Pypykatz is a mimikatz implementation in pure Python and can be runs on all OS’s which support python>=3.6.
Installing
Install it via pip or by cloning it from github. The installer will create a pypykatz executable in the python’s Script directory. You can run it from there, should be in your PATH.
pip3 install pypykatz
Install Pre-Requirements
pip3 install minidump minikerberos aiowinreg msldap winsspi
Clone this repo
git clone https://github.com/skelsec/pypykatz.git
cd pypykatz
Install it
python3 setup.py install
Also Read – ShuffleDNS : Wrapper Around Massdns Written In Go To Enumerate Valid Subdomains Using Active Bruteforce
Features
Platform independent – all commands have a “live” and a normal version where applicable. The “live” version will use the current system and only works on Windows. The normal commands are platform independent.
Can be used as a library for your projects.
Can parse the secrets hidden in the LSASS process. This is just like mimikatz’s sekurlsa
::
but with different commands.
The main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.
Currently supported data sources:
Parses the registry hives to obtain stored credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.
Currently supported data sources:
DPAPI is the protector of local secrets of many kinds. Currently the project supports decrypting masterkeys, dpapi blobs, credential files, vault files.
The results are not 100% correct, as there is not much documentation on most of these things. PR is always welcomed!
Currently supported data sources:
Can spawn a new process as any user who has a process running on the machine.
Can assign any available token of choice to your thread
Reason for this parameter to exist: In order to choose the correct structure for parsing we need the timestamp info of the msv dll file.
Rekall sadly doesn’t always have this info for some reason, therefore the parsing may be failing. If the parsing is failing this could solve the issue.
Parameter: -t
Values: 0
or 1
Example:
pypykatz.py rekall -t 0
Rekall Usage
There are two ways to use rekall-based memory parsing.
pypykatz rekall
commandYou will need to specify the memory file to parse.
Note:
rekall
, it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!out_file
and kerberos_dir
command switches!pypykatz_rekall.py
in the plugins
folder of pypykatz.plugins/windows
folder, and rename it to pypykatz.py
.__init__.py
file located the same folder and add the following line at the end: from rekall.plugins.windows import pypykatz
pypykatz
command from the rekall
command line directly.Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…