If you have been to one of my Wireshark or Wi-Fi classes then you know I often criticize Microsoft Windows for some of its – well – inexplicable approaches to usage and security. Here is yet another example.
Windows stores several important pieces of information in Wi-Fi profiles to facilitate automatic connections to known networks and manage network preferences. Each Wi-Fi profile contains:
Let’s say someone has a Rubber Ducky, or some Arduino device, that they want to plug into your system and get your Wi-Fi passwords.
Can they do it?
Absolutely.
Let me show you how to do this manually from your Command prompt.
Let’s start by being logged into your Windows computer/laptop. You must be logged in. You do not need administrator privileges.
Open a Command Prompt window (Windows-R > cmd or Start > Run > cmd).
Change to the temporary directory for your user:
cd %temp%
This should look something like the following:
C:\Users\amwal>cd %temp%
C:\Users\amwal\AppData\Local\Temp>
Now let's export the Wi-Fi profiles with the Wi-Fi passwords:
netsh wlan export profile key=clear
This command will write an xml file for every profile on the machine. Truthfully this could take a while, especially if there are dozens of Wi-Fi profiles on the system.
Here you can see my system exported 7 profiles:
There may be a bunch of different files in this directory, but if we enter the following command, we should see the xml files:
dir *.xml
As you can see there is one .xml file for every Wi-Fi profile on my system.
If you open one of these files in Notepad or WordPad or Notepad++ (I used Notepad++ so I get the colorization), it will look something like this:
We can see that the WPA2 passphrase is right there in clear text!
Now some systems have no password, like this one:
We can perform one more clever step to put all the passwords from these .xml files into one file:
powershell Select-String -Path Wi-Fi*.xml -Pattern 'keyMaterial' > Wi-Fi-Passwords
This will add a file called Wi-Fi-Passwords to the directory:
OK, now let's look at that file in Notepad or WordPad or Notepad++:
Now I have blurred the passwords on the screenshot above (except the one I revealed for some La Quinta Inn), but you will see on your machine, we have a nice little list of the Systems and their passwords!!
You could now copy this file onto a thumb drive or send it to a web capture portal or who knows what!!
Alright, let’s get rid of this stuff and clean up.
- Close any text editors and files you have open.
- In the command prompt, delete the Wi-Fi*.* files:
Done!
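A check to run after the cleanup, as an added example that is not part of the original article: it parses any Wi-Fi*.xml exports still sitting in a directory and reports which ones hold a cleartext key, without ever printing the key. The sample profile, its SSID and passphrase are constructed, and the function names are hypothetical.

```python
import glob
import os
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the shape of an exported profile; SSID and key are made up.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleNet</name>
  <SSIDConfig><SSID><name>ExampleNet</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>constructed-example-passphrase</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_data):
    """Summarise one exported profile (str or bytes) without returning the key."""
    root = ET.fromstring(xml_data)
    sec = "w:MSM/w:security/"
    protected = root.findtext(sec + "w:sharedKey/w:protected", default="", namespaces=NS)
    key = root.findtext(sec + "w:sharedKey/w:keyMaterial", default="", namespaces=NS)
    return {
        "profile": root.findtext("w:name", default="?", namespaces=NS),
        "authentication": root.findtext(sec + "w:authEncryption/w:authentication", default="?", namespaces=NS),
        "has_key": bool(key.strip()),
        # protected=false means keyMaterial is the readable passphrase (key=clear export)
        "cleartext_key": bool(key.strip()) and protected.strip().lower() == "false",
    }

def find_leftover_exports(directory):
    """Return audit rows for Wi-Fi*.xml files in `directory` that hold a cleartext key."""
    rows = []
    for path in sorted(glob.glob(os.path.join(directory, "Wi-Fi*.xml"))):
        try:
            with open(path, "rb") as fh:
                row = audit_profile(fh.read())
        except (ET.ParseError, OSError):
            continue  # not a readable WLAN profile export
        if row["cleartext_key"]:
            rows.append({"file": path, **row})
    return rows

if __name__ == "__main__":
    for row in find_leftover_exports(os.environ.get("TEMP", ".")):
        print(f'{row["file"]}: {row["profile"]} ({row["authentication"]}) cleartext key on disk')
```

No output means no cleartext exports remain in the directory; the Wi-Fi-Passwords text file is not XML and still has to be deleted separately.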
I hope you find this article and its content helpful.