Tuesday, Jun 11, 2013

Stealing User Certificates with Meterpreter Mimikatz Extension

The Mimikatz extension for Meterpreter lets us use the same commands we would use on the standalone tool as native Meterpreter commands. This blog post covers one specific use: stealing a user's certificates by exporting their private keys for use by the attacker. In this scenario we have obtained a Meterpreter session on a developer's system. The system is Windows 7, as we can see:

image

If we look at the context we are running under, we can see we are running as the target account:

image

Now let's take a look at what privilege level we have. For this I use a small Meterpreter script I wrote that reports some basic information about the privilege level I'm working under. The script is:

# Report whether the session holds an admin token, runs as SYSTEM and whether UAC is on
print_status "Admin token: #{is_admin?()}"
print_status "Running as SYSTEM: #{is_system?()}"
print_status "UAC Enabled: #{is_uac_enabled?()}"

When I run the script I can see whether the session is running in an elevated state, whether I'm running as SYSTEM, and whether UAC is enabled:

image

As you can see, the session is limited in terms of privileges, but this does not affect what we want to do, which is steal the user's certificates. Let's load mimikatz and take a look at the commands it offers.

For this we use the load command followed by the name of the extension:

image

These are the commands added to our Meterpreter session:

image

We will use the mimikatz_command custom command to work with certificates. The command takes two options: -f for the module name and -a for the arguments to pass to the module itself.

The commands in mimikatz for working with certificates live in the crypto module. To see the options, we specify the crypto module with no command selected, which makes mimikatz list the commands available:

image

Since the mimikatz tool is written by a French author, the command descriptions are in French, but the command names are self-descriptive. Let's first list the stores available:

image

As we can see, we only have access to the user's store. Let's take a look at the certificates we can reach:

image

As we can see, we have access to two certificates: judging by their type, one is a code signing certificate and the other is a user certificate. The exportability field says no for one and yes (in French) for the other; this field refers to the private key of the certificate. If we try to export them, the private key export fails for the code signing certificate:

image

We can get around this by patching the API so that it lets us export the key. One thing to keep in mind: for some keys we also have to patch LSASS to make the Microsoft Software Key Storage Provider export CNG keys, and for that we need to be running as SYSTEM or hold the admin token together with the Debug privilege. In this case, for the code signing certificate, we do not need that level of access, but it is good to know what would be needed if we were not able to export. To patch the API we use the patchapi command of the crypto module:

image

Let's try the export of the certificates again:

image

This time we were successful. The private key of each certificate was exported as a PFX file with the password mimikatz, which we can now download from the target system:

image 
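A defender's counterpart to the steps above, added here as an example and not part of the original post: a Windows PowerShell inventory of the current user's personal store that reports, for each RSA private key, whether it is held by a legacy CAPI software CSP (where, as the patchapi step shows, the non-exportable flag is enforced only inside the user's own process) or by a CNG key storage provider (where export is mediated by LSASS and needs SYSTEM or an admin token with the Debug privilege). The function name Get-UserKeyProtection and the risk notes are my own; the script assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys.

```powershell
# Added example, not from the original post. Lists RSA private keys in the
# current user's personal store and notes how each one's export protection is
# enforced. Assumes Windows PowerShell 5.1 (.NET Framework 4.6+), where
# GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng
# for CNG keys. Non-RSA keys are reported as 'not RSA' and not inspected.
Add-Type -AssemblyName System.Core   # RSACng and RSACertificateExtensions live here

function Get-UserKeyProtection {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # hypothetical parameter

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $api = 'not RSA'; $provider = ''; $exportable = $null; $note = ''
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $api        = 'CAPI'
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
                # CAPI checks the flag inside the calling process, so any code running
                # as the user can bypass it; treat the key as exportable either way.
                $note = 'software CSP: non-exportable flag enforced only in the user process'
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $api        = 'CNG'
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                if ($exportable) { $note = 'exportable by any code running as the user' }
                else { $note = 'export blocked in LSASS; needs SYSTEM or admin token + debug privilege' }
            }
        } catch {
            # Keys that cannot be opened (e.g. a removed smart card) throw; report and continue.
            $note = "could not open key: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyApi     = $api
            Provider   = $provider
            Exportable = $exportable
            Note       = $note
        }
    }
}

Get-UserKeyProtection | Format-Table -AutoSize
```

Any key reported as CAPI, or as CNG with Exportable set to True, should be assumed recoverable by whoever controls the user's session, whatever the store's export flag says.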

As you can see, this is only a simple yet effective example of what the mimikatz module can do beyond credential collection. Thanks to Erick Milam (@Brav0Hax) from Accuvant for piquing my interest in it when he asked me today how to steal a user's certificate. Hope you find it useful.

Reader Comments (4)

Great article, Carlos. Awesome to bring the power of mimikatz to meterpreter.
June 12, 2013 | Unregistered Commenter chalo
Hi,

How does this affect 802.1x with EAP-TLS [certificates] access control?
June 12, 2013 | Unregistered Commenter rooter
I think he likely "piqued" your interest, not "peaked" it. Good article, otherwise.
June 12, 2013 | Unregistered Commenter rando
You could steal and reuse user certs; host certs one would have to test to know.
June 16, 2013 | Registered Commenter Carlos Perez
