{"id":13537599,"url":"https://github.com/skelsec/pypykatz","last_synced_at":"2025-10-22T06:29:58.217Z","repository":{"id":37479071,"uuid":"134909880","full_name":"skelsec/pypykatz","owner":"skelsec","description":"Mimikatz implementation in pure Python","archived":false,"fork":false,"pushed_at":"2025-02-22T11:57:47.000Z","size":1033,"stargazers_count":2955,"open_issues_count":36,"forks_count":388,"subscribers_count":70,"default_branch":"main","last_synced_at":"2025-02-22T12:29:23.390Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skelsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-25T22:21:20.000Z","updated_at":"2025-02-22T11:57:52.000Z","dependencies_parsed_at":"2023-02-16T09:01:04.917Z","dependency_job_id":"d25ae910-a605-4b2d-92e0-e35ea9a56651","html_url":"https://github.com/skelsec/pypykatz","commit_stats":{"total_commits":320,"total_committers":19,"mean_commits":"16.842105263157894","dds":"0.17812499999999998","last_synced_commit":"1222aa210745ae66fa4a309f58c701186a4dcd8f"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skelsec%2Fpypykatz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skelsec%2Fpypykatz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skelsec%2Fpypykatz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skelsec%2Fpypykatz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skelsec","download_url":"https://codeload.github.com/skelsec/pypykatz/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246757088,"owners_count":20828825,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:00.909Z","updated_at":"2025-10-22T06:29:58.212Z","avatar_url":"https://github.com/skelsec.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","Python","Python (1887)","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具","Operating Systems"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的","Windows"],"readme":"![Supported Python versions](https://img.shields.io/badge/python-3.7+-blue.svg) [![Twitter](https://img.shields.io/twitter/follow/skelsec?label=skelsec\u0026style=social)](https://twitter.com/intent/follow?screen_name=skelsec)\n\n## :triangular_flag_on_post: Sponsors\n\nIf you like this project, consider purchasing licenses of [OctoPwn](https://octopwn.com/), our full pentesting suite that runs in your browser!  \nFor notifications on new builds/releases and other info, hop on to our [Discord](https://discord.gg/PM8utcNxMS)\n\n# pypykatz\nMimikatz implementation in pure Python. At least a part of it :)  \nRuns on all OS's which support python\u003e=3.6\n![pypy_card](https://user-images.githubusercontent.com/19204702/71646030-221fe200-2ce1-11ea-9e2a-e587ea4790d7.jpg)\n\n## :triangular_flag_on_post: Runs in the browser\n\nThis project, alongside with many other pentester tools runs in the browser with the power of OctoPwn!  \nCheck out the community version at [OctoPwn - Live](https://live.octopwn.com/)\n\n## WIKI\nSince version 0.1.1 the command line changed a little. Worry not, I have an awesome [WIKI](https://github.com/skelsec/pypykatz/wiki) for you.\n\n## Installing\nInstall it via pip or by cloning it from github.  \nThe installer will create a pypykatz executable in the python's Script directory. You can run it from there, should be in your PATH.  \nTake care, that the github master version might fail because I'm layz to do a proper branch for the new versions. I'll try to create a branch of stable version tho.  \n\n### Via PIP\n```\npip3 install pypykatz\n```\n### Via Github\nInstall prerequirements\n```\npip3 install minidump minikerberos aiowinreg msldap winacl\n```\nClone this repo\n```\ngit clone https://github.com/skelsec/pypykatz.git\ncd pypykatz\n```\nInstall it\n```\npython3 setup.py install\n```\n\n## Features\n\n### General\nPlatform idependent - all commands have a \"live\" and a normal version where applicable. The \"live\" version will use the current system and only works on Windows. The normal commands are platform independent.  \nCan be used as a library for your projects.  \n\n### LSASS processing\nCan parse the secrets hidden in the LSASS process. This is just like mimikatz's `sekurlsa::` but with different commands.  \nThe main difference here is that all the parsing logic is separated from the data source, so if you define a new reader object you can basically perform the parsing of LSASS from anywhere.  \n\nCurrently supported data sources:  \n1. live - reads the LSASS porcess' memory directly  \n2. minidump - processes a minidump file created by dumping the LSASS process \n3. rekall (volatility fork) - processes basically ANY windows memory dumps that rekall can parse \n4. pcileech - not supported anymore\n5. remote - this is another project. TBD :)\n6. `your project here` seriously, it's super-simple to integrate.\n\n### Registry processing\nParses the registry hives to obtain stroed credentials, like NT and LM hashes, domain cached credentials (DCC/DCC2) and LSA secrets.\n\nCurrently supported data sources: \n1. live - has two techniques to parse live registry. First it's in-memory doesn't touch disk, the second is dumping the hives and parsing them with the offline parser \n2. offline (hive files)  \n3. `your project here` seriously, it's super-simple to integrate.\n\n### DPAPI functions - MASTERKEY/BLOB/VAULT/CREDENTIAL\nDPAPI is the protector of local secrets of many kinds. Currently the project supports decrypting masterkeys, dpapi blobs, credential files, vault files.  \nThe results are not 100% correct, as there is not much documentation on most of these things. PR is always welcomed!\n\nCurrently supported data sources: \n1. live - obtains masterkeys directly from LSASS -OR- the user/machine keys from live registry and decrypts the masterkeyfile. \n2. hive files (offline)- the user/machine keys from live registry and decrypts the masterkeyfile  \n3. valid credentials (offline) - can decrypt masterkey files by letting you type in the correct SID and password.\n4. `pls don't integrate this part to your project, it's beta`\n\n### Impersonating users\nCan spawn a new process as any user who has a process running on the machine.  \nCan assign any available token of choise to your thread  \nThis is just a basic stuff really. Reson is there that I hate to constanly use psexec to get a system shell from admin...  \n\n### other stuff\nyeah... check the code. it has comments and stuff...  \n\n### Rekall command options \n#### Timestamp override\nReason for this parameter to exist: In order to choose the correct structure for parsing we need the timestamp info of the msv dll file. Rekall sadly doesnt always have this info for some reason, therefore the parsing may be failing.  \nIf the parsing is failing this could solve the issue.  \n  \nParameter: ```-t```  \nValues: ```0``` or ```1```  \nExample:  \n```\npypykatz.py rekall \u003cmomeory_dump_file\u003e -t 0\n```  \n\n## Rekall usage\nThere are two ways to use rekall-based memory parsing.  \n### Via the ```pypykatz rekall``` command\nYou will need to specify the memory file to parse.  \n  \n### Via rekall command line\nIMPORTANT NOTICES: \n1. If you are just now deciding to install ```rekall``` please note: it MUST be run in a virtualenv, and you will need to install pypykatz in the same virtualenv!  \n2. rekall command line is not suitable to show all information acquired from the memory, you should use the ```out_file``` and ```kerberos_dir``` command switches!     \n   \nYou can find a rekall plugin file named ```pypykatz_rekall.py``` in the ```plugins``` folder of pypykatz.  \nYou will need to copy it in rekall's ```plugins/windows``` folder, and rename it to ```pypykatz.py```.  \nAfter this modify the ```__init__.py``` file located the same folder and add the following line at the end: ```from rekall.plugins.windows import pypykatz```  \nIf everything is okay you can use the ```pypykatz``` command from the ```rekall``` command line directly.\n\n# HELP WANTED\nIf you want to help me getting this project into a stable release you can send mindiumps of the lsass.exe process to the following link: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA\nIMPORTANT: please *DO NOT* send dumps of your own machine's lsass process!!! I will be able to see your secrets including hashes/passwords! Send dump files from machines like virtual test systems on which you don't mind that someone will see the credentials. (if you have a test domain system where kerberos is set up that would be the best)  \nAlso I'd apprechiate if you wouldn't spam me...  \n### Why do I need these dumps files?\nIn order to create mimikatz in Python one would have to create structure definitions of a gazillion different structures (check the original code) without the help of the build-in parser that you'd naturally get from using a native compiler. Now, the problem is that even a single byte misalignemt will render the parsing of these structures run to an error. Problem is mostly revolving around 32 - 64 aligments, so 32 bit Windows version lsass dumps are apprechiated as well!  \n### Summary\nI need data I can verify the code on and administer necessary changes on the parsers until everything works fine.  \nSubmitting issues on this github page wouldn't help at all without the actual file and github wouldn't like 40-300Mb file attachments.\n\n## Prerequisites\nMost of my big python projects are aiming for maximum protability, meaning I only use 3rd party packages where absolutely necessary. \nAs of this point three additional packages are used, and I intend to keep it this way.\n\nPython\u003e=3.6  \n[minidump](https://github.com/skelsec/minidump)  \n[minikerberos](https://github.com/skelsec/minikerberos)  \n[asn1crypto](https://github.com/wbond/asn1crypto)  \n\n## Kudos\nBenjamin DELPY @gentilkiwi for [Mimikatz](https://github.com/gentilkiwi/mimikatz)  \nFrancesco Picasso for the [mimikatz.py plugin for volatility](https://raw.githubusercontent.com/sans-dfir/sift-files/master/volatility/mimikatz.py)  \nAlberto Solino (@agsolino) for [impacket](https://github.com/SecureAuthCorp/impacket)\n  \n### Crypto\nRichard Moore for the [AES module](https://github.com/ricmoo/pyaes/blob/master/pyaes/aes.py)  \nTodd Whiteman for teh [DES module](http://twhiteman.netfirms.com/des.html)  \n  \n### Utils\nDavid Buxton for the timestamp conversion script  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskelsec%2Fpypykatz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskelsec%2Fpypykatz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskelsec%2Fpypykatz/lists"}