EMET, the Microsoft tool, introduced in its 4.0 version the chance to pin root certificates to domains, only in Internet Explorer. Although useful and
necessary, the ability to associate domains to certificates does not seem to be
very used nowadays. It may be hard to set and use… we have tried to fix it with EmetRules.
necessary, the ability to associate domains to certificates does not seem to be
very used nowadays. It may be hard to set and use… we have tried to fix it with EmetRules.
To pin a
domain with EMET it is necessary
domain with EMET it is necessary
- Check
the certificate in that domain - Check its
root certificate - Check
its thumbprint - Create
the rule locating the certificate in the store - Pin the
domain with its rule
Steps are summarized in this figure:
It is
quite a tedious process, much more if your target is to pin a big number of
domains at once. In Eleven Paths we have studied how EMET works, and created EmetRules, a
little command line tool that allows to complete all the work in just one step. Besides it allows batch work. So it will
connect to domain or list indicated, will visit 443 port, will extract SubjectKey from its root
certificate, will validate certificate chain, will create the rule in EMET and pin it with the
domain. All in one step.
 |
| EmetRules de ElevenPaths |
The
way it works is simple. The tools needs a list of domains, and will create its
correspondent XML file, ready to be imported to EMET, even from the tool
itself (command line).
Some options are:
Parameters:
- “urls.txt”: Is
a file containing the domains, separated by “n”. Domains may have “www” on them or not. If not, EMET
will try both, unless stated in “d” option (see below).
- “output.xml”
specifies the path and filename of the output file where the XML config file that EMET
needs will be created. If it already exists, the program will ask if it should
overwrite, unless stated otherwise with “-s” option (see below).
Options:
- t|timeout=X. Sets the timeout in milliseconds for the request. Between 500 and 1000 is recommended, but it depends on the trheads used. 0 (by default) states for no timeout. In this case, the program will try the connection until it expires.
- “s”, Silent mode. No output is generated or question asked. Once finished it will not ask if you wish to import the generated XML to EMET.
- “e”, This option will generate a TXT file named “error.txt” listing the domains that have generated any errors during connection. This list may be used again as an input for the program.
- “d”. This option disables double checking, meaning trying to connect to main domain and “www” subdomain. If the domain with “www” is used in “url.txt”, no other will be connected. If not, both will be connected. With this option, it will not.
- c|concurrency=X. Sets the number of threads the program will run with. 8 are recommended. By default, only one will be used.
- “u”. Every time the program runs, it will contact central servers to check for a new version. This option disables it.
Tool is
intended mainly for admins or power users that use Internet Explorer and
want to receive an alert when a connection to a domain is suspected to be
“altered”. Pinning system in EMET is far to be perfect, and even the
warning displayed is very shy (it allows to get to the suspected site), but we
think is the first step to what it will be, for sure, an improved feature in
the future.
intended mainly for admins or power users that use Internet Explorer and
want to receive an alert when a connection to a domain is suspected to be
“altered”. Pinning system in EMET is far to be perfect, and even the
warning displayed is very shy (it allows to get to the suspected site), but we
think is the first step to what it will be, for sure, an improved feature in
the future.
It may be downloaded from: http://elevenpaths.com/downloads/emetrules.zip
We encourage you to use it.
