Kev Posted April 1, 2020 Report Share Posted April 1, 2020 Introduction This research article throws light on the internal password storage and encryption mechanism used for storing the WiFi account passwords. It explains where the WiFi passwords are stored on different platforms and how to decrypt them using the practical code sample. Note that it deals with WiFi settings stored by built-in Windows Wireless Configuration manager only. Also it covers only Vista and higher operating systems, though it may touch upon some aspects of Windows XP. WiFi Configuration All Windows systems has built-in 'Wireless Configuration Manager' which helps in managing your Wireless connections Here are the simple steps involved in configuring your WiFi setup, From Control Panel, click on 'Network & Internet' Next click on 'Network & Sharing Center'. You will see all your network connections Now from the left panel click on 'Manage Wireless Networks' This will launch 'Wireless Configration' screen showing all your configured WiFi connections You can click on 'ADD' and then click on 'Manually Create Network Profile' to create new WiFi connections. Below is the screenshot showing the 'Add Wireless Network' dialog WiFi Password Location Before we proceed, we need to know where these wireless settings are stored on the system. Depending on the platform, 'Wireless Configuration Manager' uses different techniques and different storage locations to store these wireless settings. For Windows XP/2003 On XP, all the Wireless settings are stored in Registry at following location,. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} Here each wireless device/interface is represented by unique GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and all the settings for this device are stored under this GUID within the value 'ActiveSettings'. Actual contents are encrypted using 'Windows Cryptography' functions [Reference 1]. For Vista, Windows 7, Windows 8 & Windows 10 Vista onwards, 'Wireless Configuration Manager' no longer uses the registry. Instead all the wireless parameters including SSID, Authentication method & encrypted Password are stored at following file, C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml Here each wireless device is represented by its interface GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and all the wireless settings for this device are stored in XML file with random GUID name. WiFi Storage Mechanism All the information discussed hence forth will apply only to Vista and higher operating systems only. As we know already, each wireless settings are stored in XML file. Here is the actual contents of one such file, <?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"> <name>SecurityXploded</name> <SSIDConfig> <SSID> <hex>536563757269747958706C6F646564</hex> <name>SecurityXploded</name> </SSID> <nonBroadcast>false</nonBroadcast> </SSIDConfig> <connectionType>ESS</connectionType> <connectionMode>auto</connectionMode> <autoSwitch>false</autoSwitch> <MSM> <security> <authEncryption> <authentication>WPAPSK</authentication> <encryption>AES</encryption> <useOneX>false</useOneX> </authEncryption> <sharedKey> <keyType>passPhrase</keyType> <protected>true</protected> <keyMaterial>01000000D08C9DDF0115D1118C7A00C0***TRUNCATED***DA88A2</keyMaterial> </sharedKey> </security> </MSM> </WLANProfile> Each Wireless profile mainly stores information about WiFi name, security settings such as authentication, encryption and the encrypted password. In the above example, WiFi Network name aka SSID is 'SecurityXploded' which is stored in both ASCII and HEX format. Next important things are authentication & encryption which are stored within <authEncryption> node. This wireless configuration uses WPA (WPAPSK) for authentication and AES for encryption. Now comes the most interesting thing, 'WiFi Password' which is stored under under <sharedKey> node. Here <protected> field indicates if the password is encrypted or stored in clear text. If the <protected> field is true that means password is encrypted and same can be found in <keyMaterial> node as in above example. WiFi Password Encryption & Decryption If you are one of us who live in Crypto world then it does not take much time to decipher the encryption method used here. Clearly it uses 'Windows Cryptography' functions [Reference 1] to encrypt & decrypt the WiFi passwords. Here is the signature which is at the beginning of encrypted password. 01000000D08C9DDF0115D1118C7A00C0 To be more precise, 'Wireless Configuration Manager' uses CryptProtectData to encrypt the Wireless keys & passwords. Another notable thing is that it does not use any salt or magic key for encryption. This makes decryption simple and straightforward using CryptUnprotectData as shown in the example below. // // Wireless Key/Password Decryption Algorithm for Vista/Windows 7/Windows 8/Windows 10 // void DecryptWiFiPassword(BYTE *buffer, DWORD dwSizeBuffer) { DATA_BLOB DataIn; DATA_BLOB DataOut; DataIn.pbData = buffer; DataIn.cbData = dwSizeBuffer; if(CryptUnprotectData(&DataIn, 0, NULL, NULL,NULL,0,&DataOut)) { printf("\n Wireless Key Password : %s", (char *) DataOut.pbData); } } One catch here is that you can't just decrypt the password even though you are administrator. To successfully decrypt the password, you have to perform the decryption operation under system context. There are many ways to execute the code under SYSTEM context, one of the popular way is to inject the code via remote thread [Reference 2] in system process - LSASS.EXE. But this one is more risky, as any flaw in code can bring down the entire system. Much safer way is to create Windows service as System account and then execute the above decryption code from that service. Recover Wireless Passwords using WiFi Password Decryptor WiFi Password Decryptor is the FREE tool to automatically detects & decrypts Wireless passwords stored on your system. It instantly recovers all the WiFi passwords and displays various security settings (WEP/WPA/AES/TKIP etc) along with password in clear text. It works on both 32 bit & 64 bit platforms, starting from Vista to latest operating system, Windows 10. References Windows Cryptography Functions Remote Thread Execution in System Process using NtCreateThreadEx for Vista/Win7 Source 1 Quote Link to comment Share on other sites More sharing options...
