RESEARCH
Amplia Security believes research activities are fundamental to generate innovation and to provide the best service possible to our clients, for this reason we are continuously investigating around several topics including vulnerability identification, prevention, reverse engineering and new attack vectors. Next you can find some of the results of our research.
GoSNMP Denial of Service Vulnerability
A malformed SNMPv1 trap packet can cause a Denial-of-Service condition in software using the gosnmp library.
OS X Gatekeeper Bypass Vulnerability
A malicious Jar file can bypass all OS X Gatekeeper warnings and protections, allowing a remote attacker to execute arbitrary unsigned code downloaded by the user. Java must be installed on the victim's machine.
Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability
Remote attackers can bypass authentication and access the router's management web interface obtaining complete control of the device.
Windows SMB NTLM Weak Nonce Vulnerability Advisory
We found several flaws in the NTLM authentication mechanism which completely break the security of the protocol allowing attackers to gain read/write access to files and remote code execution. One of the attacks presented includes the ability to predict pseudo-random numbers/challenges/nonces generated by the protocol. These flaws were present in all versions of Windows for 17 years. The advisory includes different fully working proof-of-concept exploits.
"Understanding the Windows SMB NTLM Weak Nonce Vulnerability"
Presentation explaining critical flaws found affecting the NTLM protocol, it includes exploitation code. The flaws found affected the NTLM protocol for 17 years.
Hernan Ochoa, Agustin Azubel
BlackHat USA 2010 (download) and Ekoparty 2010 (download)
"Transferring files on isolated remote desktop environments using windows messages"
Presentation that explains techniques to upload and download data on isolated Citrix environments (applies to remote desktop environments in general). An 'isolated' Citrix environment is one where there is no explicit communication channel with the 'outside world'; no clipboard, no client drive mapping, no internet access, etc. For example, companies setup such an environment on the Internet or Intranet to give users access to, for example, the source code of applications and other confidential information because they trust the information cannot be downloaded. This tool/technique proves that this information can be downloaded, and that users can, for example, upload tools that will help them get deeper access to the internal network the isolated server is connected to, elevate privileges, etc.
GUI Transfer Toolkit v1.0
Toolkit to upload/download files/data to isolated Citrix environments using the GUI as a communication channel
GTT v1.0 (download)
Windows Credentials Editor (WCE)
Windows Credentials Editor (WCE) is a security tool that allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets). This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon. WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.
Current Version: WCE v1.42beta (32-bit) (download) - WCE v1.42beta (64-bit) (download) - WCE v1.41beta (Universal Binary) (download)
Frequently Asked Questions (FAQ) available here.
WCE web page available here
WCE Internals
Presentation explaining the inner workings of WCE v1.1 including how Windows XP,2003,7,Vista and 2008 store credentials in memory, describing undocumented structures found via reverse engineering, encryption algorithms used to encrypt credentials and how to recover encryption keys and IVs to decrypt NTLM credentials.
RootedCon 2011 (download)
Post-Exploitation with WCE
This presentation describes the techniques WCE brings to penetration testers and how these can be used in different scenarios. Although originally targeted to college students studying information security, you might find useful information you didn't know about even if you are an experienced user of WCE or penetration tester.
UBA 2011 - Spanish (download) - English (download)
ASP.NET Padding Oracle attack PoC exploit (MS10-070)
This is a fully functional proof-of-concept exploit that takes advantage of the vulnerabilities described in MS10-070. This PoC exploit can be used against any ASP.NET application running under an unpatched version of the framework to download files from the remote web server. By default, the PoC exploit downloads the file 'Web.config'. This PoC exploit servers as a perfect example on how to implement a Padding Oracle attack.
ASP.NET Auto-Decryptor File Download PoC exploit (MS10-070)
This is a fully functional proof-of-concept exploit that takes advantage of the vulnerabilities described in MS10-070. This PoC exploit can be used against any ASP.NET application running under an unpatched version of the framework to download files from the remote web server. By default, the PoC exploit downloads the file 'Web.config'. This PoC exploit is padding oracle independent, it takes advantage of another source of information leak.
Decrypting Coldfusion datasources passwords
These two small scripts will allow you to decrypt the datasource passwords stored by Coldfusion. After compromising a coldfusion installation it is useful to obtain the clear-text passwords used for the different configured datasources. These passwords can then be used to access the datasources (commonly database servers) directly and to try to access other services.
Additional information: https://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html and https://hexale.blogspot.com/2009/10/how-to-decrypt-coldfusion-v6-datasource.html
Coldfusion v7 and v8 decryptor: https://www.ampliasecurity.com/research/coldfusion78_ds_decrypt.tgz
Coldfusion v6 decryptor: https://www.ampliasecurity.com/research/decryptcf6.tgz