惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 Malware emails 2: Russian boogaloo TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) A New Botnet is Targeting Network Infrastructure Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Malware Emails From Jerks Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Deploy MDT Litetouch on Linux with TFTPD and Syslinux Generating MSI transform files with Orca The Inflatable Dinghy Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
Retrieving WPA2 Keys on Windows
2018-12-13 · via Posts on Noah Bailey

Ever wanted pull up the password for a WiFi network your computer remembers but you don’t? If you’re anything like me, the computer remembers far more than I do. Luckily, Windows not only stores these keys in plaintext, but some of them can even be retrieved without administrator access! (Is that good? I think it is but something tells me it might not be…)

And of course, let’s go one step further and make a neat little script to pull out all of these keys and present them in a convenient way.

Using the Command Line

In recent versions of Windows, the netsh utility has been the awkward-syntax tool of choice for various network related system administration. The particular module we’re interested is the wlan section. Using this tool, we are able to list all the networks installed on the system, as well as some of the keys (depending on who installed them, how they were installed, and what privilege level you’re operating at)

At its most basic, all wireless profiles can be viewed using this command:

netsh wlan show profile

This will output a full list of almost every wireless connection remembered by your system. If you’ve had your machine as long as I have, there’s probably about twenty to thirty networks in there!

Now to view the key itself, simply add the name of the profile and the key=clear parameter. Depending on the configuration of the profile, your machine, and your own privilege, this may require elevation.

netsh wlan show profile name=MyCoolNetwork key=clear

…And under the “Security Settings” section the key in clear text should appear. Neat!

But that’s pretty pedestrian. We’re not about to go through each profile one by one and list out all the passwords by hand, that takes too much time! Instead, let’s make a tool to extract all of the passwords with PowerShell.

Using PowerShell scripting

This is the solution I came up with. This script pulls out the full list of profiles on the system, then iterates through them and, if they contain a key, add the password to a hashtable with the SSID.

To accomplish this, the script iterates through all the profiles installed on the system in order, and depending on whether it contains a key will either prompt the user with a plaintext key or a hint about the authentication mode used to connect to the network.

#requires -RunAsAdministrator

$regex = '(^.+: )'
$creds = @{}

$network_profile_list = netsh wlan show profiles
$profiles = $network_profile_list -match $regex -replace $regex

foreach ($i in $profiles) { 
    $password = $null 

    $network_profile = netsh wlan show profile name=$i key=clear
    $network_key = ($network_profile `
          | Select-String "Security key") -replace $regex 

    if ( $network_key -match "Present" ) {
        $password = ($network_profile `
          | Select-String "Key Content") -replace $regex
    } 

    else {
        $password = ($network_profile `
          | Select-String "Authentication") -replace $regex 
    }
    
    $creds.add($i,$password)*>$null        
}

# -> Output
$creds | Format-Table 

And just like that, we can extract the information needed from Windows using netsh and some clever PowerShell scripting.

Of course, this will only work with PSK authentication. Some networks use more advanced network auth such as .1x and Radius, which won’t be retrievable with this technique.