mimikatz
Error exporting certificate on Windows 10 1909
Dear all, I am trying to export the user certificate with private key of a computer running Windows 10 1909. I have disabled Windows Defender and uninstalled every trace of the previous McAfee antivirus, and the export encounters problems at the command crypto::cng, which returns
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000)
If I stop the service CNG Key Isolation and run crypto::cng, it returns no message, just a black row. I am able to export the public certificate, and it exports some pfx file that should be the private key, but somehow this doesn't work and it looks like a copy of the public key. On top of that, during export another error is shown:
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x800706b5)
Any ideas? Thank you!
Same here, crypto::cng patching stopped working since I updated my Windows 10 to build 1909
Does this work on build 1909 for anyone?
Hi @raduci68, I have submitted a PR which fixes this for my copy of Win10 1909, try applying this patch https://github.com/gentilkiwi/mimikatz/pull/362 or clone mimikatz from https://github.com/hubert3/mimikatz
@hubert3 Any chance you can upload a PR for Windows version 21H2 (build 19044)? How can I find out which patch sequence is needed for KeyIso service (ncryptprov.dll)? I tried PTRN_W10_1809_SPCryptExportKey and PTRN_W10_1607_SPCryptExportKey, but both won't work. Thx for help.
@juxeii I just updated my fork so crypto::cng works on 20H2 (2009 / 19041), I will take a look at 21H2 next
@juxeii my PR #362 was merged today, this should make it work on 21H2 x64.
I found that PTRN_W10_1607_SPCryptExportKey is the correct patch for this version when I tested it on a new 21H2 vm today (but also a #define for this Windows build version was missing in globals.h)
If it's still not working for you let me know.
Has this failure to patch returned with 21H2 19044? I'm getting
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000)
on crypto::cng, but on a 21H2 machine with 19041 it's working as intended.
@Proplex Please send me the output of mimikatz 'version' and the DLL version of the Windows ncryptprov.dll file on the system where it's not working.
According to the table on https://en.wikipedia.org/wiki/Windows_10_version_history 19041 is 20H2 and 19044 is 21H2, so I'm a bit confused by "21H2 machine with 19041"
Thanks @pineman, my 21H2 test system on OS build 19044.1826 still had ncryptprov.dll 10.0.19041.1620, I have not seen your version of the DLL before
The new version may or may not require a different patch but Mimikatz code will have to be updated either way, I'll look into it
@pineman I ran Windows update on my Windows 10 Pro 21H2 64-bit vm and have ended up with OS build 19044.2251 (newer than yours) but my ncryptprov.dll is still an older version than yours (10.0.19041.2193)
Not sure how to get my system updated to the DLL version you have, or which KB update updates it - What edition of Windows 10 are you running?
Can you send me a link to your DLL binary?
@juxeii @pineman @proplex Try this build, it may work https://ci.appveyor.com/project/gentilkiwi/mimikatz/builds/45524049/job/kh17wjuqhk7uq27q/artifacts
If not please apply any outstanding Windows updates and send me your windows\system32\ncryptprov.dll
@hubert3 It worked with ncryptprov.dll 10.0.19041.2193! Thank you!!
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched