Pypykatz : Mimikatz Implementation In Pure Python

Pypykatz is a mimikatz implementation in pure Python and can run on any OS that supports Python >= 3.6.

Installing

Install it via pip or by cloning it from GitHub. The installer creates a pypykatz executable in Python’s Scripts directory, which should already be in your PATH, so you can run it from there.

Via PIP

pip3 install pypykatz

Via Github

Install Pre-Requirements

pip3 install minidump minikerberos aiowinreg msldap winsspi

Clone this repo

git clone https://github.com/skelsec/pypykatz.git
cd pypykatz

Install it

python3 setup.py install


Features

  • General

Platform independent – all commands have a “live” and a normal version where applicable. The “live” version will use the current system and only works on Windows. The normal commands are platform independent.
Can be used as a library for your projects.

  • LSASS processing

Can parse the secrets hidden in the LSASS process. This is just like mimikatz’s sekurlsa:: but with different commands.
The main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.

Currently supported data sources:

  1. live – reads the LSASS process’s memory directly
  2. minidump – processes a minidump file created by dumping the LSASS process
  3. rekall (volatility fork) – processes basically ANY windows memory dumps that rekall can parse
  4. pcileech – can dump secrets DIRECTLY via DMA of a live computer
  5. remote
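
Added example (not pypykatz code): a defender-side triage helper for the minidump data source listed above. It walks the minidump stream directory and module list to tell whether a file found on disk is a dump of lsass.exe, and reads the TimeDateStamp recorded for msv1_0.dll, the kind of module timestamp the rekall note further down depends on. The function names and the sample produced by build_sample are constructed for illustration, and reading the page's "msv dll" as msv1_0.dll is an assumption.

```python
import struct
MODULE_LIST_STREAM = 4  # MINIDUMP_STREAM_TYPE value for ModuleListStream
MODULE_SIZE = 108       # sizeof(MINIDUMP_MODULE)

def read_modules(data):
    """Return [(module_path, TimeDateStamp)], or None if data is not a minidump."""
    if len(data) < 32 or data[:4] != b"MDMP":
        return None
    n_streams, dir_rva = struct.unpack_from("<II", data, 8)
    modules = []
    for i in range(n_streams):
        off = dir_rva + 12 * i            # MINIDUMP_DIRECTORY entries are 12 bytes
        if off + 12 > len(data):
            break                         # truncated stream directory
        stype, _size, rva = struct.unpack_from("<III", data, off)
        if stype != MODULE_LIST_STREAM or rva + 4 > len(data):
            continue
        (count,) = struct.unpack_from("<I", data, rva)
        for m in range(count):
            mod = rva + 4 + MODULE_SIZE * m
            if mod + MODULE_SIZE > len(data):
                break                     # truncated module list
            stamp, name_rva = struct.unpack_from("<II", data, mod + 16)
            if name_rva + 4 > len(data):
                continue                  # name lies outside the file
            (nlen,) = struct.unpack_from("<I", data, name_rva)
            raw = data[name_rva + 4:name_rva + 4 + nlen]
            modules.append((raw.decode("utf-16-le", "replace"), stamp))
    return modules

def triage(data):
    """Report whether data is a minidump of lsass.exe and the msv DLL timestamp."""
    mods = read_modules(data)
    if mods is None:
        return {"minidump": False, "lsass": False, "msv_timestamp": None}
    base = [(path.rsplit("\\", 1)[-1].lower(), ts) for path, ts in mods]
    msv = next((ts for name, ts in base if name == "msv1_0.dll"), None)  # assumed DLL name
    return {"minidump": True, "lsass": any(n == "lsass.exe" for n, _ in base), "msv_timestamp": msv}

def build_sample(mods):
    """Constructed input: a minimal minidump that holds only a module list."""
    names, entries = b"", b""
    names_at = 44 + 4 + MODULE_SIZE * len(mods)  # header 32 + directory 12 + count 4
    for path, stamp in mods:
        raw = path.encode("utf-16-le")
        entry = struct.pack("<QIIII", 0, 0, 0, stamp, names_at + len(names))
        entries += entry.ljust(MODULE_SIZE, b"\0")
        names += struct.pack("<I", len(raw)) + raw + b"\0\0"
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    stream = struct.pack("<I", len(mods)) + entries
    return header + struct.pack("<III", MODULE_LIST_STREAM, len(stream), 44) + stream + names
```

A file that triages as an lsass.exe minidump outside an approved forensic workflow is worth treating as credential exposure, whatever its file name or extension.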

  • Registry processing

Parses the registry hives to obtain stored credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.

Currently supported data sources:

  1. live – has two techniques for parsing the live registry. The first works in memory and doesn’t touch disk; the second dumps the hives and parses them with the offline parser
  2. offline (hive files)

  • DPAPI functions – MASTERKEY/BLOB/VAULT/CREDENTIAL

DPAPI is the protector of local secrets of many kinds. Currently the project supports decrypting masterkeys, DPAPI blobs, credential files and vault files.

The results are not 100% correct, as there is not much documentation on most of these things. PRs are always welcome!

Currently supported data sources:

  1. live – obtains masterkeys directly from LSASS -OR- the user/machine keys from live registry and decrypts the masterkeyfile.
  2. hive files (offline) – the user/machine keys from live registry and decrypts the masterkeyfile
  3. valid credentials (offline) – can decrypt masterkey files by letting you type in the correct SID and password.

  • Impersonating users

Can spawn a new process as any user who has a process running on the machine.

Can assign any available token of choice to your thread.

  • Rekall command options

Timestamp override

Why this parameter exists: to choose the correct structure for parsing, we need the timestamp info of the msv dll file.

Rekall sadly doesn’t always have this info, so the parsing may fail. If the parsing is failing, this parameter could solve the issue.

Parameter: -t
Values: 0 or 1

Example:

pypykatz.py rekall -t 0

Rekall Usage

There are two ways to use rekall-based memory parsing.

  • Via the pypykatz rekall command

You will need to specify the memory file to parse.

  • Via rekall command line

Note:

  • If you are just now deciding to install rekall, it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!
  • The rekall command line is not suitable for showing all the information acquired from the memory; you should use the out_file and kerberos_dir command switches!
  • You can find a rekall plugin file named pypykatz_rekall.py in the plugins folder of pypykatz.
  • You will need to copy it into rekall’s plugins/windows folder and rename it to pypykatz.py.
  • After this, modify the __init__.py file located in the same folder and add the following line at the end: from rekall.plugins.windows import pypykatz
  • If everything is okay, you can use the pypykatz command from the rekall command line directly.