Offensive Security Tool: Pypykatz

Jun 2, 2023 | Tools


Description

pypykatz by skelsec is a Mimikatz implementation in pure Python. It runs on every OS that supports Python. It is designed to extract credentials and other sensitive information from Windows systems, focusing on various types of credentials, such as passwords, hashes, and tickets, taken from the system’s memory or security databases.

The tool primarily targets Windows authentication subsystems and supports multiple methods of extracting credentials, including:

Mimikatz-like extraction: pypykatz provides functionality similar to Mimikatz, a popular credential extraction tool. It can extract credentials from the LSASS process memory, the SAM (Security Accounts Manager) database, and other system databases.

Live system memory extraction: pypykatz allows the extraction of credentials directly from the live memory of a running Windows system. This is useful in scenarios where the system is actively running and its memory holds valuable credentials.

Offline system hive extraction: The tool can also extract credentials from offline system hive files, such as the SAM database or Security registry hives, which store password hashes and other security-related information.


Installation

Install it via pip or by cloning it from GitHub.
The installer creates a pypykatz executable in Python’s Scripts directory. You can run it from there; the directory should be in your PATH.

Via PIP

pip3 install pypykatz

Via GitHub

Install prerequisites

pip3 install minidump minikerberos aiowinreg msldap winacl

Clone this repo

git clone https://github.com/skelsec/pypykatz.git

cd pypykatz

Install it

python3 setup.py install

Features


General

Platform independent – all commands have a “live” and a normal version where applicable. The “live” version will use the current system and only works on Windows. The normal commands are platform independent.
Can be used as a library for your projects.

LSASS processing

Can parse the secrets hidden in the LSASS process. This is just like mimikatz’s sekurlsa:: but with different commands. The main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.

Currently supported data sources:

  1. live – reads the LSASS process’ memory directly
  2. minidump – processes a minidump file created by dumping the LSASS process
  3. rekall (volatility fork) – processes basically ANY Windows memory dump that rekall can parse
  4. pcileech – can dump secrets DIRECTLY via DMA from a live computer
  5. your project here – seriously, it’s super-simple to integrate.


Registry processing

Parses the registry hives to obtain stored credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.

Currently supported data sources:

  1. live – has two techniques to parse the live registry. The first is in-memory and doesn’t touch disk; the second dumps the hives and parses them with the offline parser
  2. offline (hive files)
  3. your project here – seriously, it’s super-simple to integrate.


DPAPI functions – MASTERKEY/BLOB/VAULT/CREDENTIAL

DPAPI is the protector of local secrets of many kinds. Currently, the project supports decrypting masterkeys, DPAPI blobs, credential files, and vault files. The results are not 100% correct, as there is not much documentation on most of these structures.

Currently supported data sources:

  1. live – obtains masterkeys directly from LSASS -OR- the user/machine keys from the live registry and decrypts the masterkey file.
  2. hive files (offline) – obtains the user/machine keys from the hive files and decrypts the masterkey file
  3. valid credentials (offline) – can decrypt masterkey files by letting you type in the correct SID and password.
  4. Don’t integrate this part into your project, it’s beta


Impersonating users

Can spawn a new process as any user who has a process running on the machine.
Can assign any available token of choice to your thread.

Rekall command options


Timestamp override

Reason for this parameter to exist: in order to choose the correct structure for parsing, pypykatz needs the timestamp of the msv DLL. Rekall sadly doesn’t always provide this information, so parsing may fail.
If parsing fails, this parameter may solve the issue.

Parameter: -t
Values: 0 or 1

Example:

pypykatz.py rekall <memory_dump_file> -t 0

Rekall usage

There are two ways to use rekall-based memory parsing.

Via the pypykatz rekall command

You will need to specify the memory file to parse.

Via rekall command line

IMPORTANT NOTICES:

  1. If you are just now deciding to install rekall please note: it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!
  2. rekall command line is not suitable to show all information acquired from the memory, you should use the out_file and kerberos_dir command switches!


You can find a rekall plugin file named pypykatz_rekall.py in the plugins folder of pypykatz.
You will need to copy it into rekall’s plugins/windows folder and rename it to pypykatz.py.
After this, modify the __init__.py file located in the same folder and add the following line at the end: from rekall.plugins.windows import pypykatz
If everything is okay, you can use the pypykatz command from the rekall command line directly.


Clone the repo from here: https://github.com/skelsec/pypykatz
