  • Stars: 259
  • Rank: 157,669 (Top 4 %)
  • Language: Python
  • License: GNU General Publi...
  • Created: almost 12 years ago
  • Updated: over 4 years ago


pysecdump

Python-based tool to dump security information from Windows systems

Overview

pysecdump is a Python tool to extract various credentials and secrets from running Windows systems. It currently extracts:

  • LM and NT hashes (SYSKEY protected)
  • Cached domain passwords
  • LSA secrets
  • Secrets from Credential Manager (only some)

pysecdump can also:

  • Impersonate other processes, if you want a shell as another user
  • Enable currently held Windows privileges (see "whoami /priv")

It does exactly the same sort of things already implemented by gsecdump, Cain & Abel, Metasploit and many other tools.

This implementation is in Python, and that is probably the only notable thing about it.

If you think python is cool, this project might be of interest. If you don't, you should probably stop reading now.

Credits

This is a derivative work of:

creddump - http://code.google.com/p/creddump/

In fact, very little of the code is different in pysecdump, which simply pulls data from the registry instead of from on-disk hives.

windows-privesc-check - http://code.google.com/p/windows-privesc-check/

This is used mostly for its registry API.

I found the Metasploit source code very handy for identifying the appropriate registry keys, so credit to those guys too for a great tool.

Requirements

Nothing, if you just want to run pysecdump.exe on a Windows system.

If you want to modify pysecdump.py and then recreate the .exe, you need:

Usage

Dump cached domain hashes (run as SYSTEM):

pysecdump -c

Dump LSA secrets (run as SYSTEM):

pysecdump -l

Dump local password hashes from SAM (run as SYSTEM):

pysecdump -s

Dump (some) secrets from Credential Manager (run as SYSTEM):

pysecdump -C

Impersonate process ID 1234:

pysecdump -i 1234
whoami /all

Enable all currently held Windows privileges (can also be used with -i):

pysecdump -e
whoami /priv
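As an added example from the defender's side (not code from pysecdump or this README): the -s, -l and -c modes above read the SAM hive, the LSA secrets store and the cached domain logon store, and reads of those keys can be surfaced with registry object-access auditing. The Python below scans constructed EventID 4663 records (field names follow the Security log, values are made up) and flags reads of those keys by any process other than lsass.exe; the key paths and the allow-list are assumptions to be tuned per environment.

```python
# Added example, not pysecdump code: flag object-access audit records that
# show a process reading the registry stores the -s, -l and -c modes dump.
# Assumes SACL auditing on those keys and records exported with the Security
# log's field names (EventID 4663). Key paths and allow-list are assumptions.
SENSITIVE_KEYS = {  # audit records use \REGISTRY\MACHINE form, not HKLM
    r"\REGISTRY\MACHINE\SAM": "local SAM hashes (-s)",
    r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets": "LSA secrets (-l)",
    r"\REGISTRY\MACHINE\SECURITY\Cache": "cached domain logons (-c)",
}
EXPECTED_IMAGES = {r"c:\windows\system32\lsass.exe"}  # tune per environment

def _under_key(obj_name, key):  # key itself or a subkey, case-insensitive
    o, k = obj_name.upper(), key.upper()
    return o == k or o.startswith(k + "\\")

def classify(event):
    """Return a finding string for one 4663 registry record, else None."""
    if event.get("EventID") != 4663 or event.get("ObjectType") != "Key":
        return None
    obj, image = event.get("ObjectName", ""), event.get("ProcessName", "")
    if image.lower() in EXPECTED_IMAGES:
        return None
    for key, what in SENSITIVE_KEYS.items():
        if _under_key(obj, key):
            return (f"{image} (PID {event.get('ProcessId')}, as "
                    f"{event.get('SubjectUserName')}) read {obj}: {what}")
    return None

def scan(events):  # run classify over an iterable of records
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample: one expected read by lsass.exe, then three reads by an
# unknown binary running as SYSTEM, two of which hit sensitive keys.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "Key", "ProcessId": 700, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\NL$KM\CurrVal"},
    {"EventID": 4663, "ObjectType": "Key", "ProcessId": 4120, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Users\Public\dump.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4"},
    {"EventID": 4663, "ObjectType": "Key", "ProcessId": 4120, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Users\Public\dump.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"EventID": 4663, "ObjectType": "Key", "ProcessId": 4120, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Users\Public\dump.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Cache"},
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```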

Converting to .exe

cd C:\pyinstaller-2.0
pyinstaller.py -F "c:\somepath\pysecdump.py"

Features

  • Is written in Python
  • Supports XP family and Vista+ registry locations
  • Uses impersonation of all available processes when dumping Credential Manager.

Author

pysecdump was adapted from creddump by pentestmonkey.

creddump is written by Brendan Dolan-Gavitt ([email protected]). For more information on Syskey, LSA secrets, cached domain credentials, and lots of information on volatile memory forensics and reverse engineering, check out:

http://moyix.blogspot.com/

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
