
Fix crypto::cng on Windows 10 x64 1909, 2004, 20H2, 21H2 #362

Merged (7 commits), Jul 26, 2022

Conversation

hubert3 (Contributor) commented Jul 21, 2021

Fix crypto::cng on Windows 10 x64 version 1909

Was failing with error:

ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000))

I found that the version of KeyIso service (ncryptprov.dll) on my Win10 x64 1909 needs the patch sequence defined in PTRN_W10_1809_SPCryptExportKey and the existing definition for KULL_M_WIN_BUILD_10_1909 did not work.

Also added a correct patch definition for build KULL_M_WIN_BUILD_10_2004.

crypto::cng now succeeds on both Win10 x64 1909 and 2004 for me. Non-exportable CNG private key export was successfully tested on 1909 with command crypto::certificates /systemstore:local_machine /export

Tested with Win10 Pro x64 Version 1909 Build 18363.1556 (ncryptprov.dll 10.0.18362.1411)
Also works on Win10 Pro x64 Version 2004 Build 19041.804 (ncryptprov.dll 10.0.19041.662)

…nericProcessOrServiceFromBuild ; kull_m_patch (0x00000000))

Non-exportable private key export succeeds with crypto::certificates /systemstore:local_machine /export
Tested with:  Win10 Pro x64 Version 1909 Build 18363.1556 (ncryptprov.dll 10.0.18362.1411)
Also works on Win10 Pro x64 Version 2004 Build 19041.804  (ncryptprov.dll 10.0.19041.662)
@hubert3 hubert3 changed the title Fix crypto::cng on Windows 10 x64 version 1909 (ERROR kull_m_patch_ge… Fix crypto::cng on Windows 10 x64 1909 Jul 21, 2021
bezik46 commented Feb 22, 2022

Does anybody have a version working for Microsoft Windows [Version 10.0.19044.1526]?

@hubert3 hubert3 changed the title Fix crypto::cng on Windows 10 x64 1909 Fix crypto::cng on Windows 10 x64 1909, 2004, 20H2, 21H2 Jul 26, 2022
hubert3 (Contributor, Author) commented Jul 26, 2022

This pull request should make crypto::cng work on all the Windows 10 x64 versions in the table below.

The ncryptprov.dll version number was higher on my 20H2 test system than on 21H2 🤷‍♂️

@scerazy @juxeii grateful if you could test; contact me if you need a compiled mimikatz exe.

Version   Codename   Marketing Name          Build
1909      19H2       November 2019 Update    18363
2004      20H1       May 2020 Update         19041
20H2      20H2       October 2020 Update     19042
21H2      21H2       November 2021 Update    19044

@gentilkiwi gentilkiwi merged commit f602468 into gentilkiwi:master Jul 26, 2022
bezik46 commented Jul 26, 2022

Compiled exe would be appreciated

Thanks

gentilkiwi (Owner):

As it was merged, mimikatz has automatic build: https://github.com/gentilkiwi/mimikatz#continuous-integration

You can find binaries in artifacts: https://ci.appveyor.com/project/gentilkiwi/mimikatz

Thank you to @hubert3 for the work :)

sikhness commented Sep 8, 2022

Even with the latest binary, this seems to not work on my installation of Windows 10 20H2.

When I run:

crypto::capi
crypto::cng

crypto::certificates /export

I can see that it generates the pfx, however it does not actually contain the private key in it (I know because when I import it, it doesn't exist in the certificate, and also when I use openssl to extract it, it is blank).

Also, when I run:

crypto::capi
crypto::cng

crypto::keys /export

I get a Private export : ERROR kuhl_m_crypto_exportKeyToFile ; NCryptExportKey(PKCS8_PRIVATEKEY -- init): 0xc0000005 error.

I am using the latest build from AppVeyor. How can I get this to work?

hubert3 (Contributor, Author) commented Oct 17, 2022

@sikhness what was the output of running crypto::cng and crypto::capi? Did you run privilege::debug first? It should look like this:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched

If you are still having an issue, please reply with the output of 'version' and 'crypto::certificates' for the item you're trying to export (to confirm your Windows build, the type of item, and the keystore it's using).

sikhness:

Hi @hubert3,
Yes, I did run privilege::debug first. I have the exact same output as you for the commands you listed:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched

Here is the output for the version command and crypto::certificates commands as requested (I've hidden any possible identifying information):

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19042 (arch x64)
msvc 150030729 207
mimikatz # crypto::certificates
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

 1. <<Hidden>>
    Subject  : <<Hidden>>
    Issuer   : <<Hidden>>
    Serial   : <<Hidden>>
    Algorithm: 1.2.840.113549.1.1.1 (RSA)
    Validity : <<Hidden>>
    UPN      : <<Hidden>>
    Hash SHA1: <<Hidden>>
        Key Container  : <<Hidden>>
        Provider       : Microsoft Software Key Storage Provider
        Provider type  : cng (0)
        Type           : CNG Key (0xffffffff)
        |Provider name : Microsoft Software Key Storage Provider
        |Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ;
        Key Container  : <<Hidden>>
        Unique name    : <<Hidden>>
        Algorithm      : RSA
        Key size       : 2048 (0x00000800)
        Export policy  : 00000000 ( )
        Exportable key : NO
        LSA isolation  : NO

Thanks for your help!
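The crypto::certificates listing above shows the fields that matter for exposure: which key storage provider holds the key and what its export policy is. The following is an added example, not code from the PR or from mimikatz, that inventories RSA private keys in the 'My' stores and reports those same two fields from the .NET CNG API, so an administrator can see which keys live in the software KSP (serviced by KeyIso, the process crypto::cng patches) versus a hardware-backed provider. Function name and output columns are my own.

```powershell
# Added example (not from the PR): list RSA private keys in CurrentUser\My and LocalMachine\My
# with their provider and export policy. 'Microsoft Software Key Storage Provider' plus an
# ExportPolicy of 'None' is the same key class shown as "Exportable key : NO" above.
function Get-RsaKeyInventory {
    param([string[]]$Locations = @('CurrentUser', 'LocalMachine'))

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($loc in $Locations) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $loc)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        } catch {
            Write-Warning "Cannot open ${loc}\My: $_"
            continue
        }
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            $provider = 'n/a'; $policy = 'n/a'; $isCng = $false
            try {
                $rsa = $ext::GetRSAPrivateKey($cert)      # $null for non-RSA keys
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $isCng    = $true
                    $provider = $rsa.Key.Provider.Provider   # e.g. software KSP or platform (TPM) provider
                    $policy   = $rsa.Key.ExportPolicy.ToString()
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI CSP key (the class crypto::capi targets)
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                    $policy   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
                }
            } catch {
                # Typically access denied on machine keys when not elevated
                $provider = "error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Location     = $loc
                Thumbprint   = $cert.Thumbprint
                Subject      = $cert.Subject
                IsCng        = $isCng
                Provider     = $provider
                ExportPolicy = $policy
            }
        }
        $store.Close()
    }
}

Get-RsaKeyInventory | Sort-Object Provider, ExportPolicy | Format-Table -AutoSize
```

Run elevated to see LocalMachine keys; keys reported under the software KSP are the ones whose non-exportable flag is enforced only by the KeyIso service process.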

hubert3 (Contributor, Author) commented Nov 8, 2022

@sikhness so the item you want to export is definitely using the CNG provider, so crypto::cng is the correct command (crypto::capi is not needed).

crypto::cng patching succeeds, so exporting the private key should work.

What exactly is the output when you run:

crypto::certificates /systemstore:current_user /store:my /export

on the lines that say Public export and Private export for the specific item?

Mimikatz will try to dump everything in that key store, so make sure you're looking at the output for the specific item you are interested in (there could be errors from other, irrelevant items).

If it says Private export : OK - 'blah.pfx' for the cert/key you want, then it should have worked. Feel free to contact me by Twitter DM if it's not working.

deliciouslytyped commented Dec 18, 2022

xref #413 because I found this but not that.
