Anybody has version working for Microsoft Windows [Version 10.0.19044.1526] ?

This pull request should make crypto::cng work on all the Windows 10 x64 versions in the table below

ncryptprov.dll version number was higher on my 20H2 test system than on 21H2 🤷‍♂️

@scerazy @juxeii grateful if you could test, contact me if you need a compiled mimikatz exe

Compiled exe would be appreciated

Thanks

As it was merged, mimikatz has automatic build: https://github.com/gentilkiwi/mimikatz#continuous-integration

You can find binaries in artifacts: https://ci.appveyor.com/project/gentilkiwi/mimikatz

Thank you to @hubert3 for the work :)

Even with the latest binary, this seems to not work on my installation of Windows 10 20H2.

When I run:

crypto::capi
crypto::cng

crypto::certificates /export

I can see that it generates the pfx, however it does not actually contain the private key in it (I know because when I import it, it doesn't exist in the certificate, and also when I use openssl to extract it, it is blank).

Also, when I run:

crypto::capi
crypto::cng

crypto::keys /export

I get a Private export : ERROR kuhl_m_crypto_exportKeyToFile ; NCryptExportKey(PKCS8_PRIVATEKEY -- init): 0xc0000005 error.

I am using the latest build from AppVeyor. How can I get this to work?

@sikhness what was the output of running crypto::cng & crypto::capi? Did you run privilege::debug first? It should look like this:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched

If you are still having an issue, please reply with output of 'version' and 'crypto::certificates' for the item you're trying to export (to confirm your Windows build, type of item and keystore it's using)

Hi @hubert3,
Yes I did run privilege::debug first, I have the exact same output as you for the commands you listed:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched

Here is the output for the version command and crypto::certificates commands as requested (I've hidden any possible identifying information):

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19042 (arch x64)
msvc 150030729 207

mimikatz # crypto::certificates
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

 1. <<Hidden>>
    Subject  : <<Hidden>>
    Issuer   : <<Hidden>>
    Serial   : <<Hidden>>
    Algorithm: 1.2.840.113549.1.1.1 (RSA)
    Validity : <<Hidden>>
    UPN      : <<Hidden>>
    Hash SHA1: <<Hidden>>
        Key Container  : <<Hidden>>
        Provider       : Microsoft Software Key Storage Provider
        Provider type  : cng (0)
        Type           : CNG Key (0xffffffff)
        |Provider name : Microsoft Software Key Storage Provider
        |Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ;
        Key Container  : <<Hidden>>
        Unique name    : <<Hidden>>
        Algorithm      : RSA
        Key size       : 2048 (0x00000800)
        Export policy  : 00000000 ( )
        Exportable key : NO
        LSA isolation  : NO

Thanks for your help!

@sikhness so the item you want to export is definitely using the CNG provider, so crypto::cng is the correct command (crypto::capi is not needed)

crypto::cng patching succeeds, so exporting the private key should work

What exactly is the output when you run:

crypto::certificates /systemstore:current_user /store:my /export

On the lines that say Public export and Private export for the specific item?

Mimikatz will try to dump everything in that key store so make sure you're looking at the output for the specific item you are interested in (there could be errors from other irrelevant items)

If it says Private export : OK - 'blah.pfx' for the cert/key you want then it should have worked - Feel free to contact me by twitter DM if it's not working

xref #413 because I found this but not that.