How to export a non-exportable private key from the store
I need to export a private key from the Windows store. What should I do if the key is marked as non-exportable? I know that it is possible; the program jailbreak can export this key.

To export the key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(), which exports the key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). I use the exported key in Org.BouncyCastle.Cms.CmsSignedDataGenerator for the CMS signature.

I need a solution for .Net, but any solution will be useful. Thank you.

Storebought answered 12/10, 2010 at 12:54 Comment(1)
The FindPrivateKey.exe util (analogous to CspKeyContainerInfo.UniqueKeyContainerName) can get the private key file name in the "Microsoft\Crypto\RSA\" folder. Do those files really contain the private key, and how can I decrypt the key from this file?Storebought
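Before reaching for any of the tools in the answers, it is worth checking what the ExportParameters(true) call in the question actually hits, and whether an export is needed at all. The following is an added example, not code from the question or from any answer: a Windows PowerShell script that, for a certificate in the current user's MY store, reports whether its key lives in a CryptoAPI CSP or a CNG KSP and whether the provider marks it exportable, prints the on-disk container name that FindPrivateKey.exe would look up, and then produces a CMS signature with the key left in place using the built-in System.Security.Cryptography.Pkcs.SignedCms class (a stand-in for the BouncyCastle generator in the question; the OP's comment below reports the same approach with RSACryptoServiceProvider). The thumbprint placeholder is hypothetical, and the script assumes Windows PowerShell 5.1 on .NET Framework 4.6.2 or newer, where GetRSAPrivateKey and SignedCms are assumed to handle both CSP and CNG keys.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1 on
# .NET Framework 4.6.2+ and a certificate with a private key in Cert:\CurrentUser\My.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs

$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # hypothetical placeholder: paste the real SHA-1 thumbprint
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "No private key is bound to $Thumbprint" }

# GetRSAPrivateKey returns RSACryptoServiceProvider for CSP keys and RSACng for KSP keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $rsa.CspKeyContainerInfo
    Write-Host "Provider    : $($info.ProviderName) (CryptoAPI)"
    Write-Host "Container   : $($info.KeyContainerName)"
    # File name under ...\Microsoft\Crypto\RSA\<SID>\ (user) or RSA\MachineKeys\ (machine)
    Write-Host "Key file    : $($info.UniqueKeyContainerName)"
    $exportable = $info.Exportable
}
elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $key = $rsa.Key
    Write-Host "Provider    : $($key.Provider.Provider) (CNG)"
    Write-Host "Container   : $($key.KeyName)"
    # File name under ...\Microsoft\Crypto\Keys\ for the Microsoft Software Key Storage Provider
    Write-Host "Key file    : $($key.UniqueName)"
    Write-Host "ExportPolicy: $($key.ExportPolicy)"
    $exportable = ($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
}
else {
    throw "Unexpected RSA implementation: $($rsa.GetType().FullName)"
}

# This is the call from the question. It only succeeds when the provider allows export.
if ($exportable) {
    $p = $rsa.ExportParameters($true)
    Write-Host "Exportable  : yes (private exponent is $($p.D.Length) bytes)"
}
else {
    Write-Host 'Exportable  : no (ExportParameters($true) would throw CryptographicException)'
}

# Signing never needs the key bytes: the provider performs the RSA operation on the
# caller's behalf and hands back only the signature. For CNG software keys the private
# material stays inside the KeyIso service (the one the mimikatz answers patch).
$message = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')   # constructed input
$content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$message)
$cms     = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $false   # $false = attached content
$signer  = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $cert
$cms.ComputeSignature($signer)
$der = $cms.Encode()
[System.IO.File]::WriteAllBytes((Join-Path $env:TEMP 'signed.p7m'), $der)

# Round-trip check: decode and verify the signature only ($true skips chain building).
$check = New-Object System.Security.Cryptography.Pkcs.SignedCms
$check.Decode($der)
$check.CheckSignature($true)
Write-Host "CMS signature OK: $($der.Length) bytes written to $env:TEMP\signed.p7m"
```

If the goal is only to sign, this is the whole solution and nothing leaves the provider; the in-memory patching tools in the answers are for the case where the key really has to move to another machine.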
60

You're right, there is no API at all that I'm aware of to export a private key marked as non-exportable. But if you patch (in memory) the normal APIs, you can use the normal way to export :)

There is a new version of mimikatz that also supports CNG export (Windows Vista / 7 / 2008 ...)

  1. Download (and launch with administrative privileges): http://blog.gentilkiwi.com/mimikatz (trunk version or latest version)

Run it and enter the following commands in its prompt:

  1. privilege::debug (unless you already have it or target only CryptoApi)
  2. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  3. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

The exported .pfx files are password protected with the password "mimikatz"

Vickers answered 19/10, 2010 at 23:30 Comment(6)
Thank you. As I understand it, this utility only exports all keys from the store; if the store contains too many certificates it takes a lot of time. Maybe I have not figured it out, but can you export a specific pfx certificate with this util? And how can I decode a *.pvk file in my program? I solved my problem by integrating RSACryptoServiceProvider into CmsSignedDataGenerator.Storebought
This tool exports all keys AND an individual PFX per certificate/key. Maybe I can adapt the code to select only a specified certificate (it is a forensic tool, not a utility ;)). For the PVK format, OpenSSL 1.x converts it without any problem :) openssl rsa -inform pvk -in fichier.pvk -outform pem -out fichier.pemVickers
The commands in the crypto module have changed: crypto::cng or crypto::capi or crypto::keys /exportCore
Use crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE for Computer Store (github.com/gentilkiwi/mimikatz/blob/master/README.md#crypto)Uranus
Is this still valid for Windows 10?Reims
@NickG / Ville, this is incorrect. The official mimikatz releases do not contain malware, at all. The tool has unfortunately been mislabeled as malware by anti-virus software because it's commonly used in exploits… like any tool that can be used to extract passwords and private keys, it's susceptible to illegitimate uses.Warhead
26

Gentil Kiwi's answer is correct. He developed the mimikatz tool, which is able to retrieve non-exportable private keys.

However, his instructions are outdated. You need:

  1. Download the latest release from https://github.com/gentilkiwi/mimikatz/releases

  2. Run cmd with admin rights on the same machine where the certificate was requested

  3. Change to the mimikatz bin directory (Win32 or x64 version)

  4. Run mimikatz

  5. Follow the wiki instructions and the .pfx file (protected with the password mimikatz) will be placed in the same folder as the mimikatz binary

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
* System Store : 'local_machine' (0x00020000)
* Store : 'my'

  1. example.domain.local
         Key Container : example.domain.local
         Provider : Microsoft Software Key Storage Provider
         Type : CNG Key (0xffffffff)
         Exportable key : NO
         Key size : 2048
         Public export : OK - 'local_machine_my_0_example.domain.local.der'
         Private export : OK - 'local_machine_my_0_example.domain.local.pfx'
Finegan answered 22/3, 2016 at 15:42 Comment(5)
For all store locations see msdn.microsoft.com/en-us/library/windows/desktop/aa388136.aspx and, in addition, please mention that the password for all exported pfx files is "mimikatz"Ignatz
@Bernhard, I've edited to add the info about the password. Thank you.Finegan
This should definitely be upvoted. It just saved my backside when I ordered a certificate and when creating the request in Windows failed to mark the key as exportable... :|Increate
Identified as a threat and access denied by TrendMicro: trendmicro.com/vinfo/us/threat-encyclopedia/search/…Koressa
When I run privilege::debug I get ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061. I was using mimikatz 2.2.0 (x64) on Windows 10.0.18363.1016.Reims
26

There is code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps like mimikatz will.

The code is based on a paper by the NCC Group. You will need to run the tool as the local system account, as it works by writing directly to memory used by Windows' lsass process in order to temporarily mark keys as exportable. This can be done using PsExec from Sysinternals' PsTools:

  1. Spawn a new command prompt running as the local system user:

    PsExec64.exe -s -i cmd
    
  2. In the new command prompt, run the tool:

    exportrsa.exe
    
  3. It will loop over every Local Computer store, searching for certificates with a private key. For each one, it will prompt you for a password - this is the password you want to secure the exported PFX file with, so it can be whatever you want


Shortcuts to needed files:

Viveca answered 29/5, 2019 at 12:12 Comment(17)
This appears to work. It prompts me for a password for each file, then says it successfully exported to "4.pfx" -- but I can't find that file. Where does it export to?Adz
I found it: it exported to c:\windows\syswow64 on my 64 bit machine.Adz
By far the cleanest and easiest solution. A note about the -s option passed to PsExec - check what it does, as this will affect which certificate stores are visible to exportrsa. Not needed for the personal store.Intervocalic
This is a great solution. I'm finally able to work on my mac, although my admins say it's not possible :DDehumidify
@denis-v is it a WiFi certificate by chance? If so, I'd love to hear how you got that to work on your Mac!Viveca
@Viveca well, I think this certificate is also used for WiFi, but we also have a guest network and as such, I don't actually need WiFi authentication with a certificate. Just didn't try.Dehumidify
Worth mentioning that the program mentioned here worked for me without PsExec64, so in some cases a cmd under an Admin account is enough. But I was exporting a certificate from the user store, not from a system one.Setiform
When I tried it on Windows 10 using an administrative user I got Couldn't install PSEXESVC service: Permission denied for PsExec64.exe -s -i cmd.Reims
@u-windl did you run it in an elevated prompt, not "just" as an admin? If so, perhaps there is a GPO preventing something that PsExec needsViveca
Every cert comes up as Localhost or my username or an unrelated GUID, which does not match up with what I see in certlm. How can I identify which output cert is the one I wanted to convert? Are there command line options for this app that I'm not seeing?Assignment
@JodySowald might depend if you're looking at certificates for "My user account" or for "Computer account" - if you open mmc, you can choose to add the cert snapin for either.Viveca
@Viveca So I have imported my cert to current user, which is my admin account first.last. I have opened an admin cmd and run cd to pstools, then PsExec64.exe -s -u first.last -i cmd. And then in the new cmd I cd to exportrsa's release folder and simply run exportrsa.exe. I expect that this will request that I give a password for every cert under my username. However I am asked for 8 certs, 6 of which are all referred to as localhost, one as a GUID and one with my username. I have found the latter two in mmc, but the cert I have imported does not appear. Am I misunderstanding the steps outlined?Assignment
@JodySowald it's been a while since I used this, but I just took a quick look at the code, and I can see that it will iterate over every "Local Computer" store, and try to export every certificate that has a private key. So, as-is, it won't work with certs in the "Current User" stores.Viveca
Following the instructions above, the export isn't working for me. I get a successfully exported message but the output PFX is 0 bytes.Berl
If you know the key you want to export is from CryptoAPI (not CNG), you do not need to use PsExec and will save a little potential troubleshooting by running exportrsa.exe directlyBromate
This solution works in my case for Windows Server 2019; the important thing is that the account needs to have 'Full Control' on the private key before running exportrsa.exe. Thanks a lot!Creath
It still works on Windows Server 2022 with just an admin account. It would be cool to be able to export only what we need.Carper
18

I wanted to mention Jailbreak specifically (GitHub):

Jailbreak

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.

Prerequisites: Win32

  • Download the executable binaries for your version of Windows (e.g. jailbreak64.exe).

  • Start an elevated command prompt.

  • Run the command jailbreak64.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -64 (note - this is not quite the same as the guidance on github. certlm.msc is used on Windows 2016 and 2019 to bring up the local machine certificate store).

Euratom answered 16/8, 2011 at 14:45 Comment(5)
Worked for me, Windows 10 Pro 1703.Ecchymosis
It works on 64-bit systems (like Windows 7 x64), but will not work for Local Machine store on W2k12R2.Foran
The first link results in "404".Reims
This answer definitely needs more work: what is the actual procedure? Trying it (both 32 and 64 bit) on Windows 10 64-bit ([Version 10.0.18363.1016]) I only got CreateProces failed with error code = 740.Reims
The other thing is: If I run the command without jailbreak, I can only see the user certificates of the administrative user, not the user I'm interested in.Reims
4

Unfortunately, the tool mentioned above is blocked by several antivirus vendors. If this is the case for you then take a look at the following.

Open the non-exportable cert in the cert store and locate the Thumbprint value.

Next, open regedit to the path below and locate the registry key matching the thumbprint value.

An export of the registry key will contain the complete certificate including the private key. Once exported, copy the export to the other server and import it into the registry.

The cert will appear in the certificate manager with the private key included.

Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

In a pinch, you could save the export as a backup of the certificate.

Glossectomy answered 13/3, 2018 at 22:27 Comment(4)
Just checked it, and the private key is not there - just a pointer to some SID, probably a file on disk (that's encrypted). So I don't think this approach will work.Foran
It's in %APPDATA%\Microsoft\Crypto\RSA\$YOURSID ... I intentionally used the invalid form $YOURSID as a placeholder, as you need to figure out your own SID. Probably easiest to do with regedit under HKEY_USERS ... on a single-user machine it would in all likelihood be the SID ending in the RID -1000 ... there should be a corresponding _Classes key. You can also use HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to figure out which SID corresponds to your username. Last but not least psgetsid %USERDOMAIN%\%USERNAME% from Microsoft/Sysinternals.Berry
I can confirm that it works for LocalMachine certificates. Be aware that the keys are stored at HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Keys. So it's better to export HKLM\SOFTWARE\Microsoft\SystemCertificates\MY and edit the text file according to your needs afterwards.Adder
Worked for exporting private key from Windows 2012 to Windows 2019!Brien
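As an added check, not from the answer above or its comments: the following Windows PowerShell script reads the Blob value of a certificate's entry under HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates and walks it as a list of CryptoAPI certificate properties (each a 12-byte header of property id, a reserved DWORD of 1 and the data length, followed by the data). It shows that the entry holds the DER certificate (property 32) and, for a certificate with a key, a CRYPT_KEY_PROV_INFO structure (property 2) naming the key container and provider, which is the pointer the commenters describe; no key material is in the blob. The thumbprint placeholder is hypothetical, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not from the original page. Assumes an elevated Windows PowerShell 5.1
# session and a certificate in the local machine MY store with the thumbprint below.
$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # hypothetical placeholder
$regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$Thumbprint"
[byte[]]$blob = (Get-ItemProperty -Path $regPath -Name Blob).Blob

# Blob layout: repeated { DWORD propId; DWORD reserved (1); DWORD cbData; BYTE data[cbData] }
$propNames = @{
    2  = 'CERT_KEY_PROV_INFO_PROP_ID'   # container + provider name, i.e. where the key is
    3  = 'CERT_SHA1_HASH_PROP_ID'
    11 = 'CERT_FRIENDLY_NAME_PROP_ID'
    20 = 'CERT_KEY_IDENTIFIER_PROP_ID'
    32 = 'CERT_CERT_PROP_ID'            # the certificate itself, DER encoded
}
$props = @{}
$pos = 0
while ($pos + 12 -le $blob.Length) {
    $id   = [int][BitConverter]::ToUInt32($blob, $pos)
    $len  = [int][BitConverter]::ToUInt32($blob, $pos + 8)
    $data = New-Object byte[] $len
    [Array]::Copy($blob, $pos + 12, $data, 0, $len)
    $props[$id] = $data
    $pos += 12 + $len
}

foreach ($id in ($props.Keys | Sort-Object)) {
    $name = if ($propNames.ContainsKey($id)) { $propNames[$id] } else { "property $id" }
    Write-Host ('{0,-30} {1,6} bytes' -f $name, $props[$id].Length)
}

# Property 32 is public data: the same DER you could export from certlm without a key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$props[32])
Write-Host "Subject     : $($cert.Subject)"
Write-Host "Has key here: $($cert.HasPrivateKey)"   # $false: the DER alone carries no key

# Property 2 is a CRYPT_KEY_PROV_INFO: offsets plus two UTF-16 strings (container, provider).
if ($props.ContainsKey(2)) {
    $text = [System.Text.Encoding]::Unicode.GetString($props[2])
    $strings = [regex]::Matches($text, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }
    Write-Host "Key pointer : $($strings -join ' | ')"
    Write-Host 'The key itself is the DPAPI-protected file under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (CSP) or %ProgramData%\Microsoft\Crypto\Keys (CNG) that belongs to that container.'
}
else {
    Write-Host 'No CERT_KEY_PROV_INFO property: this store entry is not linked to any private key.'
}
```

Because the private key is not in the blob, a .reg export of the Certificates subkey moves the certificate and the container name but not the key. The target machine only shows "You have a private key that corresponds to this certificate" if a key file matching that container already exists there (for example because the key file was copied along with the DPAPI master keys that protect it), which is why the results reported in the comments differ.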
1

You might need to uninstall your antivirus (in my case I had to get rid of Avast).

This makes sure that the crypto::cng command will work. Otherwise it was giving me errors:

mimikatz $ crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; OpenProcess (0x00000005)

After removing Avast:

mimikatz $ crypto::cng
"KeyIso" service patched

Magic. (:

BTW

Windows Defender is another program that blocks the program from working, so you will also need to disable it, at least for the time you are using the program.

Steam answered 27/9, 2018 at 15:35 Comment(1)
I'm not sure I'd call Windows Defender "spyware"?!Viveca
0

If it's issued by DigiCert you can use the DigiCert Certificate Utility for Windows. Do the 'Repair' on the server it was created on. Then you can export it to somewhere like c:\temp as a .pfx. This worked for me with a real SSL cert.

Hoiden answered 16/4, 2021 at 18:41 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.