Rubby2001/gokatz

gokatz

Go port of pypykatz — extract credentials from Windows LSASS minidump files. Pure Go, cross-platform, zero runtime dependencies beyond the standard library.

Usage

# Build
go build -o gokatz ./cmd/gokatz/

# Run
./gokatz lsa minidump <lsass.dmp>
./gokatz lsa minidump --json <lsass.dmp>
./gokatz lsa minidump --grep <lsass.dmp>
./gokatz version

What it extracts

Package   Data
MSV       NTLM hash, LM hash, SHA1 hash, DPAPI masterkey per logon session
WDigest   Plaintext passwords (when available)
Kerberos  Username, domain, encrypted password from kerberos.dll
DPAPI     Decrypted masterkeys + SHA1 hashes from LSASS memory
CredMan   Credential Manager stored passwords (e.g. saved RDP credentials)

Output formats

Text (default)

== LogonSession ==
authentication_id 244996 (3bd04)
session_id 1
username Test
domainname DESKTOP-J7IL7FN
logon_server DESKTOP-J7IL7FN
logon_time 2026-05-11T01:24:16.414357+00:00
sid S-1-5-21-1404447191-537076994-3776410207-1001
luid 244996
    == MSV ==
        Username: Test
        Domain: DESKTOP-J7IL7FN
        NT: 4e57a713ddb51247e7fce18de6daa896
        SHA1: adad64a16af0d8a2b5924d1e397522f5dd8d47b4
        DPAPI: adad64a16af0d8a2b5924d1e397522f5dd8d47b4
    == WDIGEST [3bd04]==
        username Test
        domainname DESKTOP-J7IL7FN
        password None
    == Kerberos ==
        Username: Test
        Domain: DESKTOP-J7IL7FN
    == CREDMAN [3bd04]==
        luid 244996
        username administrator
        domain 192.168.0.69
        password 1q2w3e4r
    == DPAPI [3bd04]==
        luid 244996
        key_guid 6a68d489-e6dd-4325-a85b-43bf1f0961d9
        masterkey 1b0c3e5ead358bc31aff16908c3f51ee759423c2d482342df3c02994522ff588a0b0d42b48819a91434692abc9b00ddb432d71e31f0212a5c7be750da2b5e57a
        sha1_masterkey a755fa5c92b5bbba8320b61749374d7eac7280d8

JSON

./gokatz lsa minidump --json lsass.dmp | jq

Architecture

cmd/gokatz/main.go           CLI entry point
pkg/
  minidump/                  .dmp file parser (header, streams, memory segments, VA→file reader)
  wintypes/                  Windows data types (LSA_UNICODE_STRING, SID, LUID, BytesReader)
  lsass/
    types/                   SystemInfo, templates per Windows build, filetime conversion
    core/                    LSA key extraction & decryption (AES-128-CFB, 3DES-CBC)
    packages/
      msv/                   MSV credential decryption + Credential Manager
      wdigest/               WDigest credential decryption
      kerberos/              Kerberos logon session extraction
      dpapi/                 DPAPI masterkey extraction
    gokatz.go                Orchestrator: ParseMinidump → LSA keys → packages → output
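
The first stage in the layout above, the minidump reader, starts from the fixed MINIDUMP_HEADER and its stream directory. The following is an added example, not gokatz's own code: it parses that header from a constructed in-memory sample and bounds-checks the directory offsets, which is also a quick way to confirm during triage whether a file found on disk is a minidump at all. The names header, dirEntry, ListStreams and sampleDump are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// header mirrors the on-disk MINIDUMP_HEADER (32 bytes, little-endian).
type header struct {
	Signature, Version, NumStreams, DirRVA, CheckSum, TimeDateStamp uint32
	Flags                                                            uint64
}

// dirEntry mirrors MINIDUMP_DIRECTORY; Type 4 = ModuleList, 5 = MemoryList, 7 = SystemInfo, 9 = Memory64List.
type dirEntry struct{ Type, Size, RVA uint32 }

// ListStreams checks the "MDMP" signature and returns the stream directory.
func ListStreams(dump []byte) ([]dirEntry, error) {
	var h header
	if err := binary.Read(bytes.NewReader(dump), binary.LittleEndian, &h); err != nil {
		return nil, fmt.Errorf("short header: %w", err)
	}
	if h.Signature != 0x504D444D { // "MDMP" read as a little-endian uint32
		return nil, errors.New("not a minidump")
	}
	// Offsets come from an untrusted file: bounds-check in 64 bits before slicing.
	end := uint64(h.DirRVA) + uint64(h.NumStreams)*12
	if end > uint64(len(dump)) {
		return nil, errors.New("stream directory out of bounds")
	}
	entries := make([]dirEntry, h.NumStreams)
	err := binary.Read(bytes.NewReader(dump[h.DirRVA:end]), binary.LittleEndian, entries)
	return entries, err
}

// sampleDump builds a constructed header with two empty streams (no real LSASS data).
func sampleDump() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, header{Signature: 0x504D444D, Version: 0xA793, NumStreams: 2, DirRVA: 32})
	binary.Write(&b, binary.LittleEndian, []dirEntry{{7, 0, 56}, {4, 0, 56}})
	return b.Bytes()
}

func main() {
	entries, err := ListStreams(sampleDump())
	fmt.Printf("streams=%+v err=%v\n", entries, err)
}
```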

Implementation status

Feature                                               Status
Minidump reader (header, streams, memory mapping)
LSA key extraction (NT6 AES-CFB / TDES-CBC)
MSV (NTLM, SHA1, DPAPI hashes)
WDigest (plaintext passwords)
Kerberos (logon session info)
DPAPI (masterkeys from LSASS)
CredMan (Credential Manager)
LogonSession (username, domain, SID, logon_time)
SID parsing (S-1-5-21-...)
Multiple logon sessions (circular linked-list walk)
JSON / grep output
NT5 (XP/2003) DESX decryption
x86 (32-bit) full support                             Partial
SSP, TSPKG, LiveSSP, CloudAP

Dependencies

Only Go standard library + golang.org/x/crypto (for PBKDF2, MD4).

go mod tidy
go build -o gokatz ./cmd/gokatz/

License

MIT
