Merry Fiddler Shenton

Fiddling with Windows: Proxy tools for Win10

If you have been following along with us, you know how to set up a Windows 10 Virtual Machine (VM) for web app pentesting. But now we have run into another problem. Let’s say that same client throws a Windows 10 desktop app into scope. (You know, because last-minute changes never happen during an engagement, right?) So the question is, how do you test it?

You could set up a system-wide proxy in your VM through Burp, which is as simple as changing the LAN settings in Internet Explorer. Here is the problem with that solution: Windows 10 is one of the noisiest operating systems out there. Whether it’s telemetry data being sent to Microsoft, Bing searches from the Start menu, or just software updates, you can generate a lot of traffic without touching a web browser. If you don’t like messing with the target scope settings, your Proxy history will fill up with nonsense fast. In this post, I’d like to introduce you to two tools that I find useful for proxying traffic from Windows 10 desktop apps.

Before you start, make sure that you have read through the previous post and set up a test VM and a Burp project with an active listener on the IP address of your network card on port 8080. Just skip the steps where you change the IE proxy settings; we’ll be using the tools below to proxy traffic.

Fiddler 

Fiddler is a free HTTP debugging proxy server application. The beauty of this product is its ability to target specific desktop applications and intercept their traffic. There is a lot of functionality in this product; in fact, Fiddler and Burp Suite have many features in common.

How to use

  1. Split the screen with Fiddler and whatever desktop app you’re trying to test
  2. Click the Any Process button and drag it onto the target application
  3. Select Tools > Options > Gateway
  4. Select Manual Proxy Configuration
  5. In the first text box, enter a string listing each traffic type and the Burp host and port
    1. For example, if the IP address of your network card is 192.0.2.1, enter
      • http=192.0.2.1:8080;https=192.0.2.1:8080
  6. Click OK

Now you should see traffic from the desktop app as it populates the Burp history.

Proxifier

Proxifier is a commercial Man in the Middle (MITM) proxy tool with a 30-day free trial. Since our engagements, and our VM, won’t even last that long, we can just download and install it every time we set up a new virtual machine. This tool also offers a lot of functionality for debugging and manipulating requests, but we will just be using it as a proxy tool for now. The setup process for Proxifier is a little easier than Fiddler’s.

How to use

  1. Create an HTTPS Proxy Server with the Burp IP address as the host and 8080 as the port. When you save it, don’t make it the default (or everything will go there)
  2. Select the Proxification Rules button at the upper right corner of the menu

Proxification Rules

  1. Remove the Localhost Proxification rule
  2. Click Add for a new Proxification rule
  3. Name the rule Demo
  4. Click Browse and find the location of the .exe file for the desktop application that you want to test
  5. Set the Action to direct all HTTP traffic to the Burp host on port 8080
  6. Leave the Target textbox empty

Now you should see requests from the desktop app as it populates the Burp history. 
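Whichever tool you pick, it is worth confirming from inside the VM that the app’s connections really terminate at Burp rather than leaking straight out. The PowerShell check below is an added example, not part of the original post or of either tool; it assumes Burp listens on 192.0.2.1:8080 and uses a placeholder process name, TargetApp, for the app under test.

```powershell
# Added example (not from the original post): verify the Burp listener is reachable
# from the VM and that the target app's established TCP connections go to the proxy.
# Assumptions: Burp listener at 192.0.2.1:8080; "TargetApp" is a placeholder process name.
param(
    [string]$BurpHost = '192.0.2.1',
    [int]$BurpPort = 8080,
    [string]$ProcessName = 'TargetApp'
)

# 1. Is the Burp listener reachable from this VM at all?
$probe = Test-NetConnection -ComputerName $BurpHost -Port $BurpPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Burp listener $BurpHost`:$BurpPort is not reachable; check the listener's bind address and the VM network."
    return
}

# 2. Collect the established TCP connections owned by the app (all PIDs with that name).
$pids = @((Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id)
if ($pids.Count -eq 0) { Write-Warning "No running process named $ProcessName"; return }

$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $pids -contains $_.OwningProcess })

# 3. Anything not going to Burp is traffic Fiddler/Proxifier did not redirect.
$leaks = @($conns | Where-Object {
    -not ($_.RemoteAddress -eq $BurpHost -and $_.RemotePort -eq $BurpPort) })

"Established connections via Burp: $($conns.Count - $leaks.Count)"
if ($leaks.Count -gt 0) {
    Write-Warning "Connections bypassing the proxy (these will not appear in Burp history):"
    $leaks | Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort | Format-Table -AutoSize
}
```

Run it after the app has made a few requests; a non-empty bypass list usually means the process name or .exe path in your rule does not match the process that actually opens the sockets.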

Why use the VM?

Why use the VM at all? If I can target the traffic from the desktop apps and funnel it through Burp, why not just do that on my host instead? The first reason is obvious: I don’t want a potentially vulnerable desktop application sitting on my host machine. Even though virtual machine breakouts are possible, they are not trivial to execute, especially if you patch your hypervisor regularly.

We also want our engagements to be as disposable as possible. Windows desktop apps routinely change registry settings and leave traces behind on HDDs. Even if you uninstall them and use a cleaning utility there is still a chance that there is something left behind. Having the engagement evidence in a VM makes it easier to destroy and ultimately makes it easier to maintain confidentiality.

That concludes part 2 of the Windows 10 pentesting series. If you are interested in API pentesting, check out this post on API Testing with Postman. We also answer general basic questions on penetration testing in our Knowledge Center. Finally, if you’re looking for a penetration test, training for your organization, or just have general security questions, please Contact Us.
