Mar 302023

In a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method (decrypting DPAPI).

Here below how to do it the easy way (by hooking a rsaenh.dll api) :

cert –export –store=root –subject= »Root Authority » –force

-> you get a cert.pfx containing both the certificate and the private key.

Import and enjoy !

Mar 262023

You want to export a certificate but its private key is marked as non exportable.

Lets export it using the hard way (a future article with demonstrate an easier method).

To realize this operation we will need:

-CAPI-FPC (here) : using windows crypto API’s (aka CAPI)

-NTHASH-FPC (here) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement

-TinySSL (here) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys

1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash

->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name

cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)

Lets convert this binary cert (DER format) to a PEM format:

cert.exe –der2pem –filename=blob.cer

->you get a blob.crt

2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05

->this is your encrypted (with a masterkey) DPAPI blob

Note : you can skip this test as the blob will be decrypted in step 4.

3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save

->masterkey’s will be saved to masterkeys.ini

4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save

->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.

5/ Convert the decrypted rsa key to a PEM format

cert.exe –rsa2pem –filename=decoded.bin

->you get a decoded.pem

Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.

6/ Create a pfx with your certificate and private key

Optionally : you can check that your certificate and private key share the same modulus.

tinyssl –print_private –filename=decoded.pem

tinyssl –print_cert –filename=blob.crt

Finally, create your pfx certificate.

tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt

->you get a cert.pfx, ready to import.


Fév 252023

Still pursuing my journey around ldap, ssl and certificates : lets play with OpenSSL libraries.

Have a look at the code on github here.

Possible actions so far:

--genkey generate rsa keys public.pem and private.pem
--encrypt encrypt a file using public.pem
--decrypt decrypt a file using private.pem
--mkcert make a self sign root cert, read from privatekey (option) & write to ca.crt and ca.key
--mkreq make a certificate service request, read from request.key (if exist) & write to request.csr request.key
--signreq make a certificate from a csr, read from a csr filename and a cert file
--selfsign make a self sign cert, write to cert.crt cert.key
--p12topem convert a pfx to pem, write to cert.crt and cert.key
--pemtop12 convert a pem to pfx, read from cert.crt and cert.key

Example to create a root ca, a certificate signing request and a certificate (which you can use in latest chrome) :

rem if you want to reuse an existing key and therefore renew instead of recreate
tinySSL.exe --mkcert --debug=true --privatekey=ca.key --password=password --filename=ca.crt
rem recreate, not renew
rem tinySSL.exe --mkcert --debug=true --filename=ca.crt
rem renew, not recreate
tinySSL.exe --mkreq --debug=true --filename=request.csr --privatekey=request.key
rem recreate, not renew
rem tinySSL.exe --mkreq --debug=true --filename=request.csr
tinySSL.exe --signreq --debug=true --alt="DNS:*" --password=password --filename=request.csr --cert=ca.crt

Note : have a look at this article if you want to test your certificate in a http ssl server.