Open yellephen opened 8 months ago
Mind providing a bit more information?
My initial guess is that the dump file was corrupted during transport. If it is less than roughly 40 or 50 MB, this is probably the case. Also, check the file signature. If it doesn't say Microsoft minidump or something similar, this is another indication the file is corrupted.
pypykatz does pull out some information from the file so parts of the file must be ok.
INFO:pypykatz:Parsing file eviltwin.bin
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.9
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2016 Technical Preview
INFO:pypykatz:BuildNumber: 17763
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 0
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file eviltwin.bin
Having trouble reproducing the issue, although I've come to the conclusion Mimikatz and Pypykatz are simply having trouble with the ModuleList Stream. Whether that be due to not being able to find the Stream in the first place or due to not finding lsasrv.dll or some other module within it, I do not know.
Not sure what your function to save locally looks like, but you can keep the temporary dump file on-disk by commenting out (or outright removing) this block (lines 254 to 259) in EvilLsassTwin.nim:
# 13 = FileDispositionInformation: marks the temporary dump file for deletion when the handle closes
status = NtSetInformationFile(outFile, addr IoStatusBlock, addr fileDI, cast[ULONG](sizeof(fileDI)), 13)
if NT_SUCCESS(status) == false:
    echo "[-] NtSetInformationFile Failed! Error: ", toHex($status)
    quit(1)
If twin.txt still cannot be parsed, something very strange is occurring.
Dumped the LSASS of a Windows Server 2016 which had PPL enabled. The dump was created successfully and transferred to the EvilTwinServer. However, neither mimikatz nor pypykatz could extract the secrets from the .dmp file. Both threw errors. A lot of python errors for pypykatz, and mimikatz gave "ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations"