• Animesh Gupta

CarbonCopy : A Tool Which Creates A Spoofed Certificate of Any Online Website

CarbonCopy is a tool which creates a spoofed certificate of any online website.

As the Internet users growing day by day, simple methods of attacking them are becoming tough.

Even the Homograph method fails sometimes. 

Here we are going to talk about a little advanced method that is spoofing website certificate

How it exactly works?

A website certificate confirms that you are on cybertechops.com (for example) not on a fake website posing as cybertechops.com.

The tool we are going to use here to spoof website certificate is called CarbonCopy.

CarbonCopy has the ability to create self-signed certificates which looks exactly the same with the original.

The best thing about this tool is, it not only spoof certificate also signs an Executable for AV Evasion so that AV softwares can't detect it as a fake certificate.

But if the validation process is done on the certificates, no local trust anchor will be found and the certificates will be marked as untrusted and rejected.

Configure CarbonCopy on Kali Linux

Fire up your Kali Linux Machine, open up the terminal, change the directory to Desktop and clone the tool from Github.

cd Desktop/

git clone https://github.com/paranoidninja/CarbonCopy.git

Now change the directory to the 'CarbonCopy' folder.

Here you can see a python script named with CarbonCopy.py.

Launch the script by the command-

python3 CarbonCopy.py

Download prometheus.exe from below link to /root/Desktop/ (Anywhere) :


Okay! you've launched the tool successfully and downloaded the prometheus file. Now it's time to clone a website certificate.

python3 CarbonCopy.py www.microsoft.com 443 /root/Desktop/prometheus.exe signed-prometheus.exe

Now understand the command line. First, we've put the name of the website (ex: www.microsoft.com) of which we want to clone the certificate. 

In the second we've put the port i.e 443 which is a TCP port used by websites who have SSL. 

In the third, we've put an AV Evasion Executable prometheus.exe. 

At the last, we've signed the Executable with the command 'signed-prometheus.exe'.


Hackers, does every possible thing to hack us right? We are not aware of the security problems around us and hackers take advantage of it. We are so vulnerable. It's our responsibility to raise security awareness. This tutorial is not for illegal purpose. It is to let you know how vulnerable we are.  When we visit a website, we do not check whether it's certificate valid or not. Do we? Even we do not check what URL is running on the Address bar or to what URL it's redirecting. That's a very bad thing. We have to take care of our security our own.

©2019 Security Unleashed | New Delhi