mimikatz icon indicating copy to clipboard operation
mimikatz copied to clipboard

Published 20 hours ago verified publisher icon gentilkiwi

Cannot patch CNG or export certificate

Open clock-workorange opened this issue 4 years ago • 1 comments

Thank you for your amazing work

I'm trying to Extract a Non-Exportable Private Key on my laptop.

The Certificate is installed with the Private Key as I see it with Certmgr.exe Certificates Manager "You have a Private Key that corresponds to this Certificate"

Winows Defender is totally OFF by Group Policy Settings and I never install any AV on my computer in the past

mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29 W10 Pro build 19041 (x64) - English

mimikatz # version /full

mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 19041 (arch x64) msvc 150030729 207

SecureKernel is running

lsasrv.dll : 6.2.19041.546 msv1_0.dll : 6.2.19041.450 tspkg.dll : 6.2.19041.264 wdigest.dll : 6.2.19041.388 kerberos.dll : 6.2.19041.546 dpapisrv.dll : 6.2.19041.546 cryptdll.dll : 6.2.19041.546 samsrv.dll : 6.2.19041.546 rsaenh.dll : 6.2.19041.546 ncrypt.dll : 6.2.19041.546 ncryptprov.dll : 6.2.19041.546 wevtsvc.dll : 6.2.19041.388 termsrv.dll : 6.2.19041.84

mimikatz # crypto::capi Local CryptoAPI RSA CSP patched Local CryptoAPI DSS CSP patched

mimikatz # privilege::debug Privilege '20' OK

mimikatz # crypto::cng ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000005)

mimikatz # crypto::stores Asking for System Store 'CURRENT_USER' (0x00010000) 0. My

  1. Root
  2. Trust
  3. CA
  4. UserDS
  5. TrustedPublisher
  6. Disallowed
  7. AuthRoot
  8. TrustedPeople
  9. ClientAuthIssuer
  10. ISG Trust
  11. Local NonRemovable Certificates
  12. REQUEST
  13. SmartCardRoot

mimikatz # crypto::providers

CryptoAPI providers : 0. RSA_FULL ( 1) H - eToken Base Cryptographic Provider

  1. RSA_FULL ( 1) - Microsoft Base Cryptographic Provider v1.0
  2. DSS_DH (13) - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
  3. DSS ( 3) - Microsoft Base DSS Cryptographic Provider
  4. RSA_FULL ( 1) H - Microsoft Base Smart Card Crypto Provider
  5. DH_SCHANNEL (18) - Microsoft DH SChannel Cryptographic Provider
  6. RSA_FULL ( 1) - Microsoft Enhanced Cryptographic Provider v1.0
  7. DSS_DH (13) - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
  8. RSA_AES (24) - Microsoft Enhanced RSA and AES Cryptographic Provider
  9. RSA_SCHANNEL (12) - Microsoft RSA SChannel Cryptographic Provider
  10. RSA_FULL ( 1) - Microsoft Strong Cryptographic Provider

CryptoAPI provider types: 0. RSA_FULL ( 1) - RSA Full (Signature and Key Exchange)

  1. DSS ( 3) - DSS Signature
  2. RSA_SCHANNEL (12) - RSA SChannel
  3. DSS_DH (13) - DSS Signature with Diffie-Hellman Key Exchange
  4. DH_SCHANNEL (18) - Diffie-Hellman SChannel
  5. RSA_AES (24) - RSA Full and AES

CNG providers : 0. Microsoft Key Protection Provider

  1. Microsoft Passport Key Storage Provider
  2. Microsoft Platform Crypto Provider
  3. Microsoft Primitive Provider
  4. Microsoft Smart Card Key Storage Provider
  5. Microsoft Software Key Storage Provider
  6. Microsoft SSL Protocol Provider
  7. SafeNet Smart Card Key Storage Provider
  8. Windows Client Key Protection Provider

mimikatz # crypto::certificates /store:my /export

Key Container : p11#b3935*********** Provider : eToken Base Cryptographic Provider Provider type : RSA_FULL (1) Type : AT_KEYEXCHANGE (0x00000001) |Provider name : eToken Base Cryptographic Provider |Key Container : p11#b3935********** |Unique name : p11#b3935********** |Implementation: CRYPT_IMPL_HARDWARE ; CRYPT_IMPL_SOFTWARE ; CRYPT_IMPL_REMOVABLE ; Algorithm : CALG_RSA_KEYX Key size : 2048 (0x00000800) Key permissions: 000000c3 ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT_KEY ; CRYPT_IMPORT_KEY ; ) Exportable key : NO Public export : OK - 'CURRENT_USER_my_1_****Limited.der' Private export : ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx/kull_m_file_writeData (0x8009000b)

crypto::keys /export /cngprovider:"SafeNet Smart Card Key Storage Provider"

  • Store : 'user'
  • Provider : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
  • Provider type : 'PROV_RSA_FULL' (1)
  • CNG Provider : 'SafeNet Smart Card Key Storage Provider'

CNG keys : 0. p11#b3935********** |Provider name : SafeNet Smart Card Key Storage Provider |Implementation: NCRYPT_IMPL_HARDWARE_FLAG ; NCRYPT_IMPL_SOFTWARE_FLAG ; NCRYPT_IMPL_REMOVABLE_FLAG ; Key Container : p11#b3935*********** Unique name : p11#b3935*********** Algorithm : RSA Key size : 2048 (0x00000800) Export policy : 00000000 ( ) Exportable key : NO Private export : ERROR kuhl_m_crypto_exportKeyToFile ; NCryptExportKey(CAPIPRIVATEBLOB -- init): 0x80090027

mimikatz # crypto::keys /export /provider:"eToken Base Cryptographic Provider"

  • Store : 'user'
  • Provider : 'eToken Base Cryptographic Provider' ('eToken Base Cryptographic Provider')
  • Provider type : 'PROV_RSA_FULL' (1)
  • CNG Provider : 'Microsoft Software Key Storage Provider'

CryptoAPI keys : 0. p11#b3935************** p11#b3935************** Type : AT_KEYEXCHANGE (0x00000001) |Provider name : eToken Base Cryptographic Provider |Key Container : p11#b3935************** |Unique name : p11#b3935************** |Implementation: CRYPT_IMPL_HARDWARE ; CRYPT_IMPL_SOFTWARE ; CRYPT_IMPL_REMOVABLE ; Algorithm : CALG_RSA_KEYX Key size : 2048 (0x00000800) Key permissions: 000000c3 ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT_KEY ; CRYPT_IMPORT_KEY ; ) Exportable key : NO Private export : ERROR kuhl_m_crypto_exportKeyToFile ; CryptExportKey(init) (0x8009000b)

clock-workorange avatar Oct 14 '20 20:10 clock-workorange

If still relevant, try this again with the latest mimikatz code (binaries at https://ci.appveyor.com/project/gentilkiwi/mimikatz)

crypto::cng was failing for you on Win10 x64 build 19041 (20H2), support for this was merged a few days ago in this PR https://github.com/gentilkiwi/mimikatz/pull/362

hubert3 avatar Jul 30 '22 16:07 hubert3