So if you haven't heard, there is this awesome new thing called Let's Encrypt. It allows you to make valid signed certificates for pretty much any domain you have, including dyndns and even afraid.org. So here is a very simple and 100% FREE way to get it up and running with Python. First go over to afraid and grab yourself a domain. Personally I always liked chickenkiller.com, but it doesn't matter; there are hundreds to choose from.
I say do this first because it's going to take a while for it to propagate with your IP. Mine took at least a few hours, and if I remember correctly the e-mail took a few hours also... but hey, it's free ;)
Also, quickly, while we are on the subject of free stuff, grab yourself a free Amazon account for a year. You'll need a valid phone number, but that's a non-issue really.
Now after you sign up for afraid.org and get a domain, go to the "Dynamic DNS" menu, and at the bottom you will find a wget/curl/direct URL script that has your personal URL inside. Simply hit this URL on whatever box you like and bang, you just updated your domain to that IP. "This is why I love afraid fyi" Anyways, so now all you need is letsencrypt. I did mine on Amazon simply so I didn't have to deal with port forwarding on my router.
Grab a copy from GitHub and read it over. It's pretty simple really, and after running it the first time to make sure I had all the needed packages, I basically just used this command and followed the prompts.
./letsencrypt-auto --no-self-upgrade --register-unsafely-without-email certonly
Now your pem files are stored here: /etc/letsencrypt/archive/fancydomain.whatever.com
That's really it, you're pretty much all set. You can load them into Apache, or Nginx, or whatever else you like. However, if you are going to do that, they have some pretty good self installers, so you might want to choose that road.
Anyways, like I said, I did mine on my Amazon, so I needed to get ssh to forward properly if I wanted to run Python locally. That's relatively simple, but remember to set GatewayPorts clientspecified in /etc/sshd_config. We will want a reverse forward, so:
ssh -R :8080:127.0.0.1:8080 your_ssh_server
Now as long as you have the firewall configured with Amazon or whatever your host might be, and you downloaded your keys from the /etc/letsencrypt/archive/ folder, you should be good to go.
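For Python, both of these work :)
import socket, ssl

# Server-side context; create_default_context() already turns off SSLv2/SSLv3 and compression
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
# Do not assign a PROTOCOL_* constant to context.options: it is a bitmask of OP_* flags, and overwriting it drops those defaults
# cert.pem is the leaf certificate only; point certfile at fullchain.pem if clients need the intermediate
context.load_cert_chain(certfile="/pentest/cert.pem", keyfile="/pentest/privkey.pem")
bindsock = socket.socket()
bindsock.bind(('0.0.0.0', 8080))
bindsock.listen(5)
# Accept one connection, complete the TLS handshake, and read the first 1024 bytes
cnsock, fromaddr = bindsock.accept()
sl = context.wrap_socket(cnsock, server_side=True)
print(sl.recv(1024))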
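This one is a little bit less painful.. but remember to move your cert files out of the directory you're serving from lol. SimpleHTTPRequestHandler hands out every file under the working directory, privkey.pem included.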
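import http.server
import ssl

# Python 3: BaseHTTPServer/SimpleHTTPServer are now http.server, and ssl.wrap_socket() was removed in 3.12
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="/pentest/cert.pem", keyfile="/pentest/privkey.pem")
httpd = http.server.HTTPServer(('0.0.0.0', 8080), http.server.SimpleHTTPRequestHandler)
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()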
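A pre-flight check for the warning about cert files in the served directory, as an added example that is not part of the original post: it scans a directory by content, not by file name, for PEM private keys, so a bundle that mixes a certificate and a key is caught too. The function names and the sample files are made up for illustration.

```python
import os
import re
import stat
import tempfile

# Matches PKCS#8, RSA, EC, OPENSSH and ENCRYPTED PEM private-key headers.
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def find_private_keys(root):
    """Return sorted relative paths under root whose content holds a PEM private key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # PEM bundles are small; cap the read
            except OSError:
                continue  # skip files this process cannot open
            if KEY_MARKER.search(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def is_group_or_world_readable(path):
    """True if anyone other than the owner can read the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def preflight(root):
    """Raise before serving if key material sits inside the web root."""
    exposed = find_private_keys(root)
    if exposed:
        raise RuntimeError("private key material in served directory: %s" % ", ".join(exposed))
    return True

def demo():
    """Constructed sample tree (hypothetical): one harmless page, one cert+key bundle."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>")
        bundle = os.path.join(root, "both.pem")
        with open(bundle, "w") as fh:  # placeholder body, not a real key
            fh.write("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                     "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
        os.chmod(bundle, 0o644)
        return find_private_keys(root), is_group_or_world_readable(bundle)

if __name__ == "__main__":
    print(demo())
```

Call preflight(os.getcwd()) right before httpd.serve_forever() so the server refuses to start with a key in its web root.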
One last thing, and regretfully I didn't take screencaps, but it does work. Inside your /etc/letsencrypt/archive/yoursite.com there are 4 files.
cert.pem chain.pem fullchain.pem privkey.pem
If you do something like so...
cat cert.pem privkey.pem > both.pem
You can now use the both.pem with metasploit... you can then update your IP on afraid.org to whatever you like... even if it's an internal IP! This will also work with stunnel if you do something like so...
echo '[lets_encrypt]
accept = 443
connect = 127.0.0.1:80
cert = /pentest/both.pem' > /etc/stunnel/stunnel.conf
stunnel4 /etc/stunnel/stunnel.conf
What's so nice about this is that stunnel will allow you to use your cert with almost ANYTHING, regardless of whether it uses SSL or not. For instance, above I showed you how to use Python with SSL support, but if I wanted to I could use stunnel and never have to worry about getting SSL working.
Anyways Enjoy!