A while back, Joshua Wright wrote a fantastic paper called “Vista Wireless Power Tools for the Penetration Tester”. At the end of paragraph 2.5, “Analyzing Wireless Profiles”, Josh writes, “The PSK itself and other metadata is stored in the keyMaterial element. At this time, it is not known how to decrypt the PSK, however, since this profile is cross-system compatible, the penetration tester can simply add this profile to their own Vista system to obtain authenticated access to the network, as shown in 2.7.” As I read this I thought to myself, “While importing the profile is good and all, decrypting the key is actually stupid easy.” Time to update the paper Josh! Let me show you why.
First, let’s follow some steps that Josh covers in the paper. We start by taking a look at the profiles stored by Windows Wireless Zero Configuration:

psk_profiles.png

Next, we export the profile we are interested in:

psk_export.png

Now take a look at the profile:

psk_profile.png

Notice the authentication type is WPA2PSK and the encryption type is AES. Whew, cracking this could be really tough. I suppose we could try to brute force the key so that our grand children’s grand children would have it. Or we might get lucky with a good word list. But seeing as this is a complete setup… we won’t. So what can we do? Well first, let’s continue along with Josh’s guidance and import the profile into our “attacker” Windows system. Rather than try to find a traditional way to transfer the file, I prefer to copy and paste the contents of the profile into an xml file on my local system, then import it. The next command is executed on the attackers Windows system after the profile has been copied, er pasted, over.

psk_import.png

Cool, now we can connect to the network with the saved profile. GAME OVER. Thanks Josh!!!…
(scroll down)

But wait… I promised to show you the key in clear text didn’t I. OK… OK… here comes the magic.
Encrypted…

psk_encrypted.png

Decrypted…

psk_decrypted.png

Simplest encryption attack EVAAAAAR!!!!
Just in case you were wondering how I got there:
1. Go to “Manage wireless networks” through the “Network and Sharing Center”.
2. Right click on the target profile and select “Properties”.
3. Go to the Security tab and check “Show characters”.
And, yes. This work on Windows 7 as well. I used Windows 7 to create the screen shots for this blog entry. As always, ENJOY!
Join me for the following events!
Boston, MA – SANS Security 542: Web App Penetration Testing and Ethical Hacking beginning May 7th.
Toledo, OH – SANS Security 560: Network Penetration Testing and Ethical Hacking beginning March 26th!
REGISTER TODAY FOR DISCOUNTS! Up to 50% on SEC560!

About the author

Leave a Reply