Recovering Passwords From Hibernated Windows Machines

Author: Royce Davis Posted In Forensics and Incident Response On: 2017/05/11 Comments: 2

A friend of mine recently asked if I could help them recover the passwords from an old Windows laptop. Nothing nefarious here, just a common scenario we’ve all been in before. They hadn’t used the system in quite some time and couldn’t recall the password to log in. As many of you know, this is a trivial problem to solve provided the laptop is not using disk-level encryption, which in my friend’s case it was not. I naturally felt like a white knight and told them to “bring it over to my house, I’ll have it unlocked in no time.”

Booting The Laptop Into Kali Linux

First of all, for those of you who don’t know, it’s extremely simple to create a bootable USB drive loaded with Kali Linux, and Kali makes recovering passwords from Windows systems a breeze. Hence, that’s exactly what I did for this project. I’d be happy to write a simple guide explaining how to do this, so let me know in the comment section if that’s something you would like to see. After booting the laptop into Kali, we simply open a terminal and list the attached storage devices with the following command:

root@kali:~# fdisk -l

This showed me that the Windows operating system was installed on “/dev/sda3”. At this point I would typically mount the Windows partition with write access and perform the age-old Sticky Keys Backdoor technique to recover the Windows password.

root@kali:~# mkdir windows
root@kali:~# mount -t ntfs -o rw /dev/sda3 windows/

Unfortunately, here’s where things started to get a little difficult. As luck would have it, I couldn’t mount the drive with ‘rw’ permissions, which is required in order to pull off the Sticky Keys Backdoor. Here is the error message I received:

Windows is hibernated, refused to mount.
The disk contains an unclean filesystem (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an
unsafe state.  Please resume and shutdown Windows fully (no hibernation
or fast restarting.)

Enter hiberfil.sys

I’ll spare you the long explanation, but feel free to visit this link for additional details. The Cliff’s Notes version goes like this: my friend hadn’t shut down the laptop properly, and as a result Windows had entered hibernation mode. Hibernation leaves the system’s saved state in the hiberfil.sys file, and a hibernated volume cannot be mounted by Linux with write permissions. Never fear, the solution is quite simple.

Using Ntfsfix and Ntfs-3g

After a bit of frustration and a lot of Googling around, I eventually found that recovering passwords after removing the hiberfil.sys file is not difficult at all. In fact, you just have to use the following commands to mount the drive.

root@kali:~# ntfsfix /dev/sda3
Mounting volume… Windows is hibernated, refused to mount.
FAILED
Attempting to correct errors…
Processing $MFT and $MFTMirr…
Reading $MFT…  OK
Reading $MFTMirr…  OK
Comparing $MFTMirr to $MFT…  OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition…  OK
Going to empty the journal ($LogFile)…  OK
Windows is hibernated, refused to mount.
Remount failed:  Operation not permitted

Next, make sure the drive is not mounted.

root@kali:~# umount /dev/sda3

Finally, use ntfs-3g to remove the hibernation file and mount the drive with:

root@kali:~# ntfs-3g -o remove_hiberfile /dev/sda3 windows/
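The mount-and-recover sequence above, as an added example that is not from the original post: a POSIX shell script that recognizes ntfs-3g’s hibernation refusal and runs the same ntfsfix / umount / remove_hiberfile steps, but first copies hiberfil.sys out of a read-only mount and records its SHA-256, because remove_hiberfile discards the saved Windows session (and with it the memory image a forensic examiner might want). The MOUNT/UMOUNT/NTFSFIX/NTFS3G variables, the function names and the evidence directory are my own choices, not part of any tool; they default to the real commands and exist so the logic can be exercised with stand-ins instead of a real disk.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the steps in the
# post and adds one forensic precaution: hiberfil.sys is copied out (with a
# SHA-256 record) from a read-only mount before remove_hiberfile discards it.
# Tool paths are variables (my own convention) so stand-ins can replace them.
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}
NTFSFIX=${NTFSFIX:-ntfsfix}
NTFS3G=${NTFS3G:-ntfs-3g}

# Classify ntfs-3g's mount output: "hibernated", "unclean" or "clean".
classify_mount_output() {
    case "$1" in
        *"Windows is hibernated"*)                                  echo hibernated ;;
        *"unclean filesystem"*|*"Metadata kept in Windows cache"*)  echo unclean ;;
        *)                                                          echo clean ;;
    esac
}

# SHA-256 of a file, using whichever hashing tool the live system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# preserve_hiberfile DEV MNT OUTDIR: read-only mount, copy hiberfil.sys, hash it, unmount.
preserve_hiberfile() {
    dev=$1; mnt=$2; out=$3
    mkdir -p "$mnt" "$out"
    "$MOUNT" -t ntfs-3g -o ro "$dev" "$mnt" || return 1
    if [ -f "$mnt/hiberfil.sys" ]; then
        cp "$mnt/hiberfil.sys" "$out/hiberfil.sys" || { "$UMOUNT" "$mnt"; return 1; }
        (cd "$out" && sha256_of hiberfil.sys > hiberfil.sys.sha256)
    fi
    "$UMOUNT" "$mnt"
}

# mount_rw DEV MNT OUTDIR: try a normal read-write mount; on the hibernation
# refusal, preserve hiberfil.sys and then follow the ntfsfix / umount /
# remove_hiberfile sequence. Prints ok, fixed or hiberfile-removed on success.
mount_rw() {
    dev=$1; mnt=$2; out=$3
    mkdir -p "$mnt"
    rc=0
    msg=$("$MOUNT" -t ntfs-3g -o rw "$dev" "$mnt" 2>&1) || rc=$?
    kind=$(classify_mount_output "$msg")
    if [ "$rc" -eq 0 ] && [ "$kind" = clean ]; then echo ok; return 0; fi
    "$UMOUNT" "$mnt" 2>/dev/null || true   # ntfs-3g may have fallen back to a read-only mount
    case "$kind" in
        hibernated)
            preserve_hiberfile "$dev" "$mnt" "$out" || return 1
            "$NTFSFIX" "$dev" >/dev/null 2>&1 || true   # ends with "Remount failed" on a hibernated volume, as in the post
            "$UMOUNT" "$dev" 2>/dev/null || true
            "$NTFS3G" -o remove_hiberfile "$dev" "$mnt" || return 1
            echo hiberfile-removed ;;
        unclean)
            "$NTFSFIX" "$dev" >/dev/null 2>&1 || return 1
            "$MOUNT" -t ntfs-3g -o rw "$dev" "$mnt" || return 1
            echo fixed ;;
        clean)
            printf 'mount failed: %s\n' "$msg" >&2; return 1 ;;
    esac
}
```

Source the script as root in the Kali live session and run `mount_rw /dev/sda3 windows /root/evidence`; a volume that mounts read-write on the first try just prints ok, and the hibernated case leaves a copy of hiberfil.sys and its hash in the evidence directory before the volume is remounted writable.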

Recovering Passwords Conclusion

There you have it: the drive is mounted with full read-write permissions. You can now use the Sticky Keys Backdoor to recover the Windows password. Needless to say, my non-technical friend was impressed and thought the whole thing was pure sorcery. An added bonus to helping someone in need.

2 Comments
  • Hi!

    Why not use KonBoot?
    Or just boot it up to the normal login screen and then shut it off cleanly?

  • Nice write up. There is a good chance you can get the password from hiberfil.sys with volatility.
