Recovering Passwords From Hibernated Windows Machines
A friend of mine recently asked if I could help them by recovering passwords from an old Windows laptop. Nothing nefarious here, just a common scenario we’ve all been in before: they hadn’t used the system in quite some time and couldn’t recall the password to log in.
As many of you know, this is a trivial problem to solve provided the laptop is not using disk-level encryption, which in my friend’s case it was not. I naturally felt like a white knight and told them to “bring it over to my house, I’ll have it unlocked in no time.”
Booting The Laptop Into Kali Linux
First of all, for those of you who don’t know, it’s extremely simple to create a bootable USB drive loaded with Kali Linux, and that makes recovering passwords from Windows systems a breeze. That’s exactly what I did for this project. I’d be happy to write a simple guide explaining how to do this, so let me know in the comment section if that’s something you would like to see. After booting the laptop into Kali, we simply open a terminal and list the attached storage devices with the following command:
root@kali:~# fdisk -l
This showed me that the Windows operating system was installed on “/dev/sda3”. At this point I would typically mount the Windows partition with write access and perform the age-old Sticky Keys Backdoor technique to recover the Windows password.
root@kali:~# mkdir windows
root@kali:~# mount -t ntfs -o rw /dev/sda3 windows/
Unfortunately, here’s where things started to get a little difficult. As luck would have it, I couldn’t mount the drive with ‘rw’ permissions, which is required in order to pull off the Sticky Keys Backdoor. Here is the error message I received:
Windows is hibernated, refused to mount.
The disk contains an unclean filesystem (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an unsafe state.
Please resume and shutdown Windows fully (no hibernation or fast restarting.)
Enter hiberfil.sys
I’ll spare you the long explanation, but feel free to visit this link for additional details. The CliffsNotes version goes like this: my friend hadn’t shut down the laptop properly, so Windows entered hibernation mode. Hibernation mode creates the hiberfil.sys file, which prevents Linux from mounting the drive with write permissions. Never fear, the solution is quite simple.
Using Ntfsfix and Ntfs-3g
After a bit of frustration and a lot of Googling around, I eventually found that recovering passwords after removing the hiberfil.sys file is not difficult at all. You just have to use the following commands to mount the drive. Start with ntfsfix; as the output below shows, it repairs the volume flags but still refuses to remount a hibernated volume, which is why the ntfs-3g step afterwards is needed.
root@kali:~# ntfsfix /dev/sda3
Mounting volume… Windows is hibernated, refused to mount.
FAILED
Attempting to correct errors…
Processing $MFT and $MFTMirr…
Reading $MFT… OK
Reading $MFTMirr… OK
Comparing $MFTMirr to $MFT… OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition… OK
Going to empty the journal ($LogFile)… OK
Windows is hibernated, refused to mount.
Remount failed: Operation not permitted
Next, make sure the drive is not mounted.
root@kali:~# umount /dev/sda3
Finally, use ntfs-3g to remove the hibernation file and mount the drive with:
root@kali:~# ntfs-3g -o remove_hiberfile /dev/sda3 windows/
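Before discarding the hibernation file, a responder usually wants to know which state the volume is actually in. The same refusal is triggered on Windows 8 and later by Fast Startup after an apparently normal shutdown (the ntfs-3g error above mentions “fast restarting” for that reason), and hiberfil.sys is a full snapshot of RAM that is worth preserving for memory forensics rather than deleting with remove_hiberfile. The following Python script is an added example, not code from this post or from the ntfs-3g project: it reproduces the four-byte signature check that ntfs-3g performs on hiberfil.sys, which you can run against the file from a read-only mount, and recommends the mount option accordingly. The sample headers and volume names are constructed; the “HIBR” and “wake” signature variants are taken from forensic tooling documentation rather than from the post, so treat them as an assumption.

```python
"""Triage a Windows hiberfil.sys header before deciding how to mount an NTFS volume.

Added example (not code from the original post or from ntfs-3g). It reproduces
the check behind the message "Windows is hibernated, refused to mount" so a
responder can classify the volume from a read-only mount and decide whether to
preserve hiberfil.sys (a full memory snapshot, useful for memory forensics)
instead of discarding it with "ntfs-3g -o remove_hiberfile".
"""
from __future__ import annotations

from dataclasses import dataclass

# Header signatures of hiberfil.sys (first four bytes of the file):
#   b"hibr"           classic full hibernation image (Windows XP through 7)
#   b"HIBR"           Windows 8+ image; also written by Fast Startup after a
#                     "normal" shutdown, which is why ntfs-3g mentions fast restarting
#   b"wake"/b"WAKE"   image already consumed by a resume, so it is stale
#   all zeros         file cleared, or hibernation never used
# The "HIBR" and "wake" variants come from forensic tooling documentation,
# not from the post; treat them as an assumption.
LIVE_SIGNATURES = {b"hibr", b"HIBR"}
STALE_SIGNATURES = {b"wake", b"WAKE"}
CLEARED_SIGNATURE = b"\x00\x00\x00\x00"


@dataclass(frozen=True)
class HiberState:
    state: str           # "hibernated", "resumed", "cleared" or "unknown"
    safe_to_write: bool  # True only when no live image is present
    detail: str


def classify_header(header: bytes) -> HiberState:
    """Classify a hiberfil.sys header the way ntfs-3g does before a rw mount."""
    sig = bytes(header[:4])
    if len(sig) < 4:
        return HiberState("unknown", False, "header shorter than 4 bytes; refuse rw mount")
    if sig in LIVE_SIGNATURES:
        return HiberState("hibernated", False,
                          "live hibernation image: on-disk metadata is stale, keep the "
                          "mount read-only and preserve hiberfil.sys for analysis")
    if sig in STALE_SIGNATURES:
        return HiberState("resumed", True, "image already consumed by a resume")
    if sig == CLEARED_SIGNATURE:
        return HiberState("cleared", True, "no hibernation image present")
    return HiberState("unknown", False, f"unrecognised signature {sig!r}; refuse rw mount")


def classify_file(path: str) -> HiberState:
    """Read only the four-byte header of hiberfil.sys from a (read-only) mount."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4))


def mount_option(state: HiberState) -> str:
    """ntfs-3g mount option a responder should use given the triage result."""
    return "rw" if state.safe_to_write else "ro"


# Constructed sample headers standing in for the first bytes of hiberfil.sys
# on four different volumes (not captured from a real machine).
SAMPLE_HEADERS = {
    "laptop_win7_hibernated": b"hibr" + b"\x00" * 28,
    "desktop_win10_fast_startup": b"HIBR" + b"\x01" * 28,
    "server_resumed": b"wake" + b"\x00" * 28,
    "vm_never_hibernated": b"\x00" * 32,
}


def triage_samples(headers=SAMPLE_HEADERS) -> dict[str, str]:
    """Map each volume name to the mount option its hiberfil.sys header allows."""
    return {name: mount_option(classify_header(hdr)) for name, hdr in headers.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        result = classify_header(hdr)
        print(f"{name:28} {result.state:11} mount -o {mount_option(result)}  ({result.detail})")
```

On a real volume, mount it read-only first (`ntfs-3g -o ro /dev/sda3 windows/`), call `classify_file("windows/hiberfil.sys")`, and copy the file off for memory analysis before you consider clearing it; a volume reporting “hibernated” is only in that state because Windows was suspended or used Fast Startup, and a full shutdown of Windows clears it without any data loss.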
Recovering Passwords Conclusion
There you have it: the drive is mounted with full read-write permissions. You can now use the Sticky Keys Backdoor to recover the Windows password. Needless to say, my non-technical friend was impressed and thought the whole thing was pure sorcery. An added bonus to helping someone in need.
Can’t get it to work because it doesn’t recognize the “unmount” command. Please let me know if there’s a solution to this.
1st part gave the error just as shown above. But the unmount command seems to be unrecognized. Tried several times and it keeps saying command “unmount” not found.
Tried the next step anyway and it can’t perform it because “The NTFS volume is already exclusively opened”. Please reply or email me if you know a solution! Thanks
Thanks BOB. You saved my asset.
Ha! That just worked like a champ. Thanks
The trick worked for me, thank you bob
There is no shutdown button… Hah.
Just turn on the computer and on the login screen, select shutdown WHILE pressing shift, that is going to shut it down for real
Hi!
Why not use KonBoot?
Or just boot it up to the normal login screen and then shut it off cleanly?
Nice write up. There is a good chance you can get the password from hiberfil.sys with volatility.