pypykatz v0.3 releases: Mimikatz implementation in pure Python
Mimikatz implementation in pure Python
Why do I need these dump files?
In order to create mimikatz in Python, one would have to create structure definitions for a gazillion different structures (check the original code) without the help of the built-in layout rules you naturally get from a native compiler. The problem is that even a single byte of misalignment will cause the parsing of these structures to fail. The trouble mostly revolves around 32-bit vs. 64-bit alignment, so lsass dumps from 32-bit Windows versions are appreciated as well!
The first step is to have the minidump file parsing capability done in a platform-independent way, so you can enjoy watching secrets in your favorite OS. Currently aiming for full sekurlsa::minidump functionality.
git clone https://github.com/skelsec/pypykatz.git
Each additional v increases the amount of memory shown on the screen.
Warning! Too much data might result in cross-boundary read attempts! Parameter: -v
pypykatz.py -vv minidump <minidumpfile>
Write output to file:
Parameter: -o <output_file>
pypykatz.py -o <output_file> minidump <dumpfile>
Write output in JSON
Combined with the -o option it writes the JSON output to a file; otherwise it prints the output to stdout.
pypykatz.py --json -o <output file> minidump <dumpfile>
Stores the Kerberos tickets in BOTH .kirbi and .ccache formats to the directory given.
WARNING! An output directory is expected, as the .kirbi format supports only ONE ticket/file so get prepared to be swimming in those files when dealing with multiple/large dump files.
Parameter: -k <output_dir>
pypykatz.py -k <output_dir> minidump <dumpfile>
Minidump command options
This parameter tells pypykatz to look for all .dmp files in a given directory. Parameter: -d
pypykatz.py minidump <folder_with_dumpfiles> -d
Supplying this parameter forces pypykatz to recursively look for .dmp files. Parameter: -r
Only works together with directory parsing (-d).
pypykatz.py minidump <folder_with_folder_of_dumpfiles> -d -r
Rekall command options
Reason for this parameter to exist: in order to choose the correct structure for parsing, we need the timestamp info of the msv dll file. Rekall sadly doesn't always have this info for some reason, so parsing may fail.
If parsing is failing, this could solve the issue. Parameter: -t
Values: 0 or 1
pypykatz.py rekall <memory_dump_file> -t 0
Copyright (c) 2018 skelsec