How to find out to which Wi-Fi networks a computer were connected to and stored Wi-Fi passwords
If you forget a password from a Wi-Fi network to which your computer is connected, or you want to find out which networks the computer that is in front of you has previously connected to and what passwords they have, this guide is for you. That is, his manual is suitable if you have physical access to the computer. And it does not matter whether it is turned on or off, works under Windows or under Linux, you have access to the hard disk or to the previously made image from the system disk.
How to extract Wi-Fi passwords from in Windows
If you want to find out what is password of the Wi-Fi network you are currently connected to, you can do this from the graphical interface. Go to the "Network and Sharing Center", click on the network name, as shown in the screenshot:
In the window that opens, click "Wireless Network Properties":
Go to the "Security" tab and tick the box "Display input characters":
In order to find out to which wireless networks this computer was connected earlier and what passwords these networks have, there are several ways. One of them is to use the Windows command line, the second is to use third-party software.
Open a command prompt (press Win+x and select "Windows PowerShell (Administrator)"). To view the available profiles, enter the command:
netsh wlan show profile
To display passwords for all networks, enter:
netsh wlan show profile name=* key=clear
To output the password for a particular network, type the following command:
netsh wlan show profile name="network_name" key=clear
In the previous command, replace the network_name with the actual name of the network of interest, for example, in my case:
netsh wlan show profile name="dlink" key=clear
In my case, only four profiles are shown, and only for them passwords in cleartext are shown. However, I know that this computer was connected to more wireless networks. There is a program with a graphical interface for viewing all previously entered passwords of Wi-Fi networks - it is WirelessKeyView. Although the program is closed source code, it is free.
The program is very easy to use - you just need to run it:
Wireless networks and passwords to which the computer was previously connected will be displayed.
How to find Wi-Fi network passwords when the computer is turned off with Windows
In Windows XP, wireless keys are stored in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\[Interface Guid]. They are well encrypted, so they cannot be seen with RegEdit. However, WirelessKeyView can recover passwords for turned off computers running Windows XP, including those for dead systems that cannot boot. To do this, go to the advanced program options and specify the paths to the corresponding folders.
By the way, Windows XP, after you enter the WPA-PSK key, automatically converts it into a 256-bit key. It can be shown by WirelessKeyView, but it cannot convert it back to the original key that was typed. However, this long key can be used to connect to a wireless network in exactly the same way as the original one. In Windows Vista and later, the WPA-PSK password is not converted, so the program can show the original password.
In Windows Vista and later, passwords from wireless networks are stored in c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[Interface Guid]. Passwords are well encrypted and stored in .xml files.
Some additional information, including a sample code for decrypting the password in Windows Vista and later, can be found here. It also says that passwords need to be decrypted in the context of the system, where they were encrypted. In simple terms, they can be decrypted by the user under which they were encrypted, that is they can not be decrypted for a switched-off computer or by copying files to another computer.
How to extract Wi-Fi passwords in Linux
In Linux, you use Network Manager or WPA supplicant to connect to Wi-Fi. Network Manager is a program with a graphical interface, and WPA supplicant provides a Wi-Fi connection for those who prefer to do everything from the command line.
Both of these programs store the connection settings in the cleartext. Nevertheless, before you go to the console, you can use the graphical interface to find out which Wi-Fi networks the Linux computer was connected to. To do this, click on the Wi-Fi icon next to the clock and select "Network connections." You will see the networks to which the computer is connected now or was connected earlier:
To find out the password, select the network you are interested in and click "Edit". Then go to the tab "Wi-Fi Security" and tick the box "Show password":
Please note that we did not even need an administrator password - it is enough to be a normal user.
As already mentioned, Network Manager stores all its connection settings in the cleartext. In the /etc/NetworkManager/system-connections/ folder. To see what its content type:
ls -l /etc/NetworkManager/system-connections/
To view the names and passwords of Wi-Fi networks:
sudo egrep -h -s -A 9 --color -T 'ssid=' /etc/NetworkManager/system-connections/*
WPA supplicant usually stores its settings in the /etc/wpa_supplicant.conf file or in files with a .conf extension in the /etc/wpa_supplicant/ folder. Nevertheless, it is possible to run this program with an option to provide a configuration file with an arbitrary name and in an arbitrary location. If the WPA supplicant starts automatically every time the computer boots, you can examine the /etc/rc.local file for the WPA supplicant command, which will point to the wireless settings file. You can search for a file by looking at the status of the service (you do not need superuser privileges to view the status of services):
systemctl status wpa_supplicant.service
If the WPA supplicant was started manually, then these commands can be searched in the history:
grep supplicant ~/.bash_history
To see what's in the /etc/wpa_supplicant/ folder:
ls -l /etc/wpa_supplicant/ /
To display the contents of a file, use the cat command, for example:
Normally, the WPA supplicant configuration files are readable by everyone, i.e. this does not require superuser privileges.
How to find Wi-Fi passwords in a switched-off Linux (in system image)
If a Linux-based computer is turned off, it is possible to boot from the Live system, or connect a hard disk with the system of interest to the computer that is turned on. If you are conducting a study from Linux, then it is sufficient to mount the target media file system and examine the files mentioned above. You can also do this from Windows, for this, refer to the note "How to view the contents of a Linux disk from Windows and copy files from it".
- How to extract all web site passwords stored in web bowser (63.6%)
- How to find all passwords (web browsers, email programs, etc.) in Windows and Linux (47.3%)
- Indicators of Man-in-the-middle attacks (39.7%)
- Hacking WPA/WPA2 passwords with Aircrack-ng: dictionary attack, cooperation with Hashcat, maskprocessor, statsprocessor, John the Ripper, Crunch, hacking in Windows (19.5%)
- Hashcat manual: how to use the program for cracking passwords (18.4%)
- WiFi-autopwner: script to automate searching and auditing Wi-Fi networks with weak security (RANDOM - 2.7%)