How can I find Protected EAP credentials of a wireless network stored on Windows 7?

wireless-networking credentials wpa2 802.1x peap

I need to remember the authentication credentials (username/password) of the wireless network on which I am connected. There is a way to reveal those informations on Windows 7? The wireless network is protected with WPA2-Enterprise AES, with Protected EAP (PEAP) authentication method; authentication mode is set to "User authentication".

I searched in:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[INTERFACE GUID]\[PROFILE].xml

But there is no mention of user or password.


You can find an encrypted (with CryptProtectData function) version of PEAP credentials stored in the binary data value named "MSMUserData" in the registry locations already specified in the NON answer:

Location of PEAP passwords

User HKCU\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]

Machine HKLM\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]

The data begins with hex values 01 00 00 00 d0 8c 9d df 01.

Exporting the "MSMUserData" value from registry you will obtain a text file containing something like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}]
"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,...

You must convert the hex values list (right after the ""MSMUserData"=hex:" string) in a binary file. Use this link: https://tomeko.net/online_tools/hex_to_file.php

Once you obtain the binary file (e.g. called file.dat), you can decrypt it using crypt.exe http://www.outerhost.com/www/upload/8t4l1q2g7549/Crypt.zip in addition with PsExec tool https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

running the following command in an elevated command prompt

PsExec.exe -s -i cmd /k crypt.exe file.dat

you will obtain something like:

Decrypted: AAAAAAAAAAAAAAAAAAAAAJAEAAAYAAAAAgAAAJAEAAAAAAAAaQQAACAAAAAAAAAAkAQAA
AAAAAABAAAAGQAAAAAAAAAAAAAAAAAAAAEAAABJBAAAIAAAABkAAAAAAAAAAAAAAAAAAAA1BAAAAgAAA
[...]
A== <<<>>>

Crypt.exe output (after the "Decrypted: " and before the " <<<>>>" strings) is base64 encoded, so you'll need to decode it into hex. Use: https://base64.guru/converter/decode/hex

The decoded output will contain the PEAP username and, at the end, beginning with hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with CryptProtectData function) version of the password.

Use again crypt.exe to decrypt this new ciphertext and then decode the output from base64 encoding and you will obtain the PEAP password.

Related

Workaround for Dell "Power supply not recognised" issue
Which free software can I use to deskew scanned images
What are the methods available to get the CPU usage in Linux Command line? [closed]
How can I make it as difficult as possible to connect to the Internet from my "work computer"?
Little girl friendly versions of Linux (or themes for Linux) [closed]
Continually getting https Certificate Errors on all browsers
How to delete file with this name on linux: -]???????q [duplicate]
Downloading Windows Updates takes forever
Excel: Is there a registry setting to suppress the warning messages when saving spreadsheets in CSV format?
Force refresh (re-scan) wireless networks from command line?
Windows recursive touch command
How to set boot disk flag with diskpart