skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License
2.77k stars 367 forks source link

Windows7 lsass.DMP under Pypykatz 069 #149

Open sudo-joe opened 5 months ago

sudo-joe commented 5 months ago

Hello dumped lsass with taskmgr as admin on a Windows7.

[The file is located at:] [c:\Users\test\App Data\Local\Temp\lsass.DMP]

pypykatz lsa minidumd lsass.DMP

Surprisingly the output shows only the hash of one Windows7 user (the one i am mostly using) and it's password in cleartext The other Windows7 users are not listed.

If I am using ' pypykatz registry....´ all Windows users are listed...

Question: Any idea why Pypykatz 069 does only list one user?

Thanks a lot in advance for any feedback!

PS: No idea why the lsass.DMP is writtern to user test [c:\Users\test\App Data\Local\Temp\lsass.DMP] and not to user Admin..... since I logged into Windows as Admin

skelsec commented 4 months ago

I believe you're expecting the same information to be acquired from the registry and form the lsass but those are two different things which while do have some relation with one another ultimately don't store the same information.