How to export non-exportable private key from store

前端 未结 7 620
野的像风
野的像风 2021-01-29 20:51

I need to export private key from Windows store. What should I do if the key is marked as non-exportable? I know that it is possible, program jailbreak can export this key.

相关标签:
7条回答
  • 2021-01-29 21:01

    There is code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps like mimikatz will.

    The code is based on a paper by the NCC Group. will need to run the tool with the local system account, as it works by writing directly to memory used by Windows' lsass process, in order to temporarily mark keys as exportable. This can be done using PsExec from SysInternals' PsTools:

    1. Spawn a new command prompt running as the local system user:

    PsExec64.exe -s -i cmd

    1. In the new command prompt, run the tool:

    exportrsa.exe

    1. It will loop over every Local Computer store, searching for certificates with a private key. For each one, it will prompt you for a password - this is the password you want to secure the exported PFX file with, so can be whatever you want
    0 讨论(0)
  • 2021-01-29 21:14

    You're right, no API at all that I'm aware to export PrivateKey marked as non-exportable. But if you patch (in memory) normal APIs, you can use the normal way to export :)

    There is a new version of mimikatz that also support CNG Export (Windows Vista / 7 / 2008 ...)

    1. download (and launch with administrative privileges) : http://blog.gentilkiwi.com/mimikatz (trunk version or last version)

    Run it and enter the following commands in its prompt:

    1. privilege::debug (unless you already have it or target only CryptoApi)
    2. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
    3. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

    The exported .pfx files are password protected with the password "mimikatz"

    0 讨论(0)
  • 2021-01-29 21:16

    Unfortunately, the tool mentioned above is blocked by several antivirus vendors. If this is the case for you then take a look at the following.

    Open the non-exportable cert in the cert store and locate the Thumbprint value.

    Next, open regedit to the path below and locate the registry key matching the thumbprint value.

    An export of the registry key will contain the complete certificate including the private key. Once exported, copy the export to the other server and import it into the registry.

    The cert will appear in the certificate manager with the private key included.

    Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

    In a pinch, you could save the export as a backup of the certificate.

    0 讨论(0)
  • 2021-01-29 21:18

    You might need to uninstall antivirus (in my case I had to get rid of Avast).

    This makes sure that crypto::cng command will work. Otherwise it was giving me errors:

    mimikatz $ crypto::cng
    ERROR kull_m_patch_genericProcessOrServiceFromBuild ; OpenProcess (0x00000005)
    

    After removing Avast:

    mimikatz $ crypto::cng
    "KeyIso" service patched
    

    Magic. (:

    BTW

    Windows Defender is another program blocking the program to work, so you will need also to disable it for the time of using program at least.

    0 讨论(0)
  • 2021-01-29 21:19

    Gentil Kiwi's answer is correct. He developed this mimikatz tool that is able to retrieve non-exportable private keys.

    However, his instructions are outdated. You need:

    1. Download the lastest release from https://github.com/gentilkiwi/mimikatz/releases

    2. Run the cmd with admin rights in the same machine where the certificate was requested

    3. Change to the mimikatz bin directory (Win32 or x64 version)

    4. Run mimikatz

    5. Follow the wiki instructions and the .pfx file (protected with password mimikatz) will be placed in the same folder of the mimikatz bin

    mimikatz # crypto::capi
    Local CryptoAPI patched

    mimikatz # privilege::debug
    Privilege '20' OK

    mimikatz # crypto::cng
    "KeyIso" service patched

    mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
    * System Store : 'local_machine' (0x00020000)
    * Store : 'my'

    1. example.domain.local
           Key Container : example.domain.local
           Provider : Microsoft Software Key Storage Provider
           Type : CNG Key (0xffffffff)
           Exportable key : NO
           Key size : 2048
           Public export : OK - 'local_machine_my_0_example.domain.local.der'
           Private export : OK - 'local_machine_my_0_example.domain.local.pfx'
    0 讨论(0)
  • 2021-01-29 21:20

    This worked for me on Windows Server 2012 - I needed to export a non-exportable certificate to setup another ADFS server and this did the trick. Remember to use the jailbreak instructions above i.e.:

    crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

    0 讨论(0)
提交回复
热议问题