12

I need to remember the authentication credentials (username/password) of the wireless network to which I am connected. Is there a way to reveal this information on Windows 7? The wireless network is protected with WPA2-Enterprise AES, with the Protected EAP (PEAP) authentication method; the authentication mode is set to "User authentication".

I searched in:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[INTERFACE GUID]\[PROFILE].xml

But there is no mention of the user or password.

MrMoog

2 Answers

11

You can find an encrypted (with the CryptProtectData function) version of the PEAP credentials stored in the binary data value named "MSMUserData" in the registry locations already specified in NON's answer:

Location of PEAP passwords

User: HKCU\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

Machine: HKLM\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

The data begins with hex values 01 00 00 00 d0 8c 9d df 01.

Exporting the "MSMUserData" value from the registry, you will obtain a text file containing something like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}]
"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,...

You must convert the list of hex values (right after the "MSMUserData"=hex: string) into a binary file. Use this link: https://tomeko.net/online_tools/hex_to_file.php

Once you obtain the binary file (e.g. called file.dat), you can decrypt it using crypt.exe http://www.outerhost.com/www/upload/8t4l1q2g7549/Crypt.zip together with the PsExec tool https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

by running the following command in an elevated command prompt:

PsExec.exe -s -i cmd /k crypt.exe file.dat

you will obtain something like:

Decrypted: AAAAAAAAAAAAAAAAAAAAAJAEAAAYAAAAAgAAAJAEAAAAAAAAaQQAACAAAAAAAAAAkAQAA
AAAAAABAAAAGQAAAAAAAAAAAAAAAAAAAAEAAABJBAAAIAAAABkAAAAAAAAAAAAAAAAAAAA1BAAAAgAAA
[...]
A== <<<>>>

Crypt.exe's output (after the "Decrypted: " and before the " <<<>>>" strings) is base64 encoded, so you'll need to decode it into hex. Use: https://base64.guru/converter/decode/hex

The decoded output will contain the PEAP username and, at the end, beginning with the hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with the CryptProtectData function) version of the password.

Use crypt.exe again to decrypt this new ciphertext, then decode the output from base64 and you will obtain the PEAP password.

  • although there are details on how the password is secured, i do wonder the rationale of using 'PsExec' and that _suspicious_ `Crypt.exe`. – Bagus Tesa Nov 28 '17 at 00:55
  • 2
    @BagusTesa: Crypt.exe is a simple Visual Basic .NET program you can build yourself from the source code included in the linked zip file. The VB.NET module of that program is a code sample from http://www.obviex.com/samples/dpapi.aspx that demonstrates how to call the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData to encrypt and decrypt data. You need PsExec to run crypt.exe in order to decrypt the data using the CryptUnprotectData function as LocalSystem. – Andrea Giudiceandrea Dec 01 '17 at 12:51
  • Ah, I see, thank you for the clarification. I thought it would be better to state those details or, even better, put the code on GitHub as well. – Bagus Tesa Dec 04 '17 at 01:10
  • 8
    See also "EnterpriseWifiPasswordRecover" on GitHub https://github.com/ash47/EnterpriseWifiPasswordRecover – Andrea Giudiceandrea May 14 '18 at 19:23
  • Is it also possible to save data to this key to prevent users getting a popup for PEAP credentials? If so, what format should the user/password be saved in? – GoldieLocks Jan 10 '19 at 14:48
  • Sorry what does "convert the hex values in a binary file" mean? That's a pretty vague description of a step that makes no sense without your experience – ch4rl1e97 Jan 05 '21 at 18:02
  • @ch4rl1e97 it means to convert each two character literal hexadecimal value to a single byte of a corresponding value and sequentially put it in a file. Did you try to search for "convert the hex values in a binary file" using a web search engine? – Andrea Giudiceandrea Jan 06 '21 at 21:45
  • I tried that though I've no idea on which tool does it "properly". Everything I've found just turns it into a string so I guess I just dump that into a txt file? Regardless I've realised I don't know which user account on the machine is the one that actually owns the password so it's a little moot. That tool you linked above is promising but it seems development is dead which is a real shame :( I'll give it another go with crypt though. – ch4rl1e97 Jan 11 '21 at 10:51
  • found tomeko.net which has a tool! It failed on the output file though. Does this need to be run from the context of the password owner/on the same machine? The machine that has the credentials stored does not have the appropriate .NET "stuff" installed plus the above issue of not being sure which account owns it, especially given that it was found in HKLM rather than any HKCU. – ch4rl1e97 Jan 11 '21 at 11:27
  • "Hexadecimal -> file (binary)" is what you need and the process is independent from any context. – Andrea Giudiceandrea Jan 11 '21 at 19:30
  • I stuck on the following step: "The decoded output will contain the PEAP username and, at the end, beginning with hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with CryptProtectData function) version of the password. Use again crypt.exe to decrypt this new ciphertext". Crypt gives: DPAPI was unable to decrypt data. CryptUnprotectData failed. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. – Andrey Kazak Jul 25 '23 at 21:08
  • @AndreyKazak, have you correctly created a binary file from the base64 string decoded to hex, since crypt.exe needs a binary file as input? – Andrea Giudiceandrea Jul 26 '23 at 12:59
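The chain described in the answer above (export MSMUserData, decrypt it with DPAPI as LocalSystem, locate the second DPAPI blob at the end of the plaintext, decrypt that too) can be done in one PowerShell script instead of the crypt.exe / online-converter round trips. This is an added example, not the answer's crypt.exe and not code from the EnterpriseWifiPasswordRecover project. It assumes the full 20-byte DPAPI header (the answer quotes only the first 9 bytes), that the username and password plaintext are UTF-16LE strings, and that a stage-2 failure means the inner blob was protected under a different DPAPI context; none of those three points is stated in the answer. Stage 1 must run under SYSTEM, as the answer's PsExec -s step implies.

```powershell
<#
  Added example: MSMUserData -> DPAPI (as SYSTEM) -> inner DPAPI blob -> PEAP password.
  Stage 1 run, from an elevated prompt:
    PsExec.exe -s -i powershell.exe -ExecutionPolicy Bypass -File .\Get-PeapCred.ps1 -Store Machine
  Assumptions (not in the original answer): 20-byte DPAPI header, UTF-16LE strings,
  and the -InnerBlobFile fallback for a stage-2 decryption in another user context.
#>
param(
    [ValidateSet('User', 'Machine')] [string]$Store = 'Machine',
    [string]$BlobFile,       # raw MSMUserData bytes (the answer's file.dat) instead of the registry
    [string]$InnerBlobFile   # run only stage 2 on an inner blob saved by an earlier run
)

Add-Type -AssemblyName System.Security

# DPAPI blob header: dwVersion = 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
# The answer quotes the first 9 bytes: 01 00 00 00 d0 8c 9d df 01.
$script:DpapiMagic = [byte[]](0x01,0x00,0x00,0x00,0xd0,0x8c,0x9d,0xdf,0x01,0x15,0xd1,0x11,0x8c,0x7a,0x00,0xc0,0x4f,0xc2,0x97,0xeb)

function Unprotect-Bytes([byte[]]$Blob) {
    # CryptUnprotectData via .NET. CurrentUser scope means "the account running this script",
    # which is why stage 1 has to run as SYSTEM (PsExec -s), exactly like crypt.exe in the answer.
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Find-LastDpapiBlob([byte[]]$Data) {
    # Offset of the last DPAPI header in $Data, or -1. The answer says the re-encrypted
    # password sits at the end of the decrypted MSMUserData, so search backwards.
    for ($i = $Data.Length - $script:DpapiMagic.Length; $i -ge 0; $i--) {
        $hit = $true
        for ($j = 0; $j -lt $script:DpapiMagic.Length; $j++) {
            if ($Data[$i + $j] -ne $script:DpapiMagic[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function Get-Utf16Strings([byte[]]$Data, [int]$MinLength = 3) {
    # Heuristic (assumption): printable UTF-16LE runs; the PEAP username is among them.
    $text = [System.Text.Encoding]::Unicode.GetString($Data)
    [regex]::Matches($text, "[\x20-\x7e]{$MinLength,}") | ForEach-Object { $_.Value }
}

function Show-Password([byte[]]$Inner, [string]$Label) {
    try {
        $pw = Unprotect-Bytes $Inner
        # Assumption: the plaintext is a NUL-terminated UTF-16LE string.
        Write-Host "Password for ${Label}: $([System.Text.Encoding]::Unicode.GetString($pw).TrimEnd([char]0))"
    } catch {
        # Assumption: stage 2 fails when the inner blob was protected under another DPAPI
        # context (e.g. the credential owner's user keys). Save it; rerun with -InnerBlobFile there.
        $out = Join-Path $env:TEMP "$Label.inner.dat"
        [IO.File]::WriteAllBytes($out, $Inner)
        Write-Warning "Stage 2 failed for ${Label}: $($_.Exception.Message). Inner blob saved to $out"
    }
}

function Recover-PeapCred([byte[]]$Blob, [string]$Label) {
    try { $stage1 = Unprotect-Bytes $Blob }
    catch { Write-Warning "Stage 1 failed for ${Label} (not running as SYSTEM?): $($_.Exception.Message)"; return }
    Write-Host "Strings in decrypted MSMUserData for ${Label} (username candidates):"
    Get-Utf16Strings $stage1 | ForEach-Object { Write-Host "  $_" }
    $off = Find-LastDpapiBlob $stage1
    if ($off -lt 0) { Write-Warning "No inner DPAPI blob found in $Label"; return }
    Show-Password ($stage1[$off..($stage1.Length - 1)]) $Label
}

if ($InnerBlobFile) {
    Show-Password ([IO.File]::ReadAllBytes($InnerBlobFile)) ([IO.Path]::GetFileNameWithoutExtension($InnerBlobFile))
} elseif ($BlobFile) {
    Recover-PeapCred ([IO.File]::ReadAllBytes($BlobFile)) ([IO.Path]::GetFileName($BlobFile))
} else {
    $hive = if ($Store -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    Get-ChildItem "$hive\Software\Microsoft\Wlansvc\UserData\Profiles" -ErrorAction Stop | ForEach-Object {
        $blob = (Get-ItemProperty $_.PSPath -Name MSMUserData -ErrorAction SilentlyContinue).MSMUserData
        if ($blob) { Recover-PeapCred $blob $_.PSChildName }
    }
}
```

Two practical notes. Under PsExec -s, HKCU: is SYSTEM's own hive, not the logged-on user's, so for a "User authentication" profile stored under the owner's HKCU, export the value with the .reg/hex-to-file steps from the answer and pass it with -BlobFile. And because the inner password blob is just another DPAPI blob, the script does not need the intermediate base64 step at all: it works on the raw bytes that crypt.exe would have printed in base64.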
0

The password for WPA2-Enterprise AES is stored in the registry.
It can be stored for a user or for the computer.
It's encrypted, but removing the data will remove the stored username and password.

Retrieving the passwords of stored non-PEAP Wi-Fi networks is still possible; if you are an admin, the command-line tool "netsh" is the one to use.

Location of PEAP passwords

User: HKCU\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

Machine: HKLM\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

NON
  • 1
    Please be a little more specific with your detail, consider adding some reference and proof supporting what you state, and confirming this answer is not already answered in one of the existing answers on the post. – Vomit IT - Chunky Mess Style Oct 05 '17 at 14:11
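For the non-PEAP case that NON's answer mentions only by tool name, the relevant netsh command is `netsh wlan show profile name="<profile>" key=clear`, which prints a stored PSK as "Key Content"; enterprise (802.1X/PEAP) profiles have no such line, which is exactly why the registry route above is needed for them. The script below is an added example, not part of NON's answer: it enumerates every saved profile from `netsh wlan show profiles` and reports the authentication type and key for each. It assumes English netsh output (the field labels are localized) and an elevated prompt.

```powershell
# Added example (not from the original answer): list saved Wi-Fi profiles via netsh and show
# which ones expose a PSK with key=clear. Assumes an elevated prompt and English netsh labels.
function Get-WlanProfileKeys {
    # "netsh wlan show profiles" prints lines such as "    All User Profile     : HomeNet".
    $names = netsh wlan show profiles |
        Where-Object { $_ -match '^\s+.*Profile\s*:\s*(.+)$' } |
        ForEach-Object { $Matches[1].Trim() }

    foreach ($name in $names) {
        # Quote the whole name=... token so profile names containing spaces survive argument parsing.
        $detail = netsh wlan show profile "name=$name" key=clear
        $auth = ($detail | Where-Object { $_ -match '^\s*Authentication\s*:' } | Select-Object -First 1) -replace '^.*?:\s*', ''
        $key  = ($detail | Where-Object { $_ -match '^\s*Key Content\s*:' }    | Select-Object -First 1) -replace '^.*?:\s*', ''
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            # WPA2-Enterprise profiles print no "Key Content": the credential is a PEAP
            # username/password held in MSMUserData, not a pre-shared key.
            Key            = if ($key) { $key } else { '<none: not a PSK profile>' }
        }
    }
}

Get-WlanProfileKeys | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; without elevation netsh omits the key material and every profile shows up as having no key.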