2025-12-13 – Track 3
A discussion of thick client testing, using modified examples from the field, that sets out to address the following:
- Common scoping and testing issues in thick client testing, and how to avoid or solve them
- Reverse engineering and subsequent patching of thick clients, using examples in Common Intermediate Language (CIL) and C#; these will illustrate how administrative rights on an application can be granted by patching the client, and how such findings combine for further compromise
- Chaining findings for greater client value and closer emulation of threat actor techniques: stamping out "box ticker" pentests and behaving like a threat actor
- An honorary mention of a potential, theoretical vector for harvested thick client credentials and their use in red teaming, or at least wider consideration of thick clients in various attack simulations
- Declining research quality(?) and the lack of quality thick client testing resources: a brief overview of the problem and some key takeaways for wider consideration after the talk
Thick clients are an interesting attack vector for threat actors, combining several avenues of testing ranging across mobile, web, API, build review and more.
This talk aims to provide a deep dive into application reverse engineering and patching. It was inspired by thick client applications seen in the wild, by frustration with public resources on thick client testing, and by the all too common regurgitation of findings from security bloggers writing about "Damn Vulnerable Thick Client Application" testing, as good as that resource is. The talk will explain mock scenarios in detail, showcasing techniques for discovery under time constraints and how to demonstrate tangible business impact where applicable.
Effective chaining of vulnerabilities uncovered in thick client testing will be showcased, with mock examples illustrating how lower-risk findings can be combined into thick client takeovers, data compromise and more. A limited, albeit theoretical, perspective on thick client applications in red teaming engagements will also be discussed, covering credential harvesting from memory and how this might be applied to lateral movement to SQL servers in a given network. This is ultimately about creating solid results for clients and leaving the surface-level, box-ticking mindset behind.
Self-proclaimed Linux connoisseur, Scapy's #1 fan and ActiveDirectory (PrivEsc) enjoyer, Harry is a penetration tester with a background ranging from social engineering to SOC evasion. He enjoys Scapy so much, in fact, that he gave a BSides London talk on the matter in 2020. When he's not recommending risk mitigations he's recommending Linux distributions and memes in equal measure. He vehemently believes that hoodies, dark mode, Synthwave and mechanical keyboards make hacking over 9000 times faster. When not at a desk hacking things, he can be found eating pizza and climbing, where he enjoys talking about being at a desk and hacking things.
