Traffic analysis
Analysing thick client application's network traffic
Last updated
Almost every application communicates with backend services such as an FTP server, a database server or an HTTP server. Intercepting this network traffic is crucial to understanding the information flow, and it may reveal important information such as credentials.
Some applications enforce encryption and some don't, so the testing environment has to be prepared accordingly.
Thick client applications are generally not proxy-aware: they may use HTTP under the hood, but they offer no option to configure a proxy server, so you can't simply fire up Burp Suite and proxy the traffic the way you do with a browser.
Burp's invisible proxy support addresses this problem.
Burp can't help with protocols other than HTTP, for example the FTP protocol used by DVTA. Tools like Wireshark can capture non-HTTP protocols as well, but Wireshark doesn't let you modify data on the fly the way Burp Suite does. That is why tools such as Echo Mirage were created for this purpose.
You can follow this article for a detailed step-by-step guide.
Run Wireshark in the background, then run the DVTA application. Log in as admin and back up your data.
In the captured traffic you can find the credentials the DVTA application uses to connect to the FTP server, and that's a finding.
Note: if you have difficulty capturing SQL traffic in Wireshark, it is because your SQL server is on the same machine as Wireshark. One thing you can do is run SQL Server in a different VM and put that VM's IP in the DVTA.exe.config file.
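As an added example (not part of this page, of DVTA or of Wireshark), the script below reads a classic pcap file and pulls the FTP USER/PASS commands out of it, which is exactly what you look for in the Wireshark capture after triggering the backup. The capture it parses is constructed in code with documentation-range addresses and made-up credentials; on a real capture, pass the bytes of your .pcap file and, if you moved the FTP server to another port, set `ftp_port` accordingly.

```python
"""Added example (not part of the page or of DVTA): a minimal classic-pcap reader that pulls FTP
USER/PASS commands out of a capture, i.e. what you look for in Wireshark after the DVTA backup.
The capture below is constructed in code; addresses and credentials are made up."""
import struct

ETH_HDR = 14  # Ethernet II header length

def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, tcp_payload) for each TCP/IPv4 frame in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # the magic number tells us the writer's byte order
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("this reader handles Ethernet captures only")
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < ETH_HDR or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ip = frame[ETH_HDR:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src_ip = ".".join(map(str, ip[12:16]))
        dst_ip = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src_ip, dst_ip, sport, dport, tcp[data_off:]

def extract_ftp_credentials(pcap_bytes, ftp_port=21):
    """Reassemble client->server FTP control traffic per connection and return the USER/PASS pairs."""
    streams = {}
    for src_ip, dst_ip, sport, dport, payload in parse_pcap(pcap_bytes):
        if dport == ftp_port and payload:
            key = (src_ip, sport, dst_ip)
            streams[key] = streams.get(key, b"") + payload
    found = []
    for (client, _, server), stream in streams.items():
        creds = {"client": client, "server": server}
        for line in stream.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() in (b"USER", b"PASS"):
                creds[verb.decode().lower()] = arg.decode(errors="replace")
        if "user" in creds:
            found.append(creds)
    return found

# --- constructed capture: 192.0.2.0/24 is documentation address space, nothing real ---
def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero because we only parse, never send."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def build_pcap(frames):
    """Write a little-endian classic pcap (link type 1 = Ethernet) around the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame("192.0.2.10", "192.0.2.20", 40001, 21, b""),                    # bare ACK, no payload
    _frame("192.0.2.20", "192.0.2.10", 21, 40001, b"220 ftp ready\r\n"),  # server banner
    _frame("192.0.2.10", "192.0.2.20", 40001, 21, b"USER dvta\r\n"),
    _frame("192.0.2.10", "192.0.2.20", 40001, 21, b"PASS p@ssw0rd\r\n"),
])

if __name__ == "__main__":
    for c in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"{c['client']} -> {c['server']}: USER={c['user']} PASS={c.get('pass')}")
```

The reader keys each control connection by client address and source port, so several logins in one capture come out as separate entries; anything that is not IPv4/TCP or not aimed at the FTP port is skipped.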
Echo Mirage helps intercept TCP traffic and modify it on the fly.
As it is a very old tool and no longer maintained, here is a Mega link to download a copy of the tool.
Link: https://mega.nz/file/bHhQ3QrA#l4d-lc3bL1tm8AOUcMzlkbN6SaMYFPXNjRr1caD0m1E
Run Echo Mirage, create a new rule to intercept traffic, then go to Processes and inject it into the DVTA.exe process. Now log in as admin and hit Backup; you will start seeing traffic in Echo Mirage.
MITM relay, as its author describes it, is a "Hackish way to intercept and modify non-HTTP protocols through Burp & others".
Tool GitHub Link: https://github.com/jrmdev/mitm_relay
Using MITM relay it is possible to intercept protocols other than HTTP with existing interceptors like Burp Suite. It supports both TCP and UDP, and it comes with SSL support: you can create your own trusted CA certificate and place the relay between client and server, but that won't work if the application does SSL pinning.
The MITM relay script is written in Python, so you need Python installed on your machine.
There are 3 main components of MITM relay that you have to understand:
Relay listener: a MITM listener that listens for a specific protocol (TCP/UDP) on a source port and then forwards that traffic to the destination address and port.
Packet wrapper and unwrapper: wraps the original protocol data into the body of an HTTP request and sends it to a temporary web server; when the request comes back from the proxy tool, it unwraps the HTTP request back into the original protocol.
Interception software and web server: once the original protocol data is wrapped into an HTTP request, it is sent to a temporary web server which talks to a proxy tool like Burp Suite, letting us modify or drop the request. The request is then handed back to the MITM listener in its original form with the help of the unwrapper, so it can be forwarded to the destination server.
It is your job to identify the source protocol and port of your application, i.e. which protocol (TCP or UDP) the application communicates over and which port it sends its requests to.
For example, in the case of DVTA we know that for backup the application uses TCP on port 21, and we can configure our setup accordingly. Also, since the attacker and victim machines are the same, we had to move FTP to port 2111 in this case, as MITM relay needs port 21.
In the image above you can see how the FTP data is sent over the MITM relay's temporary HTTP server, which proxies through Burp Suite, and then all the data is forwarded to the destination server in its original form.
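To make the three components concrete, here is an added example (not mitm_relay's own code, and simplified from it): a TCP relay that listens on one port and forwards to another, a wrapper/unwrapper that turns every chunk of the stream into an HTTP POST body and back, and a temporary web server that returns the body after an edit hook. In the real setup Burp sits between the relay and that web server and you edit the body in Burp's intercept window; here the hypothetical `Interceptor.edit` hook stands in for Burp so the whole loop runs offline. The FTP server is a constructed stand-in, and the listen/target ports are ephemeral; in the DVTA setup you would listen on 21 and forward to the FTP server moved to 2111.

```python
"""Added example, not mitm_relay's own code: a minimal TCP relay that wraps each chunk of a
client<->server stream into an HTTP POST to a local interception web server and forwards the
(possibly edited) body on. Burp would sit between relay and web server in the real setup; here a
hypothetical Interceptor.edit hook plays Burp's part. The toy FTP server below is constructed."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def wrap(direction, data):
    """Wrapper: raw protocol bytes -> HTTP/1.1 POST; the URL path records the direction."""
    head = ("POST /%s HTTP/1.1\r\nHost: interceptor\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n" % (direction, len(data)))
    return head.encode() + data

def unwrap(msg):
    """Unwrapper: HTTP request or response -> raw protocol bytes, framed by Content-Length."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # skip the request/status line
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines)}
    return body[: int(headers.get("content-length", "0"))]

class Interceptor(BaseHTTPRequestHandler):
    """Temporary web server: hands each wrapped body to the edit hook and returns the result."""
    edit = staticmethod(lambda direction, data: data)  # hypothetical hook standing in for Burp
    log_message = lambda self, *args: None  # keep the demo quiet

    def do_POST(self):
        body = self.edit(self.path.lstrip("/"), self.rfile.read(int(self.headers.get("Content-Length", 0))))
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def through_interceptor(direction, data, interceptor_addr):
    """Send one wrapped chunk to the interception server and unwrap whatever comes back."""
    with socket.create_connection(interceptor_addr) as s:
        s.sendall(wrap(direction, data))
        return unwrap(s.makefile("rb").read())  # the server closes the connection after its response

def pump(src, dst, direction, interceptor_addr):
    """Copy one direction of the stream, sending every chunk through the interceptor first."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(through_interceptor(direction, chunk, interceptor_addr))
        dst.shutdown(socket.SHUT_WR)  # propagate end-of-stream to the other side
    except OSError:
        pass

def start_relay(listen_addr, target_addr, interceptor_addr):
    """Relay listener: accept on listen_addr (port 21 in the DVTA setup) and relay to target_addr."""
    ls = socket.socket()
    ls.bind(listen_addr)
    ls.listen()
    def handle(client):
        with client, socket.create_connection(target_addr) as server:
            threading.Thread(target=pump, args=(client, server, "client-to-server", interceptor_addr),
                             daemon=True).start()
            pump(server, client, "server-to-client", interceptor_addr)
    def accept_loop():
        while True:
            threading.Thread(target=handle, args=(ls.accept()[0],), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()

def start_toy_ftp_server():
    """Constructed stand-in for the FTP server (one connection): banner, then canned USER/PASS answers."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()
    answers = {b"USER": b"331 password required\r\n", b"PASS": b"230 logged in\r\n"}
    def serve():
        with ls.accept()[0] as conn:
            conn.sendall(b"220 toy ftp ready\r\n")
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    conn.sendall(answers.get(line.split(b" ")[0].upper(), b"500 unknown\r\n"))
    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()

def run_demo(edit=None):
    """Wire client -> relay -> toy server with the interceptor in the loop; return the replies seen."""
    Interceptor.edit = staticmethod(edit or (lambda direction, data: data))
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), Interceptor)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    relay_addr = start_relay(("127.0.0.1", 0), start_toy_ftp_server(), httpd.server_address)
    with socket.create_connection(relay_addr) as c, c.makefile("rb") as f:
        c.settimeout(5)
        replies = [f.readline()]  # banner arrives before the client sends anything
        for cmd in (b"USER admin\r\n", b"PASS secret\r\n"):
            c.sendall(cmd)
            replies.append(f.readline())
    return replies

if __name__ == "__main__":
    print(run_demo())
```

Passing an edit hook such as `lambda d, data: data.replace(b"230 logged in", b"530 login incorrect") if d == "server-to-client" else data` to `run_demo` shows the server's answer being rewritten on its way back to the client, which is the effect you get by editing the body in the proxy; the relay itself never inspects the protocol, it only moves bytes through the HTTP hop.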