12/05/13. Version 0.2
EmetRules is a simple command line tool that creates a configuration for importing into EMET, so that the user does not need to take any action.
To pin a domain with EMET, the following is necessary:
- Consult the certificate of this domain.
- Check what root the connection eventually trusts.
- Check its digital fingerprint.
- Create the rule by finding the certificate in the repository.
- Associate the domain to the corresponding rule.
These steps are summarized in the image located in this page.
It is a quite tedious process, especially if a good number of domains are to be pinned. At ElevenPaths, we have studied the functioning of EMET and created EmetRules, a simple command line tool making it possible to do all of the work in a single step. In addition, it makes it possible to perform the work in batches. That is, it connects to the domain or domain list indicated, visits the page through port 443, extracts the SubjectKey of the returned root certificate, validates the certification chain, creates the rule in EMET and, in addition, “pins” it to the domain. All in a single step.
Aside, it now includes a plugin so it is easier to use from Internet Explorer.
“urls.txt”: The file that contains the domains, separated by carriage returns. Domains may or may not include the “www” subdomain. If not, the program attempts to use the two, unless otherwise specified using the “-d” switch.
“output.xml”: specifies the path and file name for the creation of the configuration XML file required by EMET. If one already exists, the program asks if it should be overwritten, unless otherwise specified using the “-s” switch.
t|timeout=X: Establishes the time in milliseconds for the request. Between 500 and 1000 milliseconds are recommended, although it depends on the threads established. The value 0 indicates that there is no timeout (default value). In this case, the program attempts to connect until the connection expires.
“s”, Silent mode: Neither output nor questions are generated. Note that once finished, it will not ask whether the user wishes to configure EMET by importing the XML either.
“e”: This option generates a txt file called “error.txt” that contains the listing of domains that have generated an error in the connection for any reason. This listing can be used again to attempt it with the program.
“d”: This options disables double-checking. This means that an attempt is made to connect to the main domain and its “www” subdomain. If the domain is specified in the list with “www”, no other attempt will be made. If it is not specified, both will be attempted. With this option active, not.
c|concurrency=X: Establishes the number of threads with which the program will run. They are the number of simultaneous connections. Eight are recommended. The default is only one.
“u”: Each time the program is launched, it contacts the central servers to check whether a new version exists. This options disables this check.
“ie”: ie extension custom mode, overwrites supplied xml and shows less info.
The tool is designed for administrators and advanced users who use Internet Explorer and want to enable an alert when there is a suspicion that the connection to a domain may be in the process of being altered. Although the EMET pin system is far from perfect and issues a very low-level alert (it continues to give access to the site), it is a first implementation whose functionality is sure to improve in the future.
Some domains return different valid root certificates, depending on the country from which they are visited or other circumstances. The tool, for its part, does not allow pinning various certificates to a single domain, and therefore is linked to the place where it is executed.