How can I find Protected EAP credentials of a wireless network stored on Windows 7?

10

6

I need to remember the authentication credentials (username/password) of the wireless network to which I am connected. Is there a way to reveal that information on Windows 7? The wireless network is protected with WPA2-Enterprise AES, with the Protected EAP (PEAP) authentication method; authentication mode is set to "User authentication".

I searched in:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[INTERFACE GUID]\[PROFILE].xml

But there is no mention of user or password.

MrMoog

Posted 2015-02-16T10:47:06.630

Reputation: 113

Did you solve it? I have the same question, although I only need to find usernames. I found this relevant page for Windows XP: https://support.microsoft.com/en-us/kb/823731 Surely there must be some similar registry key in Win7!!

– Kidburla – 2015-09-23T16:31:34.450

@Kidburla no, I didn't solve it. – MrMoog – 2015-09-23T17:24:09.530

same problem here! – Shady Sherif – 2017-09-13T06:15:36.407

Answers

7

You can find an encrypted (with CryptProtectData function) version of PEAP credentials stored in the binary data value named "MSMUserData" in the registry locations already specified in the NON answer:

Location of PEAP passwords

User: HKCU\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

Machine: HKLM\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

The data begins with hex values 01 00 00 00 d0 8c 9d df 01.

Exporting the "MSMUserData" value from the registry, you will obtain a text file containing something like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}]
"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,...

You must convert the list of hex values (right after the "MSMUserData"=hex: string) into a binary file.

Once you obtain the binary file (e.g. called file.dat), you can decrypt it using crypt.exe http://www.outerhost.com/www/upload/8t4l1q2g7549/Crypt.zip together with the PsExec tool https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Running the following command in an elevated command prompt

PsExec.exe -s -i cmd /k crypt.exe file.dat

you will obtain something like:

Decrypted: AAAAAAAAAAAAAAAAAAAAAJAEAAAYAAAAAgAAAJAEAAAAAAAAaQQAACAAAAAAAAAAkAQAA
AAAAAABAAAAGQAAAAAAAAAAAAAAAAAAAAEAAABJBAAAIAAAABkAAAAAAAAAAAAAAAAAAAA1BAAAAgAAA
[...]
A== <<<>>>

Crypt.exe output (after the "Decrypted: " and before the " <<<>>>" strings) is base64 encoded, so you'll need to decode it.

The decoded output will contain the PEAP username and, at the end, beginning with hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with CryptProtectData function) version of the password.

Use crypt.exe again to decrypt this new ciphertext, then decode the output from base64 encoding, and you will obtain the PEAP password.

Andrea Giudiceandrea

Posted 2015-02-16T10:47:06.630

Reputation: 73

Although there are details on how the password is secured, I do wonder about the rationale of using 'PsExec' and that suspicious Crypt.exe. – Bagus Tesa – 2017-11-28T00:55:50.583

2

@BagusTesa: Crypt.exe is a simple Visual Basic .NET program you can build by yourself from the source code included in the linked zip file. The VB.NET module of that program is a code sample from http://www.obviex.com/samples/dpapi.aspx that demonstrates how to call the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData to encrypt and decrypt data. You need PsExec to run crypt.exe in order to decrypt the data using the CryptUnprotectData function as LocalSystem.

– Andrea Giudiceandrea – 2017-12-01T12:51:19.027

Ah, I see, thank you for the clarification. I thought it would be better to state those details or, even better, put the code on GitHub also. – Bagus Tesa – 2017-12-04T01:10:38.717

5

See also "EnterpriseWifiPasswordRecover" on GitHub https://github.com/ash47/EnterpriseWifiPasswordRecover

– Andrea Giudiceandrea – 2018-05-14T19:23:03.193

Is it also possible to save data to this key to prevent users getting a popup for PEAP credentials? If so, what format should the user/password be saved in? – GoldieLocks – 2019-01-10T14:48:25.460
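The hex-to-binary step from Andrea Giudiceandrea's answer above, as an added Python example (not code from the answer or from Crypt.exe). It joins regedit's backslash line continuations, extracts the "MSMUserData" bytes, and checks for the blob prefix the answer quotes; the same prefix search locates the nested blob in the decoded output. The sample export is constructed and all function names are hypothetical.

```python
import re

# Prefix the answer gives for a CryptProtectData (DPAPI) blob.
DPAPI_PREFIX = bytes.fromhex("01000000d08c9ddf01")

def decode_export(raw: bytes) -> str:
    """Decode a regedit export; version 5.00 files are UTF-16 with a BOM."""
    return raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")

def reg_hex_value(reg_text: str, name: str) -> bytes:
    """Return the bytes of a `"name"=hex:...` value from .reg export text."""
    # regedit wraps long values: a trailing backslash continues on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    m = re.search(r'^"%s"=hex:([0-9a-fA-F,]*)\s*$' % re.escape(name), joined, re.M)
    if m is None:
        raise ValueError(f"no hex value named {name!r} in export")
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)

def dpapi_offsets(data: bytes) -> list[int]:
    """Offsets at which the DPAPI blob prefix occurs in data."""
    out, i = [], data.find(DPAPI_PREFIX)
    while i != -1:
        out.append(i)
        i = data.find(DPAPI_PREFIX, i + 1)
    return out

# Constructed sample: prefix bytes from the answer plus made-up filler, not real data.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Wlansvc\\UserData\\Profiles\\{GUID}]\r\n"
    '"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,aa,bb,\\\r\n'
    "  cc,dd,ee\r\n"
)

if __name__ == "__main__":
    # For a real export, use decode_export(open(path, "rb").read()) instead of SAMPLE.
    blob = reg_hex_value(SAMPLE, "MSMUserData")
    if dpapi_offsets(blob)[:1] != [0]:
        raise SystemExit("value does not start with a DPAPI blob")
    with open("file.dat", "wb") as fh:  # file name used in the answer
        fh.write(blob)
    print(len(blob), "bytes written to file.dat")
```
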

0

The password for WPA2-Enterprise AES is stored in the registry.
It can be stored for a user or a computer.
It's encrypted, but removing the data will remove the stored username and password.

Retrieving passwords of stored non-PEAP Wi-Fi networks is still possible. If you are an admin, the command-line tool "netsh" is the tool to use.

Location of PEAP passwords

User
HKCU\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

Machine
HKLM\Software\Microsoft\Wlansvc\UserData\Profiles\[GUID]

NON

Posted 2015-02-16T10:47:06.630

Reputation: 1

1

Please be a little more specific with your detail, consider adding some reference and proof supporting what you state, and confirming this answer is not already answered in one of the existing answers on the post. – Pimp Juice IT – 2017-10-05T14:11:37.997