Mimikatz is a famous post-exploitation tool written in C by Benjamin Delpy: it allows a local attacker to dump secrets from memory exploiting Windows single sign-on functionality.

How Mimikatz works?

Until Windows 10, Microsoft's OSs by default used a feature called WDigest [3] that loads encrypted passwords into memory, but also loads the secret key to decrypt them: this feature is useful for authenticating large numbers of users on an enterprise or government network, but also allows Mimikatz [1] to dump memory and extracting the passwords.

Starting with Windows 8.1, Microsoft made it possible to disable this feature, and it is disabled by default in Windows 10.
However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz [2].

A "platform independent" mimikatz clone

In the past, i've already talked about about a powershell clone of mimikatz, dubbed Mimikittenz, and today I'd like to share a pure python version, called Pypykatz.

Pypykatz [4] is a Mimikatz implementation, developed and maintained by SkelSec, that runs on all OS's which support python>=3.6.

All Pypykatz' commands have a "live" and a normal version: the "live" version works on the live memory of the current system and (obviously) only works on Windows.
The normal commands may process memory dumps and are platform independent.



Install prerequirements

pip3 install minidump minikerberos aiowinreg msldap winsspi

Clone this repo

git clone https://github.com/skelsec/pypykatz.git
cd pypykatz

Install it

python3 setup.py install


The GitHub repository of the project contains a wiki [5] with a good documentation:

Live commands

Platform-independent commands



  1. mimikatz | Blog de Gentil Kiwi
  2. https://github.com/gentilkiwi/mimikatz
  3. What is Digest Authentication?: Logon and Authentication | Microsoft Docs
  4. https://github.com/skelsec/pypykatz/
  5. https://github.com/skelsec/pypykatz/wiki