Wireless Security

Retrieving Clear Text Wireless Keys From Compromised Systems


A while back, Joshua Wright wrote a fantastic paper called “Vista Wireless Power Tools for the Penetration Tester”. At the end of paragraph 2.5, “Analyzing Wireless Profiles”, Josh writes, “The PSK itself and other metadata is stored in the keyMaterial element. At this time, it is not known how to decrypt the PSK, however, since this profile is cross-system compatible, the penetration tester can simply add this profile to their own Vista system to obtain authenticated access to the network, as shown in 2.7.” As I read this I thought to myself, “While importing the profile is good and all, decrypting the key is actually stupid easy.” Time to update the paper Josh! Let me show you why.
First, let’s follow some steps that Josh covers in the paper. We start by taking a look at the profiles stored by Windows Wireless Zero Configuration:


Next, we export the profile we are interested in:


Now take a look at the profile:


Notice the authentication type is WPA2PSK and the encryption type is AES. Whew, cracking this could be really tough. I suppose we could try to brute force the key so that our grand children’s grand children would have it. Or we might get lucky with a good word list. But seeing as this is a complete setup… we won’t. So what can we do? Well first, let’s continue along with Josh’s guidance and import the profile into our “attacker” Windows system. Rather than try to find a traditional way to transfer the file, I prefer to copy and paste the contents of the profile into an xml file on my local system, then import it. The next command is executed on the attackers Windows system after the profile has been copied, er pasted, over.


Cool, now we can connect to the network with the saved profile. GAME OVER. Thanks Josh!!!…
(scroll down)

But wait… I promised to show you the key in clear text didn’t I. OK… OK… here comes the magic.




Simplest encryption attack EVAAAAAR!!!!
Just in case you were wondering how I got there:
1. Go to “Manage wireless networks” through the “Network and Sharing Center”.
2. Right click on the target profile and select “Properties”.
3. Go to the Security tab and check “Show characters”.
And, yes. This work on Windows 7 as well. I used Windows 7 to create the screen shots for this blog entry. As always, ENJOY!
Join me for the following events!
Boston, MA – SANS Security 542: Web App Penetration Testing and Ethical Hacking beginning May 7th.
Toledo, OH – SANS Security 560: Network Penetration Testing and Ethical Hacking beginning March 26th!

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.