Traffic Analysis

Effective penetration testing of thick-client applications heavily relies on detailed traffic analysis, client-side inspection, and server-side validation. This article covers crucial techniques and tools for intercepting, analyzing, and manipulating traffic, as well as examining client and server components to uncover security flaws.

2. Traffic Analysis Phase

Traffic analysis involves capturing, inspecting, and understanding network communications between the client application and external servers or services. This step is vital to identify sensitive data leaks, unencrypted credentials, and protocol weaknesses.

Protocol Monitoring

HTTP/S Traffic Capture:

Use Burp Suite as a proxy to intercept HTTP/S traffic:

Configure your browser or application to use 127.0.0.1:8080 as proxy.
Launch Burp Suite, set proxy listener on 127.0.0.1:8080.

Custom Protocols (e.g., FTP, TCP):
For non-HTTP protocols like FTP or proprietary TCP protocols, Wireshark is essential:
```
# Launch Wireshark
wireshark
# Select the loopback interface for capturing local traffic
```

Encryption Assessment

Test TLS Security:
Use testssl.sh to evaluate the TLS configuration of target services:
```
# Run the script against the target:
./testssl.sh target:443
```
Look for weak ciphers, outdated protocols, or misconfigurations.

Data Leakage Detection

Spot PII or Credentials:
In Wireshark, set filters to identify sensitive info:
```
# Filter for potential passwords or sensitive data in traffic
http contains "password"
```
or for FTP traffic:
```
ftp
```
Example: Analyzing FTP Traffic
Launch Wireshark, start capturing on the loopback interface, then:
- Initiate the FTP connection from the application.
- After login, filter:
  ftp
- Examine packets for USER and PASS commands:
  Command: USER DVTA Response: 331 Password required for DVTA Command: PASS p@ssw0rd
This reveals credentials transmitted in plaintext.

MITM Testing & Pinning Bypass

Use Echo Mirage or custom MITM relay scripts to intercept and modify traffic:

# Example command using mitm_relay.py
python3 mitm_relay.py -L 0.0.0.0 -r tcp:21:target_ip:1111 -p 127.0.0.1:8080

Bypassing SSL pinning involves injecting or modifying the application’s certificate validation routines, often with tools like Frida.

3. Client-Side Analysis Phase

Examining the client application itself can uncover stored credentials, insecure configurations, or exploitable logic.

Static Analysis

Inspect binaries:

For .NET applications, use DnSpy:

# Load the binary
dnspy.exe
# Open target DLL or EXE
# Search for hardcoded credentials, URLs, or logic flaws

For Java applications, use JD-GUI:

# Open the JAR or class files
# Examine source code for secrets or insecure code

Dynamic Analysis

Monitor runtime behavior:

Use Procmon:

# Launch Procmon
procmon.exe
# Set filter:
# Process Name = target.exe
# Path ends with .dll
# Result = NAME NOT FOUND

File System & Registry:

Search application directories for config or log files containing sensitive info.

Use Regshot to compare registry snapshots:

# Take initial snapshot
Regshot.exe
# Run the application and perform typical operations
# Take second snapshot
# Compare to identify stored credentials or settings

Memory Analysis:

Create a dump:

# Using Task Manager
Select target process > Create dump file

Search for passwords with HxD:

# Open dump file in HxD
# Search for "password" or other secrets

4. Server-Side Analysis Phase

Understanding server interactions can reveal insecure API endpoints, authorization flaws, and business logic issues.

API Security Testing

Use Burp Suite to intercept and tamper with API requests:

# Tamper request parameters:
# Attempt IDOR by changing resource IDs
# Inject SQL payloads for SQL injection testing

Backend Communication & Session Analysis

Capture traffic with Wireshark:

# Filter for relevant protocols:
tcp or udp
# Observe session tokens, cookies, or protocol-specific data

Business Logic Manipulation

Intercept API calls and modify workflow parameters:
- Change order quantities, user roles, or workflow steps to test for privilege escalation or logic flaws.

Practical Example: Analyzing FTP Traffic in DVTA

Scenario: The application performs a backup by uploading data via FTP. We want to inspect this traffic.

Steps:

Launch Wireshark and select the loopback interface:
```
# Capture on Loopback Interface
wireshark
```
Log in to the application with admin credentials, then trigger the data backup.
Stop the capture after the transfer completes.
Filter FTP traffic:
```
ftp
```
Examine packets:
- The first command: USER DVTA
- Server response: 331 Password required for DVTA
- Credential: PASS p@ssw0rd
This plaintext credential indicates a significant security flaw.

Using Echo Mirage for Interception

Setup:

Download and install Echo Mirage from here.
Launch Echo Mirage, select the DVTA.exe process, and set interception rules.

Example:

Capture login requests:
- Run the application and attempt login.
- Observe the intercepted request containing username/password in plain text.
Manipulate or replay requests to test server validation.

Wireshark Commands

# Start capturing on interface eth0
wireshark -i eth0

# Capture with a filter (e.g., HTTP traffic)
wireshark -i eth0 -f "tcp port 80"

# Save capture to file
wireshark -i eth0 -w capture.pcap

tcpdump Commands

# Capture all traffic on interface eth0
sudo tcpdump -i eth0

# Capture TCP traffic on port 443 (SSL)
sudo tcpdump -i eth0 tcp port 443 -w ssl_capture.pcap

# Capture specific host traffic
sudo tcpdump -i eth0 host 192.168.1.10 -w host_capture.pcap

# Filter traffic by protocol
sudo tcpdump -i eth0 udp port 53 -w dns_traffic.pcap

mitmproxy Commands

# Start mitmproxy in interactive mode
mitmproxy

# Run mitmproxy with specific options and port
mitmproxy -p 8080

# Save flows to a file
mitmproxy -w flows.mitm

# Load flows from a file
mitmproxy -r flows.mitm

# Run in transparent mode
mitmproxy --mode transparent

Fiddler Commands

# Launch Fiddler (GUI; commands depend on OS)
# Use FiddlerScript to automate or modify behavior

OpenSSL Commands (for SSL/TLS interception/setup)

# Generate a root CA certificate
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365

# Generate a private key
openssl genrsa -out server.key 2048

# Create a CSR
openssl req -new -key server.key -out server.csr

# Generate a self-signed certificate
openssl x509 -req -in server.csr -signkey server.key -out server.crt -days 365

Frida Commands

# Attach to a running process
frida -U -n com.target.app

# Run a script
frida -U -n com.target.app -l script.js

# List connected devices
frida-ls-devices

Radare2 Commands

# Open binary
r2 binary.exe

# Analyze
aaa

# List functions
afl

# Disassemble function
pdf @ main

Ghidra Commands (via GUI, but CLI options exist)

# Launch Ghidra headless
ghidraRun -import yourbinary.bin -scriptPath ./scripts -postScript analyze.py

PreviousInformation Gathering NextDLL Hijacking

Last updated 1 month ago