pypykatz: Mimikatz implementation in pure Python

Why do I need these dump files?

To create mimikatz in Python, one would have to create structure definitions for a gazillion different structures (check the original code) without the help of the built-in parser that you'd naturally get from using a native compiler. The problem is that even a single-byte misalignment will cause the parsing of these structures to fail. The problem mostly revolves around 32-bit vs. 64-bit alignment, so lsass dumps from 32-bit Windows versions are appreciated as well!

Goals

The first step is to have the minidump file parsing capability done in a platform-independent way, so you can enjoy watching secrets in your favorite OS. Currently aiming for full sekurlsa::minidump functionality.

Install

pip3 install pypykatz

Use

pypykatz

Debug info

Increasing the number of v's (-v, -vv, ...) increases the amount of memory shown on the screen.
Warning! Too much data might result in cross-boundary read attempts! Parameter: -v
Example:

pypykatz.py -vv minidump <minidumpfile>

Write output to file:

Parameter: -o <output_file>
Example:

pypykatz.py -o <output_file> minidump <dumpfile>

Write output in JSON

Together with the -o option, it will write the output to a file; otherwise it will print the output to stdout.

Parameter: --json
Example:

pypykatz.py --json -o <output file> minidump <dumpfile>

Kerberos

Stores the Kerberos tickets in BOTH .kirbi and .ccache formats to the directory given.
WARNING! An output directory is expected, as the .kirbi format supports only ONE ticket per file, so get prepared to be swimming in those files when dealing with multiple or large dump files.

Parameter: -k <output_dir>
Example:

pypykatz.py -k <output_dir> minidump <dumpfile>

Minidump command options

Directory Parsing

This parameter tells pypykatz to look for all .dmp files in a given directory.

Parameter: -d
Example:

pypykatz.py minidump <folder_with_dumpfiles> -d

Recursive parsing

Supplying this parameter will force pypykatz to recursively look for .dmp files.
Only works together with directory parsing (-d).

Parameter: -r
Example:

pypykatz.py minidump <folder_with_folder_of_dumpfiles> -d -r

Rekall command options

Timestamp override

Reason for this parameter to exist: in order to choose the correct structure for parsing we need the timestamp info of the msv dll file. Rekall sadly doesn't always have this info for some reason, therefore the parsing may fail.
If the parsing is failing, this could solve the issue.

Parameter: -t
Values: 0 or 1
Example:

pypykatz.py rekall <memory_dump_file> -t 0

Tutorial

Copyright (c) 2018 skelsec

Source: https://github.com/skelsec/