gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Cannot patch CNG or export certificate #315

Open clock-workorange opened 4 years ago

clock-workorange commented 4 years ago

Thank you for your amazing work

I'm trying to Extract a Non-Exportable Private Key on my laptop.

The certificate is installed with the private key, as I can see in Certmgr.exe (Certificates Manager): "You have a Private Key that corresponds to this Certificate"

Windows Defender is totally OFF by Group Policy settings, and I have never installed any AV on my computer in the past.

mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29 W10 Pro build 19041 (x64) - English

mimikatz # version /full

mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 19041 (arch x64) msvc 150030729 207

SecureKernel is running

lsasrv.dll : 6.2.19041.546
msv1_0.dll : 6.2.19041.450
tspkg.dll : 6.2.19041.264
wdigest.dll : 6.2.19041.388
kerberos.dll : 6.2.19041.546
dpapisrv.dll : 6.2.19041.546
cryptdll.dll : 6.2.19041.546
samsrv.dll : 6.2.19041.546
rsaenh.dll : 6.2.19041.546
ncrypt.dll : 6.2.19041.546
ncryptprov.dll : 6.2.19041.546
wevtsvc.dll : 6.2.19041.388
termsrv.dll : 6.2.19041.84

mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000005)

mimikatz # crypto::stores
Asking for System Store 'CURRENT_USER' (0x00010000)

  1. My
  2. Root
  3. Trust
  4. CA
  5. UserDS
  6. TrustedPublisher
  7. Disallowed
  8. AuthRoot
  9. TrustedPeople
  10. ClientAuthIssuer
  11. ISG Trust
  12. Local NonRemovable Certificates
  13. REQUEST
  14. SmartCardRoot

mimikatz # crypto::providers

CryptoAPI providers :

  1. RSA_FULL ( 1) H - eToken Base Cryptographic Provider
  2. RSA_FULL ( 1) - Microsoft Base Cryptographic Provider v1.0
  3. DSS_DH (13) - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
  4. DSS ( 3) - Microsoft Base DSS Cryptographic Provider
  5. RSA_FULL ( 1) H - Microsoft Base Smart Card Crypto Provider
  6. DH_SCHANNEL (18) - Microsoft DH SChannel Cryptographic Provider
  7. RSA_FULL ( 1) - Microsoft Enhanced Cryptographic Provider v1.0
  8. DSS_DH (13) - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
  9. RSA_AES (24) - Microsoft Enhanced RSA and AES Cryptographic Provider
  10. RSA_SCHANNEL (12) - Microsoft RSA SChannel Cryptographic Provider
  11. RSA_FULL ( 1) - Microsoft Strong Cryptographic Provider

CryptoAPI provider types:

  1. RSA_FULL ( 1) - RSA Full (Signature and Key Exchange)
  2. DSS ( 3) - DSS Signature
  3. RSA_SCHANNEL (12) - RSA SChannel
  4. DSS_DH (13) - DSS Signature with Diffie-Hellman Key Exchange
  5. DH_SCHANNEL (18) - Diffie-Hellman SChannel
  6. RSA_AES (24) - RSA Full and AES

CNG providers :

  1. Microsoft Key Protection Provider
  2. Microsoft Passport Key Storage Provider
  3. Microsoft Platform Crypto Provider
  4. Microsoft Primitive Provider
  5. Microsoft Smart Card Key Storage Provider
  6. Microsoft Software Key Storage Provider
  7. Microsoft SSL Protocol Provider
  8. SafeNet Smart Card Key Storage Provider
  9. Windows Client Key Protection Provider

mimikatz # crypto::certificates /store:my /export

Key Container : p11#b3935***
Provider : eToken Base Cryptographic Provider
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
|Provider name : eToken Base Cryptographic Provider
|Key Container : p11#b3935**
|Unique name : p11#b3935**
|Implementation: CRYPT_IMPL_HARDWARE ; CRYPT_IMPL_SOFTWARE ; CRYPT_IMPL_REMOVABLE ;
Algorithm : CALG_RSA_KEYX
Key size : 2048 (0x00000800)
Key permissions: 000000c3 ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT_KEY ; CRYPT_IMPORT_KEY ; )
Exportable key : NO
Public export : OK - 'CURRENT_USER_my1****Limited.der'
Private export : ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx/kull_m_file_writeData (0x8009000b)

crypto::keys /export /cngprovider:"SafeNet Smart Card Key Storage Provider"

CNG keys :

  1. p11#b3935**
     |Provider name : SafeNet Smart Card Key Storage Provider
     |Implementation: NCRYPT_IMPL_HARDWARE_FLAG ; NCRYPT_IMPL_SOFTWARE_FLAG ; NCRYPT_IMPL_REMOVABLE_FLAG ;
     Key Container : p11#b3935
     Unique name : p11#b3935
     Algorithm : RSA
     Key size : 2048 (0x00000800)
     Export policy : 00000000 ( )
     Exportable key : NO
     Private export : ERROR kuhl_m_crypto_exportKeyToFile ; NCryptExportKey(CAPIPRIVATEBLOB -- init): 0x80090027

mimikatz # crypto::keys /export /provider:"eToken Base Cryptographic Provider"

CryptoAPI keys :

  1. p11#b3935** p11#b3935**
     Type : AT_KEYEXCHANGE (0x00000001)
     |Provider name : eToken Base Cryptographic Provider
     |Key Container : p11#b3935**
     |Unique name : p11#b3935**
     |Implementation: CRYPT_IMPL_HARDWARE ; CRYPT_IMPL_SOFTWARE ; CRYPT_IMPL_REMOVABLE ;
     Algorithm : CALG_RSA_KEYX
     Key size : 2048 (0x00000800)
     Key permissions: 000000c3 ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT_KEY ; CRYPT_IMPORT_KEY ; )
     Exportable key : NO
     Private export : ERROR kuhl_m_crypto_exportKeyToFile ; CryptExportKey(init) (0x8009000b)
hubert3 commented 2 years ago

If still relevant, try this again with the latest mimikatz code (binaries at https://ci.appveyor.com/project/gentilkiwi/mimikatz)

crypto::cng was failing for you on Win10 x64 build 19041 (20H2); support for this was merged a few days ago in this PR: https://github.com/gentilkiwi/mimikatz/pull/362