A simple command line tool that creates a configuration for importing into EMET, so that the user does not need to take any action

Technology description


To pin a domain with EMET's Certificate Trust feature, the following steps are necessary:

- Retrieve the certificate the domain presents.
- Determine which root CA the certificate chain ultimately trusts.
- Check that root's digital fingerprint (thumbprint).
- Create the pinning rule by locating that root certificate in the Windows certificate store.
- Associate the domain with the rule.

These steps are summarized in the image on this page.

It is a tedious process, especially when a large number of domains are to be pinned. At ElevenPaths we studied how EMET works and created EmetRules, a simple command line tool that does all of this in a single step, and can do it in batches. Given a domain or a list of domains, it connects to each one over TLS on port 443, extracts the SubjectKey of the root certificate the server's chain leads to, validates the certificate chain, creates the corresponding rule in EMET and "pins" the domain to that rule. All in a single step.
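The following script is an added example, not EmetRules' own code, that walks through the same pipeline the five steps and the paragraph above describe: expand the domain list (with the same bare/"www" double-check the tool applies), obtain the root the validated chain ends in, take its fingerprint, and emit an EMET pinning configuration with one rule per distinct root and one pinned site per host. Assumptions not taken from the page: the XML layout (EMET/Pinning/PinRules/PinRule/Certificate@Thumbprint and PinnedSites/PinnedSite@PinRule) follows EMET 4.x's CertTrust.xml as I remember it, so compare it against an export from your own EMET version before importing; certificates are referenced by SHA-1 thumbprint rather than the SubjectKey the page mentions; the rule names, the `Version` value and the sample domains and fingerprints are constructed. The online lookup needs Python 3.13 (for `SSLSocket.get_verified_chain()`) and network access; everything else runs offline on the constructed data.

```python
"""EMET certificate-pinning config builder (added example, not EmetRules)."""
import hashlib
import socket
import ssl
import xml.etree.ElementTree as ET


def expand_domains(text, double_check=True):
    """One domain per line, as in urls.txt. Without the -d switch an entry
    lacking "www." is tried both bare and with "www." prepended; an entry
    that already carries "www." is tried only as given."""
    hosts = []
    for line in text.splitlines():
        host = line.strip().lower()
        if not host or host.startswith("#"):
            continue
        hosts.append(host)
        if double_check and not host.startswith("www."):
            hosts.append("www." + host)
    return list(dict.fromkeys(hosts))  # keep order, drop duplicates


def thumbprint(der):
    """SHA-1 thumbprint, upper-case hex, as certmgr.msc displays it."""
    return hashlib.sha1(der).hexdigest().upper()


def fetch_root_der(host, timeout_ms=1000):
    """Connect over TLS on 443, validate the chain against the local trust
    store and return the DER bytes of the trusted root it ends in.
    Needs Python 3.13+ and network access; raises OSError (DNS, timeout,
    TLS or verification failure) on any problem."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout_ms / 1000) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            chain = tls.get_verified_chain()  # list of DER bytes, leaf first
    return chain[-1]


def lookup_root_online(host, timeout_ms=1000):
    """Real lookup: (thumbprint, display name). The name is cosmetic here;
    the thumbprint is what identifies the root in the store."""
    return thumbprint(fetch_root_der(host, timeout_ms)), ""


def build_pinning_xml(pins):
    """pins: {host: (root_thumbprint, root_name)} -> EMET config XML string.
    Element and attribute names are an assumption (see lead-in)."""
    emet = ET.Element("EMET", Version="4.0")  # placeholder version string
    pinning = ET.SubElement(emet, "Pinning", Enabled="True")
    rules = ET.SubElement(pinning, "PinRules")
    sites = ET.SubElement(pinning, "PinnedSites")
    rule_for = {}  # thumbprint -> rule name; one rule per distinct root
    for host, (tp, name) in pins.items():
        if tp not in rule_for:
            rule_name = "Root_" + tp[:8]  # constructed naming scheme
            rule = ET.SubElement(rules, "PinRule", Name=rule_name)
            cert = ET.SubElement(rule, "Certificate", Thumbprint=tp)
            if name:
                cert.set("Name", name)
            rule_for[tp] = rule_name
        ET.SubElement(sites, "PinnedSite", Name=host, PinRule=rule_for[tp])
    return ET.tostring(emet, encoding="unicode")


def build_config(domain_list, lookup_root, double_check=True):
    """Whole pipeline. lookup_root(host) -> (thumbprint, name) or raises
    OSError. Failed hosts are collected the way EmetRules' error.txt does."""
    pins, errors = {}, []
    for host in expand_domains(domain_list, double_check):
        try:
            pins[host] = lookup_root(host)
        except OSError as exc:
            errors.append((host, str(exc)))
    return build_pinning_xml(pins), errors


# Constructed sample data: not real domains' roots, not real thumbprints.
SAMPLE_LIST = "example.com\nwww.example.org\n# comment line\n"
FAKE_ROOTS = {
    "example.com": ("A" * 40, "Constructed Root CA 1"),
    "www.example.com": ("A" * 40, "Constructed Root CA 1"),
    # www.example.org deliberately missing: simulates a connection error
}


def fake_lookup(host):
    """Offline stand-in for lookup_root_online."""
    if host not in FAKE_ROOTS:
        raise ConnectionError("constructed: connection refused")
    return FAKE_ROOTS[host]


if __name__ == "__main__":
    xml_text, errors = build_config(SAMPLE_LIST, fake_lookup)
    with open("output.xml", "w", encoding="utf-8") as f:
        f.write(xml_text)
    with open("error.txt", "w", encoding="utf-8") as f:
        f.writelines(f"{h}\t{why}\n" for h, why in errors)
```

For real use, pass `lookup_root_online` instead of `fake_lookup`; the resulting output.xml is then imported with EMET's command-line importer (`EMET_Conf.exe --import output.xml`). Note that both example.com and www.example.com end up bound to the same rule because they share a root, which is the grouping an administrator wants: a rule per root CA, not per host.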

It now also includes an Internet Explorer plugin that makes the tool easier to use from the browser.

Functionalities

Parameters:

"urls.txt": the file containing the domains to pin, one per line. Entries may or may not include the "www" subdomain; if they do not, the program tries both the bare domain and its "www" subdomain, unless this is disabled with the "-d" switch.

"output.xml": the path and file name of the configuration XML file that EMET will import. If the file already exists, the program asks whether to overwrite it, unless silent mode ("-s") is active.

Options:

t|timeout=X: the timeout in milliseconds for each request. Between 500 and 1000 milliseconds is recommended, although the right value depends on the number of threads.

"s", silent mode: no output is produced and no questions are asked. Note that on completion it will also not ask whether to configure EMET by importing the XML.

"e": writes a file called "error.txt" listing the domains whose connection failed for any reason.

"d": disables double-checking. By default, an entry without "www" is tried both as the bare domain and as its "www" subdomain, while an entry that already includes "www" is tried only as given. With this switch, each domain is tried exactly as listed.

c|concurrency=X: the number of threads the program runs with, that is, the number of simultaneous connections.

"u": on each launch, contacts the central servers to check whether a newer version exists.

"ie": custom mode for the Internet Explorer extension; overwrites the supplied XML without asking and shows less information.

The tool is designed for administrators and advanced users who use Internet Explorer and want to be alerted when the certificate chain presented by a pinned domain no longer leads to the expected root, a sign that the connection may be being tampered with. Although EMET's pinning is far from perfect and only raises a low-profile alert (it still lets the user reach the site), it is a first implementation whose functionality is sure to improve in the future.