• Stars
    star
    2,799
  • Rank 16,272 (Top 0.4 %)
  • Language
    Python
  • License
    MIT License
  • Created over 6 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Mimikatz implementation in pure Python

Supported Python versions Twitter

🚩 This is the public repository of PyPyKatz, for latest version and updates please consider supporting us through https://porchetta.industries/

pypykatz

Mimikatz implementation in pure Python. At least a part of it :)
Runs on all OS's which support python>=3.6 pypy_card

🚩 Sponsors

If you want to sponsors this project and have the latest updates on this project, latest issues fixed, latest features, please support us on https://porchetta.industries/

Official Discord Channel

Come hang out on Discord!

Porchetta Industries

WIKI

Since version 0.1.1 the command line changed a little. Worry not, I have an awesome WIKI for you.

Installing

Install it via pip or by cloning it from github.
The installer will create a pypykatz executable in the python's Script directory. You can run it from there, should be in your PATH.
Take care, that the github master version might fail because I'm layz to do a proper branch for the new versions. I'll try to create a branch of stable version tho.

Via PIP

pip3 install pypykatz

Via Github

Install prerequirements

pip3 install minidump minikerberos aiowinreg msldap winacl

Clone this repo

git clone https://github.com/skelsec/pypykatz.git
cd pypykatz

Install it

python3 setup.py install

Features

General

Platform idependent - all commands have a "live" and a normal version where applicable. The "live" version will use the current system and only works on Windows. The normal commands are platform independent.
Can be used as a library for your projects.

LSASS processing

Can parse the secrets hidden in the LSASS process. This is just like mimikatz's sekurlsa:: but with different commands.
The main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.

Currently supported data sources:

  1. live - reads the LSASS porcess' memory directly
  2. minidump - processes a minidump file created by dumping the LSASS process
  3. rekall (volatility fork) - processes basically ANY windows memory dumps that rekall can parse
  4. pcileech - can dump secrets DIRECTLY via DMA of a live computer
  5. remote - this is another project. TBD :)
  6. your project here seriously, it's super-simple to integrate.

Registry processing

Parses the registry hives to obtain stroed credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.

Currently supported data sources:

  1. live - has two techniques to parse live registry. First it's in-memory doesn't touch disk, the second is dumping the hives and parsing them with the offline parser
  2. offline (hive files)
  3. your project here seriously, it's super-simple to integrate.

DPAPI functions - MASTERKEY/BLOB/VAULT/CREDENTIAL

DPAPI is the protector of local secrets of many kinds. Currently the project supports decrypting masterkeys, dpapi blobs, credential files, vault files.
The results are not 100% correct, as there is not much documentation on most of these things. PR is always welcomed!

Currently supported data sources:

  1. live - obtains masterkeys directly from LSASS -OR- the user/machine keys from live registry and decrypts the masterkeyfile.
  2. hive files (offline)- the user/machine keys from live registry and decrypts the masterkeyfile
  3. valid credentials (offline) - can decrypt masterkey files by letting you type in the correct SID and password.
  4. pls don't integrate this part to your project, it's beta

Impersonating users

Can spawn a new process as any user who has a process running on the machine.
Can assign any available token of choise to your thread
This is just a basic stuff really. Reson is there that I hate to constanly use psexec to get a system shell from admin...

other stuff

yeah... check the code. it has comments and stuff...

Rekall command options

Timestamp override

Reason for this parameter to exist: In order to choose the correct structure for parsing we need the timestamp info of the msv dll file. Rekall sadly doesnt always have this info for some reason, therefore the parsing may be failing.
If the parsing is failing this could solve the issue.

Parameter: -t
Values: 0 or 1
Example:

pypykatz.py rekall <momeory_dump_file> -t 0

Rekall usage

There are two ways to use rekall-based memory parsing.

Via the pypykatz rekall command

You will need to specify the memory file to parse.

Via rekall command line

IMPORTANT NOTICES:

  1. If you are just now deciding to install rekall please note: it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!
  2. rekall command line is not suitable to show all information acquired from the memory, you should use the out_file and kerberos_dir command switches!

You can find a rekall plugin file named pypykatz_rekall.py in the plugins folder of pypykatz.
You will need to copy it in rekall's plugins/windows folder, and rename it to pypykatz.py.
After this modify the __init__.py file located the same folder and add the following line at the end: from rekall.plugins.windows import pypykatz
If everything is okay you can use the pypykatz command from the rekall command line directly.

HELP WANTED

If you want to help me getting this project into a stable release you can send mindiumps of the lsass.exe process to the following link: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA IMPORTANT: please DO NOT send dumps of your own machine's lsass process!!! I will be able to see your secrets including hashes/passwords! Send dump files from machines like virtual test systems on which you don't mind that someone will see the credentials. (if you have a test domain system where kerberos is set up that would be the best)
Also I'd apprechiate if you wouldn't spam me...

Why do I need these dumps files?

In order to create mimikatz in Python one would have to create structure definitions of a gazillion different structures (check the original code) without the help of the build-in parser that you'd naturally get from using a native compiler. Now, the problem is that even a single byte misalignemt will render the parsing of these structures run to an error. Problem is mostly revolving around 32 - 64 aligments, so 32 bit Windows version lsass dumps are apprechiated as well!

Summary

I need data I can verify the code on and administer necessary changes on the parsers until everything works fine.
Submitting issues on this github page wouldn't help at all without the actual file and github wouldn't like 40-300Mb file attachments.

Prerequisites

Most of my big python projects are aiming for maximum protability, meaning I only use 3rd party packages where absolutely necessary. As of this point three additional packages are used, and I intend to keep it this way.

Python>=3.6
minidump
minikerberos
asn1crypto

Kudos

Benjamin DELPY @gentilkiwi for Mimikatz
Francesco Picasso for the mimikatz.py plugin for volatility
Alberto Solino (@agsolino) for impacket

Crypto

Richard Moore for the AES module
Todd Whiteman for teh DES module

Utils

David Buxton for the timestamp conversion script

More Repositories

1

jackdaw

gather gather gather
Python
556
star
2

kerberoast

Kerberoast attack -pure python-
Python
413
star
3

msldap

LDAP library for auditing MS AD
Python
357
star
4

evilrdp

Python
281
star
5

minidump

Python library to parse and read Microsoft minidump file format
Python
271
star
6

minikerberos

Kerberos manipulation library in pure Python
Python
244
star
7

aiosmb

Fully asynchronous SMB library written in pure python
Python
193
star
8

aardwolf

Asynchronous RDP client for Python (headless)
Python
142
star
9

pypykatz_server

Pypykatz server
Python
124
star
10

Responder3

Responder for Python3
Python
95
star
11

pypykatz_agent_dn

Pypykatz agent implemented in .NET
C#
85
star
12

CVE-2017-12542

Test and exploit for CVE-2017-12542
Python
84
star
13

pysnaffler

pysnaffler
Python
82
star
14

PyKerberoast

Implementing Kerberoast attack fully in python
Python
72
star
15

adiskreader

Async Python library to parse local and remote disk images.
Python
70
star
16

asysocks

Socks5 / Socks4 client and server library
Python
66
star
17

aardwolfgui

Asynchronous RDP/VNC client for Python (GUI)
Python
62
star
18

octopwnweb

OctoPwn in your browser
JavaScript
58
star
19

BitErrant

BitErrant
Objective-C
58
star
20

pypykatz_wasm

pypykats in your browser
Python
53
star
21

socksohttp

Socks5 server over Websockets
Python
40
star
22

windows_ad_dos_poc

PoC code for crashing windows active directory
Python
34
star
23

aroadtools

fully async implementation of Dirkjan's ROADTools
Python
31
star
24

pypykatz-volatility3

pypykatz plugin for volatility3 framework
Python
30
star
25

wsnet

wsnet
Python
24
star
26

anfs

Asynchronous NFSv3 client in pure Python
Python
22
star
27

aesedb

async parser for JET
Python
21
star
28

pydesfire

Desfire card library for Python
Python
18
star
29

aiowinreg

Registry hive parsing the async way
Python
18
star
30

winsspi

Windows SSPI wrapper in prue python
Python
15
star
31

winacl

Platform independent library for interfacing windows security descriptors
Python
15
star
32

unicrypto

Unified interface for some crypto algos
Python
12
star
33

wsnet-dotnet

C#
12
star
34

LocalNTLMTest

Tool to acquire netNTLM hashes on a local machine wihtout network traffic
Python
11
star
35

pysecur3

Python communication library for BiSecur devices
Python
11
star
36

HuaweiSMSender

Python script to send SMS using Huawei new[er] USB dongles via the HTTP interface
Python
11
star
37

asyauth

Python
10
star
38

nimwsnetproxy

websockets-tcp proxy in nim
Nim
10
star
39

foscam_stupid_poc

PoC auth bypass for some IP cameras. Vendor unknown
Python
9
star
40

socks5line

Helping tunneling for proxy-unaware scripts
Python
9
star
41

awinrm

Python
8
star
42

amurex

asynchronous SSH client in Python
Python
8
star
43

multiplexor

this will be interesting....
Python
8
star
44

aiosecretsdump

Secretsdump for aiosmb
Python
8
star
45

sprayit

Password spraying toolkit
Python
7
star
46

pyodide-wsnetwork

Websocket to TCP proxy for pyodide
Python
7
star
47

COMP128

initial commit
Python
6
star
48

duckysvc

webscokets service to use usb hid keyboard devices with rubberducky scripts
Python
5
star
49

sslyzedb

Database and reporting backed for sslyze
Python
4
star
50

zipserver

zipserver
C#
4
star
51

mysql_client_libload

PoC for loading arbitrary shared libraries to mysql-client.
Python
3
star
52

jdauto

Auto collection service for JackDaw and Mulitplexor
Python
3
star
53

aiogps

Library to interface with gpsd using asyncio
Python
2
star
54

winrecon

winrecon
Python
2
star
55

responder3-log-discord

Discord logging extension for Responder3
Python
2
star
56

unidns

basic async DNS library
Python
2
star
57

responder3-log-splunk

Splunk HTTP Event Colletor logging extension for Responder3
Python
2
star
58

CubieTruckManager

Framework to manage/control cubietruck board
Python
1
star
59

jdiotclient

C#
1
star
60

secop

2nd OPinion - DB driven scanning
Python
1
star
61

GPSTrackerServer

Server side code for the GPSTracker framework
Python
1
star
62

responder3-log-logstash

Logstash TCP logging extension for Responder3
Python
1
star
63

bucketindex

index.html that allows browsing the gcp bucket
HTML
1
star
64

responder3-log-remote-ws

Responder3 plugin for remote logging over websockets
Python
1
star
65

GPSTracker

Client - Server based tracker with DB and fireworks and everything
Python
1
star
66

guidedog-nmap

Nmap XML script parser for
Python
1
star
67

buildall

Python
1
star
68

GPSTrackerClientWS

Client part of the GPSTracker suite running on websockets
Python
1
star