skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

show password as hex but mimikatz show cleartext #66

Closed Havivw closed 3 years ago

Havivw commented 3 years ago
    from pypykatz.pypykatz import pypykatz
    dump = pypykatz.parse_minidump_file(lsass_path)   # lsass_path: path to the lsass.exe minidump
    for luid, logon in dump.logon_sessions.items():    # logon_sessions is keyed by LUID
        print(logon)

    == SSP [894a]==
        username xxx
        domainname xxx
        password b'\xa7\xae\xc7\xd8\xdb\x9d\x94o\x01\xfeY\xb1\x07H\x8c\xe5\xe7\x97\xdbm\xb1l\xfc\xce\xd3:\xb9\xe7kUd\x98B\x7f!\x19h\x116i\x01&\xe4\xc1'

kildonan5 commented 3 years ago

Also seeing this issue after running parse minidump file, and printing the output.

E.g. output from mimikatz (with some redactions)

    Authentication Id : 0 ; 1607729 (00000000:00188831)
    Session           : Interactive from 1
    User Name         : joey
    Domain            : CASTLE
    Logon Server      : (null)
    Logon Time        : 1/27/2021 7:36:51 AM
    SID               : [redacted]
            msv :
             [00000003] Primary
             * Username   : joey
             * Domain     : CASTLE
             * NTLM       : [redacted]
             * DPAPI      : [redacted]
            tspkg :
            wdigest :
             * Username   : joey
             * Domain     : CASTLE
             * Password   : (null)
            kerberos :
             * Username   : joey
             * Domain     : CASTLE
             * Password   : (null)
             * Smartcard PIN code : [redacted]
             * Card       :
               Reader     :
               Container  : [redacted]
               Provider   : Microsoft Passport Key Storage Provider
            ssp :
             [00000000]
             * Username   : superjoey
             * Domain     : CASTLE
             * Password   : =j~oeys1s@@perPass
             [00000001]
             * Username   : joey
             * Domain     : CASTLE
             * Password   : joeyisAlame00boy

Output from the same auth session from pypykatz parse minidump

    == SSP [188831]==
            username CASTLE
            domainname superjoey
            password b'\xab\x9f[redacted]'
    == SSP [188831]==
            username CASTLE
            domainname joey
            password b'\xe5\x8f[redacted]'

Based on the fact that the username and domainname are in the wrong place, I'm guessing this is just a simple index mistake and password is pointing to something that is not in fact the password in the parse?

Also, I noticed it does not parse H4B PINs currently, e.g. mimikatz shows

            kerberos :
             * Username   : superjoey
             * Domain     : CASTLE
             * Password   : (null)
             * Smartcard PIN code : joeyssupersecretPin!
             * Card       : Identity Device (Microsoft Generic Profile)
               Reader     : Windows Hello for Business 2

Whereas the same LogonSession in pypykatz parse does not have the 'smartcard' section/H4B pin. I'm guessing this is a feature not implemented (yet)?
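
The two symptoms reported in this thread (the SSP entry's username and domainname coming out in the wrong order, and the password coming back as raw bytes that do not look like text) can be triaged without re-running the dump. The script below is an added example, not code from this thread or from pypykatz: it uses small dataclasses as a stand-in for the session objects that `pypykatz.parse_minidump_file(path).logon_sessions` would return, constructs one session shaped like the output quoted above, and (a) swaps the two name fields back when the entry's `username` equals the session-level domain while its `domainname` does not (a heuristic of my own, not pypykatz behaviour), and (b) tries to decode a bytes password as UTF-16LE, which is how LSASS stores credential strings, so bytes that fail to decode are flagged as probably read from the wrong offset rather than being a cleartext password. The first sample password is a UTF-16LE encoding of the string from the mimikatz output above, included only to exercise the decoder; the second is the undecodable byte string from the first report.

```python
# Added example (not pypykatz's own code): normalise SSP entries from an older
# pypykatz parse showing the symptoms reported in this issue (user/domain
# swapped, password returned as raw bytes). Real objects would come from
# pypykatz.parse_minidump_file(path).logon_sessions; the dataclasses below are
# a stand-in so this runs offline, and SAMPLE is constructed data.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SspCred:
    username: str
    domainname: str
    password: object        # str when parsed correctly, bytes on the misparse


@dataclass
class LogonSession:
    luid: int
    username: str           # session-level user (mimikatz "User Name")
    domainname: str         # session-level domain (mimikatz "Domain")
    ssp_creds: List[SspCred] = field(default_factory=list)


def decode_password(raw) -> Tuple[Optional[str], bool]:
    """Return (value, trusted). LSASS keeps credential strings as UTF-16LE,
    so bytes that do not decode as UTF-16LE were almost certainly read from
    the wrong offset and are reported as hex with trusted=False."""
    if isinstance(raw, str):
        return raw, True
    if isinstance(raw, (bytes, bytearray)):
        try:
            return bytes(raw).decode("utf-16-le").rstrip("\x00"), True
        except UnicodeDecodeError:
            return bytes(raw).hex(), False
    return None, False


def normalize_ssp(session: LogonSession) -> List[dict]:
    """Undo the user/domain swap and flag untrustworthy passwords.
    Heuristic (an assumption, not pypykatz behaviour): if an entry's
    'username' equals the session's domain and its 'domainname' does not,
    the two fields were emitted in the wrong order and are swapped back."""
    out = []
    for cred in session.ssp_creds:
        user, domain = cred.username, cred.domainname
        swapped = user == session.domainname and domain != session.domainname
        if swapped:
            user, domain = domain, user
        value, trusted = decode_password(cred.password)
        out.append({
            "luid": f"{session.luid:x}",
            "username": user,
            "domainname": domain,
            "password": value,
            "password_trusted": trusted,
            "fields_swapped": swapped,
        })
    return out


# Constructed sample shaped like the pypykatz output quoted in the thread.
SAMPLE = LogonSession(
    luid=0x188831, username="joey", domainname="CASTLE",
    ssp_creds=[
        # UTF-16LE encoding of the cleartext mimikatz printed, to exercise the decoder
        SspCred("CASTLE", "superjoey", "=j~oeys1s@@perPass".encode("utf-16-le")),
        # the byte string from the first report; not valid UTF-16LE (unpaired surrogate)
        SspCred("CASTLE", "joey",
                b'\xa7\xae\xc7\xd8\xdb\x9d\x94o\x01\xfeY\xb1\x07H\x8c\xe5\xe7\x97'
                b'\xdbm\xb1l\xfc\xce\xd3:\xb9\xe7kUd\x98B\x7f!\x19h\x116i\x01&\xe4\xc1'),
    ],
)

if __name__ == "__main__":
    for entry in normalize_ssp(SAMPLE):
        flag = "" if entry["password_trusted"] else "  <-- not UTF-16LE text, likely misparsed"
        print(f"== SSP [{entry['luid']}] == {entry['domainname']}\\{entry['username']} "
              f"password={entry['password']!r}{flag}")
```

Run against a real parse by replacing `SAMPLE` with each value of `dump.logon_sessions` and pointing `ssp_creds` at its SSP entries; entries marked `password_trusted=False` are the ones worth comparing against mimikatz on the same dump rather than treating as credentials.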

skelsec commented 3 years ago

I'm aware of the issues with SSPI parsing, but please keep sending this info (preferably with the dump file) so I can track it down. This is actually a long-running problem with the SSPI parsing in pypykatz and I'm looking into it from time to time. Will write updates here if any. @kildonan5 the PIN parsing is not implemented as I have never encountered it before and no one has sent test dumps so far, so I can't look into that.

kildonan5 commented 3 years ago

Ah unfortunately I can't share this dump but I'll keep it in mind for the future. Did you see my note about the username/domain/possible index swap? I tried to find in the code where this assignment and/or parsing is done but didn't have luck in my brief search.

skelsec commented 3 years ago

Yes, I saw it. Now the problem is that it has already been swapped once, per a user request, because on some build versions it's different than on others. And the strange part is that it's always about SSPI.

skelsec commented 3 years ago

Okay, I had some time to work on this. The issue is considered fixed in version 0.4.2 (just published). It fixes the SSPI password issue, the Kerberos PIN parsing issue and the user/domain mix-up. The latter, however, I'm sure will come back.

skelsec commented 3 years ago

This is considered solved, in case of errors please open a new issue.