This research article throws light on the internal password storage and encryption mechanism used for storing the WiFi account passwords. It explains where the WiFi passwords are stored on different platforms and how to decrypt them using the practical code sample.
Note that it deals with WiFi settings stored by built-in Windows Wireless Configuration manager only. Also it covers only Vista and higher operating systems, though it may touch upon some aspects of Windows XP. WiFi ConfigurationAll Windows systems has built-in 'Wireless Configuration Manager' which helps in managing your Wireless connections
Here are the simple steps involved in configuring your WiFi setup,
From Control Panel, click on 'Network & Internet'
Next click on 'Network & Sharing Center'. You will see all your network connections
Now from the left panel click on 'Manage Wireless Networks'
This will launch 'Wireless Configration' screen showing all your configured WiFi connections
You can click on 'ADD' and then click on 'Manually Create Network Profile' to create new WiFi connections.
Below is the screenshot showing the 'Add Wireless Network' dialog
WiFi Password Location
Before we proceed, we need to know where these wireless settings are stored on the system. Depending on the platform, 'Wireless Configuration Manager' uses different techniques and different storage locations to store these wireless settings.
For Windows XP/2003
On XP, all the Wireless settings are stored in Registry at following location,.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
Here each wireless device/interface is represented by unique GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and all the settings for this device are stored under this GUID within the value 'ActiveSettings'. Actual contents are encrypted using 'Windows Cryptography'
For Vista, Windows 7, Windows 8, Windows 10
Vista onwards, 'Wireless Configuration Manager' no longer uses the registry. Instead all the wireless parameters including SSID, Authentication method & encrypted Password are stored at following file,
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml
Here each wireless device is represented by its interface GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and all the wireless settings for this device are stored in XML file with random GUID name.
WiFi Storage Mechanism
All the information discussed hence forth will apply only to Vista and higher operating systems only.
As we know already, each wireless settings are stored in XML file. Here is the actual contents of one such file,
Each Wireless profile mainly stores information about WiFi name, security settings such as authentication, encryption and the encrypted password.
In the above example, WiFi Network name aka SSID is 'SecurityXploded' which is stored in both ASCII and HEX format. Next important things are authentication & encryption which are stored within
Now comes the most interesting thing, 'WiFi Password' which is stored under under
WiFi Password Encryption & Decryption
If you are one of us who live in Crypto world then it does not take much time to decipher the encryption method used here.
Clearly it uses 'Windows Cryptography' to encrypt & decrypt the WiFi passwords. Here is the signature which is at the beginning of encrypted password.
01000000D08C9DDF0115D1118C7A00C0
To be more precise, 'Wireless Configuration Manager' uses CryptProtectData to encrypt the Wireless keys & passwords. Another notable thing is that it does not use any salt or magic key for encryption. This makes decryption simple and straightforward using CryptUnprotectData as shown in the example below.
// |
There are many ways to execute the code under SYSTEM context, one of the popular way is to inject the code via remote thread in system process - LSASS.EXE. But this one is more risky, as any flaw in code can bring down the entire system. Much safer way is to create Windows service as System account and then execute the above decryption code from that service.
Recover Wireless Passwords using WiFi Password Decryptor
WiFi Password Decryptor is the FREE tool to automatically detects & decrypts Wireless passwords stored on your system.
It instantly recovers all the WiFi passwords and displays various security settings (WEP/WPA/AES/TKIP etc) along with password in clear text.
It works on both 32 bit & 64 bit platforms, starting from Vista to latest operating system, Windows 10.
0 comments:
Post a Comment