Added option --tls-certKey to supply cert private key#20
Conversation
Thanks for the PR and no worries! |
That is totally fine and understandable—no problem at all. |
Sorry for the late response(s). I have not forgotten this PR, I just did not have the time yet (and do not in the coming 2-3 weeks. Bear with me, I will merge it when life is a bit less stressful. Hopefully in august. |
| if has_cert and has_private_key: | ||
| self.logger.warning("Private key BEGIN in the certfile is not secure separate the two and keep the private key safe") |
There was a problem hiding this comment.
I will remove this warning since imo it is fine to store both in one file. Usually you throw away both after the attack, so this is never supposed to be stored long term anyway. Let me know if you think otherwise



Hello Neff,
sorry for the delay
What changed:
This PR adds support for providing a TLS certificate private key as a separate file via the
--tls-certKeyarg.see issue #19 for more details
Key features:
--tls-certKeyis not provided, the code automatically checks if the certificate file contains an embedded private key (legacy format)How to test (simple test):
Generate a self-signed certificate and private key :
openssl genrsa -out private_key.pem 2048 openssl req -x509 -new -key private_key.pem -out certificate.pem -days 365 -nodes -subj "/"sudo wsuks --serve-only --tls-cert certificate.pem --tls-certKey private_key.pem # use -I to specify the correct interfaceHow to test against ESC17 LAB:
attack flow (template vulnerable for ESC17 --> CSR generation --> Submit CSR to CA --> Retrieve cert.pem --> (optional) Convert to PFX --> Extract cert.pem + private_key.pem --> Run wsuks with --tls-cert and --tls-certKey )
1) Obtain CSR via enrolled user
2) Submit CSR to CA and retrieve certificate
from compromised windows machine as user with enrollment right to ESC17
download the cert.pem to your machine and use it with the generated private key or convert it to pfx to save it and use later.
back to our attacker machine.
3) Convert certificate + key into PFX (step 3 and 4 are optional. once you get cert.pem you can jump to step 5)
4) Extract cert.pem and private_key.pem from PFX
5) Run wsuks with TLS cert and key
note* in this scenario i have control over dns and was able to add machines account to domain so i pointed wsus.domain.local to machine i control
note** the private_key.pem you generated with
openssl genrsa -out private_key.pem 2048is the same privatekey thats get extracted withopenssl pkcs12 -in certificate.pfx -nocerts -out private_key.pem -nodes -passin pass:YOUR_PFX_PASSWORD