
I am trying to automate the Wi-Fi connection for testing purposes. Using the netsh command in PowerShell I can generate the XML file and connect to any Personal Wi-Fi.

But I am getting an issue with Enterprise (802.1X). I can generate the XML file with the initial configuration, but the username and password are not stored in it. I found that they are stored and encrypted in: HKCU\Software\Microsoft\Wlansvc\UserData\Profiles{GUID} Apparently it is encrypted using CryptProtectData.

I have uploaded the key from one SSID connected with my current user using 802.1X and am trying to decrypt it to figure out what the string that needs to be encrypted looks like. Here's the script so far:

Add-Type -AssemblyName System.Security

# Value of the MSMUserData blob pasted from regedit (truncated here, as in the post)
$HEXA = '01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 a8 55 8d b0 1a c5 48 4e 8e 35 ff...'

## hex to byte: split on any whitespace (the pasted value wraps across lines),
## drop empty tokens and parse each pair directly as a byte (no [char] round trip)
[byte[]]$Byte_Array = $HEXA -split '\s+' |
    Where-Object { $_ } |
    ForEach-Object { [Convert]::ToByte($_, 16) }

Write-Host "Type of Byte_Array: " $Byte_Array.GetType().FullName

# decrypt: no additional entropy, CurrentUser scope
$bytes2 = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $Byte_Array,
    $null,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

But I am getting the error below: Exception calling "Unprotect" with "3" argument(s): "The parameter is incorrect"

EDIT: The error does not appear once I launch the script as the Local System user. I can see the username, but it is followed by unreadable characters. The entropy is set to $null (2nd parameter) and I am wondering if it could cause the issue.

Thank you,

NicolasL
  • You didn't tell us what line the invalid syntax is on. Is there a reason you deleted a [perfectly good question](https://superuser.com/questions/1207527/powershell-802-1x-credentials-wireless-wi-fi)? If you continue to remove questions just because they received downvotes, you will very quickly find yourself being unable to ask new questions. – Ramhound May 10 '17 at 13:51
  • [PowerShell: Quick Easy Encryption/Decryption](http://andyarismendi.blogspot.com/2011/09/powershell-quick-easy.html) – Ramhound May 10 '17 at 14:02
  • Hi Ramhound, I should have replied with the script; sorry for deleting/recreating. The error occurs when calling [System.Security.Cryptography.ProtectedData]::Unprotect. Thanks – NicolasL May 10 '17 at 14:10
  • The error is telling you exactly what's wrong: parameter 3 isn't correct. What is likely the case is your `CurrentUser` DataProtectionScope argument is NULL. – Ramhound May 10 '17 at 14:21
  • [Encrypting your text-based files using PowerShell](https://gallery.technet.microsoft.com/scriptcenter/Encrypting-your-text-based-d939876b) – Ramhound May 10 '17 at 14:23
  • Hi Ramhound, I looked at the link provided and it is pretty much the same as what I did to encrypt/decrypt. I have a script created to encrypt the data and it uses the script above to decrypt it without issues. The issue is when I call the registry key (here saved in $HEXA) to decrypt it: I get the error mentioned. When you said that the argument is NULL, would you assume that the key was not encrypted with CurrentUser as a parameter in the first place? Thanks – NicolasL May 12 '17 at 14:49
  • I don't know; I am not going to debug your script. – Ramhound May 12 '17 at 17:58
  • *wondering if it could cause the issue* so change the entropy to something other than null and find out – Ramhound May 12 '17 at 18:28

2 Answers

1

The user/password for WPA-Enterprise is encrypted using two users. I first decrypted the whole string using Local System. Then I decrypted it again using the current user. Entropy is set to $Null in both cases. The third parameter will depend on your system OS.

NicolasL
0

You can find more information on the WPA2-Enterprise credential encryption scheme of MSMUserData in my answer https://superuser.com/a/1259271/780533 to the "How can I find Protected EAP credentials of a wireless network stored on Windows 7?" question. In particular, the "unreadable characters" (note that they begin with 01 00 00 00 d0 8c 9d df ...) following the username in the decrypted MSMUserData are the encrypted password, so you need to decrypt again using CryptProtectData.
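The two answers above describe the same layout: an outer DPAPI blob whose plaintext is the username followed by a second, nested DPAPI blob holding the password, each blob recognisable by the header bytes 01 00 00 00 d0 8c 9d df. The script below is an added example, not code from either answer or from the question, that shows this layout end to end on a constructed payload: it parses the pasted hex form robustly, refuses input that does not start with a DPAPI header (which is what Unprotect otherwise rejects with "The parameter is incorrect"), and locates the nested blob by its signature instead of guessing an offset. Because it protects its own sample data, it runs as the current user and never reads HKCU\Software\Microsoft\Wlansvc; on real MSMUserData the outer layer must be unprotected in the Local System context as answer 1 states, whereas here both layers use CurrentUser scope (an assumption made so the example is self-contained). The username string, the two zero bytes used as a separator and the password are constructed values, not the real on-disk format.

```powershell
Add-Type -AssemblyName System.Security

# DPAPI blobs start with a version dword (01 00 00 00) followed by the provider
# GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb serialised little-endian; these are
# the bytes the answers point at.
$DpapiSignature = [byte[]](0x01,0x00,0x00,0x00,0xd0,0x8c,0x9d,0xdf,0x01,0x15,0xd1,0x11,0x8c,0x7a,0x00,0xc0,0x4f,0xc2,0x97,0xeb)

function ConvertFrom-HexString {
    # Accepts the "01 00 00 00 ..." form pasted from regedit, tolerating line wraps.
    param([Parameter(Mandatory)][string]$Hex)
    [byte[]]($Hex -split '\s+' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function Find-DpapiBlob {
    # Offset of the first DPAPI header in $Data at or after $Start, or -1 if none.
    param([byte[]]$Data, [int]$Start = 0)
    for ($i = $Start; $i -le $Data.Length - $DpapiSignature.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $DpapiSignature.Length; $j++) {
            if ($Data[$i + $j] -ne $DpapiSignature[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

function Unprotect-Bytes {
    # Wraps ProtectedData.Unprotect with no extra entropy, after checking the header,
    # so a non-DPAPI input gives a readable error instead of "The parameter is incorrect".
    param([byte[]]$Data, [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser')
    if ((Find-DpapiBlob -Data $Data) -ne 0) {
        throw "Input does not start with a DPAPI blob header"
    }
    [System.Security.Cryptography.ProtectedData]::Unprotect($Data, $null, $Scope)
}

# --- Constructed sample: build what a decrypted outer layer looks like ----------------
$username      = 'corp\alice'                                              # constructed
$passwordBytes = [Text.Encoding]::Unicode.GetBytes('constructed-password')  # constructed
$innerBlob  = [System.Security.Cryptography.ProtectedData]::Protect($passwordBytes, $null, 'CurrentUser')
$outerPlain = [byte[]]([Text.Encoding]::Unicode.GetBytes($username) + [byte[]](0,0) + $innerBlob)
$outerBlob  = [System.Security.Cryptography.ProtectedData]::Protect($outerPlain, $null, 'CurrentUser')

# Round-trip through the space-separated hex form the question pastes into $HEXA.
$hex    = ($outerBlob | ForEach-Object { $_.ToString('x2') }) -join ' '
$layer1 = Unprotect-Bytes -Data (ConvertFrom-HexString $hex)

# The "unreadable characters" after the username are the nested blob: find its header
# by signature rather than assuming a fixed offset, then unprotect that slice.
$inner    = Find-DpapiBlob -Data $layer1
$nameText = [Text.Encoding]::Unicode.GetString($layer1, 0, $inner).TrimEnd([char]0)
$layer2   = Unprotect-Bytes -Data $layer1[$inner..($layer1.Length - 1)]

"outer blob starts with DPAPI header : $((Find-DpapiBlob -Data $outerBlob) -eq 0)"
"nested blob found at offset         : $inner"
"username                            : $nameText"
"password                            : $([Text.Encoding]::Unicode.GetString($layer2))"
```

Running it as an ordinary user prints the constructed username and password, demonstrating that the second Unprotect call is what turns the trailing bytes into text. Swapping the scope argument to LocalMachine or running under a different account makes the first Unprotect fail, which is the same dependency on the protecting identity that the question ran into with the real registry value.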