Recovering Passwords From Hibernated Windows Machines

A friend of mine recently asked if I could help them by recovering passwords from an old Windows laptop. Nothing nefarious here, just a common scenario we’ve all been in before. They hadn’t used the system in quite some time and couldn’t recall the password to log in.
As many of you know, this is a trivial problem to solve, provided the laptop is not using disk-level encryption, which in my friend’s case it was not. I naturally felt like a white knight and told them to “bring it over to my house, I’ll have it unlocked in no time.”

Booting The Laptop Into Kali Linux

First of all, for those of you who don’t know, it’s extremely simple to create a bootable USB drive loaded up with Kali Linux. This tool also makes recovering passwords from Windows systems a breeze, so that’s exactly what I did for this project. I’d be happy to create a simple guide explaining how to do this, so let me know in the comment section if that’s something you would like to see. After booting the laptop into Kali, we simply open up a terminal and query the attached storage devices with the following command:

root@kali:~# fdisk -l

This showed me that the Windows operating system was installed on “/dev/sda3”. At this point I would typically mount the Windows partition with write access and perform the age-old Sticky Keys Backdoor technique to recover the Windows password.

root@kali:~# mkdir windows
root@kali:~# mount -t ntfs -o rw /dev/sda3 windows/

Unfortunately, here’s where things started to get a little bit difficult. As luck would have it, I couldn’t mount the drive with ‘rw’ permissions, which are required in order to pull off the Sticky Keys Backdoor. Here is the error message I received:

Windows is hibernated, refused to mount.
The disk contains an unclean filesystem (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an
unsafe state.  Please resume and shutdown Windows fully (no hibernation
or fast restarting.)

Enter hiberfil.sys

I’ll spare you the long explanation but feel free to visit this link for additional details. The CliffsNotes version goes like this: my friend hadn’t shut down the laptop properly, and as a result Windows entered hibernation mode. Hibernation mode creates the hiberfil.sys file, which prevents Linux from mounting the drive with write permissions. Never fear, the solution is quite simple.

Using Ntfsfix and Ntfs-3g

After a bit of frustration and a lot of Googling around, I eventually found that recovering passwords after removing the hiberfil.sys file is not very difficult at all. In fact, you just have to use the following commands to mount the drive.

root@kali:~# ntfsfix /dev/sda3
Mounting volume… Windows is hibernated, refused to mount.
FAILED
Attempting to correct errors…
Processing $MFT and $MFTMirr…
Reading $MFT…  OK
Reading $MFTMirr…  OK
Comparing $MFTMirr to $MFT…  OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition…  OK
Going to empty the journal ($LogFile)…  OK
Windows is hibernated, refused to mount.
Remount failed:  Operation not permitted

Next, make sure the drive is not mounted (the command is umount, without the first “n”).

root@kali:~# umount /dev/sda3

Finally, use ntfs-3g to remove the hibernation file and mount the drive with:

root@kali:~# ntfs-3g -o remove_hiberfile /dev/sda3 windows/
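
The remove_hiberfile option deletes hiberfil.sys, and with it the session Windows saved when it hibernated, so anything unsaved in that session is gone. The shell functions below are an added example, not part of the original post: they copy the file out of a read-only mount and record its SHA-256 before it is removed. The function names, the destination directory and the header-signature check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Windows volume is
# mounted READ-ONLY (e.g. "mount -t ntfs -o ro /dev/sda3 windows/").

# hiber_state FILE: classify the file by its 4-byte header signature.
# The signature values are an assumption based on the commonly documented
# hibernation file header ("hibr"/"HIBR" = saved session present).
hiber_state() {
    sig=$(head -c 4 "$1" | tr -d '\000')
    case "$sig" in
        hibr|HIBR) echo hibernated ;;
        wake|WAKE) echo resumed ;;
        "")        echo empty ;;
        *)         echo unknown ;;
    esac
}

# preserve_hiberfile MOUNTPOINT DESTDIR
# Returns 0 after a verified copy, 1 if there is no saved session to keep,
# 2 if the copy could not be made or verified.
preserve_hiberfile() {
    src="$1/hiberfil.sys"
    dest="$2/hiberfil.sys"
    [ -f "$src" ] || { echo "no hiberfil.sys under $1" >&2; return 1; }
    state=$(hiber_state "$src")
    echo "hiberfil.sys state: $state" >&2
    [ "$state" = hibernated ] || return 1
    mkdir -p "$2" || return 2
    cp -- "$src" "$dest" || return 2
    # Hash both sides so the copy can be shown to match the original.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum < "$dest" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ] || { echo "hash mismatch" >&2; return 2; }
    echo "$dst_sum  hiberfil.sys" > "$2/hiberfil.sys.sha256"
}

# Typical order (device and paths are assumptions taken from the article):
#   mount -t ntfs -o ro /dev/sda3 windows/
#   preserve_hiberfile windows /mnt/evidence
#   umount /dev/sda3
#   ntfs-3g -o remove_hiberfile /dev/sda3 windows/
```

Write the copy to a different disk than the one being repaired, since hiberfil.sys is roughly the size of the machine's RAM.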

Recovering Passwords Conclusion

There you have it: the drive is mounted with full read-write permissions. You can now use the Sticky Keys Backdoor to recover the Windows password. Needless to say, my non-technical friend was impressed and thought the whole thing was pure sorcery. An added bonus to helping someone in need.

9 Comments
  • Can’t get it to work because it doesn’t recognize the “unmount” command. Please let me know if there’s a solution to this.

  • 1st part gave the error just as shown above. But the unmount command seems to be unrecognized. Tried several times and it keeps saying command “unmount” not found.
    Tried the next step anyway and it can’t perform it because “The NTFS volume is already exclusively opened”. Please reply or email me if you know a solution! Thanks

  • Thanks BOB. You saved my asset.

  • Ha! that just worked like a champ. Thanks

  • The trick worked for me, thank you bob

  • There is no shutdown button… Hah.

  • Just turn on the computer and on the login screen, select shutdown WHILE pressing shift, that is going to shut it down for real

  • Hi!

    Why not use KonBoot?
    Or just boot it up to normal login screen and then shut it off cleanly?

  • Nice write up. There is a good chance you can get the password from hiberfil.sys with volatility.
