Pypykatz: a Mimikatz Python implementation

Mimikatz is a well-known post-exploitation tool, written in C by Benjamin Delpy, that lets a local attacker dump secrets from memory by abusing Windows single sign-on functionality.

How does Mimikatz work?

Until Windows 10, Microsoft's operating systems enabled by default a feature called WDigest [3], which loads encrypted passwords into memory together with the secret key needed to decrypt them. This feature is useful for authenticating large numbers of users on an enterprise or government network, but it also lets Mimikatz [1] dump memory and extract the passwords.

Starting with Windows 8.1, Microsoft made it possible to disable this feature, and it is disabled by default in Windows 10.
However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz [2].
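The two facts above (WDigest can be disabled from Windows 8.1 on, and an administrator can switch it back on) are what a defender audits. The following script is an added example, not code from the original post or from the pypykatz project: it reads the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and interprets it together with the NT version, using the rule that an explicit 1 enables plaintext caching, an explicit 0 disables it, and an absent value means "disabled" on NT 6.3 (Windows 8.1 / Server 2012 R2) and later but "enabled" on older releases. The `assess()` and `parse_nt_version()` helpers are the author's own names and run on any platform; only `read_use_logon_credential()` needs Windows.

```python
"""Audit the WDigest plaintext-credential caching setting (added example).

Interpretation encoded in assess():
  value == 1     -> WDigest keeps logon credentials in LSASS memory (exposed)
  value == 0     -> caching disabled
  value missing  -> OS default: disabled on NT 6.3+ (Windows 8.1 / 2012 R2 and
                    later), enabled on older releases
An explicit 1 on an OS whose default is "disabled" is flagged as suspicious,
because something (a legacy-app GPO or an intruder) had to turn it on.
"""
import platform
import sys
from typing import Dict, Optional, Tuple

# Registry location of the setting (HKLM hive, path relative to it).
WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WDIGEST_VALUE = "UseLogonCredential"

# First NT version on which an absent value means "caching disabled".
FIRST_SAFE_DEFAULT = (6, 3)


def parse_nt_version(version: str) -> Tuple[int, int]:
    """Turn a string like '10.0.19041' or '6.3.9600' into (major, minor)."""
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return major, minor


def assess(value: Optional[int], nt_version: Tuple[int, int]) -> Dict[str, object]:
    """Classify the WDigest state from the registry value and the OS version."""
    default_caches = nt_version < FIRST_SAFE_DEFAULT
    caches = default_caches if value is None else value != 0
    return {
        "caches_plaintext": caches,
        "source": "os_default" if value is None else "explicit",
        # Explicitly enabled on an OS that disables it by default: worth a look.
        "suspicious": value is not None and value != 0 and not default_caches,
    }


def read_use_logon_credential() -> Optional[int]:
    """Read the value from the live registry (Windows only); None if absent."""
    import winreg  # standard library, available only on Windows

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WDIGEST_KEY) as key:
            data, _kind = winreg.QueryValueEx(key, WDIGEST_VALUE)
    except FileNotFoundError:
        # Either the key or the value does not exist: the OS default applies.
        return None
    return int(data)


def report(value: Optional[int], nt_version: Tuple[int, int]) -> str:
    """Human-readable one-line summary used by the command-line entry point."""
    result = assess(value, nt_version)
    state = "EXPOSED" if result["caches_plaintext"] else "protected"
    origin = "OS default" if result["source"] == "os_default" else f"explicit value {value}"
    flag = " [suspicious: explicitly enabled on a safe-by-default OS]" if result["suspicious"] else ""
    return f"WDigest credential caching {state} ({origin}, NT {nt_version[0]}.{nt_version[1]}){flag}"


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This audit reads the Windows registry; run it on the host being checked.")
    # platform.version() returns e.g. '10.0.19041' on a manifested Python 3 build.
    print(report(read_use_logon_credential(), parse_nt_version(platform.version())))
```

The mitigation the post implies is to set UseLogonCredential to 0 explicitly (rather than relying on the absent-value default) and to alert on any change to that value; the script is deliberately read-only so it can be dropped into an inventory or compliance job without side effects.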


A “platform independent” mimikatz clone

In the past I have already written about a PowerShell clone of Mimikatz, dubbed Mimikittenz, and today I'd like to share a pure Python version, called Pypykatz.

Pypykatz [4] is a Mimikatz implementation, developed and maintained by SkelSec, that runs on every OS that supports Python >= 3.6.

All Pypykatz commands have a "live" and a normal version: the "live" version works on the live memory of the current system and (obviously) only runs on Windows.
The normal commands process memory dumps and are platform independent.

Prerequisites

Installation

Install the prerequisites

pip3 install minidump minikerberos aiowinreg msldap winsspi

Clone this repo

git clone https://github.com/skelsec/pypykatz.git
cd pypykatz

Install it

python3 setup.py install

Documentation

The GitHub repository of the project contains a wiki [5] with good documentation, covering:

Live commands

Platform-independent commands

ConnectionString


References

  1. mimikatz | Blog de Gentil Kiwi
  2. https://github.com/gentilkiwi/mimikatz
  3. What is Digest Authentication?: Logon and Authentication | Microsoft Docs
  4. https://github.com/skelsec/pypykatz/
  5. https://github.com/skelsec/pypykatz/wiki
