Extracting stored wifi WPA(2)-Enterprise credentials on Windows 10

Extracting WPA(2)-Enterprise credentials

Step by step guide for n00bs.

Requirements

Make sure you have the following software installed:

Guide

Open cmd as administrator, navigate to the directory where you downloaded the extractor tool and run it for the first time:

cd D:\Downloads\EnterpriseWifiPasswordRecover && EnterpriseWifiPasswordRecover.exe

You will get an output similar to:

{BF946-6E93-4F91-B312-2EB6FAA70F06}
Extracted stage1 for {458BF946-6E93-4F91-B312-2EB6FAA70F06}
{7B32105C-31A1-4700-9537-B975DEBD237A}
Extracted stage1 for {7B32105C-31A1-4700-9537-B975DEBD237A}
{9662200A-3BE5-4FB0-A366-E39016D60019}
Extracted stage1 for {9662200A-3BE5-4FB0-A366-E39016D60019}
{458BF946-6E93-4F91-B312-2EB6FAA70F06}
Extracted stage1 for {458BF946-6E93-4F91-B312-2EB6FAA70F06}
{7B32105C-31A1-4700-9537-B975DEBD237A}
Extracted stage1 for {7B32105C-31A1-4700-9537-B975DEBD237A}
{9662200A-3BE5-4FB0-A366-E39016D60019}
Extracted stage1 for {9662200A-3BE5-4FB0-A366-E39016D60019}
Failed to decrypt {458BF946-6E93-4F91-B312-2EB6FAA70F06} - Run as SYSTEM or ORIGINAL USER!
Failed to decrypt {7B32105C-31A1-4700-9537-B975DEBD237A} - Run as SYSTEM or ORIGINAL USER!
Failed to decrypt {9662200A-3BE5-4FB0-A366-E39016D60019} - Run as SYSTEM or ORIGINAL USER!

The tool is done with the first round now and waits for you to continue as the SYSTEM user.

To run as the SYSTEM user, execute psexec.exe -i -s powershell.exe. A new PowerShell window should pop up. From there, execute the command above again. The tool will continue and extract the email address and domain (if present) for you:

Found encrypted password blob...
Failed to decrypt password --- This needs to be run as the user who owns the password
Found the following:
Domain:
Username: [email protected]
Password:

Now, to get the password, go back to your cmd window and make sure you are logged in as the user who initially entered the credentials of the Wi-Fi network on your computer. Finally, execute the extractor one last time and you're done!

Found encrypted password blob...
Found the following:
Domain:
Username: [email protected]
Password: mysecretpassword123
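
A defender's view of the steps above, as an added example that is not part of the original gist or the extractor tool: the switch to SYSTEM through PsExec and the later run of a binary from a download folder as SYSTEM both show up in process-creation logs. The records below are constructed and use Sysmon Event ID 1 field names; the user LAB\alice, the D:\Tools path and the rule names are assumptions.

```python
import ntpath

SYSTEM = "nt authority\\system"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PSEXEC = {"psexec", "psexec.exe", "psexec64.exe"}
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def ev(image, cmdline, user, parent):
    return {"Image": image, "CommandLine": cmdline, "User": user, "ParentImage": parent}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
TOOL = r"D:\Downloads\EnterpriseWifiPasswordRecover\EnterpriseWifiPasswordRecover.exe"

# Constructed records (not real telemetry), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    ev(CMD, "cmd.exe", r"LAB\alice", r"C:\Windows\explorer.exe"),
    ev(r"D:\Tools\psexec.exe", "psexec.exe -i -s powershell.exe", r"LAB\alice", CMD),
    ev(PS, "powershell.exe", r"NT AUTHORITY\SYSTEM", r"C:\Windows\PSEXESVC.exe"),
    ev(TOOL, "EnterpriseWifiPasswordRecover.exe", r"NT AUTHORITY\SYSTEM", PS),
    ev(r"C:\Windows\System32\whoami.exe", "whoami", r"NT AUTHORITY\SYSTEM", PS),
]

def name(path):
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return ntpath.basename(path.strip('"')).lower()

def rules_for(event):
    """Return the names of the rules one process-creation record matches."""
    hits = []
    tokens = event["CommandLine"].lower().split()
    is_system = event["User"].lower() == SYSTEM
    parent = name(event["ParentImage"])
    # 1. PsExec asked to run something as SYSTEM (-s), as in the guide's command.
    if tokens and name(tokens[0]) in PSEXEC and "-s" in tokens[1:]:
        hits.append("psexec-system-switch")
    # 2. Interactive shell as SYSTEM spawned by the PsExec service (default name).
    if is_system and parent == "psexesvc.exe" and name(event["Image"]) in SHELLS:
        hits.append("system-shell-via-psexesvc")
    # 3. SYSTEM process started from a shell, binary outside OS/program directories.
    if is_system and parent in SHELLS and not event["Image"].lower().startswith(TRUSTED):
        hits.append("system-binary-outside-trusted-path")
    return hits

def detect(events):
    """Return (index, rule) pairs for every rule hit, in event order."""
    return [(i, rule) for i, e in enumerate(events) for rule in rules_for(e)]

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index]["CommandLine"])
```

Rule 2 relies on the default PsExec service name, so it is best paired with rule 3, which does not depend on how the SYSTEM shell was obtained.
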
@Walkman100
Worked for me on Windows 10 Enterprise 22H2 19045.4239 👍