Creating a local self signed certificate for localhost testing of Wyrm C2

Generating local self signed TLS certificates


Intro

During some modifications to the Wyrm C2, I have now made it a requirement, at least for the client, to interact with the C2 via HTTPS, so we can make use of secure cookies for authentication.

As such, if you deploy the C2 on localhost, we need a valid certificate that both the browser and the implant trust. As the certificate is not issued by a public Certificate Authority, we need to make sure the correct trust chains are in place for this.

Note: This is only for development where the C2, implant and client are working on localhost. To deploy publicly, simply request a TLS certificate as for a normal domain, and move the public and private keys into /nginx/certs before running the docker containers for them to copy across. Make sure to edit the nginx.conf in /docker with the correct DNS name(s).

There are two elements to cover here: the first is creating the certificate and adding your new CA as a trusted root, and the second is ensuring the browser trusts the certificate. For this we are using Windows and Firefox.

Creating a CA and a certificate

In an admin PowerShell window, enter the following to create a local Certificate Authority from which we can generate a locally trusted TLS certificate pair (feel free to edit the CA names, etc.):

# Create the CA
$rootCA = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -KeyUsage CertSign, CRLSign, DigitalSignature -Subject "CN=Wyrm Local Dev CA" -CertStoreLocation "Cert:\LocalMachine\My" -HashAlgorithm SHA256 -KeyLength 4096 -NotAfter (Get-Date).AddYears(20) -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0")

Export-Certificate -Cert $rootCA -FilePath "$env:USERPROFILE\Desktop\wyrm_local_ca.cer"

Import-Certificate -FilePath "$env:USERPROFILE\Desktop\wyrm_local_ca.cer" -CertStoreLocation Cert:\LocalMachine\Root

# Generate the cert
$localhostCert = New-SelfSignedCertificate -Type Custom -Subject "CN=localhost" -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1") -Signer $rootCA -CertStoreLocation "Cert:\LocalMachine\My" -HashAlgorithm SHA256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(5)

$password = ConvertTo-SecureString -String "1234" -Force -AsPlainText

Export-PfxCertificate -Cert $localhostCert -FilePath "$env:USERPROFILE\Desktop\localhost.pfx" -Password $password

Now, in a WSL terminal, navigate to the Desktop where we saved localhost.pfx, and run the following commands to extract the certificate and private key as PEM files:

openssl pkcs12 -in localhost.pfx -nokeys -out cert.pem -passin pass:1234
openssl pkcs12 -in localhost.pfx -nodes  -out key.pem  -passin pass:1234

Finally - copy the cert.pem and key.pem files into the Wyrm project /nginx/certs so the nginx docker container can ingest them and serve them locally. Remember - this is only for testing the C2 framework on localhost.

Allowing the certificate in the browser

For this, we will use Firefox, but feel free to modify as needed for other browsers. Now that the cert is trusted, we need to make sure the browser recognises certs issued by our CA.

In the Firefox settings, search for Certificates and then go into: View Certificates > Authorities > Import. Navigate to the localhost.pfx on the desktop (or wherever you saved it), and import it, ticking the option to trust it for websites.

Now, your browser can make HTTPS requests to the C2, enabling HTTPS secure cookies :).

Final note

As a final note: in your C2 malleable profile for Wyrm, ensure that you specify the host as https://localhost, not the IP address of your machine; with the above config, you will not get a connection if you use the IP address.
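
Before copying cert.pem and key.pem into /nginx/certs, the pair can be checked from the WSL terminal. The script below is an added example, not part of the Wyrm project. It confirms that the private key belongs to the certificate, that the host you plan to put in the profile appears in the certificate's subjectAltName list (the certificate generated above lists only localhost and 127.0.0.1), and that the certificate has not expired. The function names and the throwaway sample generator are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the Wyrm project: check cert.pem and key.pem
# before copying them into /nginx/certs. Function names are illustrative.
# Usage: ./check_pair.sh cert.pem key.pem [host]

# List the subjectAltName entries of a certificate, one per line.
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//'
}

# Returns 0 if the pair is usable for https://<host>, otherwise 1, 2 or 3.
check_pair() {
  cert=$1; key=$2; host=${3:-localhost}

  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate"; return 1
  fi

  # 2. Clients match the requested host against the SAN list, so the name
  #    used in the URL must appear there as a DNS or IP entry.
  if ! san_entries "$cert" | grep -Fxq -e "DNS:$host" -e "IP Address:$host"; then
    echo "FAIL: $host is not in the certificate's SAN list"; return 2
  fi

  # 3. The certificate must not have expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"; return 3
  fi
  echo "OK: $cert and $key are usable for https://$host"
}

# Constructed sample: a throwaway self-signed pair with the same SAN entries
# as the localhost certificate above (for trying the checks without a PFX).
make_sample() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
}

if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

Passing a host other than localhost or 127.0.0.1 as the third argument makes the second check fail, which is the situation the final note describes.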