How to Steal Certificates from a Computer

In this exercise, you are going to emulate an attacker stealing certificates from a computer by carrying out the following actions:

  • Create a folder and file
  • Encrypt the folder
  • Use the Microsoft Management Console
  • Export both the Public and Private Keys

Creating the folder and file

On your desktop, create a folder called Security.
Next, create a text file called test.txt. Type ‘I am passing Security+’ into it, then save.

Encrypting the Security folder

Right-click the ‘Security’ folder and choose properties.
In the General tab, untick the ‘read only’ attribute and click the Advanced button.
Then, tick the box ‘Encrypt contents to secure data’, and press OK twice.
The output should look like the following:

The file and the folder are now encrypted.
It will show a padlock similar to the output below:

This should now have generated a certificate on the desktop that you can use to emulate an attacker stealing it.
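The same folder, file and encryption steps can be scripted and checked from PowerShell. This is an added example, not part of the book's lab; it assumes a Windows machine, the built-in cipher.exe tool, and the lab's own folder and file names, and it finishes by listing the EFS certificate that the encryption step caused Windows to generate in the current user's Personal store.

```powershell
# Added example (not from the book): scripted equivalent of the folder, file and
# EFS encryption steps, with checks that each step actually took effect.
$folder = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Security'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$file = Join-Path $folder 'test.txt'
Set-Content -Path $file -Value 'I am passing Security+'

# Encrypt the folder and everything in it (cipher.exe is Windows' command-line EFS tool;
# /e = encrypt, /s:<dir> = apply to the directory and all files and subfolders in it).
cipher.exe /e "/s:$folder" | Out-Null

# Check 1: the Encrypted attribute is now set on the file (the padlock the GUI shows).
$attrs = (Get-Item $file).Attributes
$isEncrypted = ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set on test.txt: $isEncrypted"

# Check 2: cipher /c shows which certificate thumbprints can decrypt the file.
cipher.exe /c $file

# Check 3: the EFS certificate now exists in the user's Personal store. Its Enhanced Key
# Usage carries the Encrypting File System OID 1.3.6.1.4.1.311.10.3.4.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

The thumbprint printed by `cipher /c` should match the one listed from the Personal store: that is the certificate the rest of the lab exports, and anyone holding its private key can decrypt test.txt without the account's password.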

Stealing the Certificate

Pretending to be an attacker, you will now steal the public key, then the private key.
Right-click the ‘Start’ button, select Run and type in mmc.
If you are asked if you want to continue, choose ‘Yes’.
You should see an output similar to that below:

This is the Microsoft Management Console (MMC), which loads admin tools as snap-ins.
Go to File, choose Add/Remove Snap-in, and then select Certificates.
Press Add, accept the default (My user account), and select Finish.
The output should be similar to that below:

Press OK.
Go to File, choose Save As, name it Console1 and save it to the Desktop.
Open Console1, then expand Certificates.
You should see an output similar to that below:

Trusted Root Certification Authorities

Expand Trusted Root Certification Authorities, then expand the Certificates folder beneath it.
You will then see the vendors whose certificates are installed on this computer.
If a certificate is not added there, the computer will give you a certificate trust error.
Your output should be similar to the following:

You can see some well-known vendors whose certificates are installed.
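To see what "not added there" means in practice, the following added example (not from the book) lists the same Trusted Root store from PowerShell and then asks Windows to build a trust chain for the EFS certificate created earlier in the lab. It assumes a standalone machine, where the EFS certificate is self-signed; on a domain with an enterprise CA the certificate would instead chain to that CA.

```powershell
# Added example (not from the book): list trusted roots, then show the trust error that a
# certificate whose issuer is NOT in this store produces.
Get-ChildItem Cert:\CurrentUser\Root |
    Sort-Object Subject |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# Locate the EFS certificate generated when the Security folder was encrypted.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found; encrypt a file first so Windows generates one.' }

# Build the chain exactly as a TLS client or code-signing check would.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab; revocation is not the point here
$trusted = $chain.Build($cert)
"Chain builds to a trusted root: $trusted"

# On a standalone machine the EFS certificate is self-signed and its issuer is not in the
# Root store, so the status reported here is UntrustedRoot: the same condition behind the
# certificate trust error the text describes.
$chain.ChainStatus | Select-Object Status, StatusInformation
```

EFS itself does not care about this result (it only needs the key pair), which is why a self-signed certificate is good enough for encrypting files but would be rejected for a website or signed binary.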

Stealing Certificates

Go to the Personal folder, expand the folder, then expand certificates.
You will see from the output (which should be similar to that below) that one certificate lists Encrypting File System (EFS) under the heading Intended Purpose.

Right-click the EFS certificate, choose All Tasks, then Export.
The Export Wizard will appear.
The output will be similar to that below:

Here, select “No, do not export the private key” and choose “Next”.
This exports the public key only.

Exporting the Private Key

Right-click the EFS certificate, choose All Tasks, then Export.
The Export Wizard will appear.
Choose the option “Yes, export the private key”.
Your output should look similar to that below:

You can then see that the private key is exported in PKCS #12 (P12) format and that the file extension is .PFX.
It is crucial that you can identify both the format and the extension of a private key.
Choose “Next”, then check the box next to Password near the bottom and enter one.
It does not need to be complex, and it is not subject to the machine's password policy.
However, a complex password is recommended, because it is all that protects the private key once the file leaves the machine.
Save it to the desktop. The output below shows a key pair.

Each of these files is around 4 KB. They are very small.

You can see from the preceding image that the public key has a .CER extension, and the PKCS format offered for it is .P7B (PKCS #7).
Press “Next”, then select a location and call it pubkey.
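The two wizard runs above can be reproduced from PowerShell, which also makes it easy to prove what each exported file actually contains. This is an added example and not the book's own material; it assumes the EFS certificate from this lab is in the current user's Personal store, uses the lab's file name pubkey for the public key, and uses an assumed name efs-key.pfx for the private-key export.

```powershell
# Added example (not from the book): export the EFS certificate twice, as the wizard does,
# then load both files back to confirm which one carries the private key.
$desktop = [Environment]::GetFolderPath('Desktop')
$efsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My.' }

# 1. Public key only: DER-encoded X.509 with a .CER extension. Nothing secret is written.
$cerPath = Join-Path $desktop 'pubkey.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2. Public and private key together: PKCS #12 with a .PFX extension, password-protected.
#    File name is an assumption for this example; the password is prompted, never hard-coded.
$pfxPath  = Join-Path $desktop 'efs-key.pfx'
$password = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# 3. Verify by loading each file back without importing it into any store.
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2' -as [type]
$cerLoaded = $x509::new($cerPath)
$pfxLoaded = $x509::new($pfxPath, $password)

foreach ($item in @(
    @{ File = 'pubkey.cer';  Path = $cerPath; Loaded = $cerLoaded },
    @{ File = 'efs-key.pfx'; Path = $pfxPath; Loaded = $pfxLoaded })) {
    [PSCustomObject]@{
        File          = $item.File
        SizeBytes     = (Get-Item $item.Path).Length
        Thumbprint    = $item.Loaded.Thumbprint
        HasPrivateKey = $item.Loaded.HasPrivateKey   # expected: False for .cer, True for .pfx
    }
}
```

Both files share one thumbprint, because they describe the same certificate; only the .pfx carries the key that decrypts the Security folder, so it is the file an attacker wants and the one a defender must keep off shared drives and out of backups that are not themselves encrypted. `Export-PfxCertificate` only succeeds because Windows generated the EFS key as exportable; a key marked non-exportable, or one held on a smart card as the text notes below, fails at that step.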
In completing this lab, you have created a file and folder, encrypted the folder, investigated the Trusted Root Certification Authorities folder, and exported both the public and private keys.
If you use a smart card, you will see the certificates but will be unable to export them as they are stored on the smart card and not the desktop.

Check out the book CompTIA Security+: SY0-601 Certification Guide to help you pass on the first attempt.