Pypykatz: a Mimikatz Python implementation
Mimikatz is a famous post-exploitation tool written in C by Benjamin Delpy: it allows a local attacker to dump secrets from memory by exploiting Windows single sign-on functionality.
How does Mimikatz work?
Until Windows 10, Microsoft's operating systems by default used a feature called WDigest [3] that loads encrypted passwords into memory, but also loads the secret key to decrypt them: this feature is useful for authenticating large numbers of users on an enterprise or government network, but also allows Mimikatz [1] to dump memory and extract the passwords.
Starting with Windows 8.1, Microsoft made it possible to disable this feature, and it is disabled by default in Windows 10.
However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz [2].
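Because the feature can be switched back on, the switch itself is worth monitoring. The following is an added example, not code from the original post or from the Pypykatz project: it scans Sysmon Event ID 13 (registry value set) records for writes that enable WDigest credential caching. It assumes the events are exported as JSON lines, uses constructed sample data, and relies on the `UseLogonCredential` registry value under the WDigest security provider key, which the page does not name.

```python
import json
import re

# Registry value that controls WDigest credential caching (not named on the page).
# Sysmon reports it under CurrentControlSet; offline hives use ControlSet00N.
WDIGEST_VALUE = re.compile(
    r"\\System\\(CurrentControlSet|ControlSet\d{3})\\Control\\SecurityProviders"
    r"\\WDigest\\UseLogonCredential$",
    re.IGNORECASE,
)
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

# Constructed sample: Sysmon Event ID 13 records as JSON lines (hosts and users are made up).
SAMPLE_EVENTS = r"""
{"EventID": 13, "UtcTime": "2024-01-10 09:14:02.101", "Image": "C:\\Windows\\System32\\reg.exe", "User": "LAB\\admin1", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "UtcTime": "2024-01-10 09:20:45.330", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "UtcTime": "2024-01-10 09:21:10.007", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "UtcTime": "2024-01-10 11:02:59.412", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "LAB\\admin2", "TargetObject": "HKLM\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "TargetObject": "HKLM\\System\\Curr
"""

def wdigest_enable_events(lines):
    """Return Event ID 13 records that switch WDigest credential caching on."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the scan
        if not isinstance(event, dict) or event.get("EventID") != 13:
            continue
        if not WDIGEST_VALUE.search(event.get("TargetObject", "")):
            continue
        match = DWORD.fullmatch(event.get("Details", ""))
        # 0 is the hardened setting; any non-zero write is treated as suspicious here.
        if match and int(match.group(1), 16) != 0:
            hits.append(event)
    return hits

if __name__ == "__main__":
    for e in wdigest_enable_events(SAMPLE_EVENTS.splitlines()):
        print(f'{e["UtcTime"]} WDigest caching enabled by {e["Image"]} ({e["User"]})')
```

A write of 0 to the same value, such as the second sample record, is the hardening direction and is deliberately not reported.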
A "platform independent" mimikatz clone
In the past, I've already talked about a PowerShell clone of Mimikatz, dubbed Mimikittenz, and today I'd like to share a pure Python version, called Pypykatz.
Pypykatz [4] is a Mimikatz implementation, developed and maintained by SkelSec, that runs on all operating systems that support Python >= 3.6.
All Pypykatz commands have a "live" and a normal version: the "live" version works on the live memory of the current system and (obviously) only works on Windows.
The normal commands may process memory dumps and are platform independent.
Prerequisites
- Python>=3.6
- minidump
- minikerberos
- asn1crypto
Installation
Install the prerequisites
pip3 install minidump minikerberos aiowinreg msldap winsspi
Clone this repo
git clone https://github.com/skelsec/pypykatz.git
cd pypykatz
Install it
python3 setup.py install
Documentation
The GitHub repository of the project contains a wiki [5] with good documentation: