skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

pypykatz live lsa does not work on windows 10 1803, and windows 8.1 #37

Closed zur250 closed 4 years ago

zur250 commented 4 years ago

Hi, I tried using pypykatz on different Windows OS versions and builds. On both Windows 10 1803 and Windows 8.1 9600 I am getting the following stack trace when running pypykatz live lsa:

    Traceback (most recent call last):
      File "pypykatz-script.py", line 11, in
        load_entry_point('pypykatz==0.3.0', 'console_scripts', 'pypykatz')()
      File "pypykatz-0.3.0-py3.7.egg\pypykatz__main__.py", line 131, in main
      File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 49, in execute
      File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 147, in run_live
      File "pypykatz-0.3.0-py3.7.egg\pypykatz\lsadecryptor\cmdhelper.py", line 85, in process_results
    AttributeError: 'Namespace' object has no attribute 'grep'

Looking at the NT6 parser and comparing it against mimikatz, I found that for every Windows 10 64-bit under 1809 the following values should be applied:

    key_pattern = LSADecyptorKeyPattern()

    #key_pattern.signature = b'\x83\x64\x24\x30\x00\x48\x8d\x45\xe0\x44\x8b\x4d\xd8\x48\x8d\x15'
    #key_pattern.IV_length = 16
    #key_pattern.offset_to_IV_ptr = 61
    #key_pattern.offset_to_DES_key_ptr = -73
    #key_pattern.offset_to_AES_key_ptr = 16
    #
    #template.key_pattern = key_pattern
    #template.key_struct = KIWI_BCRYPT_KEY81
    #template.key_handle_struct = KIWI_BCRYPT_HANDLE_KEY

In addition, I found that for Windows 8.1 the following values should be applied:

    self.key_pattern = LSADecyptorKeyPattern()
    self.key_pattern.signature = b'\x83\x64\x24\x30\x00\x44\x8b\x4d\xd8\x48\x8b\x0d'
    self.key_pattern.IV_length = 16
    self.key_pattern.offset_to_IV_ptr = 62
    self.key_pattern.offset_to_DES_key_ptr = -70
    self.key_pattern.offset_to_AES_key_ptr = 23

    self.key_struct = KIWI_BCRYPT_KEY81
    self.key_handle_struct = KIWI_BCRYPT_HANDLE_KEY

Can you assist with the error?

Thanks for the help!

skelsec commented 4 years ago

AttributeError: 'Namespace' object has no attribute 'grep' indicates something is wrong with the command line arguments, not the parsing of the structures.
I see a problem in the live parsing: I forgot to add the --grep cmd line switch, will create a new version soon for that. Please try the dumping without the --grep switch until then. Or create a dumpfile and parse it offline, then you'll have a --grep switch working.

skelsec commented 4 years ago

closing this for no reply