War Room

Shells From Above

RSM logo

Home > Offense > Let’s Hack! Part 2: Using Certificates From “Let’s Encrypt”

Let’s Hack! Part 2: Using Certificates From “Let’s Encrypt”

By

This is the second post of a two-part series, so if you haven’t read part one yet, stop reading, and go do that first.  Those that have followed through the first post will have installed the Let’s Encrypt client and obtained their first certificate.  Now lets take a look at how to leverage this certificate for some offensive purposes.  This post will walk through using the certificate with several attacker tools, but before we dive into the how we should discuss the why.

Why Use a Certificate?

The reasons for an attacker to use a certificate don’t really differ from any other use case.  First, the certificate offers the ability to encrypt communication between the client and server.  For an attacker this is important if they wish to remain undetected.  If unencrypted communications are used during an operation, they may be identified on the wire and trigger an alert.  Obviously, this could be detrimental for the attackers.  While this same protection can be provided with a self-signed certificate, the sketchy-factor goes way up, which brings us to the next point.  The use of a certificate adds legitimacy to any attacker web servers that are used during the operation.  From phishing sites to C2 servers, using a certificate will only improve the outward legitimacy of your malicious sites.

Remember that little lock icon that you have been telling your users to check for years?  Well, now my phishing site has it too (and I didn’t have to fake it with the favicon!).  Noticing some encrypted traffic leaving your network going to some search site with which you are not familiar?  Now when you browse to the site to check things out, it looks a little bit more believable (hopefully you do more research than just browsing the site).

The point is that we have spent decades educating our users, and ourselves, that sites with valid certificates are trustworthy.  While that was never really the case, because attackers with a couple hundred bucks to spend could have always purchased valid certificates, with the birth of Let’s Encrypt, the bar has been lowered significantly.

 

Prep Certificates

Before we dive into the tools, there is one more quick step to get our certificate in the correct format.  If you recall at the end of Part 1, we had four .pem files:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

For our purposes, we only need to worry about cert.pem and privkey.pem, but our tools will require that they are provided in a single unified file.  To do this, make use of the cat command:

cat privkey.pem cert.pem >> unified.pem

Notice that the private key should be the first section of the unified file.  Now, we are finally ready to get on with the sploitin’.

Note: All domain names and IP addresses in the following screenshots have been obfuscated for obvious reasons.

King Phisher

Phishing is one attack vector that can greatly benefit from the use of a certificate.  This is mainly attributed to the perceived trustworthiness of the site, which can help assuage the fears of users entering their credentials or downloading files from the phishing site.  Call me biased, but my favorite tool for phishing is King Phisher.  If you have been reading the blog, or are familiar with our work, you should recognize King Phisher.  By checking the King Phisher Wiki you’ll notice how simple it is to make use of a certificate on your phishing site.  You just need to set the appropriate value(s) in your server config file and you are good to go.

Note: If you are using the unified file that we created previously, you can just point the “ssl_cert” setting to that file.  Otherwise, King Phisher will support the ability to use separate files for the certificate and key. Yay options!

The following image shows a browser connecting to the King Phisher server with no certificate issues.

blog2 kp-valid-cert
King Phisher 404 Page with Legitimate Cert

The 404 error is displayed because I didn’t take the time to set up a campaign and create content for a landing page.  Obviously, for a real operation, I would have set up the page according to my pretext.  The King Phisher Templates Repository would be a good place to start if you are looking for some content to sample.

Metasploit

For this use case, we will be setting up a payload handler (exploit/multi/handler) with the “windows/meterpreter/reverse_https” payload as shown in the following image:

blog2-msf-handler
Handler in Metasploit

Start the handler, which is a web server, by issuing the “exploit” command and then browse to the site. Make sure you use the host name you set up for the domain and not the IP you specified for the “LHOST” option.  You will get a certificate warning because currently the handler is using the self-signed certificate automatically generated by Metasploit.

blog2-msf-invalid-cert
Metasploit Handler Page with Illegitimate Cert

Kill the handler, and this time set the “HandlerSSLCert” parameter to point at the unified.pem file you created earlier.  Start the handler again (“exploit” command) and now when you browse to the site, there will not be any certificate warning.

blog2-msf-valid-cert
Metasploit Handler Page without Certificate Error

For bonus points, set the “HttpUnknownRequestResponse” parameter to something that looks a bit more believable.  This will increase the legitimacy of the site even more.

 

Empire

Hopefully you are familiar with Empire by this point, but if not, @P4tchw0rk wrote a solid introduction a while ago (see if you can spot all of the Star Wars puns).  The setup for this is going to be similar to Metasploit, so I’ll skip the part where we do it wrong the first time.  When creating your listener make sure you specify the “Port” and “CertPath” parameters.  Upon setting “Port” to “443” the “Host” parameter will update and change the protocol from “http” to “https”.  You should be fine leaving everything else with the default settings, at least for testing.

blog2-empire-settings
Empire Listener Settings

Get the listener doing its job with the “execute” command.  Afterwards, browse to the site just like before and bask in the glory of your valid certificate.

blog2-empire-valid-cert
Empire Listener Page with Legitimate Cert

As you can see, the default content when browsing the site isn’t much more than the default Metasploit provided.  Unfortunately, there isn’t a parameter you can set that will change the content the way you can with Metasploit.  If you don’t mind getting you hands dirty a bit, you can accomplish the same by editing some lines in one of the source files.

With that, we are pretty much done with this quick series.  Hopefully these posts have got you thinking about how you can use valid certificates to increase the success of your various offensive techniques.  Thanks for reading, Happy New Year, and as always:

Happy Hunting!