nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Unable to download from API - Powershell receiving TLS errors #23

Open Nick-C opened 7 years ago

Nick-C commented 7 years ago

I'm trying to use the script on our 2012 R2 file server to set up FSRM; however, I'm receiving the following error when it tries to download via the API:

```
Exception calling "DownloadString" with "1" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
At C:\Scripts\DeployCryptoBlocker.ps1:205 char:1
```

Google suggested adding the following line into the script to force PowerShell to allow TLS 1.2 connections; however, I've not had any luck getting it working:

```powershell
# Set the protocols this process will offer during the TLS handshake
[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls","Ssl3")
```

PurpleTeamAdmin commented 6 years ago

@Nick-C I have identified the problem. At some point you must have properly hardened the server using IISCrypto or even through manual registry edits. The problem you are getting is the same one I was getting. I dug into it and found a breakdown in the SSL Handshake. I re-enabled all default ciphers via IISCrypto, rebooted, fired up Wireshark and then reran the script. The command negotiated the following Cipher:

```
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 67
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 63
            Version: TLS 1.2 (0x0303)
            Random
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Compression Method: null (0)
            Extensions Length: 23
            Extension: renegotiation_info
            Extension: server_name
            Extension: Extended Master Secret
            Extension: SessionTicket TLS
            Extension: ec_point_formats
```

I ran IISCrypto again and set it to the Secure Defaults. It unchecked this Cipher automatically. So there is both the problem and the fix. You can re-enable that particular cipher, reboot, run the script, then redisable the cipher. Personally rather than having my servers reaching out to a website I'd rather have a way to point at a local file that I manually update. Would that be possible @nexxai? I know of other variations of this script that can do that but I'd prefer to stay with yours.

nexxai commented 6 years ago

I definitely don't have time to add such an option to the script right now, but if someone wants to add that functionality to the script (check for a local file; if local file doesn't exist, check website), I'd be more than happy to merge it into the main version.

PurpleTeamAdmin commented 6 years ago

Okay, totally understood and thanks for providing both the site and the script! If I happen to figure out how to perform such a task I'll let you know.

Rooven-tech commented 6 years ago

I had the same issue on our Server 2012 R2 and was able to fix the issue. I used the IIS Crypto 2.0 GUI from https://www.nartac.com/Products/IISCrypto/Download. I chose Cipher Suites, checked TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, moved it up to the last checked item and then applied it. A restart of the server is needed.

Then I had to change the code in the PowerShell script:

```powershell
# Download list of CryptoLocker file extensions
Write-Host "`n####"
Write-Host "Downloading CryptoLocker file extensions list from fsrm.experiant.ca api.."

# Invoke-WebRequest returns a response object; take its Content to get the JSON string
$jsonStr = (Invoke-WebRequest -Uri 'https://fsrm.experiant.ca/api/v1/get' -UseBasicParsing).Content
# ConvertFrom-Json20 is the script's own JSON helper for older PowerShell versions
$monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters })
```
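An added example (not code from the CryptoBlocker script) of the "local file first, API second" behaviour nexxai described above, combined with the Invoke-WebRequest download shown in the previous comment. The local path, the `Get-MonitoredExtensions` function name and the use of the built-in `ConvertFrom-Json` (PowerShell 3.0+) in place of the script's `ConvertFrom-Json20` are assumptions; only the JSON shape (`{"filters": [...]}`) is taken from the thread.

```powershell
# Added example, not part of CryptoBlocker: load the FSRM extension list from a
# locally maintained file when present, otherwise from the fsrm.experiant.ca API.
param(
    [string]$LocalListPath = 'C:\Scripts\CryptoBlockerExtensions.json',  # assumed path
    [string]$ApiUri = 'https://fsrm.experiant.ca/api/v1/get'
)

function Get-MonitoredExtensions {
    param([string]$LocalPath, [string]$Uri)

    if (Test-Path -LiteralPath $LocalPath) {
        $source  = $LocalPath
        Write-Host "Reading extension list from local file $LocalPath"
        $jsonStr = Get-Content -LiteralPath $LocalPath -Raw
    }
    else {
        $source = $Uri
        Write-Host "Local file not found; downloading from $Uri"
        # Offer only TLS 1.2. Adding Ssl3/Tls as in the first comment does not
        # fix a cipher-suite mismatch between a hardened client and server; it
        # only lets the connection fall back to weaker protocols.
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing
        $jsonStr  = $response.Content
    }

    # Expected shape: {"filters": ["*.locked", "*.crypt", ...]}
    $parsed  = ConvertFrom-Json $jsonStr
    $filters = @($parsed | ForEach-Object { $_.filters })
    if ($filters.Count -eq 0) {
        # Refuse to push an empty screen into FSRM; that would silently disable blocking
        throw "Extension list from '$source' contained no 'filters' entries."
    }
    return $filters
}

$monitoredExtensions = Get-MonitoredExtensions -LocalPath $LocalListPath -Uri $ApiUri
Write-Host "Loaded $($monitoredExtensions.Count) file screen patterns"
```

Keep the local file in the same JSON shape the API returns so the rest of the script's FSRM configuration consumes either source unchanged.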

nexxai commented 6 years ago

@Rooven-tech This is almost certainly the problem but I'll leave the question open for now.

davidande commented 6 years ago

We meet the same problem on our Exchange servers. Impossible to update, and we are looking for a trick to make it work. Any idea?

nexxai commented 6 years ago

@davidande Please use the suggestion @Rooven-tech provided (to use IISCrypto, etc) and see if that fixes the issue.