.net: How to export a non-exportable private key from the store
Disclaimer: this page is a bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/3914882/
How to export non-exportable private key from store
Asked by Gorf
I need to export a private key from the Windows store. What should I do if the key is marked as non-exportable? I know that it is possible; the program jailbreak can export this key.
To export the key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(), which exports the key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). The exported key I use in Org.BouncyCastle.Cms.CmsSignedDataGenerator for the CMS signature.
I need a solution for .Net, but any solution will be useful. Thank you.
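Two checks worth running before reaching for a memory-patching tool, as an added example that is not part of the question or of any answer: first, enumerate the store through the supported .NET API and report whether ExportParameters(true) would succeed for each key (the same "Exportable key" verdict the tools below print) and which key container file on disk holds the key; second, produce and verify a CMS (PKCS#7) signature with the certificate in place, which uses the KSP/CSP handle and therefore works with a non-exportable key. It is written for Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (earlier Framework builds cannot sign with CNG keys through SignedCms); the store path, the sample message and the use of the first certificate found are illustrative assumptions, and the key-file paths are the standard machine-store locations.

```powershell
# Added example (not from the original question or answers).
# Assumes Windows PowerShell 5.1 / .NET Framework 4.7.2+, read access to the key
# containers, and a certificate with a private key in the chosen store.

# Report whether each private key in a store can be exported through the normal
# API (ExportParameters($true)) and where its key blob lives in the machine store.
function Get-PrivateKeyInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # GetRSAPrivateKey handles both CNG (KSP) and legacy CAPI (CSP) keys,
        # unlike $cert.PrivateKey, which is CAPI-only.
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }
        if ($null -eq $rsa) { continue }   # non-RSA key, or no read access to the container

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $type       = 'CNG'
            $provider   = $rsa.Key.Provider.Provider
            # Plaintext export needs AllowPlaintextExport; AllowExport alone only
            # permits wrapped (encrypted) export, so ExportParameters($true) fails.
            $exportable = ($rsa.Key.ExportPolicy -band
                           [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) -ne 0
            $file       = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
        } else {
            $info       = $rsa.CspKeyContainerInfo
            $type       = 'CAPI'
            $provider   = $info.ProviderName
            $exportable = $info.Exportable
            $file       = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Type       = $type
            Provider   = $provider
            KeySize    = $rsa.KeySize
            Exportable = $exportable
            KeyFile    = $file   # machine-store path; user keys live under $env:APPDATA\Microsoft\Crypto
        }
    }
}

# Sign content as CMS/PKCS#7 SignedData without exporting the private key.
function New-CmsSignature {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [byte[]]$Content
    )
    Add-Type -AssemblyName System.Security   # SignedCms lives in System.Security.dll

    $contentInfo = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$Content)
    $cms         = New-Object System.Security.Cryptography.Pkcs.SignedCms ($contentInfo, $false)  # attached content
    $signer      = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($Certificate)
    $signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
    $cms.ComputeSignature($signer)   # signs through the KSP/CSP handle; no key material leaves the provider
    return ,$cms.Encode()            # DER-encoded SignedData
}

# Verify a SignedData blob and return the original content.
function Test-CmsSignature {
    param([byte[]]$SignedData)
    Add-Type -AssemblyName System.Security

    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($SignedData)
    $cms.CheckSignature($true)       # $true: verify the signature only, do not build the chain
    return ,$cms.ContentInfo.Content
}

# Usage with assumed store and a constructed sample message:
Get-PrivateKeyInfo -StorePath 'Cert:\LocalMachine\My' |
    Format-Table Subject, Type, Provider, KeySize, Exportable, KeyFile -AutoSize

$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$bytes = [Text.Encoding]::UTF8.GetBytes('hello, CMS')
$p7    = New-CmsSignature -Certificate $cert -Content $bytes
[Text.Encoding]::UTF8.GetString((Test-CmsSignature -SignedData $p7))
```

If the only goal is a CMS signature, the second half is usually the whole answer: SignedCms hands the hash to the provider that owns the key, so a key marked non-exportable signs exactly as an exportable one does, and nothing has to be patched in lsass. The inventory function is still useful to confirm which provider holds the key and whether the process has read access to the container file, which is the precondition the tools below depend on.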
Accepted answer by Gentil Kiwi
You're right, there is no API at all that I'm aware of to export a PrivateKey marked as non-exportable. But if you patch (in memory) the normal APIs, you can use the normal way to export :)
There is a new version of mimikatz that also supports CNG export (Windows Vista / 7 / 2008 ...)
- download (and launch with administrative privileges): http://blog.gentilkiwi.com/mimikatz (trunk version or last version)
Run it and enter the following commands in its prompt:
privilege::debug (unless you already have it or target only CryptoApi)
crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
.pfx files are password protected with "mimikatz"
Answer by Zanon
Gentil Kiwi's answer is correct. He developed this mimikatz tool that is able to retrieve non-exportable private keys.
However, his instructions are outdated. You need to:
- Download the latest release from https://github.com/gentilkiwi/mimikatz/releases
- Run the cmd with admin rights on the same machine where the certificate was requested
- Change to the mimikatz bin directory (Win32 or x64 version)
- Run mimikatz
- Follow the wiki instructions and the .pfx file (protected with password mimikatz) will be placed in the same folder as the mimikatz bin

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
 * System Store : 'local_machine' (0x00020000)
 * Store        : 'my'

 - example.domain.local
    Key Container  : example.domain.local
    Provider       : Microsoft Software Key Storage Provider
    Type           : CNG Key (0xffffffff)
    Exportable key : NO
    Key size       : 2048
    Public export  : OK - 'local_machine_my_0_example.domain.local.der'
    Private export : OK - 'local_machine_my_0_example.domain.local.pfx'
Answer by Ian Boyd
I wanted to mention Jailbreak specifically (GitHub):
Jailbreak
Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.
Prerequisites: Win32
Answer by Cocowalla
There is code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps like mimikatz will.
The code is based on a paper by the NCC Group.
You will need to run the tool with the local system account, as it works by writing directly to memory used by Windows' lsass process, in order to temporarily mark keys as exportable. This can be done using PsExec from SysInternals' PsTools:
Spawn a new command prompt running as the local system user:
PsExec64.exe -s -i cmd
In the new command prompt, run the tool:
exportrsa.exe
The tool will prompt you for a password for each key it finds - this is the password you want to secure the exported PFX file with, so it can be whatever you want.
Answer by Ernest Correale
Unfortunately, the tool mentioned above is blocked by several antivirus vendors. If this is the case for you then take a look at the following.
Open the non-exportable cert in the cert store and locate the Thumbprint value.
Next, open regedit at the path below and locate the registry key matching the thumbprint value.
An export of the registry key will contain the complete certificate including the private key. Once exported, copy the export to the other server and import it into the registry.
The cert will appear in the certificate manager with the private key included.
Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
In a pinch, you could save the export as a backup of the certificate.
Answer by Daniel Kmak
You might need to uninstall your antivirus (in my case I had to get rid of Avast).
This makes sure that the crypto::cng command will work. Otherwise it was giving me errors:
mimikatz $ crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; OpenProcess (0x00000005)
After removing Avast:
mimikatz $ crypto::cng
"KeyIso" service patched
Magic. (:
BTW
Windows Defender is another program blocking the program from working, so you will also need to disable it, at least for the time you are using the program.
Answer by miker2069
This worked for me on Windows Server 2012 - I needed to export a non-exportable certificate to set up another ADFS server and this did the trick. Remember to use the jailbreak instructions above, i.e.:
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

