# ASP.NET Application
* Gather application technical information using the [CFF explorer](https://ntcore.com/?page_id=388).
* Scan the application with the [BinScope](https://www.microsoft.com/en-us/download/details.aspx?id=44995) tool.
*BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations*.
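```
rem Navigate to the BinScope install directory
cd "C:\Program Files\Microsoft BinScope 2014"
rem Analyze the target binary and write a verbose HTML report to the current directory
BinScope.exe /Html /OutDir . /Verbose /Target "C:\path\to\exe"
```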
>Follow the steps below if you get a "private symbols" error while running BinScope.
<details><Summary>BinScope Error Resolution</Summary>
* In the Environment Variables window, locate the "System variables" section and find the variable named "_NT_SYMBOL_PATH". If it already exists, select it and click on the "Edit" button. If it doesn't exist, click on the "New" button to create a new system variable.
* In the Edit System Variable or New System Variable window, enter the following value for the "_NT_SYMBOL_PATH" variable:
```
srv*https://msdl.microsoft.com/download/symbols
```
This value tells the debugger to use the Microsoft Symbol Server for symbol resolution.
Then run BinScope again on the target application.
</details>
* Obtain sensitive information using `Strings` analysis
The strings.exe tool is commonly used in security analysis to find and extract human-readable text strings from binary files. It can reveal insights such as hard-coded passwords, URLs, file paths, and other potentially sensitive information that might be embedded within an executable file.
```
strings.exe "Application.exe" > App_strings.txt
```
>Then search for sensitive information in the obtained text file.
* Registry Analysis
Use [RegShot](https://sourceforge.net/projects/regshot/) to inspect the Windows Registry for any instances of sensitive data storage. Storing sensitive data in the registry without proper protection can lead to data leakage, as malicious software or users might have access to these registry keys.
* DLL Hijacking
DLL hijacking is an attack method that places an infected DLL file within the search path of an application. Once attackers get the infected file onto the machine, the application attempts to load a file from that directory and loads the infected DLL instead, so the infected file is executed when the vulnerable application is run. DLL files are often preloaded into a computer, and many applications with DLL files load automatically during startup, which can compromise the entire computer and give attackers access whenever the file containing the malicious code loads.
#### How to test DLL Hijacking
1. Install and open the Process Monitor application
2. Search for the application the suspected DLL hijacking attack is targeting.
3. Apply a filter that only shows files with a path ending in .dll (Path ends with .dll), then click Add and then Apply.
4. Apply a filter for names that were not found by setting the condition Result is NAME NOT FOUND, then click Add and then Apply. This shows files that are loading outside of the system directory.
5. Apply an additional filter that only displays DLL files within the application’s directory by setting the condition Path is [path address], then click Add and then Apply.
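
The same filters can be applied offline to a Process Monitor capture exported as CSV, which makes the findings easy to attach to a report. This is an added example, not part of the original checklist: the sample rows, the `C:\App` directory and the `triage` function are constructed for illustration, and it goes one step further by recording where each missing DLL was eventually resolved.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of a Process Monitor CSV export (default columns).
# Process names, PIDs and paths are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Application.exe","4120","CreateFile","C:\App\version.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","Application.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read"
"10:01:02.3","Application.exe","4120","CreateFile","C:\App\plugins\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.4","Application.exe","4120","CreateFile","C:\APP\VERSION.DLL","NAME NOT FOUND","Desired Access: Read"
"10:01:02.5","Application.exe","4120","CreateFile","C:\App\config.xml","NAME NOT FOUND","Desired Access: Read"
"10:01:02.6","other.exe","5032","CreateFile","C:\App\version.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.7","Application.exe","4120","CreateFile","C:\Windows\System32\foo.dll","NAME NOT FOUND","Desired Access: Read"
'''


def triage(csv_text, process_name, app_dir):
    """Return (missing_path, failed_lookups, resolved_from) per missing DLL."""
    app_dir = PureWindowsPath(app_dir)
    resolved = {}  # dll file name -> first path where the lookup succeeded
    missing = {}   # missing path -> number of failed lookups
    # Procmon writes a UTF-8 BOM at the start of the export; drop it if present.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() != process_name.lower():
            continue  # step 2: only the application under test
        path = PureWindowsPath(row["Path"])  # compares case-insensitively
        if path.suffix.lower() != ".dll":
            continue  # step 3: path ends in .dll
        if row["Result"] == "SUCCESS":
            resolved.setdefault(path.name.lower(), str(path))
        elif row["Result"] == "NAME NOT FOUND" and app_dir in path.parents:
            # steps 4 and 5: failed lookup inside the application's directory
            missing[path] = missing.get(path, 0) + 1
    ordered = sorted(missing.items(), key=lambda kv: str(kv[0]).lower())
    return [(str(p), n, resolved.get(p.name.lower())) for p, n in ordered]


if __name__ == "__main__":
    for dll, count, found in triage(SAMPLE_CSV, "Application.exe", r"C:\App"):
        print(f"{dll}  failed lookups: {count}  resolved from: {found or 'nowhere'}")
```

A missing DLL that is later resolved from a system directory shows the application relying on the search order rather than a full path, which is the detail to include when reporting the finding.
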
Tools:
* [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
* [DLLSpy](https://github.com/cyberark/DLLSpy)
* [Robber](https://github.com/MojtabaTajik/Robber)

Generate a DLL that launches the Calculator program using `msfvenom`:
```
msfvenom -f dll -p windows/x64/exec CMD="C:\windows\system32\calc.exe" -o shell32.dll
```
References:
https://www.okta.com/identity-101/dll-hijacking/
* Exe Signature check
[Sigcheck](https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal.
```
sigcheck64.exe <application.exe>
```
* Network Analysis
* Perform OWASP Top 10 Web
* Perform OWASP Top 10 API
**Tools:**
1. Burp Suite
2. Fiddler Everywhere
3. Echo Mirage
## Dependency Walker