  • Submit malicious inputs to the application in order to:
    • Attempt to access privileged data within the application
    • Attempt to escalate privilege in the host operating system or application
    • Attempt to gain control of the host operating system

Tasks

  • Attach a debugger and inspect interesting functions
  • Capture network traffic and look for interesting interactions
  • Capture network traffic and look for any unencrypted communications
  • Route through Burp Suite or similar to better view and interact with communication in real time

Fuzzing

  • Generate input into the application to attempt to elicit a crash condition
  • Monitor and debug the crash condition to determine exploitability of the condition

Tasks

  • Fuzz with Peach Fuzzer, Google OSS-Fuzz, or manually

Output Handling

  • Monitor output generated by the application to determine whether the following security considerations are addressed.
    • At-rest encryption
    • In-transit encryption
  • Output could consist of one or more of the following:
    • Application process memory
    • File output
    • Network communication

Tasks

  • Same as above (?)

Exploitation

  • Attempt to weaponize conditions discovered during any of the previous phases