Used the following command on Kali Linux 'pypykatz lsa minidump lsass.DMP' (collected with the Windows 10 Task Manager as Admin):
but get the following error message:
Am I doing something wrong?
Thanks for your help!
└─$ pypykatz lsa minidump lsass.DMP
INFO:root:Parsing file lsass.DMP
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.4.9
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 4168883897
INFO:pypykatz:===== BASIC INFO END =====
ERROR:root:Error while parsing file lsass.DMP
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
self.iv = self.get_IV(sigpos)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 58, in get_IV
self.reader.move(ptr_iv)
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd571c8e58 is not in process memory space
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 230, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 150, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 146, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
self.iv = self.get_IV(sigpos)
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 58, in get_IV
self.reader.move(ptr_iv)
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd571c8e58 is not in process memory space
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 230, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 150, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 146, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
The error you are receiving is likely related to a parsing error by pypykatz. Judging by the version of Windows from your dump (Build 22621 aka. Windows 11), pypykatz cannot parse the dump since the correct signature and offsets for the AES and TDES keys in the LSASS dump have changed in that version of Windows.
I was facing a similar issue, but I found success when updating pypykatz to version 6.8 for dumps from Windows 11. Try updating to 6.8 and parsing again?
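A simplified model of the failure shown in the traceback (signature located, pointer followed, resulting address outside the captured memory ranges), added here as an example and not pypykatz code. The addresses, signature bytes, offsets and the names `SegmentReader`, `build_reader` and `resolve_iv` are constructed for illustration.

```python
import struct

CODE_BASE, DATA_BASE = 0x7ffd00001000, 0x7ffd00003000  # constructed addresses
SIGNATURE = b"\xaa\xbb\xcc\xdd"                        # constructed, not a real signature
IV = bytes(range(16))                                  # constructed 16-byte value

class SegmentReader:
    """Toy dump reader: only the captured (base, bytes) ranges are addressable."""
    def __init__(self, segments):
        self.segments = segments

    def read(self, address, size):
        for base, data in self.segments:
            if base <= address and address + size <= base + len(data):
                return bytes(data[address - base:address - base + size])
        raise LookupError("Memory address 0x%08x is not in process memory space" % address)

    def find(self, pattern):
        for base, data in self.segments:
            pos = data.find(pattern)
            if pos != -1:
                return base + pos
        raise LookupError("signature not found")

def build_reader():
    """Code segment: signature at +0x10, 32-bit relative displacement at signature+8."""
    code = bytearray(b"\x90" * 0x40)
    code[0x10:0x14] = SIGNATURE
    field = CODE_BASE + 0x18
    code[0x18:0x1c] = struct.pack("<i", (DATA_BASE + 0x20) - (field + 4))
    data = bytearray(0x40)
    data[0x20:0x30] = IV
    return SegmentReader([(CODE_BASE, code), (DATA_BASE, data)])

def resolve_iv(reader, rel_offset):
    """Find the signature, follow the displacement stored rel_offset bytes after it."""
    field = reader.find(SIGNATURE) + rel_offset
    disp = struct.unpack("<i", reader.read(field, 4))[0]
    return reader.read(field + 4 + disp, 16)

def demo():
    reader = build_reader()
    ok = resolve_iv(reader, 8)           # offset matching this layout
    try:
        resolve_iv(reader, 4)            # stale offset from an older layout
        err = None
    except LookupError as exc:
        err = str(exc)
    return ok, err

if __name__ == "__main__":
    print(demo())
```

With the stale offset the signature is still found, but the bytes read as a displacement are unrelated code, so the computed address falls outside every captured segment and the read fails with the same message as in the issue.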
After updating Pypykatz to version 6.8 it looks much better, but surprisingly the entire TSPKG-section (just after Kerberos) with the password is missing.