ITECHSICOLTD-6508 asked:

Cannot export EFS Recovery certificate with private key on domain controller

Hi All,

I'm having a headache on this issue and hope to get your help.

I enabled EFS on the user's machine, and by accident the OS on the user's machine was damaged, so I reinstalled the OS without backing up the private key. Now I'm trying to export the "Recovery Agent" certificate from the DC server, but it says that the private key for this certificate cannot be found, like in the image below.

[Attached screenshots: certgenerate.jpg, certexport.jpg]

All data encrypted by EFS is very important to my company so hope you can help me as to why the private key doesn't exist on the first DC server, how can I find and export it to use for EFS decryption.

Thank you very much


windows-server

1 Answer

LimitlessTechnology-0326 answered:

Hi ITECHSICOLTD-6508,

The following article should assist you with recovering the key:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/back-up-recovery-agent-efs-private-key

I have had success with the following process in the past:

Despite popular perception ("If you don't have a copy of the certificate then your files are forever lost.", "If you didn't export the encryption certificates from the computer that encrypted the files then the data in those files is gone forever", etc.), it may be possible to create the necessary certificate from an offline system or backup thanks to Benjamin *** mimikatz and his guide howto ~ decrypt EFS files. Here is an abbreviated (and by turns amplified) version:

Copy necessary files

    From the offline system, copy these folders and paste them into the directory containing mimikatz.exe on a running system:

        %USERPROFILE%\AppData\Roaming\Microsoft\
            SystemCertificates\
            Crypto\
            Protect\

    If the password is unknown, copy these two files as well:

        %WINDIR%\system32\config\
            SAM
            SYSTEM

1. Retrieve certificate thumbprint from one of the encrypted files

        cipher /c "D:\Users\foo\Pictures\secret.jpg"
        ...
        Certificate thumbprint: 096B A4D0 21B5 0F5E 78F2 B985 4A74 6167 8EDA A006

        No recovery certificate found.

        Key information cannot be retrieved.

        The specified file could not be decrypted.

2. Export certificate and its public key to DER

        mimikatz # crypto::system /file:"SystemCertificates\My\Certificates\096BA4D021B50F5E78F2B9854A7461678EDAA006" /export
        ...
        Key Container : d209e940-6952-4c9d-b906-372d5a3dbd50
        Provider : Microsoft Enhanced Cryptographic Provider v1.0
        ...
        Saved to file: 096BA4D021B50F5E78F2B9854A7461678EDAA006.der

3. Find the master key

    Check files within Crypto\RSA\SID\ to find the one containing a pUniqueName which matches the key container found in step 2, e.g.,

        mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-9**8-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd"
        ...
        pUniqueName : d209e940-6952-4c9d-b906-372d5a3dbd50
        ...
        guidMasterKey : {92f17fce-aae6-488b-9fd8-7774c6c3eb16}

4. Recover NTLM hash if necessary

    If the password is unknown, recover the NTLM hash:

        mimikatz # lsadump::sam /system:SYSTEM /SAM:SAM
        ...
        RID : 000003e8 (1000)
        User : foo
        Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0

    For domain accounts, you'll only need the NTLM hash (/hash:xx); for local accounts, you'll need either the corresponding password (/password:xx) or its SHA1 hash (/hash:xx), which means knowing, cracking, or looking it up [1]:

    Lookup online:
        CrackStation
        Ntlm() Encrypt & Decrypt
        HashKiller
    Lookup offline:
        Rainbow **
        FreeRainbowTables.com
    Crack via hashcat or similar

5. Decrypt the master key

    In this example, we have a local account with an NTLM hash of 31d6cfe0d16ae931b73c59d7e0c089c0, which corresponds to a blank password and a SHA1 hash of da39a3ee5e6b4b0d3255bfef95601890afd80709:

        mimikatz # dpapi::masterkey /in:"Protect\S-1-5-21-98-1000\92f17fce-aae6-488b-9fd8-7774c6c3eb16" /hash:da39a3ee5e6b4b0d3255bfef95601890afd80709
        ...
        [masterkey] with hash: da39a3ee5e6b4b0d3255bfef95601890afd80709 (sha1 type)
        key : 6e24723a56a885fc957f25d4872cbbf10589b1f08033d32174ef3618a192f0e101e41196ca76d689057737429af000af2d7e19497ef2151344dfdfdfb9a6bfd0
        sha1: 4505118da94b7df471bbbcf6d2c6c744a612e62b

6. Decrypt the private key

        mimikatz # dpapi::capi /in:"Crypto\RSA\S-1-5-21-9****8-1000\43838b0ac634d4f965f7c24f0fa91b2b_a55eeef9-ab65-4716-a466-adfc937caecd" /masterkey:4505118da94b7df471bbbcf6d2c6c744a612e62b
        ...
        Private export : OK - 'raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk'

7. Build PFX certificate

    With OpenSSL [2]:

        openssl.exe x509 -inform DER -outform PEM -in 096BA4D021B50F5E78F2B9854A7461678EDAA006.der -out public.pem

        openssl.exe rsa -inform PVK -outform PEM -in raw_exchange_capi_0_d209e940-6952-4c9d-b906-372d5a3dbd50.pvk -out private.pem
        writing RSA key

        openssl.exe pkcs12 -in public.pem -inkey private.pem -password pass:bar -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

8. Install PFX certificate

        certutil -user -p bar -importpfx cert.pfx NoChain,NoRoot
        Certificate "user" added to store.
        CertUtil: -importPFX command completed successfully.

9. Access your files!

    Your files should now be accessible, but you may want to take this opportunity to decrypt them:

        cipher /d "D:\Users\foo\Pictures\secret.jpg"

        cipher /d /s:"D:\Users\foo\Pictures\"

    (or right click → Advanced → uncheck "Encrypt contents to secure data" → OK).




--If the reply is helpful, please Upvote and Accept as answer--
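The situation in the question is the one the Microsoft article linked in the answer is written for: the recovery agent certificate that Group Policy publishes to every machine carries only the public key, so exporting it from an arbitrary DC reports that the private key cannot be found; the private key exists only in the profile of the account that originally created the certificate. The following PowerShell script is an added example (not code from the thread or from Microsoft) for checking exactly that and, where the key is present, backing it up before it is needed. It assumes it is run as the account that created the DRA certificate, and the backup directory is a placeholder.

```powershell
# Added example: audit the EFS recovery agent (DRA) certificate in the current
# user's personal store and back up its private key to a password-protected PFX.
# Assumptions (not from the thread): run under the account that created the DRA
# certificate; $BackupDir is a placeholder and should point at removable media.

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # EKU OID displayed as "File Recovery"
$BackupDir       = 'C:\DRA-backup'               # placeholder location
$Password        = Read-Host -Prompt 'PFX password' -AsSecureString

# Only certificates issued for File Recovery are EFS data recovery agents.
$draCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku }

if (-not $draCerts) {
    Write-Warning ('No File Recovery certificate in CurrentUser\My. The DRA certificate ' +
                   'published through Group Policy holds only the public key; the private ' +
                   'key is in the profile of the account that created it.')
    return
}

foreach ($cert in $draCerts) {
    # HasPrivateKey is $false when only the public certificate was imported, which is
    # the condition behind the "private key cannot be found" message on export.
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    } | Format-List

    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $($cert.Thumbprint) has no private key here; nothing to back up."
        continue
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $pfxPath = Join-Path $BackupDir "efs-dra-$($cert.Thumbprint).pfx"

    # Export-PfxCertificate (PKI module, Windows 8 / Server 2012 and later) writes the
    # certificate together with its private key and fails if the key is not exportable.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password `
        -ChainOption EndEntityCertOnly | Out-Null

    Write-Host "Backed up $($cert.Thumbprint) to $pfxPath. Move it to offline storage and delete the local copy."
}
```

Run this once on the machine and account where the DRA was generated (by default the built-in Administrator profile on the first domain controller), then store the PFX offline; with a backed-up DRA, any file encrypted while that agent was in policy can be decrypted without reconstructing keys from a broken profile. If no private key is found anywhere, a new recovery agent can be created with `cipher /r:<basename>` and published through policy, but that only protects files encrypted after the new agent is applied.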
