Dumping Stored Enterprise Wifi Credentials with Invoke-WifiSquid

Overview

Primer on the DPAPI and Wireless Credentials

The method header for Protect
The method header for Unprotect

Passkey Networks

Passkey Storage

Yep, I’m using PowerShell
The keyMaterial field has been truncated for obvious reasons

Passkey Decryption

Enterprise Networks

Credential Storage

The full path to an enterprise network

Credential Decryption

Executing commands as another user in PowerShell

Automating the Process with Invoke-WifiSquid

Final Thoughts
