To Export the Unexportable Key

March 1, 2017 at 5:04 pm

Every now and then, you have to export a certificate in Windows, and someone forgot to check that little box to let you be able to do it… What is an enterprising SysAdmin to do? Enter Mimikatz (source), a tool that lets you patch the Windows crypto api and do several cool (and frightening) things. The process is very simple.

To Export an Unexportable Private Key:

  1. Create a temp directory
  2. Download the latest version of Mimikatz
  3. Extract the appropriate version (32 or 64 bit) to the temp directory
  4. Open an admin command prompt
  5. Change to the temp directory
  6. Run mimikatz
  7. Type crypto::capi
  8. And finally type crypto::certificates /export

You’ll see all of the certificates in the MY store exported into the temp directory in pfx format. The default password is mimikatz. Want another cert store? Perhaps, the computer store? Simply run crypto::certificates /export /systemstore:LOCAL_MACHINE. Check out the github wiki for documentation on this and other cool features of this powerful tool.

Searching for Superfish using PowerShell

February 19, 2015 at 1:31 pm

Lenovo installed a piece of software that could arguably be called malware or spyware. Superfish, as this article indicates, installs a self-signed root certificate that is authoritative for everything. I wanted to be sure that this issue wasn’t present on any of our Lenovo systems, so I turned to PowerShell to help.

I found a copy of the certificate on Robert David Graham’s github here. I pulled the thumbprint from the cert which appears to be: ‎c864484869d41d2b0d32319c5a62f9315aaf2cbd

Now, some simple PowerShell code will let you run through your local certificate store and see if you have it installed.

Get-ChildItem -Recurse cert:\LocalMachine\ |where {$_.Thumbprint -eq "c864484869d41d2b0d32319c5a62f9315aaf2cbd"}

You could just as easily replace the get-childitem with “Remove-Item -Path cert:\LocalMachine\root\c864484869d41d2b0d32319c5a62f9315aaf2cbd”, but I wanted to make sure the key wasn’t installed somewhere else.

Now, to take it a step further, I use the AD commandlets and some more simple PowerShell to search all my systems for it.

Import-Module ActiveDirectory
$Cred = Get-Credential
$Computers = Get-ADComputer -Filter {enabled -eq $true} | select Name
foreach ($Computer in $Computers) {
 try{
 if(test-connection -Count 1 -ComputerName $Computer.Name){
 write-output (invoke-command -ComputerName $Computer.Name -Credential $Cred -ScriptBlock {Get-ChildItem -Recurse cert:\LocalMachine\ |where {$_.Thumbprint -eq "‎c864484869d41d2b0d32319c5a62f9315aaf2cbd"}})
 }
 }catch{
 Write-Error ("There was an issue connecting to computer $Computer : " + $_.Exception)
 }
}

Is it perfect? No. But it gets the job done in relatively short order.