Dumping Stored Enterprise Wifi Credentials with Invoke-WifiSquid

Overview

In this post, I’m going to show you how to find and decrypt stored WPA2-PSK and WPA2-Enterprise network credentials on compromised Windows machines. First I’ll cover the technical background, and then I’ll go over the tool I wrote to automate this often tedious task for you.

Primer on the DPAPI and Wireless Credentials

Windows encrypts wireless credentials using the DPAPI's Protect function and decrypts them using the Unprotect function. The function calls are quite simple:

[Figure: the method headers for Protect and Unprotect]

Passkey Networks

Passkey Storage

Windows stores XML configuration files for passkey networks (as well as public networks and some other types) inside the WLAN Service's program data folder, C:\Programdata\Microsoft\Wlansvc\Profiles\Interfaces. Inside the Interfaces folder there will be one or more subfolders, one for each wireless adapter (assuming the device has at least one). The subfolders are named as GUIDs, so they'll look something like this:

[Figure: the profile XML, viewed in PowerShell (yep, I'm using PowerShell). The keyMaterial field has been truncated for obvious reasons]

Passkey Decryption

Once the keyMaterial string has been translated into a byte array appropriately, it can be passed to the DPAPI's Unprotect function (or CryptUnprotectData for C/C++) along with a null value for the optional entropy and the LocalMachine data protection scope. In theory, since any process can access the LocalMachine scope, any process on the machine should be able to decrypt these keys.
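To make the two parameters the post keeps coming back to concrete (the optional entropy and the DataProtectionScope), here is an added PowerShell example of a DPAPI round trip. It is not part of Invoke-WifiSquid and does not read any profile; the secret is a constructed placeholder, and it only shows why a LocalMachine-scoped blob with null entropy is readable by any local process while a CurrentUser-scoped blob is tied to the owning user.

```powershell
# Added example, not code from the post or from Invoke-WifiSquid.
# Demonstrates DPAPI Protect/Unprotect behaviour with and without entropy
# and across the two DataProtectionScope values. The secret is a placeholder.
Add-Type -AssemblyName System.Security

function Protect-Bytes {
    param([byte[]]$Data, [byte[]]$Entropy,
          [System.Security.Cryptography.DataProtectionScope]$Scope)
    [System.Security.Cryptography.ProtectedData]::Protect($Data, $Entropy, $Scope)
}

function Unprotect-Bytes {
    param([byte[]]$Blob, [byte[]]$Entropy,
          [System.Security.Cryptography.DataProtectionScope]$Scope)
    try {
        [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    } catch {
        $null  # wrong entropy, wrong scope, or a different user/machine
    }
}

$secret = [Text.Encoding]::UTF8.GetBytes('example-psk-placeholder')  # constructed

# 1. LocalMachine scope, null entropy: the shape the post describes for keyMaterial.
#    Any process on this machine can hand the blob back to Unprotect and succeed.
$machineBlob = Protect-Bytes -Data $secret -Entropy $null -Scope LocalMachine
$plain = Unprotect-Bytes -Blob $machineBlob -Entropy $null -Scope LocalMachine
"LocalMachine, null entropy -> {0}" -f [Text.Encoding]::UTF8.GetString($plain)

# 2. Same blob, but the caller supplies entropy the encryptor never used:
#    DPAPI rejects it, so entropy acts as an extra secret a reader would need.
$wrong = Unprotect-Bytes -Blob $machineBlob -Entropy ([byte[]](1, 2, 3)) -Scope LocalMachine
"LocalMachine, wrong entropy -> {0}" -f $(if ($null -eq $wrong) { 'decryption failed' } else { 'unexpected success' })

# 3. CurrentUser scope: the blob is bound to this user's DPAPI master key, which is
#    why the enterprise profiles discussed later must be unprotected in the owner's context.
$userBlob = Protect-Bytes -Data $secret -Entropy $null -Scope CurrentUser
$plain = Unprotect-Bytes -Blob $userBlob -Entropy $null -Scope CurrentUser
"CurrentUser, null entropy -> {0}" -f [Text.Encoding]::UTF8.GetString($plain)
```

Run it as two different local users and the CurrentUser blob from one will fail to unprotect under the other, while the LocalMachine blob decrypts for both.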

Enterprise Networks

Credential Storage

Enterprise network credentials are stored differently than passkey and public networks. While there will still be an XML profile file (as described above) for the network, there will not be a keyMaterial field that can be processed. Instead, enterprise network keys are stored in the registry of the user who owns the key. If you're logged in as the user, that'll be in the HKEY_CURRENT_USER (or HKCU) hive; otherwise it will be in the HKEY_USERS (or HKU) hive under a subkey that is the user's SID. The full path is going to be HKEY_USERS\<SID>\Software\Microsoft\Wlansvc\Userdata\Profiles. It may possibly be under HKEY_USERS\<SID>\Software\Microsoft\Wlansvc\Profiles, although I have not seen this.

[Figure: the full registry path to an enterprise network profile]

Credential Decryption

To begin decrypting the credentials, you need to read this key and then pass it to the Unprotect function with a null entropy value and the LocalMachine scope. This first decryption step will make available the username and the domain name. One of two circumstances is possible: either the password is further encrypted and still must be decrypted, or the password is now fully unencrypted (unlikely, but perhaps possible).

Executing commands as another user in PowerShell

To solve the problem of executing the last step of the decryption as the user that the profile belongs to, I looked at a number of solutions. The other tool I found punts on this problem and says to switch users. There are a couple of ways of achieving this, including prompting the user for their credentials (that's probably not stealthy), supplying their password if you know it, or something similar.

Automating the Process with Invoke-WifiSquid

Unlike the tool that I found, which is in C#, I elected to write this tool in PowerShell so that it's portable across architectures, doesn't require compilation, and can be executed in memory without touching the disk (PowerShell IEX, anyone?). Invoke-WifiSquid automates the entire process of locating profile files and decrypting passkeys, and then it digs through users' registries to locate keys for any enterprise networks.

Final Thoughts

This tool was kind of a quick-and-dirty attempt at writing a script to automate this process. The code is probably not laid out super well, and I will continue working on it. Here are a few to-do’s I’m working on and will push soon:

  • Testing on more platforms — so far, I have only tested it on Windows 10
  • Automatic elevation to SYSTEM from Administrator (maybe with a PowerShell implementation of PsExec?)

Student, hacker, OSCP. My other computer is your computer.