Amplia Security believes research is fundamental to generating innovation and to providing the best possible service to our clients. For this reason we continuously investigate several topics, including vulnerability identification, prevention, reverse engineering and new attack vectors. Below you can find some of the results of our research.
Windows SMB NTLM Weak Nonce Vulnerability Advisory
We found several flaws in the NTLM authentication mechanism which completely break the security of the protocol, allowing attackers to gain read/write access to files and to achieve remote code execution.
One of the attacks presented includes the ability to predict pseudo-random numbers/challenges/nonces generated by the protocol. These flaws were present in all versions of Windows for 17 years. The advisory includes different fully working proof-of-concept exploits.
February 2010
Hernan Ochoa, Agustin Azubel (download)
"Understanding the Windows SMB NTLM Weak Nonce Vulnerability"
Presentation explaining the critical flaws found in the NTLM protocol; it includes exploitation code. The flaws affected the NTLM protocol for 17 years.
Hernan Ochoa, Agustin Azubel
BlackHat USA 2010 (download) and Ekoparty 2010 (download)
"Transferring files on isolated remote desktop environments using Windows messages"
Presentation that explains techniques to upload and download data on isolated Citrix environments (applies to remote desktop environments in general).
An 'isolated' Citrix environment is one where there is no explicit communication channel with the 'outside world'; no clipboard, no client drive mapping, no internet access, etc.
For example, companies set up such an environment on the Internet or Intranet to give users access to the source code of applications and other confidential information, because they trust that the information cannot be downloaded. This tool/technique proves that the information can be downloaded, and that users can, for example, upload tools that help them gain deeper access to the internal network the isolated server is connected to, elevate privileges, etc.
Hernan Ochoa
Ekoparty 2010 (download)
GUI Transfer Toolkit v1.0
Toolkit to upload/download files/data to isolated Citrix environments using the GUI as a communication channel
GTT v1.0 (download)
Windows Credentials Editor (WCE)
Windows Credentials Editor (WCE) allows you to list logon sessions and to add, change, list and delete the associated credentials (e.g., LM/NT hashes and Kerberos tickets).
This can be used, for example, to perform pass-the-hash on Windows; to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to perform further attacks; and to obtain Kerberos tickets and reuse them on other Windows or Unix systems.
Supports Windows XP, 2003, Vista, 7 and 2008.
Current Version: WCE v1.3beta (32-bit) (download) - WCE v1.3beta (64-bit) (download)
Old Versions (x32): WCE v1.2 (download), WCE v1.1 (download), WCE v1.0 (download)
Old Versions (x64): WCE v1.21 (download), WCE v1.2 (download)
Frequently Asked Questions (FAQ) available here.
WCE Internals
Presentation explaining the inner workings of WCE v1.1, including how Windows XP, 2003, Vista, 7 and 2008 store credentials in memory. It describes undocumented structures found via reverse engineering, the encryption algorithms used to encrypt credentials, and how to recover the encryption keys and IVs needed to decrypt NTLM credentials.
RootedCon 2011 (download)
Post-Exploitation with WCE
This presentation describes the techniques WCE brings to penetration testers and how these can be used in different scenarios. Although originally targeted at college students studying information security, it may contain useful information you didn't know about even if you are an experienced WCE user or penetration tester.
UBA 2011 - Spanish (download) - English (download)
ASP.NET Padding Oracle attack PoC exploit (MS10-070)
This is a fully functional proof-of-concept exploit that takes advantage of the vulnerabilities described in MS10-070. This PoC exploit can be used against any ASP.NET application running under an unpatched version of the framework to download files from the remote web server. By default, the PoC exploit downloads the file 'Web.config'. This PoC exploit serves as a perfect example of how to implement a Padding Oracle attack.
(download) (YouTube video) (Vimeo video)
ASP.NET Auto-Decryptor File Download PoC exploit (MS10-070)
This is a fully functional proof-of-concept exploit that takes advantage of the vulnerabilities described in MS10-070. This PoC exploit can be used against any ASP.NET application running under an unpatched version of the framework to download files from the remote web server. By default, the PoC exploit downloads the file 'Web.config'. This PoC exploit is independent of the padding oracle; it takes advantage of a different source of information leakage.
(download)
Decrypting ColdFusion datasource passwords
These two small scripts allow you to decrypt the datasource passwords stored by ColdFusion. After compromising a ColdFusion installation it is useful to obtain the clear-text passwords used for the different configured datasources. These passwords can then be used to access the datasources (commonly database servers) directly and to try to access other services.
Additional information: http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html and http://hexale.blogspot.com/2009/10/how-to-decrypt-coldfusion-v6-datasource.html
ColdFusion v7 and v8 decryptor: http://www.ampliasecurity.com/research/coldfusion78_ds_decrypt.tgz
ColdFusion v6 decryptor: http://www.ampliasecurity.com/research/decryptcf6.tgz