Convert Figma logo to code with AI

skelsec logopypykatz

Mimikatz implementation in pure Python

2,806
371
2,806
28

Top Related Projects

9,431

Credentials recovery project

13,272

Impacket is a collection of Python classes for working with network protocols.

19,244

A little tool to play with Windows security

A swiss army knife for pentesting networks

Quick Overview

Pypykatz is a Python implementation of Mimikatz, a popular post-exploitation tool used for extracting plaintext passwords, hashes, and other credentials from memory. It allows security professionals and penetration testers to analyze Windows memory dumps and extract sensitive information without relying on the original Mimikatz executable.

Pros

  • Cross-platform compatibility (runs on Windows, Linux, and macOS)
  • Pure Python implementation, making it easier to integrate into existing Python projects
  • Supports various memory dump formats, including minidump and full memory dumps
  • Actively maintained and regularly updated

Cons

  • May be less feature-rich compared to the original Mimikatz
  • Potentially slower performance compared to the C++ implementation
  • Requires elevated privileges or access to memory dumps for effective use
  • Could be misused by malicious actors if not handled responsibly

Code Examples

  1. Parsing a minidump file:
from pypykatz.pypykatz import pypykatz

filename = 'lsass.dmp'
mimikatz = pypykatz.parse_minidump_file(filename)

for luid in mimikatz.logon_sessions:
    print(mimikatz.logon_sessions[luid])
  1. Extracting credentials from a live system (requires admin privileges):
from pypykatz.pypykatz import pypykatz

mimi = pypykatz.go_live()
for luid in mimi.logon_sessions:
    print(mimi.logon_sessions[luid])
  1. Parsing a full memory dump:
from pypykatz.pypykatz import pypykatz

filename = 'memdump.raw'
mimi = pypykatz.parse_memory_dump_file(filename)

for luid in mimi.logon_sessions:
    print(mimi.logon_sessions[luid])

Getting Started

To get started with pypykatz, follow these steps:

  1. Install pypykatz using pip:

    pip install pypykatz
    
  2. Import the library in your Python script:

    from pypykatz.pypykatz import pypykatz
    
  3. Use one of the parsing methods (e.g., parse_minidump_file, go_live, or parse_memory_dump_file) to extract credentials from a memory dump or live system.

  4. Iterate through the logon sessions to access the extracted information.

Remember to use this tool responsibly and only on systems you have permission to analyze.

Competitor Comparisons

9,431

Credentials recovery project

Pros of LaZagne

  • Supports a wider range of applications and browsers for credential extraction
  • Includes a graphical user interface (GUI) for easier use by non-technical users
  • More actively maintained with frequent updates and bug fixes

Cons of LaZagne

  • Written in Python 2, which is no longer supported
  • Limited to Windows operating systems
  • Slower execution compared to Pypykatz due to its broader scope

Code Comparison

LaZagne:

def run_lazagne(category_selected="all", subcategories={}, password=None):
    for category in category_selected:
        for r in runModule(category):
            yield r

Pypykatz:

def parse_minidump_file(filename):
    minidump = MinidumpFile.parse(filename)
    reader = minidump.get_reader()
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = pypykatz.parse_minidump_external(reader, sysinfo)
    return mimi

LaZagne focuses on running modules for various categories of credentials, while Pypykatz specializes in parsing minidump files for extracting credentials from memory. Pypykatz is more focused on Windows memory analysis, while LaZagne covers a broader range of credential sources across multiple applications.

13,272

Impacket is a collection of Python classes for working with network protocols.

Pros of Impacket

  • Broader scope, covering various network protocols and Windows internals
  • More mature project with extensive documentation and community support
  • Offers a wide range of tools and scripts for network penetration testing

Cons of Impacket

  • Larger codebase, potentially more complex to navigate and contribute to
  • May require more dependencies and setup for specific use cases
  • Not specifically optimized for credential extraction like Pypykatz

Code Comparison

Impacket (NTLM hash extraction):

from impacket.examples import secretsdump

secretsdump.DumpSecrets('target_machine', 'username', 'password')

Pypykatz (LSASS dump parsing):

from pypykatz import pypykatz

pypykatz.parse_minidump_file('lsass.dmp')

Summary

Impacket is a comprehensive toolkit for network protocol manipulation and Windows internals, offering a wide range of tools for penetration testing. Pypykatz, on the other hand, focuses specifically on credential extraction from memory dumps and has a more streamlined codebase for this purpose. While Impacket provides broader functionality, Pypykatz excels in its specialized area of credential extraction and parsing.

19,244

A little tool to play with Windows security

Pros of Mimikatz

  • Written in C, offering better performance and lower-level system access
  • More comprehensive feature set for Windows credential extraction
  • Widely recognized and extensively tested in the security community

Cons of Mimikatz

  • Primarily designed for Windows systems, limiting cross-platform usage
  • Often flagged by antivirus software due to its popularity in malicious activities
  • Requires compilation and may need frequent updates for compatibility

Code Comparison

Mimikatz (C):

BOOL WINAPI kuhl_m_sekurlsa_utils_search_generic(PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, PVOID *pPtr, PVOID *pLocalPtr, PVOID *pRemotePtr, LPCWSTR typeStr)
{
    KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
    KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass}, aLocalMemory = {NULL, &hLocalMemory};
    KULL_M_MEMORY_SEARCH sMemory = {{{pData->pCredentialManager, pData->cLsass}, pData->SizeOfLsass}, NULL};
    PVOID bufferData;
    DWORD bufferSize;

    // ... (additional code)
}

Pypykatz (Python):

def find_signature(self, module_name, signature):
    module = self.get_module_by_name(module_name)
    if not module:
        return None
    
    return module.find_pattern(signature)

def get_module_by_name(self, module_name):
    for module in self.modules:
        if module.name.lower() == module_name.lower():
            return module
    return None

A swiss army knife for pentesting networks

Pros of CrackMapExec

  • More comprehensive toolset for network penetration testing and lateral movement
  • Supports a wider range of protocols and attack vectors
  • Active development and frequent updates

Cons of CrackMapExec

  • Larger codebase and more complex setup
  • Potentially higher resource usage due to broader feature set
  • May require more expertise to utilize effectively

Code Comparison

CrackMapExec example (simplified):

from cme.helpers.logger import highlight
from cme.helpers.misc import validate_ntlm

class CMEModule:
    def on_login(self, context, connection):
        if validate_ntlm(connection.password):
            context.log.success('Valid credentials found: {}:{}'.format(
                connection.username, connection.password))

Pypykatz example (simplified):

from pypykatz.pypykatz import pypykatz

mimi = pypykatz.parse_minidump('lsass.dmp')
for luid in mimi.logon_sessions:
    for cred in mimi.logon_sessions[luid].msv_creds:
        print('Username: {} Domain: {} LM: {} NT: {}'.format(
            cred.username, cred.domainname, cred.LM, cred.NT))

CrackMapExec focuses on network-wide enumeration and exploitation, while Pypykatz specializes in extracting credentials from memory dumps. CrackMapExec offers a modular approach for various attack scenarios, whereas Pypykatz provides targeted functionality for credential extraction and analysis.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Supported Python versions Twitter

:triangular_flag_on_post: Sponsors

If you like this project, consider sponsoring it on GitHub! Sponsors

pypykatz

Mimikatz implementation in pure Python. At least a part of it :)
Runs on all OS's which support python>=3.6 pypy_card

WIKI

Since version 0.1.1 the command line changed a little. Worry not, I have an awesome WIKI for you.

Installing

Install it via pip or by cloning it from github.
The installer will create a pypykatz executable in the python's Script directory. You can run it from there, should be in your PATH.
Take care, that the github master version might fail because I'm layz to do a proper branch for the new versions. I'll try to create a branch of stable version tho.

Via PIP

pip3 install pypykatz

Via Github

Install prerequirements

pip3 install minidump minikerberos aiowinreg msldap winacl

Clone this repo

git clone https://github.com/skelsec/pypykatz.git
cd pypykatz

Install it

python3 setup.py install

Features

General

Platform idependent - all commands have a "live" and a normal version where applicable. The "live" version will use the current system and only works on Windows. The normal commands are platform independent.
Can be used as a library for your projects.

LSASS processing

Can parse the secrets hidden in the LSASS process. This is just like mimikatz's sekurlsa:: but with different commands.
The main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.

Currently supported data sources:

  1. live - reads the LSASS porcess' memory directly
  2. minidump - processes a minidump file created by dumping the LSASS process
  3. rekall (volatility fork) - processes basically ANY windows memory dumps that rekall can parse
  4. pcileech - can dump secrets DIRECTLY via DMA of a live computer
  5. remote - this is another project. TBD :)
  6. your project here seriously, it's super-simple to integrate.

Registry processing

Parses the registry hives to obtain stroed credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.

Currently supported data sources:

  1. live - has two techniques to parse live registry. First it's in-memory doesn't touch disk, the second is dumping the hives and parsing them with the offline parser
  2. offline (hive files)
  3. your project here seriously, it's super-simple to integrate.

DPAPI functions - MASTERKEY/BLOB/VAULT/CREDENTIAL

DPAPI is the protector of local secrets of many kinds. Currently the project supports decrypting masterkeys, dpapi blobs, credential files, vault files.
The results are not 100% correct, as there is not much documentation on most of these things. PR is always welcomed!

Currently supported data sources:

  1. live - obtains masterkeys directly from LSASS -OR- the user/machine keys from live registry and decrypts the masterkeyfile.
  2. hive files (offline)- the user/machine keys from live registry and decrypts the masterkeyfile
  3. valid credentials (offline) - can decrypt masterkey files by letting you type in the correct SID and password.
  4. pls don't integrate this part to your project, it's beta

Impersonating users

Can spawn a new process as any user who has a process running on the machine.
Can assign any available token of choise to your thread
This is just a basic stuff really. Reson is there that I hate to constanly use psexec to get a system shell from admin...

other stuff

yeah... check the code. it has comments and stuff...

Rekall command options

Timestamp override

Reason for this parameter to exist: In order to choose the correct structure for parsing we need the timestamp info of the msv dll file. Rekall sadly doesnt always have this info for some reason, therefore the parsing may be failing.
If the parsing is failing this could solve the issue.

Parameter: -t
Values: 0 or 1
Example:

pypykatz.py rekall <momeory_dump_file> -t 0

Rekall usage

There are two ways to use rekall-based memory parsing.

Via the pypykatz rekall command

You will need to specify the memory file to parse.

Via rekall command line

IMPORTANT NOTICES:

  1. If you are just now deciding to install rekall please note: it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!
  2. rekall command line is not suitable to show all information acquired from the memory, you should use the out_file and kerberos_dir command switches!

You can find a rekall plugin file named pypykatz_rekall.py in the plugins folder of pypykatz.
You will need to copy it in rekall's plugins/windows folder, and rename it to pypykatz.py.
After this modify the __init__.py file located the same folder and add the following line at the end: from rekall.plugins.windows import pypykatz
If everything is okay you can use the pypykatz command from the rekall command line directly.

HELP WANTED

If you want to help me getting this project into a stable release you can send mindiumps of the lsass.exe process to the following link: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA IMPORTANT: please DO NOT send dumps of your own machine's lsass process!!! I will be able to see your secrets including hashes/passwords! Send dump files from machines like virtual test systems on which you don't mind that someone will see the credentials. (if you have a test domain system where kerberos is set up that would be the best)
Also I'd apprechiate if you wouldn't spam me...

Why do I need these dumps files?

In order to create mimikatz in Python one would have to create structure definitions of a gazillion different structures (check the original code) without the help of the build-in parser that you'd naturally get from using a native compiler. Now, the problem is that even a single byte misalignemt will render the parsing of these structures run to an error. Problem is mostly revolving around 32 - 64 aligments, so 32 bit Windows version lsass dumps are apprechiated as well!

Summary

I need data I can verify the code on and administer necessary changes on the parsers until everything works fine.
Submitting issues on this github page wouldn't help at all without the actual file and github wouldn't like 40-300Mb file attachments.

Prerequisites

Most of my big python projects are aiming for maximum protability, meaning I only use 3rd party packages where absolutely necessary. As of this point three additional packages are used, and I intend to keep it this way.

Python>=3.6
minidump
minikerberos
asn1crypto

Kudos

Benjamin DELPY @gentilkiwi for Mimikatz
Francesco Picasso for the mimikatz.py plugin for volatility
Alberto Solino (@agsolino) for impacket

Crypto

Richard Moore for the AES module
Todd Whiteman for teh DES module

Utils

David Buxton for the timestamp conversion script