A few weeks ago, around the time of the DigiNotar compromise, I thought that it'd be really neat to have a way to inject a trusted Certificate Authority as part of post-exploitation activities. So I made one! There's currently an issue in Metasploit's issue tracker for my patch, myca.
Figuring out how to add a CA to a Windows host didn't take much; existing CAs can be found at the following location in the Windows registry: HKLM\Software\Microsoft\SystemCertificates\CA\Certificates\
The branches of that tree are named after the SHA1 of the various CAs' certificates. The contents of each of these branches consisted of a single value, Blob, whose data was, funnily enough, a lot of hex. I imported my own CA through Internet Explorer so that I'd have more known elements, and sat down with a coffee to pull it apart.
I found the following elements of my certificate to be included somewhere in the hex:
The pseudo-hex of the blob of my certificate can be found below:
04 00 00 00 01 00 00 00 10 00 00 00 <md5>
03 00 00 00 01 00 00 00 14 00 00 00 <sha1>
14 00 00 00 01 00 00 00 14 00 00 00 <subject key identifier>
20 00 00 00 01 00 00 00 41 03 00 00 <DER of the certificate>
^1 ^2 ^3
The red identifiers above can be explained as such (as far as I can tell, anyway; the explanation works for me):
Armed with the information above, I spent a few hours battling with Ruby to get the formatting right, and I could form the blob perfectly. Using the existing registry commands in meterpreter, the rest of the module was a piece of cake.
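As an added example (not code from the myca module), here is a small Python parser for the Blob layout shown above, written from the defender's side: it splits the value into its records and cross-checks the stored hashes and the registry key name against the embedded certificate, which is a quick way to audit a host's CA store for entries that don't add up. The property ids are the ones on the page; the sample blob and its placeholder "DER" bytes are constructed here and are not real certificate data.

```python
"""Parse and audit a Windows SystemCertificates 'Blob' registry value.

Each record is: property id (u32 LE), a u32 that is 1 in every record on
the page, data length (u32 LE), then the data. Property ids seen on the
page: 0x04 MD5 hash, 0x03 SHA-1 hash, 0x14 subject key identifier,
0x20 DER-encoded certificate.
"""
import hashlib
import struct

MD5_HASH, SHA1_HASH, KEY_ID, CERT = 0x04, 0x03, 0x14, 0x20
_HDR = struct.Struct("<III")  # property id, flag (always 1 here), data length


def parse_blob(blob: bytes) -> dict:
    """Return {property_id: data} for every record in the blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + _HDR.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, flag, length = _HDR.unpack_from(blob, off)
        off += _HDR.size
        if flag != 1 or off + length > len(blob):
            raise ValueError("bad record (id=%#x) at offset %d" % (prop_id, off))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def audit_blob(blob: bytes, key_name: str) -> list:
    """Return a list of inconsistencies between the blob and its registry key name.

    The key name is the SHA-1 hex of the certificate, so the stored SHA-1
    record, the recomputed SHA-1 and the key name should all agree.
    """
    props, findings = parse_blob(blob), []
    der = props.get(CERT)
    if der is None:
        return ["no certificate (0x20) record"]
    sha1 = hashlib.sha1(der).digest()
    if props.get(SHA1_HASH) != sha1:
        findings.append("stored SHA-1 property does not match certificate")
    if props.get(MD5_HASH) != hashlib.md5(der).digest():
        findings.append("stored MD5 property does not match certificate")
    if sha1.hex().upper() != key_name.upper():
        findings.append("registry key name does not match certificate SHA-1")
    return findings


def _sample_blob(der: bytes, key_id: bytes) -> bytes:
    """Construct sample input in the layout above (for testing the parser only)."""
    recs = [(MD5_HASH, hashlib.md5(der).digest()), (SHA1_HASH, hashlib.sha1(der).digest()),
            (KEY_ID, key_id), (CERT, der)]
    return b"".join(_HDR.pack(pid, 1, len(d)) + d for pid, d in recs)


# Constructed sample: placeholder bytes stand in for a real 0x341-byte DER certificate.
SAMPLE_DER = b"\x30\x82\x03\x3d" + b"\x00" * 829
SAMPLE_BLOB = _sample_blob(SAMPLE_DER, b"\x11" * 20)
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
```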
Myca also allows the adding and removing of entries from the Windows hosts file, which makes SSL MITM that much easier, as you no longer need to be on your victim's network. Bonus.