pypykatz v0.6.9 releases: Mimikatz implementation in pure Python
pypykatz
Mimikatz implementation in pure Python
Why do I need these dumps files?
In order to create mimikatz in Python, one would have to create structure definitions of a gazillion different structures (check the original code) without the help of the built-in parser that you’d naturally get from using a native compiler. Now, the problem is that even a single byte misalignment will render the parsing of these structures run to an error. The problem is mostly revolving around 32 – 64 alignments, so 32 bit Windows version lsass dumps are appreciated as well!
Goals
The first step is to have the minidump file parsing capability done in a platform-independent way, so you can enjoy watching secrets in your favorite OS. Currently aiming for full sekurlsa::minidump functionality.
Changelog v0.6.9
- Adding timestamps for DCC2 hashes
Install
pip3 install pypykatz
Download
Use
Debug info
Increasing the number of v increases the size of memory to be shown on the screen.
Warning! Too much data might result in cross-boundary read attempts! Parameter: -v
Example:
pypykatz.py -vv mindidump <minidumpfile>
Write output to file:
Parameter: -o <output_file>
Example:
pypykatz.py -o <output_file> minidump <dumpfile>
Write output in JSON
Together with the -o option, it will write the output to a file, otherwise will print the output to stdout
Parameter: –json
Example:
pypykatz.py --json -o <output file> minidump <dumpfile>
Kerberos
Stores the Kerberos tickets in BOTH .kirbi and .ccache formats to the directory given.
WARNING! An output directory is expected, as the .kirbi format supports only ONE ticket/file so get prepared to be swimming in those files when dealing with multiple/large dump files.
Parameter: -k <output_dir>
Example:
pypykatz.py -k <output_dir> minidump <dumpfile>
Minidump command options
Directory Parsing
This parameter tells pypykatz to look for all .dmp files in a given directory
Parameter: -d
Example:
pypykatz.py minidump <folder_with_dumpfiles> -d
Recursive parsing
Supplying this parameter will force pypykatz to recursively look for .dmp files
Only works together with directory parsing.
Parameter: -r
Example:
pypykatz.py minidump <folder_with_folder_of_dumpfiles> -d -r
Rekall command options
Timestamp override
Reason for this parameter to exist: In order to choose the correct structure for parsing we need the tiomestamp info of the msv dll file. Rekall sadly doesn’t always have this info for some reason, therefore the parsing may be failing.
If the parsing is failing this could solve the issue.
Parameter: -t
Values: 0 or 1
Example:
pypykatz.py rekall <momeory_dump_file> -t 0
Tutorial
Copyright (c) 2018 skelsec
Source: https://github.com/skelsec/
