Thick client applications are applications that provide a rich set of functionality and run on the user's machine, independently of a server. These applications usually have to be installed, either through an installation package or by setting them up manually.
Security analysis of a thick client application is always interesting because of its complexity and the variety of architectures and protocols it uses to communicate with external systems. Testing such an application therefore requires a systematic approach and a custom environment set up with the required tools.
In this article we explain how to intercept the TCP traffic of a .NET based desktop application in Burp Suite using the tool mitm_relay. We will use the DVTA 2.0 application (https://github.com/srini0x00/dvta) to generate the traffic. Setting up the DVTA lab environment is out of scope for this article; several good articles on the internet explain the steps and procedure clearly, so please refer to them.
Once the DVTA application is set up, we need to make sure that the communication with the DVTA database happens over TCP. We can confirm this with the Windows program TCPView, which can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview. After downloading TCPView, run the DVTA application and log in.
DVTA configuration for mitm_relay
To relay the traffic through mitm_relay we need to make sure that the value of "DBSERVER" in the application configuration (app.config) is set to the local port through which we relay the traffic to the actual server where the DVTA database is running. In this case we set it as below.
<add key="DBSERVER" value="192.168.1.6, 5301" />
192.168.1.6 is my local IP address and 5301 is the local port through which we relay the traffic to the remote server. This port must not be in use by any other application, and we have to use the same port number in the mitm_relay arguments as well.
Setting up the Burp proxy
Open Burp Suite and set "Bind to port" to any port you wish (for example 8081) and "Bind to address" to "Loopback only 127.0.0.1". We need to use the same port in the mitm_relay proxy setting to forward the traffic to Burp. Turn on the intercept button.
Running the mitm_relay
mitm_relay is a Python script for intercepting and modifying non-HTTP traffic through any of the usual proxy tools, such as Burp. The script can be downloaded from https://github.com/jrmdev/mitm_relay. The Git repository has sufficient details about the tool and its documentation.
Before running mitm_relay, please make sure that Python 3 is installed on the machine.
Once mitm_relay has been downloaded from the URL above, run it with the parameters below from any command line.
Parameter values must be changed to match your environment setup.
-l indicates the listening IP address. Here I have used 0.0.0.0 to listen on all interfaces; our local IP address can be used as well.
-r indicates the relay. We have used tcp:5301 for the relay, which means we listen on port 5301 and forward everything received on 5301 to the remote database server running at 192.168.1.6 on port 58394. Please note that the same relay port number is used in the DVTA application configuration as well.
-p is the proxy. We set it to 127.0.0.1:8081, where my Burp is listening.
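Because the three settings above (the DBSERVER port in app.config, the relay port in -r and the Burp port in -p) have to agree, it is worth checking them before starting the relay. The following is an added example, not part of DVTA or mitm_relay: it parses a constructed app.config fragment carrying the DBSERVER value from this article, and the -r and -p strings reconstructed from the values listed above using the syntax mitm_relay's README documents (-r [udp:|tcp:]lport:rhost:rport, -p host:port), and reports any mismatch.

```python
"""Consistency check for the DVTA / mitm_relay port settings.

Added example, not part of DVTA or mitm_relay. APP_CONFIG is a constructed
app.config fragment with the DBSERVER value from the article; RELAY_SPEC and
PROXY_SPEC are the -r and -p values reconstructed from the article.
"""
import re
import xml.etree.ElementTree as ET

APP_CONFIG = """<configuration>
  <appSettings>
    <add key="DBSERVER" value="192.168.1.6, 5301" />
  </appSettings>
</configuration>"""

RELAY_SPEC = "tcp:5301:192.168.1.6:58394"   # -r  (listen 5301, forward to the real DB port)
PROXY_SPEC = "127.0.0.1:8081"               # -p  (Burp's listener)

# mitm_relay relay syntax: [udp:|tcp:]lport:rhost:rport
RELAY_RE = re.compile(r"^(?:(?P<proto>udp|tcp):)?(?P<lport>\d+):(?P<rhost>[^:]+):(?P<rport>\d+)$")


def parse_dbserver(config_xml):
    """Return (host, port) from the DBSERVER appSettings entry.
    .NET SqlClient accepts 'host, port' (comma separated) as the server name."""
    root = ET.fromstring(config_xml)
    node = root.find("./appSettings/add[@key='DBSERVER']")
    if node is None:
        raise ValueError("DBSERVER key not found in appSettings")
    host, sep, port = node.get("value", "").partition(",")
    if not sep:
        raise ValueError("DBSERVER has no explicit port; it must point at the relay port")
    return host.strip(), int(port.strip())


def parse_relay(spec):
    """Split a -r value into its protocol, listen port, remote host and remote port."""
    m = RELAY_RE.match(spec)
    if not m:
        raise ValueError("unrecognised relay spec: %s" % spec)
    return {"proto": m.group("proto") or "tcp", "lport": int(m.group("lport")),
            "rhost": m.group("rhost"), "rport": int(m.group("rport"))}


def parse_hostport(spec):
    """Split a -p value ('host:port') into (host, port)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        raise ValueError("expected host:port, got %s" % spec)
    return host, int(port)


def check_setup(config_xml, relay_spec, proxy_spec):
    """Return a list of problems; an empty list means the three settings agree."""
    problems = []
    db_host, db_port = parse_dbserver(config_xml)
    relay = parse_relay(relay_spec)
    _proxy_host, proxy_port = parse_hostport(proxy_spec)

    if db_port != relay["lport"]:
        problems.append("DBSERVER port %d != relay listen port %d" % (db_port, relay["lport"]))
    if relay["proto"] != "tcp":
        problems.append("SQL Server traffic is TCP, but the relay protocol is %s" % relay["proto"])
    if relay["rhost"] == db_host and relay["rport"] == relay["lport"]:
        problems.append("relay forwards to its own listen port (traffic would loop)")
    if proxy_port == relay["lport"]:
        problems.append("Burp proxy port %d collides with the relay listen port" % proxy_port)
    return problems


if __name__ == "__main__":
    issues = check_setup(APP_CONFIG, RELAY_SPEC, PROXY_SPEC)
    print("OK" if not issues else "\n".join(issues))
```

Run the script after editing app.config and before launching mitm_relay; any line it prints corresponds to a setting that would make DVTA bypass the relay or make the relay bind to the wrong port.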
At this point, if we run the DVTA application, we can see the requests being captured in Burp Suite.
Let us now capture the add expense traffic in Burp. Log in to DVTA as a non-admin user and click the Add Expenses button.
We can try any other functionality of the application, intercept it, and manipulate it if required.
This way we can intercept and modify any TCP traffic from any application and perform security testing, provided the local ports are configured correctly in mitm_relay.
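To make the mechanism concrete, here is a minimal TCP relay in the spirit of what mitm_relay does with -l and -r. This is an added example, not code from mitm_relay or DVTA: it listens on a local port, opens a connection to the real server, copies bytes in both directions and passes every chunk through an on_data hook. In mitm_relay that hook is the step that wraps the chunk in an HTTP request to the proxy given with -p and forwards whatever Burp sends back; here the hook just records the chunk and, optionally, rewrites it, standing in for an edit made in Burp's intercept window. The upstream "database" is a constructed echo server so that the whole thing runs offline.

```python
"""Minimal TCP relay showing the mitm_relay mechanism (added example, not
mitm_relay's or DVTA's code). The echo server is a constructed stand-in for
the database; the on_data hook stands in for the round trip through Burp."""
import socket
import threading


def pump(src, dst, direction, on_data):
    """Copy bytes src -> dst until src closes; each chunk first goes through
    on_data(direction, chunk), which returns the bytes to forward."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(on_data(direction, data))
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass


def handle_client(client, rhost, rport, on_data):
    """Bridge one accepted client connection to the remote server."""
    upstream = socket.create_connection((rhost, rport))
    s2c = threading.Thread(target=pump, args=(upstream, client, "s2c", on_data), daemon=True)
    s2c.start()
    pump(client, upstream, "c2s", on_data)
    s2c.join()
    client.close()
    upstream.close()


class TcpRelay:
    """Listen on lhost:lport (-l / the lport of -r) and relay every connection
    to rhost:rport (the rhost:rport of -r)."""

    def __init__(self, lhost, lport, rhost, rport, on_data):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((lhost, lport))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # real port when lport is 0
        self.rhost, self.rport, self.on_data = rhost, rport, on_data

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:           # listening socket closed by stop()
                return
            threading.Thread(target=handle_client,
                             args=(client, self.rhost, self.rport, self.on_data),
                             daemon=True).start()

    def stop(self):
        self.sock.close()


def start_echo_server():
    """Constructed stand-in for the database server: echoes whatever it receives.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=pump, args=(conn, conn, "echo", lambda _d, b: b),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo(rewrite=False):
    """Send one request through the relay and return (reply, captured chunks).
    With rewrite=True the hook upper-cases client->server data, the way an
    operator might edit an intercepted packet before letting it through."""
    captured = []

    def on_data(direction, chunk):
        captured.append((direction, chunk))
        return chunk.upper() if rewrite and direction == "c2s" else chunk

    relay = TcpRelay("127.0.0.1", 0, "127.0.0.1", start_echo_server(), on_data).start()
    try:
        with socket.create_connection(("127.0.0.1", relay.port)) as c:
            c.sendall(b"select * from expenses\n")   # constructed stand-in for a DB packet
            c.shutdown(socket.SHUT_WR)
            reply = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        relay.stop()
    return reply, captured


if __name__ == "__main__":
    reply, captured = demo(rewrite=True)
    for direction, chunk in captured:
        print(direction, chunk)
    print("reply:", reply)
```

The two pump threads are what make the relay protocol-agnostic: nothing in the code knows whether the bytes are TDS, a custom binary protocol or plain text, which is exactly why the same setup works for "any TCP traffic from any application" once the ports line up.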