
Comments (6)

kildonan5 commented on August 24, 2024

Also seeing this issue after running parse minidump file, and printing the output.

E.g. output from mimikatz (with some redactions)

    Authentication Id : 0 ; 1607729 (00000000:00188831)
    Session           : Interactive from 1
    User Name         : joey
    Domain            : CASTLE
    Logon Server      : (null)
    Logon Time        : 1/27/2021 7:36:51 AM
    SID               : [redacted]
            msv :
             [00000003] Primary
             * Username   : joey
             * Domain     : CASTLE
             * NTLM       : [redacted]
             * DPAPI      : [redacted]
            tspkg :
            wdigest :
             * Username   : joey
             * Domain     : CASTLE
             * Password   : (null)
            kerberos :
             * Username   : joey
             * Domain     : CASTLE
             * Password   : (null)
             * Smartcard
                PIN code  : [redacted]
                Card      :
                Reader    :
                Container : [redacted]
                Provider  : Microsoft Passport Key Storage Provider
            ssp :
             [00000000]
             * Username   : superjoey
             * Domain     : CASTLE
             * Password   : =j~oeys1s@@perPass
             [00000001]
             * Username   : joey
             * Domain     : CASTLE
             * Password   : joeyisAlame00boy

Output from the same auth session from pypykatz parse minidump

    == SSP [188831]==
            username CASTLE
            domainname superjoey
            password b'\xab\x9f[redacted]'
    == SSP [188831]==
            username CASTLE
            domainname joey
            password b'\xe5\x8f[redacted]'

Based on the fact that the username and domainname are in the wrong place, I'm guessing this is just a simple index mistake and password is pointing to something that is not in fact the password in the parse?

Also I noticed it does not parse H4B pins currently... e.g. mimikatz shows

            kerberos :
             * Username   : superjoey
             * Domain     : CASTLE
             * Password   : (null)
             * Smartcard
                PIN code  : joeyssupersecretPin!
                Card      : Identity Device (Microsoft Generic Profile)
                Reader    : Windows Hello for Business 2

Whereas the same LogonSession in pypykatz parse does not have the 'smartcard' section/H4B pin. I'm guessing this is a feature not implemented (yet)?

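A small triage helper for the transposition described in the comment above, added here as an example and not code from pypykatz itself: it parses the `== SSP [luid]==` blocks of pypykatz text output and flags an entry whose `username` is actually a known domain (taken from the msv/logon-session data, assumed to be supplied by the caller) while its `domainname` is not. The sample output is constructed to mirror the quoted blocks with the passwords redacted.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the pypykatz output quoted in the issue
# (first block shows the username/domainname transposition; passwords redacted).
SAMPLE_OUTPUT = """\
== SSP [188831]==
        username CASTLE
        domainname superjoey
        password b'[redacted]'
== SSP [188831]==
        username joey
        domainname CASTLE
        password b'[redacted]'
"""

HEADER = re.compile(r"^== SSP \[([0-9A-Fa-f]+)\]==$")


@dataclass
class SspEntry:
    luid: str
    username: str
    domainname: str
    swapped: bool  # True when the two fields looked transposed and were normalised


def _build(fields, known_domains):
    user, dom = fields.get("username", ""), fields.get("domainname", "")
    # Heuristic: the parser's 'username' is a known domain while its
    # 'domainname' is not, so the two columns were most likely transposed.
    swapped = user.upper() in known_domains and dom.upper() not in known_domains
    if swapped:
        user, dom = dom, user
    return SspEntry(fields["luid"], user, dom, swapped)


def parse_ssp_blocks(text, known_domains):
    """Parse '== SSP [luid]==' blocks from pypykatz text output; known_domains
    is assumed to come from the msv/logon-session Domain fields of the same dump."""
    known = {d.upper() for d in known_domains}
    entries, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if fields:
                entries.append(_build(fields, known))
            fields = {"luid": m.group(1)}
            continue
        key, _, value = line.partition(" ")
        if fields is not None and key in ("username", "domainname"):
            fields[key] = value
    if fields:
        entries.append(_build(fields, known))
    return entries
```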

skelsec commented on August 24, 2024

I'm aware of the issues with sspi parsing, but please keep sending this info (preferably with the dumpfile) so I can track it down.
This is actually a long ongoing problem with the SSPI parsing in pypykatz and I'm looking into it from time to time. Will write updates here if any.
@kildonan5 the PIN parsing is not implemented as I have never encountered it before and no one sent test dumps so far, so I can't look into that.


kildonan5 commented on August 24, 2024

Ah unfortunately I can't share this dump but I'll keep it in mind for the future. Did you see my note about the username/domain/possible index swap? I tried to find in the code where this assignment and/or parsing is done but didn't have luck in my brief search.


skelsec commented on August 24, 2024

Yes, I saw it. Now the problem is that it already has been swapped once as per user request, because on some build versions it's different than others. And the strange part is that it's always about sspi.


skelsec commented on August 24, 2024

Okay, I had some time to work on this. Issue is considered fixed in version 0.4.2 (just published). It fixes the SSPI password issue, the kerberos PIN parsing issue and the user/domain mixup. The latter, however, I'm sure will come back.


skelsec commented on August 24, 2024

This is considered solved, in case of errors please open a new issue.
