Wi-Fi password cracking principles and tools

Source: Internet
Author: User

Introduction:

This article studies how Windows stores and encrypts the Wi-Fi account passwords it saves. It explains where the Wi-Fi password is kept on each platform and shows, with working code, how to decrypt it.

Note that it only covers Wi-Fi settings stored by the built-in Windows Wireless Configuration Manager, and it only covers Vista and later operating systems, although some aspects of Windows XP are mentioned along the way.

Wireless Network Configuration:

All Windows systems have a built-in Wireless Configuration Manager to help you manage your wireless connections.
Follow these steps to configure your wireless settings:

1. From Control Panel, open "Network and Internet".
2. Click "Network and Sharing Center".
3. In the left-hand pane, click "Manage wireless networks".
4. This opens the wireless configuration screen, which lists all configured Wi-Fi connections.
5. Click "Add" and then "Manually create a network profile" to create a new wireless network connection.

The "add wireless network" dialog box is displayed.

Current location of the wireless network password:

Before we start, we need to know where these wireless settings are stored on the system. The Wireless Configuration Manager uses different technologies and storage locations on different platforms.

For Windows XP/2003, all wireless settings are stored in the registry under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Here, each wireless device/interface is represented by a unique GUID {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, and all settings for that device are stored in values beneath its GUID key (the current settings in ActiveSettings, saved networks in Static#0000, Static#0001 and so on). The actual content is encrypted with the Windows data protection functions (CryptProtectData). For details, refer to Microsoft's official documentation:

http://msdn.microsoft.com/en-us/library/aa380252%28VS.85%29.aspx#data_encryption_and_decryption_functions

For Vista and Windows 7, the Wireless Configuration Manager no longer uses the registry. Instead, all wireless parameters, including the SSID, the authentication and encryption settings and the key material, are stored in XML files at

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\{Random-GUID}.xml

Here, each wireless device is represented by its interface GUID {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, and every wireless profile for that device is stored in its own XML file whose name is a randomly generated GUID.

Wireless storage mechanism:

The information presented here applies only to Vista and later operating systems.

As we already know, each wireless profile is stored in an XML file. Here is the beginning of such a file (the network settings that follow the SSID are described below):

    <?xml version="1.0"?>
    <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
        <name>SecurityXploded</name>
        <SSIDConfig>
            <SSID>
                <hex>536563757269747958706C6F646564</hex>
                <name>SecurityXploded</name>
            </SSID>
        </SSIDConfig>
        <!-- connection settings and the <MSM>/<security> section follow -->
    </WLANProfile>

In the above example, the wireless network name (SSID) is 'SecurityXploded'. The <SSID> node stores it twice: as raw bytes in hex form in <hex> and as ASCII text in <name>.

The next important part is the <security> node, which holds the authentication and encryption settings in the <authentication> and <encryption> children of <authEncryption>. This profile uses WPA-PSK (WPAPSK) for authentication and AES for encryption.

Now the most interesting part: the wireless password itself is stored in the <sharedKey> node. Its <protected> child indicates whether the password is encrypted or stored in plaintext. If the value is true, the content of <keyMaterial> is encrypted; if it is false, the password appears in plaintext in <keyMaterial>.

Wireless network password encryption:

The following is an encrypted Wi-Fi password as it appears in <keyMaterial> (only the first 16 bytes are shown):

    01000000D08C9DDF0115D1118C7A00C0

This is recognizably the output of the Windows data protection API (CryptProtectData): every blob it produces begins with the version DWORD 01000000 followed by the DPAPI provider GUID, which is exactly the D08C9DDF0115D1118C7A00C0... prefix above. To confirm it, encrypt any test string with CryptProtectData yourself and compare the start of the result with the stored key material: the headers match. For the Windows data protection functions, see:

http://msdn.microsoft.com/en-us/library/aa380252%28VS.85%29.aspx#data_encryption_and_decryption_functions

Another noteworthy point is that no optional entropy is used (the pOptionalEntropy parameter of CryptProtectData, DPAPI's equivalent of a salt). This makes decryption straightforward: hand the raw key material to CryptUnprotectData with NULL entropy, as in the following example:


    #include <windows.h>
    #include <wincrypt.h>   /* link with crypt32.lib */
    #include <stdio.h>

    /* buffer holds the raw bytes of <keyMaterial> (hex already decoded).
       pOptionalEntropy is NULL because Wlansvc protects the key without extra entropy;
       the call only succeeds when the caller runs in the SYSTEM context. */
    void DecryptWiFiPassword(BYTE *buffer, DWORD dwSizeBuffer)
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;

        DataIn.pbData = buffer;
        DataIn.cbData = dwSizeBuffer;

        if (CryptUnprotectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut))
        {
            /* the decrypted key material is the passphrase; print exactly cbData bytes */
            printf("\n Wireless Key Password : %.*s", (int)DataOut.cbData, (char *)DataOut.pbData);
            LocalFree(DataOut.pbData);   /* the output buffer is allocated with LocalAlloc */
        }
        else
        {
            printf("\n CryptUnprotectData failed, error %lu", GetLastError());
        }
    }

One catch: being an administrator is not enough to decrypt it. Wlansvc runs as LocalSystem and protects the key material under the SYSTEM account's DPAPI master key, so CryptUnprotectData only succeeds when the decryption is performed in the SYSTEM context.

There are many ways to execute code in the SYSTEM context. One popular method is to inject code into a system process such as lsass.exe through a remote thread, but this is dangerous: any defect in the injected code can crash the process and destabilize the whole system. A safer way is to create a Windows service that runs under the LocalSystem account and perform the decryption from that service. (On Windows 7 and later, the built-in command netsh wlan show profile name="<SSID>" key=clear, run from an elevated prompt, asks Wlansvc to perform the same decryption on your behalf, which is a convenient way to cross-check a recovered key.)
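The following Python is an added example, not code from the original article or from the WiFiPasswordDecryptor tool. It ties together the profile layout described in the storage section, the DPAPI header seen in <keyMaterial>, and the entropy-free CryptUnprotectData call above: it parses a WLAN profile, cross-checks the hex and ASCII SSID, recognizes and walks the CryptProtectData blob header (version, provider GUID, master-key GUID, algorithms, ciphertext and signature, following the blob layout as documented by public DPAPI tooling), and offers a ctypes wrapper for the decryption itself. The profile, master-key GUID and ciphertext are constructed sample data; the same blob parser applies to the ActiveSettings and Static# values of the XP registry key described earlier.

```python
"""Parse a Wlansvc profile XML and the DPAPI blob held in its <keyMaterial> node.
Constructed example: profile, master-key GUID and ciphertext are made up; only the blob
layout and its header follow the CryptProtectData format as documented by DPAPI tooling."""
import struct
import sys
import uuid
import xml.etree.ElementTree as ET

WLAN_NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# dwVersion = 1 followed by this GUID in little-endian order yields the familiar
# 01000000 D08C9DDF 0115D111 8C7A00C0 4FC297EB prefix of every DPAPI blob.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def parse_wlan_profile(xml_text: str) -> dict:
    """Extract SSID, auth/encryption settings and the sharedKey node of one profile."""
    root = ET.fromstring(xml_text)
    text = lambda path: root.findtext(path, namespaces=WLAN_NS)
    ssid_hex = text("w:SSIDConfig/w:SSID/w:hex")
    ssid_name = text("w:SSIDConfig/w:SSID/w:name")
    if bytes.fromhex(ssid_hex).decode("utf-8") != ssid_name:   # <hex> must equal <name>
        raise ValueError("SSID <hex> and <name> disagree")
    return {
        "ssid": ssid_name,
        "authentication": text("w:MSM/w:security/w:authEncryption/w:authentication"),
        "encryption": text("w:MSM/w:security/w:authEncryption/w:encryption"),
        "protected": text("w:MSM/w:security/w:sharedKey/w:protected") == "true",
        "key_material": text("w:MSM/w:security/w:sharedKey/w:keyMaterial"),
    }


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk a CryptProtectData blob: fixed header, then DWORD-length-prefixed fields."""
    pos = [0]                                   # read cursor shared by the helpers

    def u32():
        (value,) = struct.unpack_from("<I", blob, pos[0])
        pos[0] += 4
        return value

    def raw(length):
        value = blob[pos[0]:pos[0] + length]
        pos[0] += length
        return value

    if u32() != 1 or uuid.UUID(bytes_le=raw(16)) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI (CryptProtectData) blob")
    info = {"master_key_version": u32(), "master_key": uuid.UUID(bytes_le=raw(16)),
            "flags": u32(), "description": raw(u32()).decode("utf-16-le").rstrip("\x00"),
            "alg_crypt": ALG_NAMES.get(u32(), "unknown"), "alg_crypt_bits": u32(),
            "salt": raw(u32()),        # DPAPI's own per-blob salt, not caller entropy
            "hmac_key": raw(u32()),    # empty in blobs written by current Windows
            "alg_hash": ALG_NAMES.get(u32(), "unknown"), "alg_hash_bits": u32(),
            "hmac2_key": raw(u32()), "ciphertext": raw(u32()), "signature": raw(u32())}
    if pos[0] != len(blob):
        raise ValueError("trailing bytes after the DPAPI signature")
    return info


def build_constructed_blob(master_key: uuid.UUID, ciphertext: bytes) -> bytes:
    """Constructed sample in the CryptProtectData layout; the ciphertext is NOT real."""
    field = lambda data: struct.pack("<I", len(data)) + data
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<I", 0)                      # dwFlags
            + field("\x00".encode("utf-16-le"))         # empty description
            + struct.pack("<II", 0x6610, 256)           # CALG_AES_256, 256 bits
            + field(bytes(32)) + field(b"")             # salt, HMAC key
            + struct.pack("<II", 0x800E, 512)           # CALG_SHA_512, 512 bits
            + field(bytes(32))                          # HMAC2 key
            + field(ciphertext) + field(bytes(64)))     # data, signature


def decrypt_key_material(blob: bytes) -> str:
    """CryptUnprotectData with NULL optional entropy; succeeds only as SYSTEM on Windows."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.c_void_p)]

    buf = ctypes.create_string_buffer(blob, len(blob))
    blob_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.c_void_p))
    blob_out = DATA_BLOB()
    if not ctypes.windll.crypt32.CryptUnprotectData(ctypes.byref(blob_in), None, None,
                                                    None, None, 0, ctypes.byref(blob_out)):
        raise ctypes.WinError()   # fails unless the caller can reach SYSTEM's master key
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData).decode().rstrip("\x00")
    finally:
        ctypes.windll.kernel32.LocalFree(blob_out.pbData)


# Constructed sample profile for the "SecurityXploded" network discussed above.
SAMPLE_MASTER_KEY = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_BLOB = build_constructed_blob(SAMPLE_MASTER_KEY, b"\xaa" * 16)
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SecurityXploded</name>
  <SSIDConfig><SSID><hex>%s</hex><name>SecurityXploded</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPAPSK</authentication>
      <encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>%s</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>""" % (b"SecurityXploded".hex().upper(), SAMPLE_BLOB.hex().upper())
```

Running parse_wlan_profile and parse_dpapi_blob works on any OS and is enough to triage a profile: you learn the SSID, whether the key is protected, which master-key GUID (under System32\Microsoft\Protect\S-1-5-18) would be needed, and which ciphers were used. decrypt_key_material only returns the passphrase when the script itself runs as SYSTEM on the machine that wrote the profile (for instance from a LocalSystem service as recommended above); on the constructed sample it will fail, as it should, because the ciphertext is not real.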

Use the Wi-Fi password to decrypt and restore the wireless password:

WiFiPasswordDecryptor is built on this principle. It is a free tool that automatically detects and instantly recovers all stored wireless network passwords, displaying them in plaintext (WEP, WPA, AES and TKIP).

 
