The Ultimate Post-Exploitation Credential Extraction Suite Powered by pypykatz, lsassy, DonPAPI, and impacket — unified into a single, portable executable.
DonLsassKatz is a powerful, all-in-one Python utility designed for Red Teamers, Pentesters, and Security Auditors. It bridges the capabilities of three major post-exploitation forensic tools—pypykatz, lsassy, and DonPAPI—into a unified, fully autonomous, interactive command-line interface with a sleek Zeta aesthetic visual design.
No Installation Required!
DonLsassKatz features a Self-Installing Dependency Engine. It operates completely autonomously and does not rely on local source code folders (e.g., pypykatz-main, lsassy-master, or DonPAPI-main). You can delete those folders! The script will automatically fetch and manage official dependencies directly via pip on the target machine when needed.
DonLsassKatz includes 8 powerful new utility modules and 3 core extraction engines that maximize your operational potential during an engagement:
-
Local System (
pypykatz):- Parse Minidump files (
.dmp) and ZipDumps (.zip) locally. - Perform live LSASS extraction (
SeDebugPrivilegerequired), including stealthier handle-dup methods. - Decrypt DPAPI masterkeys and blobs offline.
- Parse Windows Offline Registry hives (SYSTEM, SAM, SECURITY, SOFTWARE).
- Parse Minidump files (
-
Remote Extractor (
lsassy):- Extract LSASS remotely over SMB using 17 different dump methods (e.g.,
comsvcs,procdump,nanodump,EDRSandBlast...). - Employs 5 stealth execution methods (
wmi,task,mmc,smb,smb_stealth). - Supports multi-targeting, parse-only modes, and Kerberos Ticket (Pass-the-Ticket / Pass-the-Hash) authentications.
- Extract LSASS remotely over SMB using 17 different dump methods (e.g.,
-
Remote Harvester (
DonPAPI):- Over 21 built-in collectors extracting credentials from Browsers (Chromium, Firefox), WiFi profiles, SSH keys, MobaXTerm, RDCManager, Certificates, VNC, SCCM, and more.
- Can retrieve Windows Domain Backup Keys (
--fetch-pvk) for enterprise-wide decryption. - Includes a built-in searchable Web GUI for collected loot.
- Secretsdump (
impacket): Standardized SAM, LSA, and full NTDS.dit extraction directly from Domain Controllers over SMB. - Port 445 Scanner: A fast network pre-scanner. Avoids locking up attacks by identifying alive SMB targets before initiating full remote extraction or harvesting.
- Automated Pivoting: Seamlessly map successfully extracted active credentials to attack a new batch of targets instantly without leaving the tool.
- Credential Deduplication: Global credential store automatically flags and aggregates duplicates across different targets and methods, highlighting cleartext vs NT Hashes.
- Hashcat & John Exports: One-click formatting and export of harvested data specifically optimized for offline cracking arrays (
-m 1000structure for Hashcat, standarduser:hashfor John). - HTML Intelligence Reports: Generate styled, easily readable local HTML tables of the entire credential database for fast auditing and client handovers.
- Session Logging: Detailed, timestamped operational logging saved iteratively per session to track execution flows silently.
- Persistent Configuration: Modify and save default tool behaviors (e.g., preferred stealth methods, threads, timeouts) to a JSON file (
~/.donlsasskatz.json) to persist across sessions.
Simply execute the script to start the interactive, Zeta-styled CLI dashboard:
python DonLsassKatz.pyFor operators looking to bypass the interactive menus, the tool supports direct shell commands:
Extracting remotely:
python DonLsassKatz.py remote -t 192.168.1.10 -u Administrator -p Password123 -m procdumpHarvesting local network via Pass-the-hash:
python DonLsassKatz.py harvest -t 10.0.0.0/24 -u admin -H :<NTHASH> -c Chromium,Wifi,VaultsDumping SAM/LSA/NTDS on a DC:
python DonLsassKatz.py secretsdump -t dc01.corp.local -u DA_admin -p Winter2026! --ntdsOffline registry parser:
python DonLsassKatz.py local --registry SYSTEM SAM SECURITY- Python 3.9+
- Active Internet connection for initial dependency resolution (the auto-installer only operates the first time an uninstalled module is requested).
- If operating in restricted environments, run option
[D]in the Main Menu on an internet-connected machine to pre-cache requirements.
For Educational and Authorized Auditing Purposes ONLY. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. Only use on authorized systems and networks.