@@ -7,10 +7,13 @@ tags: [fatclient, audit]
# Fat-Client Audit Checklist
-## Authentication & Encryption
+## Cryptography: Authentication & Encryption
* [ ] Is the traffic encrypted?
* [ ] Insecure Crypto Algorithms?
+* [ ] Replay attacks possible?
+* [ ] Forward Secrecy?
+* [ ] Key Control? (Is one party alone responsible for the final session key?)
* [ ] HTTPS: Certificate Pinning?
* [ ] Message Authentication (HMAC?)
* [ ] Authentication only on the client side?
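Review bot: The new heading "Cryptography: Authentication & Encryption" no longer fits the last item in this hunk, "Authentication only on the client side?", which is an authorization/trust-boundary check rather than a cryptography one; either keep the narrower heading or move that item to a separate section. Also, the three added items are bare questions, whereas the added "Key Control?" line carries a parenthetical telling the auditor what to look for; "Replay attacks possible?" and "Forward Secrecy?" would be more useful with the same treatment, e.g. "(are nonces, timestamps or sequence numbers verified?)" and "(ephemeral key exchange, so a leaked long-term key does not expose recorded sessions?)".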
@@ -53,17 +56,17 @@ tags: [fatclient, audit]
## Useful Tools
-* Dissassembler: IDA Pro, Cutter, Ghidra, dnSpy, ..
+* Dissassembler: IDA Pro, Cutter, Ghidra, dnSpy, ...
* Debugger: r2, x64, ...
-* Proxy: Burp Suite, CANAPE
-* Sysinternals: Process Explorer, Process Monitor, strings, ..
+* Proxy: Burp Suite, CANAPE, Postman (APIs)
+* Sysinternals: Process Explorer, Process Monitor, strings, ...
* API Monitor
* Frida (+ Fermion GUI)
## Further Tipps/Hints:
-* procmon for president:
+* Procmon for president:
* Check for network endpoints (disable DNS resolving)
* Check loaded configuration files
* Check if files are loaded from shares
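Review bot: The rewritten line "+* Dissassembler: IDA Pro, Cutter, Ghidra, dnSpy, ..." only fixes the ellipsis and keeps the "Dissassembler" typo; while touching the line, make it "Disassembler". Two nearby context lines have the same kind of issue and could be fixed in this commit: "Further Tipps/Hints:" should read "Further Tips/Hints", and "Debugger: r2, x64, ..." is ambiguous as written (the tool name is presumably meant in full, not the architecture). The capitalization-only change to "Procmon for president:" is fine, but the colon suggests the following bullets are sub-items of it; indenting them under that bullet would make the structure match the wording.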
@@ -71,4 +74,4 @@ tags: [fatclient, audit]
* Introspect socket content with API Monitor and backtrace syscalls to the original DLL/Executable
* View all loaded DLLs with Process Explorer (Ctr+D)
* If openSSL is used: hook the SSL_write and SSL_read functions to read the plaintext traffic.
-
+* DnSpy can export all loaded modules of a (.Net) application as VS project
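Review bot: The added bullet spells the tool "DnSpy", while the tools list in this same file uses "dnSpy"; use one spelling throughout. The rest of the line also reads roughly: ".Net" should be ".NET" and "as VS project" should be "as a Visual Studio project". Since this bullet replaces the file's trailing blank line, check that the file still ends with a newline so the next change does not produce a "no newline at end of file" diff. The context line "View all loaded DLLs with Process Explorer (Ctr+D)" has a typo in the shortcut ("Ctrl+D") that could be fixed in the same commit.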