Introduction
Managing certificates has always been tedious, which is why SpecterInsight has a dedicated UI just for certificate management, in order to make that work as easy as possible for the operator.
Out-of-the-box, SpecterInsight will generate two new self-signed SSL certificates: one for the management API and one for implant C2 channels. These will be sufficient for installation and evaluation; however, these certificates, particularly the certificate for C2, should be changed for any contracted engagements. I assume that the fields of the default certificates will be signaturized very quickly, and self-signed certificates can be a red flag to network defenders.
This tutorial will show you how to manage SSL certificates using SpecterInsight.
Viewing Certificates
Certificates can be viewed in the Certificates page under the Operations tab. The two newly generated default certificates are shown in the list.
Creating a New Self-Signed Certificate
At a minimum, you probably want to generate a custom self-signed certificate so that you’re not using the default (with its likely signaturized fields). You can do this by clicking on the “New” button. This will bring up a new window similar to the one shown here. Fill out the fields and then click “Create Certificate” to generate the certificate.
You should now see an updated certificate similar to the one below. This certificate can now be selected when setting up an HTTPS listener.
Importing a Certificate
You can import any certificate generated outside of SpecterInsight; however, the certificate must contain both the public AND private keys, otherwise the certificate cannot be used to host encrypted communications. These types of certificates often come password protected. SpecterInsight will first try to open the certificate file without a password. If that fails, then the UI will prompt for a password.
Click on the “Import” button to bring up the “Import Certificate” window. Click on the button next to the “Certificate Path” to bring up the open file dialog.
In this case, the file containing both the public and private keys is a .pfx file. Select the certificate file you
SpecterInsight has determined that this file is password protected and must be decrypted prior to import, so an additional password field is displayed.
Type in the password and then click the “Import” button.
You should now see the new certificate available in the certificate list. This certificate can now be used to encrypt implant or management traffic.
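The two procedures above (generating a self-signed certificate with your own subject fields, and importing a .pfx that must carry the private key and may be password protected) as an added example; this is not SpecterInsight's code. It assumes the third-party Python "cryptography" package is installed, and the function names, subject values and password are hypothetical placeholders. The import helper mirrors the page's flow: open the bundle with no password first, prompt only if that fails, and reject a bundle that has no private key.

```python
# Added example (not SpecterInsight code): generate a self-signed certificate
# with custom subject fields, export it as a password-protected .pfx, and import
# it the way the page describes (try without a password, then prompt).
# Assumes the third-party 'cryptography' package; all names here are hypothetical.
import datetime
from typing import Callable, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str, org: str, days: int = 365):
    """Generate an RSA key and a self-signed cert whose subject fields are chosen
    by the operator rather than inherited from a tool's defaults."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)  # self-signed: the issuer is the subject itself
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def export_pfx(key, cert, password: Optional[bytes]) -> bytes:
    """Bundle key + cert into PKCS#12 (.pfx); None means no password protection.
    Passing key=None yields a public-only bundle, which a listener cannot use."""
    enc = serialization.BestAvailableEncryption(password) if password else serialization.NoEncryption()
    return pkcs12.serialize_key_and_certificates(b"listener-cert", key, cert, None, enc)


def import_pfx(data: bytes, ask_password: Callable[[], bytes]):
    """Open the .pfx without a password first; only on failure ask for one.
    Rejects bundles that lack a private key, since they cannot serve TLS."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(data, None)
    except ValueError:
        # 'cryptography' raises ValueError when the MAC check or decryption fails
        key, cert, _chain = pkcs12.load_key_and_certificates(data, ask_password())
    if key is None:
        raise ValueError("bundle has no private key; cannot host encrypted comms")
    return cert, key


def subject_cn(cert) -> str:
    """Common Name of the certificate subject (handy for the certificate list)."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    k, c = make_self_signed("updates.example.test", "Example Holdings")  # constructed values
    blob = export_pfx(k, c, b"s3cret")
    cert, _ = import_pfx(blob, lambda: b"s3cret")
    print("imported", subject_cn(cert))
```

In a real import the `ask_password` callable would wrap the UI prompt; keeping it injectable is what lets the no-password-first behaviour be tested without interaction.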
Generate a Trusted Certificate with LetsEncrypt
How LetsEncrypt Works
LetsEncrypt is a free service for generating trusted SSL certificates. Normally, to get a certificate you would need to purchase one from one of the large certificate authorities so that the certificate chain could be validated and trusted by your target users. LetsEncrypt provides this service for free to help improve secure communications globally. LetsEncrypt uses a protocol called Automated Certificate Management Environment (ACME). This protocol was designed by the Internet Security Research Group (ISRG) to automate the issuance and renewal of certificates, all without human interaction. SpecterInsight implements an ACME client to automate this process for you.
All you need to do to generate an SSL certificate with LetsEncrypt is:
- Own a domain
- Create an account (which can be done via API)
- Prove you own the domain
Acquire a Domain
This step must be done outside of SpecterInsight. There are multiple ways to acquire a domain, the simplest of which is to purchase one for a few bucks a month.
Creating a LetsEncrypt Account
From the Certificates page, click on the “LetsEncrypt” tab. This area lists all of the LetsEncrypt accounts managed by SpecterInsight. By default, no accounts exist. Start by clicking the “New Account” button.
Type in the email address you wish to use for the LetsEncrypt account, then click the “Create Account” button.
Create a New Authorization
You should now see the account listed in the table. LetsEncrypt offers two ways to conduct validation: (1) HTTP and (2) DNS. For this example, we will use DNS. Select the account and then click the “Create
SpecterInsight communicates with LetsEncrypt using the ACME protocol to generate a validation token. To prove you own the domain for which the request is being made, you must create a DNS TXT record called _acme-challenge.yourdomain.com and store the token value there.
You can verify that the TXT record has been updated with the nslookup command.
nslookup -type=TXT _acme-challenge.chat.practicalsecurityanalytics.com
Next, click the “Validate” button. This will use the ACME protocol to request validation. The LetsEncrypt servers will query the _acme-challenge DNS record and verify the contents match the token generated in the previous step. If successful, LetsEncrypt will issue a certificate and SpecterInsight will download and add the certificate to the SpecterInsight certificate store.
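The DNS validation steps above (the token SpecterInsight obtains over ACME, the _acme-challenge TXT record, the nslookup check, and the Validate step) as an added example; this is not SpecterInsight's code. It assumes the UI hands you the ready-to-paste TXT value; the example shows how that value is derived from the raw token and the account key under RFC 8555 (the record holds a SHA-256 digest of the key authorization, not the bare token) and then checks resolver output for it before asking the CA to validate. The account JWK, token, resolver output and function names are constructed placeholders.

```python
# Added example (not SpecterInsight code): derive the value a DNS-01 challenge
# puts in _acme-challenge.<domain> from the ACME token and account key
# (RFC 8555 s8.1 and s8.4, RFC 7638), and check resolver output for it before
# asking the CA to validate. Token and JWK below are constructed placeholders.
import base64
import hashlib
import json
from typing import Dict, Iterable


def b64url(data: bytes) -> str:
    """ACME's base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 s3.2: the thumbprint covers only the required public members, sorted
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def thumbprint_input(jwk: Dict[str, str]) -> str:
    """Canonical JSON over the required members: sorted keys, no whitespace.
    Extra members such as 'kid' or 'alg' must not influence the thumbprint."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: token '.' base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization)),
    a digest derived from the token rather than the bare token."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """Name of the TXT record the CA will query for this domain."""
    return "_acme-challenge." + domain.rstrip(".")


def txt_record_ready(observed_txt: Iterable[str], expected: str) -> bool:
    """Resolvers print TXT data quoted; strip quotes and require an exact match.
    Several TXT records may coexist (stale challenges, other pending orders)."""
    return any(v.strip().strip('"') == expected for v in observed_txt)


# Constructed sample: a P-256 account key (placeholder coordinates) and a token
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example.test/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(challenge_record_name("chat.practicalsecurityanalytics.com"), "TXT", expected)
    # Constructed resolver output: one stale record plus the fresh one
    observed = ['"2jTaBwsgRTk"', '"' + expected + '"']
    print("ready to validate:", txt_record_ready(observed, expected))
```

Checking the record locally before clicking Validate matters because the CA's resolvers query authoritative servers directly; a value still propagating, or one pasted with the surrounding quotes, fails the challenge and the order has to be retried with a fresh token.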