
Issue when executing "pypykatz lsa minidump lsass.DMP"

Open RomanY467 opened this issue 1 year ago • 4 comments

When attempting to parse credentials from the "lsass.DMP" memory dump file using the command "pypykatz lsa minidump lsass.DMP", the pypykatz tool appears to have a memory leak issue. It keeps consuming more and more memory without parsing any credentials. This problem persists even after waiting for an extended period of time. However, parsing the same dump file using Mimikatz works fine. Same problem on Kali Linux through VM.

Environment: MacBook Air M1 8GB RAM
Operating System: macOS Ventura 13.2
Python version: 3.11.2
pypykatz version: 0.6.6

RomanY467, Mar 31 '23 05:03

Hello, I have not yet encountered this issue myself, if you could share a minidump file with me which would help reproducing this issue it might help solving the problem.
Another test case that you could perform is: can you try running the same command on the same dumpfile but on a PC? Or a Mac that is not using ARM? Reason I'm asking is that there has been already an issue submitted with the cryptography library on M1s which potentially (not likely but who knows) could cause issues.

skelsec, Apr 30 '23 08:04

lsass.DMP.zip

> Hello, I have not yet encountered this issue myself, if you could share a minidump file with me which would help reproducing this issue it might help solving the problem. Another test case that you could perform is: can you try running the same command on the same dumpfile but on a PC? Or a Mac that is not using ARM? Reason I'm asking is that there has been already an issue submitted with the cryptography library on M1s which potentially (not likely but who knows) could cause issues.

I used this minidump and extracted credentials using Mimikatz without encountering any issues.

RomanY467, May 31 '23 19:05

Thanks for the dump. This is super-interesting! It seems that it's not a pypykatz but rather a minidump issue. No worries, I'm also the author of that one :) Will come back soon with a solution. Side note: mimikatz uses Windows' built-in parser for minidump files so obviously it doesn't have a problem with these.

skelsec, May 31 '23 19:05

> Thanks for the dump. This is super-interesting! It seems that it's not a pypykatz but rather a minidump issue. No worries, I'm also the author of that one :) Will come back soon with a solution. Side note: mimikatz uses Windows' built-in parser for minidump files so obviously it doesn't have a problem with these.

I've also discovered this issue when utilizing pypykatz on my Kali Linux VM. It cooks for a few minutes with about 20% memory usage and then skyrockets to 100% and promptly crashes the VM. Have you discovered the cause of this or a means to work around this issue?

aparker4j, Apr 01 '24 13:04