Red Teaming and Malware Analysis

Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite

Extracting certificates and private keys whose export flag is disabled, and using BurpSuite to intercept the requests.


Last updated 4 years ago

Situation

  • I have installed a new client certificate on my Windows machine

  • I cannot export the private key for this certificate (the export flag is false)

  • I am a Linux user who needs the certificate and private key in order to import them into BurpSuite and perform tests ...

Install/export certificate using Windows VM

  1. Install the certificate through the VM as needed

  2. In Internet Explorer, click the settings icon (looks like a gear) and choose "Internet Options"

  3. Click the "Content Tab"

  4. Click "Certificates"

  5. Click the certificate you installed (likely on the Personal tab) and click the "Export..." button

  6. Click "Next" through the next few prompts in the Certificate Export Wizard

  7. On the "File to Export" screen, click "Browse" and find a location (like your Desktop) to save the file to and give it a name

  8. Click "Next" and "Finish"

  9. Bring the certificate back over to Linux

Run mimikatz to get the private key

  1. Extract the mimikatz files to a directory (you only need the Win32 folder)

  2. Run cmd.exe as an Administrator (you may need to navigate to C:\Windows\System32\ and right-click the cmd.exe file)

  3. Run mimikatz.exe from the command prompt

  4. Run the following commands:

privilege::debug
crypto::capi
crypto::keys /export

If you need to extract the certificates:

crypto::certificates /export

You should now have a .pvk (private key) file in the same directory as mimikatz.exe, probably just the one you installed. If you see multiple private keys, you will have to determine which one is the one you installed.

You can use other tools to work with the certificate stores. The certutil tool has some uses; for example, you can view all the personal certificates for the current user with:

certutil -user -viewstore My
certutil -store -user My

If you simply want to dump all the information in the console, you can use:
certutil -user -store My

To do the same for the computer account, simply drop the '-user' parameter:
certutil -store My
certutil -viewstore My

For the PowerShell lovers, the Cert: drive can provide most of the needed information. Here are some uses:
PS C:\> cd Cert:; dir

To list all the certificates in the ‘Personal’ store for the current user, use:
PS Cert:\> dir Cert:\CurrentUser\My

To get all the details for a particular certificate, you can use the thumbprint:
PS Cert:\> dir Cert:\CurrentUser\My\106796B4130A9AE14BF38C7CE553353204613796 | fl *
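
The export flag mentioned in the Situation section can be read straight from the Cert: drive. The inventory script below is an added example, not code from the original page: it lists each certificate in the Personal store together with its key storage provider and whether the private key is marked exportable. The store path is an assumption (the current user's Personal store, as in the dir commands above). The flag is a policy enforced by the software provider; keys reported under a TPM-backed provider such as the Microsoft Platform Crypto Provider cannot be exported from the machine at all, so the provider column is the one a defender cares about.

```powershell
function Get-ClientCertInventory {
    # Assumed store path: current user's Personal store (same as the dir examples).
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert       = $_
        $exportable = 'n/a'   # no private key present in this store
        $provider   = 'n/a'

        if ($cert.HasPrivateKey) {
            try {
                # Works for both CAPI (RSACryptoServiceProvider) and CNG (RSACng) keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG: provider name tells software KSP apart from a TPM-backed KSP.
                    $provider   = $rsa.Key.Provider.Provider
                    $policy     = $rsa.Key.ExportPolicy
                    $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI: the container info carries the export flag directly.
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } else {
                    $exportable = 'unknown'       # e.g. an ECDSA key, not handled here
                }
            } catch {
                $exportable = 'access denied'     # key container owned by another account
            }
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            Provider      = $provider
        }
    }
}

# Usage: show every Personal certificate whose key is flagged non-exportable,
# together with the provider that holds it.
Get-ClientCertInventory | Where-Object { $_.Exportable -eq $false } | Format-Table -AutoSize
```

Run the same function with -StorePath 'Cert:\LocalMachine\My' from an elevated prompt to inventory the computer account's store.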

Convert PVK to PEM

You can convert the Windows proprietary ".pvk" file to a useful ".pem" file by using the following command:

openssl rsa -inform pvk -in YOUR_PRIVATE_KEY.pvk -outform pem -out YOUR_NEW_PRIVATE_KEY.pem

Import the PFX certificate from mimikatz on BurpSuite

In BurpSuite "User Options / TLS" option, import the PFX certificate directly obtained from mimikatz, and everything will work fine.

From here, you can intercept all the traffic between your browser and the server and use enumeration tools from Linux such as gobuster, dirsearch and so on. You need to use BurpSuite as a proxy every time, or your requests will not be valid (bad SSL handshake).

python3 dirsearch.py -e php,html,js -u https://target --proxy 127.0.0.1:8080

References

Bonus

Download - a tool that will extract the private key from installed certificates

The PFX password is "mimikatz" by default

Mimikatz walkthrough:
  • Get a Windows VM
  • mimikatz
  • https://gist.github.com/derrickorama/7b08298b657048660293

Links:
  • burpsuite import client certificate of website - Programmer Sought
  • Windows certificate stores - Blog
  • GitHub - TheWover/CertStealer: A .NET tool for exporting and importing certificates without touching disk.