How to export a non-exportable private key from the store

Posted 2024-09-27 02:37:31 · 350 words · 6 views · 0 comments

I need to export a private key from the Windows store. What should I do if the key is marked as non-exportable? I know that it is possible; the program jailbreak can export this key.

To export the key I use Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(), which exports the key from (RSACryptoServiceProvider)cryptoProv.ExportParameters(true). I use the exported key in Org.BouncyCastle.Cms.CmsSignedDataGenerator for a CMS signature.

I need a solution for .Net, but any solution will be useful. Thank you.

Comments (7)

我也只是我 2024-10-04 02:37:31

You're right, there is no API at all that I'm aware of to export a PrivateKey marked as non-exportable.
But if you patch (in memory) normal APIs, you can use the normal way to export :)

There is a new version of mimikatz that also supports CNG Export (Windows Vista / 7 / 2008 ...)

  1. Download (and launch with administrative privileges): http://blog.gentilkiwi.com/mimikatz (trunk version or last version)

Run it and enter the following commands in its prompt:

  1. privilege::debug (unless you already have it or target only CryptoApi)
  2. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  3. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

The exported .pfx files are password protected with the password "mimikatz"

朦胧时间 2024-10-04 02:37:31

Gentil Kiwi's answer is correct. He developed this mimikatz tool that is able to retrieve non-exportable private keys.

However, his instructions are outdated. You need:

  1. Download the latest release from https://github.com/gentilkiwi/mimikatz/releases

  2. Run the cmd with admin rights in the same machine where the certificate was requested

  3. Change to the mimikatz bin directory (Win32 or x64 version)

  4. Run mimikatz

  5. Follow the wiki instructions and the .pfx file (protected with password mimikatz) will be placed in the same folder of the mimikatz bin

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
* System Store : 'local_machine' (0x00020000)
* Store : 'my'

  1. example.domain.local
         Key Container : example.domain.local
         Provider : Microsoft Software Key Storage Provider
         Type : CNG Key (0xffffffff)
         Exportable key : NO
         Key size : 2048
         Public export : OK - 'local_machine_my_0_example.domain.local.der'
         Private export : OK - 'local_machine_my_0_example.domain.local.pfx'

寂寞美少年 2024-10-04 02:37:31

There is code and binaries available here for a console app that can export private keys marked as non-exportable, and it won't trigger antivirus apps like mimikatz will.

The code is based on a paper by the NCC Group.
You will need to run the tool with the local system account, as it works by writing directly to memory used by Windows' lsass process, in order to temporarily mark keys as exportable. This can be done using PsExec from SysInternals' PsTools:

  1. Spawn a new command prompt running as the local system user:

    PsExec64.exe -s -i cmd
    
  2. In the new command prompt, run the tool:

    exportrsa.exe
    
  3. It will loop over every Local Computer store, searching for certificates with a private key. For each one, it will prompt you for a password - this is the password you want to secure the exported PFX file with, so can be whatever you want


Shortcuts to needed files:

乖乖哒 2024-10-04 02:37:31

I wanted to mention Jailbreak specifically (GitHub):

Jailbreak

Jailbreak is a tool for exporting certificates marked as
non-exportable from the Windows certificate store. This can help when
you need to extract certificates for backup or testing. You must have
full access to the private key on the filesystem in order for
jailbreak to work.

Prerequisites: Win32

  • Download the executable binaries for your version of Windows (e.g. jailbreak64.exe).

  • Start an elevated command prompt.

  • Run the command jailbreak64.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -64 (note - this is not quite the same as the guidance on github. certlm.msc is used on Windows 2016 and 2019 to bring up the local machine certificate store).

指尖上得阳光 2024-10-04 02:37:31

Unfortunately, the tool mentioned above is blocked by several antivirus vendors. If this is the case for you then take a look at the following.

Open the non-exportable cert in the cert store and locate the Thumbprint value.

Next, open regedit to the path below and locate the registry key matching the thumbprint value.

An export of the registry key will contain the complete certificate including the private key. Once exported, copy the export to the other server and import it into the registry.

The cert will appear in the certificate manager with the private key included.

Machine Store: HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

User Store: HKCU\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

In a pinch, you could save the export as a backup of the certificate.

蔚蓝源自深海 2024-10-04 02:37:31

You might need to uninstall antivirus (in my case I had to get rid of Avast).

This makes sure that crypto::cng command will work. Otherwise it was giving me errors:

mimikatz $ crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; OpenProcess (0x00000005)

After removing Avast:

mimikatz $ crypto::cng
"KeyIso" service patched

Magic. (:

BTW

Windows Defender is another program blocking the program from working, so you will also need to disable it, at least while using the program.
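
The answers above work by patching memory in lsass.exe (the process that hosts the KeyIso service), and the OpenProcess error 0x00000005 shown in this answer is that handle being denied. As an added example (not code from any poster or tool on this page), the Python below flags Sysmon ProcessAccess (Event ID 10) records in which a non-allowlisted process was granted PROCESS_VM_WRITE on lsass.exe; the key=value log rendering, the sample records and the allowlist are constructed assumptions.

```python
# Added example: flag Sysmon ProcessAccess (Event ID 10) records in which a
# process was granted write access to lsass.exe memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
RIGHTS = {"VM_OPERATION": PROCESS_VM_OPERATION, "VM_READ": PROCESS_VM_READ,
          "VM_WRITE": PROCESS_VM_WRITE}

# Assumption: site-specific allowlist of images expected to open lsass.exe.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed sample records: a simplified "key=value|..." rendering of the
# Sysmon fields EventID, SourceImage, TargetImage and GrantedAccess.
SAMPLE_LOG = r"""
EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\Temp\tool.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1438
EventID=10|SourceImage=C:\Temp\tool.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1438
EventID=10|SourceImage=C:\Temp\reader.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410
EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=1|Image=C:\Temp\tool.exe
EventID=10|SourceImage=C:\Temp\odd.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=n/a
"""


def parse_record(line):
    """Split one 'key=value|key=value' line into a dict."""
    return dict(f.split("=", 1) for f in line.split("|") if "=" in f)


def lsass_write_access(log_text, allowed=ALLOWED_SOURCES):
    """Return (source image, access mask, decoded rights) for each finding."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_record(line)
        target = rec.get("TargetImage", "").lower()
        if rec.get("EventID") != "10" or not target.endswith("\\lsass.exe"):
            continue  # only ProcessAccess events that target lsass.exe
        source = rec.get("SourceImage", "")
        if source.lower() in allowed:
            continue
        try:
            mask = int(rec.get("GrantedAccess", ""), 16)
        except ValueError:
            continue  # unparseable mask: skipped here, count these in production
        if mask & PROCESS_VM_WRITE:
            names = [n for n, bit in RIGHTS.items() if mask & bit]
            findings.append((source, hex(mask), names))
    return findings
```

Read-only masks such as 0x1410 are deliberately not flagged here, because changing a key's export policy in memory requires write access; reads of lsass.exe belong in a separate rule.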

却一份温柔 2024-10-04 02:37:31

If it's issued by DigiCert, you can use the DigiCert Certificate Utility for Windows. Do the 'Repair' on the server it was created on. Then you can export it to like c:\temp as .pfx. This worked for me with a real ssl cert.
