pypykatz: Mimikatz implementation in pure Python
pypykatz
Mimikatz implementation in pure Python
Why do I need these dumps files?
To create mimikatz in Python, one would have to create structure definitions of a gazillion different structures (check the original code) without the help of the built-in parser that youβd naturally get from using a native compiler. Now, the problem is that even a single-byte misalignment will render the parsing of these structures run to an error. The problem is mostly revolving around 32 β 64 alignments, so 32-bit Windows version lsass dumps are appreciated as well!
Goals
The first step is to have the minidump file parsing capability done in a platform-independent way, so you can enjoy watching secrets in your favorite OS. Currently aiming for full sekurlsa::minidump functionality.
Install
pip3 install pypykatz
Use
Β
Debug info
Increasing the number of vΒ increases the size of memory to be shown on the screen.
Warning! Too much data might result in cross-boundary read attempts! Parameter:Β -v
Example:
pypykatz.py -vv mindidump <minidumpfile>
Write output to file:
Parameter:Β -o <output_file>
Example:
pypykatz.py -o <output_file> minidump <dumpfile>
Write output in JSON
Together with the -o option, it will write the output to a file, otherwise will print the output toΒ stdout
Parameter:Β βjson
Example:
pypykatz.py --json -o <output file> minidump <dumpfile>
Kerberos
Stores the Kerberos tickets in BOTH .kirbiΒ andΒ .ccacheΒ formats to the directory given.
WARNING! An output directory is expected, as theΒ .kirbiΒ format supports only ONE ticket/file so get prepared to be swimming in those files when dealing with multiple/large dump files.
Parameter:Β -k <output_dir>
Example:
pypykatz.py -k <output_dir> minidump <dumpfile>
Minidump command options
Directory Parsing
This parameter tells pypykatz to look for all .dmpΒ files in a given directory
Parameter:Β -d
Example:
pypykatz.py minidump <folder_with_dumpfiles> -d
Recursive parsing
Supplying this parameter will force pypykatz to recursively look for .dmpΒ files
Only works together with directory parsing.
Parameter:Β -r
Example:
pypykatz.py minidump <folder_with_folder_of_dumpfiles> -d -r
Rekall command options
Timestamp override
Reason for this parameter to exist: In order to choose the correct structure for parsing we need the tiomestamp info of the msv dll file. Rekall sadly doesnβt always have this info for some reason, therefore the parsing may be failing.
If the parsing is failing this could solve the issue.
Parameter:Β -t
Values:Β 0 or 1
Example:
pypykatz.py rekall <momeory_dump_file> -t 0
Tutorial
Copyright (c)Β 2018Β skelsec
Source:Β https://github.com/skelsec/
