Certdump
Beacon Object File (BOF) for dumping certificates (and, when possible, private keys) on Windows
Install / Use
/learn @elephacking/Certdump
CertDump
CertDump is a Beacon Object File (BOF) for dumping certificates (and, when possible, private keys) from the target’s CurrentUser\My and LocalMachine\My stores. It was written for Cobalt Strike’s Beacon to provide quick, in-memory enumeration of certificates on both user and machine scopes.
Features
- Enumerates all certificates in:
  - CurrentUser\My
  - LocalMachine\My
- Displays per-certificate metadata:
  - Issuer, Subject
  - Validity dates (NotBefore / NotAfter)
  - Thumbprint (SHA-1)
  - Certificate Template OID (if present)
  - Enhanced Key Usages (friendly names via OID lookup)
  - Boolean flag indicating if a private key is associated
- Attempts to export any CNG-based private keys in PKCS#8 PEM format
- All output is piped through BeaconFormatPrintf/BeaconPrintf so results appear in the Beacon console
Build Instructions
A Makefile is provided for compiling both x86 and x64 BOFs. Simply run:
make
Common Errors
NCryptExportKey failed (0x80090029)
PrivateKey PEM : <NCryptExportKey failed (0x80090029)>
Cause: The private key is protected by lsass.exe and marked as non-exportable by CNG.
Workaround: If you must extract that private key, consider using Mimikatz’s modules:
privilege::debug
crypto::capi
crypto::keys /export
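A defender-side check tied to the non-exportable marking described under Common Errors: this added PowerShell example (not part of CertDump or its README) audits the same two stores and reports each private key's export policy, so keys issued as exportable can be found and reissued. The helper name Get-KeyExportPolicy is hypothetical, and reading LocalMachine keys assumes an elevated session.

```powershell
# Added audit example; not part of CertDump. Get-KeyExportPolicy is a hypothetical helper name.
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$ecExt  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]

function Get-KeyExportPolicy {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        # Each call returns $null when the certificate's key is not of that algorithm.
        $key = $rsaExt::GetRSAPrivateKey($Cert)
        if ($null -eq $key) { $key = $ecExt::GetECDsaPrivateKey($Cert) }
        if ($null -eq $key) { return 'not RSA/ECDSA' }

        if ($key.Key -is [System.Security.Cryptography.CngKey]) {
            # CNG-backed key: flags such as None, AllowExport, AllowPlaintextExport.
            return "CNG: $($key.Key.ExportPolicy)"
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI key: a single exportable bit.
            if ($key.CspKeyContainerInfo.Exportable) { return 'CAPI: exportable' }
            return 'CAPI: non-exportable'
        }
        return "unhandled key type $($key.GetType().Name)"
    } catch {
        # Typically access denied on machine keys when the session is not elevated.
        return "unreadable: $($_.Exception.Message)"
    }
}

$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        if (-not $cert.HasPrivateKey) { continue }
        [pscustomobject]@{
            Store        = $store
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ExportPolicy = Get-KeyExportPolicy -Cert $cert
        }
    }
}

# Rows showing AllowExport, AllowPlaintextExport or 'CAPI: exportable' are
# candidates for re-issuance with a non-exportable key.
$report | Sort-Object ExportPolicy, Store | Format-Table -AutoSize -Wrap
```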
License
CertDump is provided “as-is,” without warranty. Use at your own risk.
