Comments (3)
Hello! I know exactly what this is.
"First time I see retrieved password chars separated with a blank space between them." << Consider yourself really lucky XD
Jokes aside. The reason is that I have modified the code that converts the password bytes after decryption to text. Apparently it's still not precise, but this is still better than what was before (have you noticed Asian text printed out in some cases?).
To be precise, here is the description of the problem:
Passwords/secrets (notice the secrets part) are stored encrypted in LSASS with no "encoding" information attached to them. So programmatically you can't really decide if the decrypted secret is ASCII/UTF-8/UTF-16-LE/noteventext. For this reason some guessing-logic needed to be implemented (which was changed in the recent version).
Original guessing code was:
- Try decode as UTF-16-LE
- Try decode as UTF-8
- Try decode as ASCII
- If all fails: it's either just bytes or decryption failed (since there is no checksum it's hard to distinguish)
Problems with original case:
- Byte blobs get decoded as valid UTF-16-LE strings and you see a whole bunch of Asian characters (sometimes Cyrillic). This is especially the case with computer passwords and passwords from the SSP module. In this case you basically lose the password since you will most likely not be able to convert the characters back.
- ASCII passwords get 'decoded' to either UTF16LE or UTF8. Same problem as above.
Updated guessing code:
- Try to decode as ASCII
- Try to decode as UTF-16
- UTF8
- ....
-
- If the account name ends with '$' then just return bytes for the password as it's probably a machine account
Now what you are observing is a problem the other way around: ASCII for some reason decodes UTF16LE. Wonderful. What I can do here is to update the guessing code so that it checks if every second char is \x00 or if there are characters outside of 1-127, then skip ASCII decoding entirely.
Anyhow this issue is still much less severe than the previous version's issue on the same topic. In the next update I'll probably create a new variable for all credential objects to make the password bytes available for later decoding by the user.
from pypykatz.
Hello:
Cool.
When I said that it is the first time I see this output string format, I meant that in the lazagne pypykatz output block it is the first time that the password output is inserting a blank space between chars.
So I suspected it was related to the latest pypykatz code. Every time you update pypykatz I run lazagne and reinstall requirements to also update the pypykatz module.
I just wanted to inform you in case you didn't hear anything about this behavior.
Thanks for keeping in touch.
from pypykatz.
I have rolled back the decoding change, also now all credential objects (which have a password) have a password_raw member to access the bytes right after decryption so you can do your own decoding if needed. I hope that sorts out this issue.
from pypykatz.
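The two guessing orders discussed in this thread, written out as an added example (not part of the thread and not pypykatz's own code), for anyone decoding the bytes from `password_raw` themselves. The function names, the sample inputs, the printable-ASCII range (stricter than the 1-127 mentioned above) and the `isprintable()` filter are assumptions made for illustration.

```python
# Added illustration; function names and sample bytes are constructed.
PRINTABLE = range(0x20, 0x7F)  # assumption: stricter than the thread's 1-127

def _try(raw: bytes, enc: str):
    try:
        return raw.decode(enc)
    except UnicodeDecodeError:
        return None

def guess_original(raw: bytes):
    """Original order from the thread: UTF-16-LE, UTF-8, ASCII, else bytes."""
    for enc in ("utf-16-le", "utf-8", "ascii"):
        text = _try(raw, enc)
        if text is not None:
            return enc, text
    return "bytes", raw.hex()

def guess_checked(raw: bytes, username: str = ""):
    """ASCII-first order with the NUL-byte and range checks applied first."""
    if username.endswith("$"):  # machine account: keep the blob as bytes
        return "bytes", raw.hex()
    # ASCII stored as UTF-16-LE: every second byte is 0x00
    wide_ascii = (len(raw) >= 2 and len(raw) % 2 == 0
                  and all(b == 0 for b in raw[1::2])
                  and all(b in PRINTABLE for b in raw[0::2]))
    if wide_ascii:
        return "utf-16-le", raw.decode("utf-16-le")
    if raw and all(b in PRINTABLE for b in raw):
        return "ascii", raw.decode("ascii")
    for enc in ("utf-16-le", "utf-8"):
        text = _try(raw, enc)
        # assumption: reject decodes containing control/unassigned characters
        if text is not None and text.isprintable():
            return enc, text
    return "bytes", raw.hex()  # no checksum exists, so keep the raw value

if __name__ == "__main__":
    wide = "Summer24".encode("utf-16-le")
    samples = [(b"Summer24", "alice"), (wide, "alice"),
               ("пароль".encode("utf-16-le"), "bob"),
               (bytes.fromhex("9f3c00d8"), "WS01$"), (bytes.fromhex("00d8ff"), "")]
    print(repr(wide.decode("ascii")))  # NUL between every character
    for raw, user in samples:
        print(raw.hex(), guess_original(raw), guess_checked(raw, user))
```

Any such guess stays ambiguous for short blobs, so the hex of the raw bytes is worth recording next to the decoded text.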