Hi,

I've started looking into what it will take to implement a function like the updated dpapi::chrome module found in Mimikatz:

Code found here: https://github.com/gentilkiwi/mimikatz/blob/b098bf37cf71581882e6a1fa45ac58ec87860fd5/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_chrome.c

As far as I can tell the first obstacle is that pypykatz currently has no bcrypt implementation.

Do you have any thoughts on how this should be implemented?

I'm primarily looking for an offline solution (getting keys from sid/password).

Error details
Minidump: 20190422_lsass.exe_10.0.10586_x86.DMP (uploaded)
Error:

(rekall) ubuntu@vmubuntudskt:~$ pypykatz minidump '/home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP'
INFO:root:Parsing file /home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP
ERROR:root:Error while parsing file /home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP
Traceback (most recent call last):
File "/home/ubuntu/pypykatz/pypykatz/main.py", line 116, in main
mimi = pypykatz.parse_minidump_file(args.minidumpfile)
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 56, in parse_minidump_file
mimi.start()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 171, in start
self.get_kerberos()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 155, in get_kerberos
dec.start()
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 100, in start
key_list.read(self.reader, self.decryptor_template.hash_password_struct)
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 954, in read
self.KeyEntries.append(keyentries_type(reader))
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 921, in init
self.unk0 = PVOID(reader).value
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 39, in init
super().init(reader, None) #with void we cannot determine the final type
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 12, in init
self.value = reader.read_uint()
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 161, in read_uint
return int.from_bytes(self.read(4), byteorder = 'little', signed = False)
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 135, in read
raise Exception('Would read over segment boundaries!')
Exception: Would read over segment boundaries!
Traceback (most recent call last):
File "/home/ubuntu/pypykatz/pypykatz/main.py", line 116, in main
mimi = pypykatz.parse_minidump_file(args.minidumpfile)
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 56, in parse_minidump_file
mimi.start()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 171, in start
self.get_kerberos()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 155, in get_kerberos
dec.start()
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 100, in start
key_list.read(self.reader, self.decryptor_template.hash_password_struct)
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 954, in read
self.KeyEntries.append(keyentries_type(reader))
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 921, in init
self.unk0 = PVOID(reader).value
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 39, in init
super().init(reader, None) #with void we cannot determine the final type
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 12, in init
self.value = reader.read_uint()
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 161, in read_uint
return int.from_bytes(self.read(4), byteorder = 'little', signed = False)
File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 135, in read
raise Exception('Would read over segment boundaries!')
Exception: Would read over segment boundaries!

Operating system details
OS name: Windows 10 Pro
OS version: 10.0.10586
CPU architecture: x86
msv1_0.dll timestamp: 30/10/2015 05:44Z

Pypykatz installation
Pypykatz installed through git clone on Ubuntu 18.04.2 with Python 3.6.7.

Thanks!

Hi,

Thank you for your work! I would very much like to try the new features in version 0.4.8 such as DCSync and remote LSASS dumping. However, it seems the Wiki is not yet updated. The built-in help also seem to be missing info about the new features. Am I missing something?

Just a small output issue, probably due to a copy/paste. Method shows the help text of the grepable output option

ERROR: Could not find a version that satisfies the requirement msldap>=0.3.20 (from pypykatz) (from versions: 0.0.2, 0.0.3, 0.0.4, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.3.0, 0.3.1, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13)
ERROR: No matching distribution found for msldap>=0.3.20 (from pypykatz)

Hi!

I have used pypykatz recently and noticed in a particular system that the NTML dumped was different from the one dumped with Mimikatz, I was curious if it could be this issue:

https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf

I dumped the .kerbi and .ccache file and I wanted to use it on Linux, but the .ccaches is a integrated file and can't be used, the old and good kirbikator I can't find online anymore. I used the Kekeo to try convert but it does nothing. If I try to load with the latest version of MIT kerberos it says that the version of the ticket file is not supported when I call klist.

How do you do it?

Thanks.

Summary

In order to support parsing LSASS dumps acquired from XP and 2003 the decryption function implementation is currently incorrect, basically the current version contains my latest (failed)approach of porting the algorithm found here

Detailed description of the problem

The main LSA secret key in the LSASS memory is stored in a DES_EXPANDED_KEY structure ( definition is here . This strutct holds the original DES key in an already scheduled form (inner struct here). BUT it is not the usual pre-scheduled key in a "textbook" format, rather it's a modified version per microsoft (original expansion process here)
Other info: the algorithm used for encryption and decryption is actually DESX, however implementing DESX is a relatively easy task, as it uses

Possible solutions

1. Implement the decryption algo as-is, basically porting the code from mimikatz
2. Find a way to de-schedule the expanded DES key and get the original key, it would be used in an existing crypto implementation (pypykatz already has a pure-python DES implementation, that can be used)
3. Convert the expanded key to a K-table used by the existing DES implementation (be careful I just think this might work, but never actually done it)

Expected input for solution 1

Provide a python function that performs the exact same decryption as this function.
The definition should look like the following:
def desx_decrypt(expanded_des_key, input_whitening_key, output_whitening_key, blob):
where
expanded_des_key : 4-byte long unsinged integers in a [16][2] matrix (list) - OR - the expanded key bytes in bytearray format (size is 16*2*4 bytes)
input_whitening_key : 8 byte long bytearray
output_whitening_key : 8 byte long bytearray
blob : data to be decrypted in bytearray format. the blob size is always %8

Hello !

there are cases where it is not possible to dump passwords because "Credential Guard" is enabled. Since August 2020, there is a method to "bypass" Credential Guard. (see https://teamhydra.blog/2020/08/25/bypassing-credential-guard/).

It would be useful to be able to dynamically patch lsass via pypykatz. The code allowing the bypass does not seem too complex: https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
Moreover, in the case of RunAsPPL is activated, the operation of this bypass becomes complicated. However, with the addition of --method handledup it will be possible to bypass RunAsPPL and thus patch lsass.

Best regards

I'm using version 0.3.3. Below is the full message. The command was pypykatz registry system.dat --sam sam.dat.

What do you think about replacing aiowinreg/filestruct/nk.py:96 with this line:

    nk.name = nk.name.decode(encoding, "backslashreplace")

Then it might insert something like \xe4 somewhere in the output, but at least the program won't crash. Not sure if it doesn't break something else though.

# pypykatz  registry system.dat --sam sam.dat
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
Traceback (most recent call last):
  File "/root/.local/bin/pypykatz", line 10, in <module>
    sys.exit(main())
  File "/root/.local/lib/python3.7/site-packages/pypykatz/__main__.py", line 133, in main
    helper.execute(args)
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/cmdhelper.py", line 38, in execute
    self.run(args)
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/cmdhelper.py", line 73, in run
    po = OffineRegistry.from_files(args.system, args.sam, args.security, args.software)
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/offline_parser.py", line 171, in from_files
    po.get_secrets()
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/offline_parser.py", line 41, in get_secrets
    self.sam.get_secrets()
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/sam/sam.py", line 117, in get_secrets
    self.get_HBoot_key()
  File "/root/.local/lib/python3.7/site-packages/pypykatz/registry/sam/sam.py", line 69, in get_HBoot_key
    F = self.hive.get_value(r'SAM\Domains\Account\F')[1]
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/hive.py", line 123, in get_value
    self.setup()
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/hive.py", line 28, in setup
    self.root = self.search_root_key()
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/hive.py", line 39, in search_root_key
    hbin = NTRegistryHbin.read(self.reader)
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/filestruct/hbin.py", line 49, in read
    cell = NTRegistryCell.read(reader)
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/filestruct/regcell.py", line 34, in read
    cell.data = NTRegistryKeyTypes[cell.data[:2]].from_bytes(cell.data)
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/filestruct/nk.py", line 67, in from_bytes
    return NTRegistryNK.from_buffer(io.BytesIO(data))
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/filestruct/nk.py", line 98, in from_buffer
    raise e
  File "/root/.local/lib/python3.7/site-packages/aiowinreg/filestruct/nk.py", line 96, in from_buffer
    nk.name = nk.name.decode(encoding)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 1: ordinal not in range(128)

root@kali:~/scripts# pip3 install pypykatz
Collecting pypykatz
Downloading https://files.pythonhosted.org/packages/69/1a/61511c8ad262064bf0c0e022c5a5a936dce8b7f0e48a8e2ec42b8e0ced3a/pypykatz-0.3.6-py3-none-any.whl (276kB)
100% |████████████████████████████████| 276kB 3.7MB/s
Collecting msldap>=0.2.7 (from pypykatz)
Downloading https://files.pythonhosted.org/packages/2c/d2/280e6d6ece46fdb6393dee3470ef6f4973bb50b2a32559a33c859cc48b13/msldap-0.2.8-py3-none-any.whl (127kB)
100% |████████████████████████████████| 133kB 8.6MB/s
Collecting minidump>=0.0.12 (from pypykatz)
Downloading https://files.pythonhosted.org/packages/5e/75/a8f5a59beb8a049fdf9e9af1c9cf4b99bcb25a970bbe46fc9592f1865b96/minidump-0.0.12-py3-none-any.whl (64kB)
100% |████████████████████████████████| 71kB 13.0MB/s
Collecting winsspi>=0.0.3 (from pypykatz)
Downloading https://files.pythonhosted.org/packages/28/3e/6225f5cf793492a4abb9587fe2971d5dd768fbe2a7ba33b001c75888f0bd/winsspi-0.0.5-py3-none-any.whl
Collecting minikerberos>=0.2.0 (from pypykatz)
Downloading https://files.pythonhosted.org/packages/ca/24/f814f4f31fcad73865880397bb3db97813ba07d38a5e86b38df183ad478b/minikerberos-0.2.0-py3-none-any.whl (101kB)
100% |████████████████████████████████| 102kB 10.5MB/s
Collecting aiowinreg>=0.0.2 (from pypykatz)
Downloading https://files.pythonhosted.org/packages/59/25/31cd1c57c8322e1e88d246d923bb00a88e326722c238b3a466d411d73fd4/aiowinreg-0.0.2-py3-none-any.whl
Requirement already satisfied: asn1crypto in /usr/lib/python3/dist-packages (from msldap>=0.2.7->pypykatz) (0.24.0)
Collecting asciitree (from msldap>=0.2.7->pypykatz)
Downloading https://files.pythonhosted.org/packages/2d/6a/885bc91484e1aa8f618f6f0228d76d0e67000b0fdd6090673b777e311913/asciitree-0.3.3.tar.gz
Collecting aiocmd (from msldap>=0.2.7->pypykatz)
Downloading https://files.pythonhosted.org/packages/a7/d7/1237391649ab4d86a6d5520361727e938b4ec47df834e688189dd83642bf/aiocmd-0.1.2-py3-none-any.whl
Collecting winacl>=0.0.2 (from msldap>=0.2.7->pypykatz)
Downloading https://files.pythonhosted.org/packages/a7/5e/62e8d5e9987e2c4ae46dd32eea3ede36eadb82c04892ffeb73659fca2068/winacl-0.0.2-py3-none-any.whl (42kB)
100% |████████████████████████████████| 51kB 15.4MB/s
Collecting asysocks (from msldap>=0.2.7->pypykatz)
Downloading https://files.pythonhosted.org/packages/94/34/dd3083b54dc78a5e32ee132ea2c7544c234796cc9922cc62fff7fb3c2634/asysocks-0.0.2-py3-none-any.whl
Collecting ldap-filter (from msldap>=0.2.7->pypykatz)
Downloading https://files.pythonhosted.org/packages/d3/99/5192881858166d59cbd252366b03128ff777682171e890a3b9a36e726b77/ldap-filter-0.2.1.tar.gz
Requirement already satisfied: prompt-toolkit>=2.0.9 in /usr/lib/python3/dist-packages (from aiocmd->msldap>=0.2.7->pypykatz) (2.0.10)
Building wheels for collected packages: asciitree, ldap-filter
Running setup.py bdist_wheel for asciitree ... done
Stored in directory: /root/.cache/pip/wheels/1d/d9/58/9808b306744df0208fccc640d3d9952a5bc7468502d42897d5
Running setup.py bdist_wheel for ldap-filter ... done
Stored in directory: /root/.cache/pip/wheels/e0/e0/62/4aeb744457591783ebb19e6596216aec2c0af6c6b778e3b15d
Successfully built asciitree ldap-filter
minikerberos 0.2.0 has requirement asn1crypto>=1.3.0, but you'll have asn1crypto 0.24.0 which is incompatible.
Installing collected packages: asciitree, aiocmd, winacl, asysocks, ldap-filter, msldap, minidump, minikerberos, winsspi, aiowinreg, pypykatz
Successfully installed aiocmd-0.1.2 aiowinreg-0.0.2 asciitree-0.3.3 asysocks-0.0.2 ldap-filter-0.2.1 minidump-0.0.12 minikerberos-0.2.0 msldap-0.2.8 pypykatz-0.3.6 winacl-0.0.2 winsspi-0.0.5

Thank you very much for a great project. So far I have found it very well structured and easy to import in my own projects.

I realize this error is located in an external module, but I just wanted to bring it to your attention in case there is something you can do mitigate the error in your code:

$ python3
Python 3.7.6 (default, Jan 30 2020, 10:29:04) 
[GCC 9.2.1 20190827 (Red Hat 9.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypykatz.registry.offline_parser import OffineRegistry
>>> po = OffineRegistry.from_files('SYSTEM', 'SAM')
SECURITY hive path not supplied! Parsing SECURITY will not work
SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/pypykatz-0.3.5-py3.7.egg/pypykatz/registry/offline_parser.py", line 171, in from_files
  File "/usr/local/lib/python3.7/site-packages/pypykatz-0.3.5-py3.7.egg/pypykatz/registry/offline_parser.py", line 41, in get_secrets
  File "/usr/local/lib/python3.7/site-packages/pypykatz-0.3.5-py3.7.egg/pypykatz/registry/sam/sam.py", line 117, in get_secrets
  File "/usr/local/lib/python3.7/site-packages/pypykatz-0.3.5-py3.7.egg/pypykatz/registry/sam/sam.py", line 69, in get_HBoot_key
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/hive.py", line 123, in get_value
    self.setup()
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/hive.py", line 28, in setup
    self.root = self.search_root_key()
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/hive.py", line 39, in search_root_key
    hbin = NTRegistryHbin.read(self.reader)
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/filestruct/hbin.py", line 49, in read
    cell = NTRegistryCell.read(reader)
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/filestruct/regcell.py", line 34, in read
    cell.data = NTRegistryKeyTypes[cell.data[:2]].from_bytes(cell.data)
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/filestruct/nk.py", line 67, in from_bytes
    return NTRegistryNK.from_buffer(io.BytesIO(data))
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/filestruct/nk.py", line 98, in from_buffer
    raise e
  File "/usr/local/lib/python3.7/site-packages/aiowinreg-0.0.2-py3.7.egg/aiowinreg/filestruct/nk.py", line 96, in from_buffer
    nk.name = nk.name.decode(encoding)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 1: ordinal not in range(128)
>>> 

Unfortunately I'm not able to share a copy of the offending SAM file. The code works fine for other data.

Please let me know if there is anything more I can do to help debug.

I guess it may be related with unicode chars in the username? The SAM contains the following usernames:

Administratör
Gäst

Hello:
Thank you for your work.
Win 1909 x64 local account with Avast disabled.

Using latest laZagne.py I installed requirements.txt and downloaded latest pypykatz(and some few others).

Now in the lazagne pypykatz block , show as this:

------------------- Pypykatz passwords -----------------

[+] Password found !!!
Type: wdigest_creds
Domain: DESKTOP-2GHHNFK
Password: p a s s w o r d

First time I see retrieved password chars separated with a blank space between them.
Chrome,Firefox,Edge(chromium),CoreFTP,WIFI logins-passwords are showing as should be.

Any info much appreciated.

Hello:
Win 10 1809 x64 .python 3.7.16 x64

I'm trying to compile pypykatz.
But the resulting pypykatz.exe doesn't works.

Thanks.

Hello,
I have the following issue with a Windows 10 Enterprise 10.0.10586 dump:

$ pypykatz -v lsa minidump -e -o test.txt ../lsass.dmp
INFO:root:Parsing file ../lsass.dmp
DEBUG:root:Found ThreadListStream @630 Size: 436
DEBUG:root:Found ModuleListStream @7f0 Size: 8860
DEBUG:root:Found Memory64ListStream @7a26 Size: 8176
DEBUG:root:Found SystemInfoStream @a4 Size: 56
DEBUG:root:Found MiscInfoStream @dc Size: 1364
DEBUG:root:Found SystemMemoryInfoStream @2a8c Size: 492
DEBUG:root:SystemMemoryInfoStream parsing is not implemented (Missing documentation)
DEBUG:root:Found ProcessVmCountersStream @2c78 Size: 152
DEBUG:root:ProcessVmCountersStream parsing is not implemented (Missing documentation)
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:pypykatz:None
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 10586
INFO:pypykatz:MajorVersion: 6 
INFO:pypykatz:MSV timestamp: 1446171655
INFO:pypykatz:===== BASIC INFO END =====
ERROR:root:Error while parsing file ../lsass.dmp
[...]
Exception: Memory address 0x002c002a is not in process memory space

pip install or git clone give the same output.

I'm testing pypykatz on Ubuntu 18.04.2 with Python 3.6.7. I get the following error message when I run the tool against a minidump I've created:

Command: pypykatz minidump '/home/ubuntu/Desktop/20190406_10.0.17134.1.lsass.exe.dmp'
Exception: Signature was not found in module lsasrv.dll Signature: 33ff458937488bf34585c974

The minidump was created on a test VM running:

OS name: Windows 10 Enterprise
OS version: 10.0.17134.1
CPU architecture: x64
msv1_0.dll timestamp: 12/04/2018 01:34

I uploaded the minidump to the URL mentioned in the README. Thanks

Hi,
I am tried using pypykatz on diffrent windows OS and builds.
on both windows 10 1803 and windows 8.1 9600 i am getting the following stack trace by running pypykatz live lsa:
Traceback (most recent call last):
File "pypykatz-script.py", line 11, in
load_entry_point('pypykatz==0.3.0', 'console_scripts', 'pypykatz')()
File "pypykatz-0.3.0-py3.7.egg\pypykatz_main_.py", line 131, in main
File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 49, in execute
File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 147, in run_live
File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 85, in process_results
AttributeError: 'Namespace' object has no attribute 'grep'

Looking on NT6 parse and comparing against mimikatz i found that for every windows 10 64bit under 1809 the following values should be applied :
#key_pattern = LSADecyptorKeyPattern()
#key_pattern.signature = b'\x83\x64\x24\x30\x00\x48\x8d\x45\xe0\x44\x8b\x4d\xd8\x48\x8d\x15'
#key_pattern.IV_length = 16
#key_pattern.offset_to_IV_ptr = 61
#key_pattern.offset_to_DES_key_ptr = -73
#key_pattern.offset_to_AES_key_ptr = 16
#
#template.key_pattern = key_pattern
#template.key_struct = KIWI_BCRYPT_KEY81
#template.key_handle_struct = KIWI_BCRYPT_HANDLE_KEY

In addition i found that for windows 8.1 the following values should be applied:
self.key_pattern = LSADecyptorKeyPattern()
self.key_pattern.signature = b'\x83\x64\x24\x30\x00\x44\x8b\x4d\xd8\x48\x8b\x0d'
self.key_pattern.IV_length = 16
self.key_pattern.offset_to_IV_ptr = 62
self.key_pattern.offset_to_DES_key_ptr = -70
self.key_pattern.offset_to_AES_key_ptr = 23

	self.key_struct = KIWI_BCRYPT_KEY81
	self.key_handle_struct = KIWI_BCRYPT_HANDLE_KEY	

Can you assist with the error?

Thanks for the help!

It seems I keep breaking stuff :)

Error details
Minidump: 20190409_lsass.exe.10.0.10240_x64.dmp (uploaded)
Error: raise MinidumpHeaderSignatureMismatchException(mh.Signature)
minidump.exceptions.MinidumpHeaderSignatureMismatchException:

Operating system details
OS name: Windows 10 Home
CPU architecture: x64
OS version: 10.0.10240
msv1_0.dll timestamp: 10/07/2015 05:18

Pypykatz installation
Pypykatz installed through git clone on Ubuntu 18.04.2 with Python 3.6.7. Thanks!

Mimikatz finds the following user and hash:
msv :
[00000003] Primary
* Username : Bente
* Domain : PWNTHIS
* NTLM : b6758b113ce4814bd659b18a6269759d
* SHA1 : feeb038d4ad991d8bc6a0d3bd8cacd8c5256b512
* DPAPI : d26ec53f1616692aa6ab125dfc592122

pypykatz does find the user but the NT hash is empty.
The only NT hash i get is the machine account

I uploaded dmp file called domain-controller.pwnthis.com.dmp

The dump is from Windows Server 2016

Cmd with administrator privileges:

C:\Users\Usuario\Downloads\pypykatz-master>pypykatz.exe live lsa

Exception while dumping LSA credentials from memory.
Traceback (most recent call last):
File "C:\Users\Usuario\AppData\Local\Programs\Python\Python37\lib\site-packages\pypykatz-0.0.7-py3.7.egg\pypykatz_main_.py", line 74, in main
mimi = pypykatz.go_live()
File "C:\Users\Usuario\AppData\Local\Programs\Python\Python37\lib\site-packages\pypykatz-0.0.7-py3.7.egg\pypykatz\pypykatz.py", line 44, in go_live
reader = LiveReader()
File "C:\Users\Usuario\AppData\Local\Programs\Python\Python37\lib\site-packages\pypykatz-0.0.7-py3.7.egg\pypykatz\commons\readers\local\live_reader.py", line 308, in init
self.setup()
File "C:\Users\Usuario\AppData\Local\Programs\Python\Python37\lib\site-packages\pypykatz-0.0.7-py3.7.egg\pypykatz\commons\readers\local\live_reader.py", line 344, in setup
pid = get_lsass_pid()
File "C:\Users\Usuario\AppData\Local\Programs\Python\Python37\lib\site-packages\pypykatz-0.0.7-py3.7.egg\pypykatz\commons\readers\local\common\live_reader_ctypes.py", line 78, in get_lsass_pid
raise Exception('Failed to find lsass.exe')
Exception: Failed to find lsass.exe

==== Parsing errors:
live

Hi there I have this error message when I run:

pypykatz -vv lsa minidump C:\dump.dmp

The dump is from a Windows Server 2016 Standard 14393 x64.

pypykatz v0.3.15 was executed on a Windows 10 Enterprise Build 1902.

Level 6:pypykatz:[LiveSsp] [decryptor] Failed to find structs! Reason: Signature was not found in module msv1_0.dll Signature: 74258b
Level 6:pypykatz:[Dpapi] [template] Selecting template for list_entry: PKIWI_MASTERKEY_CACHE_ENTRY
Level 6:pypykatz:[Dpapi] [decryptor] Searching for key struct signature
Level 6:pypykatz:[Dpapi] [decryptor] Failed to find structs! Reason: Memory address 0x7ffa7a7b5505 is not in process memory space

Any suggestions?

Thanks

i get only prekeys.. but i need also users names..
pls help me
this my code

from pypykatz.dpapi import dpapi

def parse_SAM_SECURITY_SYSTEM_files():
dpapiparse = dpapi.DPAPI()
users_keys, machine_keys =
dpapiparse.get_prekeys_form_registry_files(system_path="system.hiv",
security_path="security.hiv",
sam_path="sam.hiv")
for key in users_keys:
print(key.hex())
for key in machine_keys:
print(key.hex())

Hi mate,

Thank you for your hard work. Pypykatz is really awesome. I experience a little problem here when parsing a minidump on a fresh installed Windows.

Here how to reproduce:

• OS Name: Microsoft Windows Server 2019 Standard Evaluation
• OS Version: 10.0.17763 N/A Build 17763
• ProcDump64 Version: v9.0 (latest)
• Pypykatz Version: v0.1.1 (judging from setup.py)

Here is my ProcDump:

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[08:11:06] Dump 1 initiated: C:\lsass.dmp
[08:11:06] Dump 1 writing: Estimated dump file size is 45 MB.
[08:11:06] Dump 1 complete: 45 MB written in 0.3 seconds
[08:11:07] Dump count reached.

When I try to parse it, it fails with ValueError: 15 is not a valid PROCESSOR_LEVEL.

INFO:root:Parsing file lsass.dmp
DEBUG:root:Found ThreadListStream @684 Size: 388
DEBUG:root:Found ThreadInfoListStream @808 Size: 524
DEBUG:root:== ThreadInfoList ==
ThreadId | DumpFlags | DumpError | ExitStatus | CreateTime         | ExitTime | KernelTime | UserTime | StartAddress   | Affinity
---------------------------------------------------------------------------------------------------------------------------------
0x234    | None      | 0         | 0x103      | 132120735554477257 | 0        | 0          | 156250   | 0x7ff67c284080 | 1       
0x248    | None      | 0         | 0x103      | 132120735557657209 | 0        | 0          | 0        | 0x7ff8312e3820 | 1       
0x24c    | None      | 0         | 0x103      | 132120735557906553 | 0        | 0          | 0        | 0x7ff83566ff80 | 1       
0x914    | None      | 0         | 0x103      | 132120736219064206 | 0        | 0          | 0        | 0x7ff82522a2b0 | 1       
0xbfc    | None      | 0         | 0x103      | 132120737056810042 | 0        | 5468750    | 4843750  | 0x7ff83566ff80 | 1       
0x404    | None      | 0         | 0x103      | 132120751006547693 | 0        | 4375000    | 5312500  | 0x7ff83566ff80 | 1       
0xc14    | None      | 0         | 0x103      | 132120827606871525 | 0        | 0          | 156250   | 0x7ff83566ff80 | 1       
0xd50    | None      | 0         | 0x103      | 132120829169704025 | 0        | 0          | 0        | 0x7ff8311651d0 | 1       

DEBUG:root:Found ModuleListStream @a14 Size: 8968
DEBUG:root:Found UnloadedModuleListStream @2d1c Size: 36
DEBUG:root:Found TokenStream @2d40 Size: 704
DEBUG:root:TokenStream parsing is not implemented (Missing documentation)
DEBUG:root:Found Memory64ListStream @26be3 Size: 8192
DEBUG:root:Found MemoryInfoListStream @1e6e3 Size: 34048
DEBUG:root:Found SystemInfoStream @f8 Size: 56
ERROR:root:Error while parsing file lsass.dmp
ValueError: 15 is not a valid PROCESSOR_LEVEL

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 169, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 52, in parse_minidump_file
    minidump = MinidumpFile.parse(filename)
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 187, in parse
    mf._parse()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 195, in _parse
    self.__parse_directories()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 238, in __parse_directories
    self.sysinfo = MinidumpSystemInfo.parse(dir, self.file_handle)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 175, in parse
    si = MINIDUMP_SYSTEM_INFO.parse(chunk)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 92, in parse
    msi.ProcessorLevel = PROCESSOR_LEVEL(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
  File "/usr/lib/python3.7/enum.py", line 310, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib/python3.7/enum.py", line 564, in __new__
    raise exc
  File "/usr/lib/python3.7/enum.py", line 548, in __new__
    result = cls._missing_(value)
  File "/usr/lib/python3.7/enum.py", line 577, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 15 is not a valid PROCESSOR_LEVEL
ValueError: 15 is not a valid PROCESSOR_LEVEL

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 169, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 52, in parse_minidump_file
    minidump = MinidumpFile.parse(filename)
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 187, in parse
    mf._parse()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 195, in _parse
    self.__parse_directories()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 238, in __parse_directories
    self.sysinfo = MinidumpSystemInfo.parse(dir, self.file_handle)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 175, in parse
    si = MINIDUMP_SYSTEM_INFO.parse(chunk)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 92, in parse
    msi.ProcessorLevel = PROCESSOR_LEVEL(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
  File "/usr/lib/python3.7/enum.py", line 310, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib/python3.7/enum.py", line 564, in __new__
    raise exc
  File "/usr/lib/python3.7/enum.py", line 548, in __new__
    result = cls._missing_(value)
  File "/usr/lib/python3.7/enum.py", line 577, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 15 is not a valid PROCESSOR_LEVEL

I have to mention that it works perfectly with Mimikatz. Here the problematic dump.
lsass.zip

I think it may be a misspelling. Changing it to logger.error(...) will fix. BTW, Line 71 has the same issue.

Hi,
I just followed all the installation instructions through pip3, including all necessary modules.
All is installed in an ubuntu 18.04 server virtualbox.

I just provide SAM and SYSTEM files and need to have the hashes dumped.
I do:
pypykatz dpapi --system ./SYSTEM --sam ./SAM credential

And I get:
'Namespace' object has no attribute 'minidump'

I also do:
pypykatz dpapi --system ./SYSTEM --sam ./SAM vault

And I get:
'Namespace' object has no attribute 'vpol'

What is going on? Do you know of another method to do the same?

Thanks!

It seems this option while listed as valid, isn't accepted

root@ubuntu:~# pypykatz live lsa --method handleup
usage: pypykatz live lsa [-h] [--json] [-e] [-o OUTFILE] [-k KERBEROS_DIR] [-g] [--method {procopen,handledup}]
pypykatz live lsa: error: argument --method: invalid choice: 'handleup' (choose from 'procopen', 'handledup')

https://github.com/skelsec/pypykatz#why-do-i-need-these-dumps-files

In order to create mimikatz in Python one would have to create structure difinitions definitions of a gazillion different structures...

Mimikatz logfiles, obviously created on Windows machine add a CRLF line terminator when being created.
Pypykatz does not, which causes issues with other applications/scripts when parsing the logfiles.
Doing a 'file ' gives you this difference:
lsass-mimi.log: ASCII text, with very long lines, with CRLF line terminators
lsass-pypy.log: ASCII text, with very long lines

Perhaps pypykatz could use the print function differently so it writes files with CRLF?
Now I have to do 'recode CR-LF ', which isn't that hard, but if not needed it would be nice.

https://www.techwalla.com/articles/how-to-use-echo-in-python

root@kali:~/pypykatz# pip3 install pypykatz

root@kali:~/pypykatz# pypykatz minidump /root/go/src/github.com/Coalfire-Research/Slackor/loot/eofaf.dmp

INFO:root:Parsing file /root/go/src/github.com/Coalfire-Research/Slackor/loot/eofaf.dmp ERROR:root:Error while parsing file /root/go/src/github.com/Coalfire-Research/Slackor/loot/eofaf.dmp Traceback (most recent call last): File "/usr/local/lib/python3.7/dist-packages/pypykatz/__main__.py", line 116, in main mimi = pypykatz.parse_minidump_file(args.minidumpfile) File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 56, in parse_minidump_file mimi.start() File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 168, in start self.lsa_decryptor = self.get_lsa() File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 98, in get_lsa lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo) File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 21, in __init__ self.acquire_crypto_material() File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 29, in acquire_crypto_material self.iv = self.get_IV(sigpos) File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 57, in get_IV self.reader.move(ptr_iv) File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpreader.py", line 84, in move self._select_segment(address) File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpreader.py", line 55, in _select_segment raise Exception('Memory address 0x%08x is not in process memory space' % requested_position) Exception: Memory address 0x7ffcb7317dbb is not in process memory space Traceback (most recent call last): File "/usr/local/lib/python3.7/dist-packages/pypykatz/__main__.py", line 116, in main mimi = pypykatz.parse_minidump_file(args.minidumpfile) File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 56, in parse_minidump_file mimi.start() File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 168, in start self.lsa_decryptor = self.get_lsa() File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 98, in get_lsa lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo) File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 21, in __init__ self.acquire_crypto_material() File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 29, in acquire_crypto_material self.iv = self.get_IV(sigpos) File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 57, in get_IV self.reader.move(ptr_iv) File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpreader.py", line 84, in move self._select_segment(address) File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpreader.py", line 55, in _select_segment raise Exception('Memory address 0x%08x is not in process memory space' % requested_position) Exception: Memory address 0x7ffcb7317dbb is not in process memory space

This is a fresh Windows 10 VM.

Uploading the lsass dump to you now.

First of all, awesome tool, thanks a lot!

I noticed a small issue:

In the following output, you can see that username and domainname should be switched in the TSPKG section (at the very bottom)

INFO:root:Parsing file loot/lsass_648.dmp.1
DEBUG:root:Found ThreadListStream @630 Size: 484
DEBUG:root:Found ModuleListStream @820 Size: 9400
DEBUG:root:Found Memory64ListStream @8371 Size: 8912
DEBUG:root:Found SystemInfoStream @a4 Size: 56
DEBUG:root:Found MiscInfoStream @dc Size: 1364
DEBUG:root:Found SystemMemoryInfoStream @2cd8 Size: 492
DEBUG:root:SystemMemoryInfoStream parsing is not implemented (Missing documentation)
DEBUG:root:Found ProcessVmCountersStream @2ec4 Size: 152
DEBUG:root:ProcessVmCountersStream parsing is not implemented (Missing documentation)
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
DEBUG:pypykatz:CPU arch: X64
DEBUG:pypykatz:OS: Windows 10
DEBUG:pypykatz:BuildNumber: 18362
DEBUG:pypykatz:MajorVersion: 6
DEBUG:pypykatz:MSV timestamp: 1382369829
DEBUG:pypykatz:===== BASIC INFO END =====
DEBUG:pypykatz:None
FILE: ======== loot/lsass_648.dmp.1 =======

[...]

== LogonSession ==
authentication_id 1216142 (128e8e)
session_id 2
username avollmer
domainname SYSS-AVOLLMER-W
logon_server SYSS-AVOLLMER-W
logon_time 2019-09-09T16:11:56.153471
sid S-1-5-21-3608495566-3602156480-2661099115-1001
luid 1216142
        == MSV ==
                Username: avollmer
                Domain: SYSS-AVOLLMER-W
                LM: NA
                NT: <redacted>
                SHA1: <redacted>
        == WDIGEST [128e8e]==
                username avollmer
                domainname SYSS-AVOLLMER-W
                password None
        == Kerberos ==
                Username: avollmer
                Domain: SYSS-AVOLLMER-W
                Password: <redacted>
        == WDIGEST [128e8e]==
                username avollmer
                domainname SYSS-AVOLLMER-W
                password None
        == TSPKG [128e8e]==
                username SYSS-AVOLLMER-W                   <=====
                domainname avollmer                        <=====
                password <redacted>

[...]

how can i use pypykatz do kerberos::purge
when i use mimikatz，i can do kerberos::purge
https://github.com/skelsec/pypykatz/live_kerberos is 404

Hi skelsec,

I have a little problem with this machine:

C:\>systeminfo

Host Name:                 DC1-2016
OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller

I make a ProcDump using this:

C:\>procdump64.exe -accepteula -ma lsass.exe dump.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[19:01:14] Dump 1 initiated: C:\dump.dmp
[19:01:14] Dump 1 writing: Estimated dump file size is 208 MB.
[19:01:14] Dump 1 complete: 208 MB written in 0.5 seconds
[19:01:15] Dump count reached.

It works as expected when I try to parse locally with

pypykatz lsa minidump dump.dmp

But when I use parse_minidump_external() function, I have this stacktrace:

Process Process-3:
Traceback (most recent call last):
[...]
  File "/home/aas/spraykatz/core/ParseDump.py", line 23, in parseDump
    result = pypykatz.parse_minidump_external(dump)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 96, in parse_minidump_external
    mimi.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 245, in start
    self.get_logoncreds()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 146, in get_logoncreds
    logoncred_decryptor.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 367, in start
    self.walk_list(entry_ptr, self.add_entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 179, in walk_list
    callback(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 281, in add_entry
    self.parse_credman_credentials(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 301, in parse_credman_credentials
    if list_starter.start.value != list_starter.start.location:
AttributeError: 'NoneType' object has no attribute 'start'

Do you have any idea?

Note: The problematic dump weighs 200MB. If you want, I can upload it.

Hello I'm getting the following error when running pypykatz live lsa

Exception: Signature was not found in module lsasrv.dll Signature: 33ff458937488bf34585c974

==== Parsing errors:
live

0.4.3 was the last release that was tagged. The Fedora and the NixOS packages are using the GitHub releases as source.

Could you please tag the source again to get the releases from GitHub?

Thanks

Hello! Using the GitHub repository version, I have the same error but with a different memory address. I tried on a lsass dump from a Windows Server 2012 (uploaded).

pypykatz minidump SRVDC_lsass_iquaclMozy.dmp

DEBUG:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
DEBUG:pypykatz:CPU arch: X64
DEBUG:pypykatz:OS: Windows Server 2012
DEBUG:pypykatz:BuildNumber: 9200
DEBUG:pypykatz:MajorVersion: 6
DEBUG:pypykatz:MSV timestamp: 1343260942
DEBUG:pypykatz:===== BASIC INFO END =====

Mimikatz's works with the dump.

Originally posted by @alexandreborgo in #26 (comment)

In this blog post: https://en.hackndo.com/remote-lsass-dump-passwords/#dump-size

there are code edits that assist in parsing remote files without needing to download them. It would be awesome if Pypykatz had this feature.

Hey man,

I would like to compile my own binary, my question is do you use pyinstaller for this or something else?

And are there any specific requirements prior to compiling ?

Cheers

Hello,

I am reporting a parsing error problem with a recent Windows 10 dump as nt authority/system with .\procdump.exe -accepteula -ma lsass.exe lsass.dmp from sysinternals suite. Sadly at the time I cannot provide the dump as this is a live environment and I don't know if passwords are stored or not. Maybe this is enough to investigate, if not I'll try to setup a equivalent Windows 10 Demo Environment without any sensitive information to reproduce the problem.

pypykatz -v lsa minidump -e -o test.txt /media/sf_VM_Shared/lsass_dump/lsass.dmp 
INFO:root:Parsing file /media/sf_VM_Shared/lsass_dump/lsass.dmp
DEBUG:root:Found ThreadListStream @684 Size: 436
DEBUG:root:Found ThreadInfoListStream @838 Size: 588
DEBUG:root:== ThreadInfoList ==
ThreadId | DumpFlags | DumpError | ExitStatus | CreateTime         | ExitTime | KernelTime | UserTime | StartAddress   | Affinity
---------------------------------------------------------------------------------------------------------------------------------
0x328    | None      | 0         | 0x103      | 132107882520296581 | 0        | 0          | 0        | 0x7ff692874080 | 255     
0x350    | None      | 0         | 0x103      | 132107882520443197 | 0        | 0          | 468750   | 0x7ffb24f570b0 | 255     
0x358    | None      | 0         | 0x103      | 132107882520484094 | 0        | 0          | 0        | 0x7ffb292dff80 | 255     
0x374    | None      | 0         | 0x103      | 132107882521355310 | 0        | 0          | 0        | 0x7ffb282db140 | 255     
0x1be4   | None      | 0         | 0x103      | 132107882605183752 | 0        | 156250     | 0        | 0x7ffafb39a2b0 | 255     
0x37c4   | None      | 0         | 0x103      | 132108423879863795 | 0        | 12656250   | 12343750 | 0x7ffb292dff80 | 255     
0x393c   | None      | 0         | 0x103      | 132108509461476735 | 0        | 0          | 0        | 0x7ffb292dff80 | 255     
0x3a7c   | None      | 0         | 0x103      | 132108512512415381 | 0        | 781250     | 0        | 0x7ffb292dff80 | 255     
0x22e4   | None      | 0         | 0x103      | 132108513655868506 | 0        | 156250     | 0        | 0x7ffb292dff80 | 255     

DEBUG:root:Found ModuleListStream @a84 Size: 10912
DEBUG:root:Found UnloadedModuleListStream @3524 Size: 396
DEBUG:root:Found TokenStream @36b0 Size: 704
DEBUG:root:TokenStream parsing is not implemented (Missing documentation)
DEBUG:root:Found Memory64ListStream @41e29 Size: 10704
DEBUG:root:Found MemoryInfoListStream @36bc9 Size: 45664
DEBUG:root:Found SystemInfoStream @f8 Size: 56
DEBUG:root:Found MiscInfoStream @130 Size: 1364
DEBUG:root:Found HandleDataStream @21e71 Size: 85336
DEBUG:root:Found SystemMemoryInfoStream @3970 Size: 492
DEBUG:root:SystemMemoryInfoStream parsing is not implemented (Missing documentation)
DEBUG:root:Found ProcessVmCountersStream @3b5c Size: 152
DEBUG:root:ProcessVmCountersStream parsing is not implemented (Missing documentation)
DEBUG:root:Found CommentStreamW @949d Size: 242
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:root:Found UnusedStream @0 Size: 0
DEBUG:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
DEBUG:pypykatz:CPU arch: X64
DEBUG:pypykatz:OS: Windows 10
DEBUG:pypykatz:BuildNumber: 17763
DEBUG:pypykatz:MajorVersion: 6 
DEBUG:pypykatz:MSV timestamp: 412103479
DEBUG:pypykatz:===== BASIC INFO END =====
ERROR:root:Error while parsing file /media/sf_VM_Shared/lsass_dump/lsass.dmp
Traceback (most recent call last):
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 169, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/pypykatz.py", line 56, in parse_minidump_file
    mimi.start()
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/pypykatz.py", line 168, in start
    self.lsa_decryptor = self.get_lsa()
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/pypykatz.py", line 98, in get_lsa
    lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 21, in __init__
    self.acquire_crypto_material()
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 29, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "/home/wittmann/ReverseTools/windows/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 57, in get_IV
    self.reader.move(ptr_iv)
  File "/home/wittmann/.virtualenvs/cpython3/lib/python3.6/site-packages/minidump/minidumpreader.py", line 84, in move
    self._select_segment(address)
  File "/home/wittmann/.virtualenvs/cpython3/lib/python3.6/site-packages/minidump/minidumpreader.py", line 55, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffb6dbc6267 is not in process memory space

Hello:
I have lazagne that already install pypykatz.
Collecting https://github.com/skelsec/pypykatz/archive/master.zip (from -r C:\lozogno\requirements.txt (line 7))
Using cached https://github.com/skelsec/pypykatz/archive/master.zip
Requirement already satisfied (use --upgrade to upgrade): pypykatz==0.3.12 from https://github.com/skelsec/pypykatz/archive/master.zip in c:\python37\lib\site-packages (from -r C:\lozogno\requirements.txt (line 7))

I can run pypykatz live/registry/nt modules well.
Also I can run pypykatz live dpapi well.

But when trying to run pypykatz dpapi minidump ,this error throws:

C:\python37\Scripts>pypykatz dpapi minidump "C:\jibes\lsass.DMP"
Traceback (most recent call last):
File "C:\python37\Scripts\pypykatz-script.py", line 11, in
load_entry_point('pypykatz==0.3.12', 'console_scripts', 'pypykatz')()
File "c:\python37\lib\site-packages\pypykatz_main_.py", line 270, in main
dpapi.dump_masterkeys(args.out_file)
AttributeError: 'Namespace' object has no attribute 'out_file'

Any info will be great.

Thanks.

Error details
File type: memory dump from a public ENISA training exercise). I uploaded the file (1,42 GB) to here:
https://www.dropbox.com/s/m4djwnnym06j8pa/memory_win10_10586.zip?dl=0
Error:

(rekall) ubuntu@vmubuntudskt:~$ pypykatz rekall '/home/ubuntu/Desktop/memory.img'
INFO:pypykatz:Searching LSASS process
INFO:pypykatz:Detected kernel base at 0x8226D000
INFO:pypykatz:WARNING! msv.dll timestamp not found! This could cause errors with older windows builds. You might need to specify it manually for anti_mimikatz structs!
INFO:pypykatz:module.start_addr 1941110784
WARNING:root:signature not found! 6a026a1068
Traceback (most recent call last):
File "/home/ubuntu/rekall/bin/pypykatz", line 11, in
load_entry_point('pypykatz', 'console_scripts', 'pypykatz')()
File "/home/ubuntu/pypykatz/pypykatz/main.py", line 86, in main
mimi = pypykatz.parse_memory_dump_rekall(args.memoryfile, args.timestamp_override)
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 65, in parse_memory_dump_rekall
mimi.start()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 168, in start
self.lsa_decryptor = self.get_lsa()
File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 98, in get_lsa
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 21, in init
self.acquire_crypto_material()
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 25, in acquire_crypto_material
sigpos = self.find_signature()
File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 46, in find_signature
raise Exception('LSA signature not found!')
Exception: LSA signature not found!

Operating system details (found with Rekall)
OS name: Windows 10
OS version: 10586.th2_release_sec.160630-1736
CPU architecture: x86
msv1_0.dll timestamp: 2016:03:29 06:46:29Z

Pypykatz installation
Pypykatz installed through git clone on Ubuntu 18.04.2 with Python 3.6.7. Pypykatz and Rekall have been installed in the same virtualenv.

Thanks!

Hello:
I've noticed that when running pypykatz for a MicrosoftAccount user then the SHA1 is just retrieved as;

 Shahash: 0000000000000000000000000000000000000000

I thought this was due Win 10 2004H1 .
But is doing for every MicrosoftAccount user.

Maybe I didn't notice it.
I also ran mimikatz for a MicroaftAccount user and didn't even has a , SHA1: , entry

Any info much appreciated.

Error details
Minidump: lsass.exe.10.0.10240_x86.dmp (uploaded to the URL)
Error: Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x622160d5 is not in process memory space

Operating system details
OS name: Windows 10 Home
CPU architecture: x86
OS version: 10.0.10240
msv1_0.dll timestamp: 07/10/2015 09:24

Pypykatz installation
Pypykatz installed through git clone on Ubuntu 18.04.2 with Python 3.6.7. Thanks!

Just a suggestion, but the live option should provide some sort of checking to see if there is an LSASS process available. When it's run on Linux, (I'm not sure if using it on WSL1 would work, cool possibility there) , but if it's can't find LSASS.exe running in a process list it might be worth erroring out with a mention that live is only for localhost and can't be used for remote access of LSASS

Reading your medium.com article I decided to give handledup a go. Ran it against a fully patched Win10 box running 3rd party AV and cool it worked :)

python -m pypykatz -v live lsa --method handledup

Decided to do a bit of digging and discovered the following output:

DEBUG:pypykatz:Failed to duplicate object! PID: 744 HANDLE: 0xdb8
DEBUG:pypykatz:Failed to duplicate object! PID: 744 HANDLE: 0xdd4
DEBUG:pypykatz:Failed to duplicate object! PID: 744 HANDLE: 0xe10
DEBUG:pypykatz:Found open handle to lsass! PID: 744 HANDLE: 0xee8
DEBUG:pypykatz:Failed to duplicate object! PID: 744 HANDLE: 0xefc
DEBUG:pypykatz:Failed to duplicate object! PID: 744 HANDLE: 0xf00

There were a few other 744 handles but no other PIDs referenced. 744 was the LSASS process. I found this a little surprising as i thought (willing to be corrected on this) the idea was to evade touching this somewhat monitored process. Have I misunderstood the point of this flag and all is fine, or is this a bug?

Feel free to look at this in slow time, always grateful to open-source devs & i realise you are probably super busy.

Regards
MJW

Hi,
How can i extract dapapi key from mkf?
I know what is a prekey but what is key file in pypykatz dpapi mastery?

I can't do this one. Please help.

After locking and unlocking screen on windows 10 (Build 19041), go_live() function would raise "Exception: Would read over segment boundaries!". After some time, it would work again.
I tried 'pypykatz live lsa' and running it from lazagne project, with the same thing happening.

Hi,
While dumping the lsass process with lsassy I encountered a signature error as it was not found.
So I dump the lsass localy to give it to you in case you want to implement it ! :)

Here is the build of the remote server:

Here is the error:

And here is the lsass dump:
lsass_pypykatz.zip

Thank you for your awesome work, I hope this will be usefull :D

Hi @skelsec,

Great work, your project is very cool. I have started something like that some time ago just to retrieve wdigest passwords but your project seems more stable and do lot more.
I wanted to know if you were agree to add pypykatz in lazagne. It would be really nice, if a clear text password is found or the user hash, it will automatically retrieve softwares'passwords which used DPAPI to store their credentials (chrome, etc.). I managed password decryption using DPAPI if I have the user password or his hash.
So I think, both project are complementary. I could add it as an external dependency like that if some bugs appear, I will redirect issues to your github.

However, even if you accept, I will have a big problem to do it. I'm still really dependent on Python 2.7. Lazagne has been added as a post exploitation module of pupy, and it manages only Python 2.7 right now. But when I checked your code, I don't think it will be so hard to be compatible from Python 2.7 to newer Python versions (but I may have wrong).

So tell me what you think about it, it could be cool to join our work.

Have a nice day !

Alessandro

Setup states minikerberos==0.0.4, perhaps set this to minimum version if 0.0.6 also works?