14 replies to this topic

[FooBar]

Does anyone know how to decrypt the encrypted auth key stored by Wireless Zero (built in windows one).
I found out it stores an xml in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\(your adapter)\(your network).xml

it essentially says

[copy][popup][collapse]?

[-]C Source

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

<?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">     <name>mynetwork</name>     <SSIDConfig>         <SSID>             <hex>6261--hex shit--6E</hex>             <name>mynetwork</name>         </SSID>         <nonBroadcast>true</nonBroadcast>     </SSIDConfig>     <connectionType>ESS</connectionType>     <connectionMode>auto</connectionMode>     <MSM>         <security>             <authEncryption>                 <authentication>WPA2PSK</authentication>                 <encryption>AES</encryption>                 <useOneX>false</useOneX>             </authEncryption>             <sharedKey>                 <keyType>passPhrase</keyType>                 <protected>true</protected>                 <keyMaterial>01000000D08C9DDF--a lot of random hex shit--6E930EED189A3</keyMaterial>             </sharedKey>         </security>     </MSM> </WLANProfile>

The password should be stored in <keyMaterial></keyMaterial> tag

I successfully just copied and pasted a test one of these between computers, and it connected just fine, so the encryption is definitely reversible.

[falkman]

Its not encrypted, its hashed, unless you have an amazing computer, your not going to crack it. Your better off sniffing the air.

[FooBar]

no i said it can't be encrypted, because you can export / import the xml between laptop computers. windows is able to extract the password out of the hash just fine and connect to the network.

i found the path of the xml by debugging cain's "wireless zero password recovery" tool (using procmon from sysinternals), and it is able to instantly draw the password out of the hash.

[FooBar]

i misread and didn't quite recognize your hashed point.

its not hashed because as i said, windows is able to extract the wireless password (to connect) and so is cain.

[sekio]

that is hashed. it's the WPA key you silly bugger.

[FooBar]

well why the fuck is cain reading that file, and how the fuck is it magically extracting the password from the hash?

and what type of hash is it? it doesn't look like any standard ones ive seen before (way too long)

[LoX]

I believe sekio answered your second question.

[nofrillz]

its a hmac hash of the wireless password salted with the ssid

[FooBar]

ok thank you nofrillz, you kind of answered my question. and i'm assuming it is hmac-md5 that you are refering to?

this also explains a little feature i was wondering about in winrtgen that allows the generation of "WPA" rainbow tables to a specific ssid.

so as I am understanding it..
Wireless Zero Password dialogue --- HMAC-? hashed (saved into xml config file) ----> WPA key -----> router = encrypted

it still does not explain how cain is able to get the password from a salted hmac hash. maybe it goes about a different method, and only gets secondary network details from this .xml file?

Edited by Shea_duh_Wabbit, 04 March 2009 - 06:40 PM.

[Rafael]

Not sure where the other posters are getting their information, but you read up on this element and how to decrypt it on MSDN.
http://msdn.microsof...987(VS.85).aspx

[marvolo1300]

I'm really sorry for resurrecting this thread. Nofrillz, if you're still around, how do you decrypt a HMAC hash?

[RAGE]

I posted code that will do this:
[C++] Dump wireless passwords

[marvolo1300]

I posted code that will do this:
[C++] Dump wireless passwords

I put the .xml file in the right directory but it's not working. Do you have a version of this that will search for the profile in another directory, for example, C:.

UPDATE: I have an idea... lemme see if it works and ill update.
UPDATE: Nvm didnt work...

ty for responding so quickly rage

Edited by marvolo1300, 22 March 2011 - 02:55 AM.

[RAGE]

If your process runs in the context of the LocalSystem account, then you can unencrypt key material by calling CryptUnprotectData.

Info Here

This will only work on the machine that you got the profile xml from (afaik).

[marvolo1300]

I see...tyvm.