
How to find the WPA Key


13 replies to this topic

#1 matth2004

matth2004

    Will I break 10 posts?

  • Members
  • 7 posts

Posted 18 September 2006 - 06:34 PM

Hi,

I wanted to know how I would go about finding a WPA Key that's stored on a school laptop which connects to a school's wireless connection. Note that the key is already stored in the laptop, as students aren't allowed to know the key. I really want a type of program which is just an exe and doesn't need to be installed. I found one to retrieve the Windows XP CD Key but haven't found one for the WPA Key yet. If you can, do you know any programs that can also recover the WEP Key stored on the computer? I'm pretty sure the school's is WPA.

Regards,
Matt

#2 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 18 September 2006 - 06:39 PM

Keys are usually stored in the registry.

#3 matth2004

matth2004

    Will I break 10 posts?

  • Members
  • 7 posts

Posted 26 September 2006 - 05:50 AM

Keys are usually stored in the registry.


Whereabouts would they be stored?

Regards,
Matt

#4 Gregor

Gregor

    elite

  • Members
  • 109 posts

Posted 26 September 2006 - 06:15 AM

I suspect that it's encrypted. I've just searched my registry for my WPA key and it didn't find it. I'll look into this further as it sounds interesting.

#5 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 26 September 2006 - 07:28 AM

If your school is using WPA in conjunction with RADIUS, then it won't matter if you can find the key because:

1) The access point will periodically update the key on its own, transparently.
2) Even if you have the key, you still wouldn't be able to plug it into a non-authorized device and connect.

If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.

Edited by mirrorshades, 26 September 2006 - 07:40 AM.


#6 scriptkiddy

scriptkiddy

    H4x0r

  • Members
  • 39 posts

Posted 14 February 2008 - 11:38 AM

Hi all... I knew a program that you can use to get the plain text version of the WEP key stored in the registry... iron geek posted that topic earlier on the general Hacking forum, but unfortunately I cannot remember its name. If any of the geeks out there remember that name by any chance, please post it for us.

Thanks a mill

#7 friendless

friendless

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 336 posts
  • Gender:Male
  • Location:Indiana

Posted 14 February 2008 - 11:51 AM

Interesting...

Well, normally I doubt that any standard school would be using RADIUS. I could be wrong. Most schools I'm aware of (and by standard schools I mean junior high or high school, not per se a large university) also wouldn't give students access to a laptop freely that they could execute applications on in the first place.

However I believe a standard WPA key would be encrypted in either:

HKLM/SYSTEM/WPA

or

HKLM/Software/Microsoft/WZCSVC/parameters/Interfaces/

If someone can check either of these and find out?

Also to note, can you tell us if they use the standard WZC windows to connect to the WPA or use a third-party client that, say, comes with a driver or whatnot?

Different methods will most likely save it in different locations...

It wouldn't be hard at all to make any kind of an executable to grab this and dump it somewhere

Edited by friendless, 14 February 2008 - 11:57 AM.


#8 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 14 February 2008 - 01:54 PM

If your school is using WPA in conjunction with RADIUS, then it won't matter if you can find the key because:

1) The access point will periodically update the key on its own, transparently.
2) Even if you have the key, you still wouldn't be able to plug it into a non-authorized device and connect.

If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.


Doesn't matter? If you could transmit on the wireless network you could set up a rogue RADIUS server and intercept the credentials of other users that are logging onto the network. RADIUS is an old protocol used for dial-up authentication. It wasn't meant to be used over wireless... and if he's talking about the PSK, this is one of the things that the temporal key is derived from if I understand correctly. Perhaps someone else that knows more about WPA could enlighten us. I just can't agree with key disclosure being a non-issue.
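
The key hierarchy behind the PSK remark above, as an added example that is not part of any post in this thread: it derives the WPA pairwise master key from a passphrase and SSID, expands it into per-session keys, and contrasts that with 802.1X/RADIUS, where each authentication yields its own master key. The passphrase/SSID pair is the published IEEE 802.11i test input; the MAC addresses and nonces are constructed, and the per-session EAP master key is modelled as random bytes (an assumption).

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=64):
    """Pairwise transient key: PMK mixed with both MACs and both handshake nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

# Constructed sample values (not from the thread).
AP = bytes.fromhex("020000000001")
STA_A = bytes.fromhex("020000000002")
STA_B = bytes.fromhex("020000000003")

def compare_modes():
    # PSK mode: every station derives the same PMK from passphrase + SSID;
    # only the MACs and nonces differ between sessions.
    shared_pmk = pmk_from_passphrase("password", "IEEE")
    ptk_a = ptk(shared_pmk, AP, STA_A, os.urandom(32), os.urandom(32))
    ptk_b = ptk(shared_pmk, AP, STA_B, os.urandom(32), os.urandom(32))
    # 802.1X/RADIUS mode: the PMK comes out of each EAP authentication,
    # modelled here as fresh random bytes per session (an assumption).
    eap_pmk_a, eap_pmk_b = os.urandom(32), os.urandom(32)
    return {
        "psk_session_keys_differ": ptk_a != ptk_b,
        "eap_master_keys_differ": eap_pmk_a != eap_pmk_b,
    }

if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE").hex())
    print(compare_modes())
```

In PSK mode the passphrase is the single root for every station's session keys, which is why its storage on shared laptops matters to the network owner; with 802.1X each session starts from its own master key.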

#9 Y0ungBra1n

Y0ungBra1n

    The floor is made of lava!

  • Agents of the Revolution
  • 1,239 posts
  • Gender:Male
  • Location:Sal Tlay Ka Siti

Posted 14 February 2008 - 04:43 PM

wzcook is a program that can extract keys from the registry. I stumbled upon it one day looking up airsnort stuff. Do a google for wzcook.exe B)

#10 friendless

friendless

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 336 posts
  • Gender:Male
  • Location:Indiana

Posted 14 February 2008 - 04:52 PM

Yay! Any idea if ' wzCOOK.exe ' decrypts the KEY if it's encrypted and another question, IS IT encrypted in the registry (assuming that's where it grabs it from) ?

#11 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 04 March 2008 - 11:12 PM

Doesn't matter? If you could transmit on the wireless network you could set up a rogue RADIUS server and intercept the credentials of other users that are logging onto the network. RADIUS is an old protocol used for dial-up authentication. It wasn't meant to be used over wireless... and if he's talking about the PSK, this is one of the things that the temporal key is derived from if I understand correctly. Perhaps someone else that knows more about WPA could enlighten us. I just can't agree with key disclosure being a non-issue.

It wouldn't matter. The key merely controls the encryption, not access to the network. If you know what the key is, you can snoop on the traffic; however, knowing the key won't allow you to connect a device to the network. That's what the RADIUS server does. Also periodically updates the key, so even if you have a valid key, it may not be valid for long.

Would be difficult to set up a rogue RADIUS server and have it work right... the devices that rely on RADIUS for authentication identify the server by the IP address. Thus, you'd need your rogue server to appear to have the IP address of the valid one, and execute the protocol properly. Not to say it couldn't be done, but it would be tricky, I would imagine. (I can't say that I've tried it.)

Referring back to the original question, though, (wow this is an old thread) the OP did just ask about the key... he didn't say he wanted to gain access to the network, maybe I just assumed that in my original reply.

#12 sshblack

sshblack

    SUP3R 31337

  • Members
  • 178 posts
  • Location:MKinUK

Posted 05 March 2008 - 06:36 AM

If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.



I thought this was definitely the way to get WEP/WPA keys. Simply type "http://192.168.0.1" into the IE or Firefox address bar and it should ask you for admin name and password. Seeing as it's a school, they may have changed the access to this.

Try admin/username = "admin"
password = "password" or "admin"

Should this not gain you access to the router settings then your admin guy has changed the access details and you'll need another way to get access.
If on the other hand it does let you in follow the "wireless network" tab (as explained in quote above) for the wep/wpa key.

[side question, if you gain access to the router settings and the admin has changed the WEP key and it is now in dots or asterisks, are there cracking programs for decrypting these ********* ?]

#13 Corleone

Corleone

    elite

  • Members
  • 111 posts
  • Location:Belgium

Posted 05 March 2008 - 07:13 AM

Run this little app on the computer and you will get
all wep/wpa passwords.
Get it here



#14 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 05 March 2008 - 08:42 AM

I thought this was definitely the way to get WEP/WPA keys. Simply type "http://192.168.0.1" into the IE or Firefox address bar and it should ask you for admin name and password. Seeing as it's a school, they may have changed the access to this.

Try admin/username = "admin"
password = "password" or "admin"

You're making a lot of assumptions there. At the very least, you'd want to look up the defaults for whatever model of WAP is being used and start there. For example, I have a Netgear WPN802... the default IP address is 192.168.0.231.

If you do manage to gain access to the router, though, you may be able to specify your own key -- or at least give the admin a headache. Likely that whatever you do, though, would show up in some way. (E.g. changing the key would make all other connections using the original key suddenly stop working.)

If on the other hand it does let you in follow the "wireless network" tab (as explained in quote above) for the wep/wpa key.

No, I was referring to the wireless networks tab on the individual's own computer... this will give some information about the type of connection.

[side question, if you gain access to the router settings and the admin has changed the WEP key and it is now in dots or asterisks, are there cracking programs for decrypting these ********* ?]

I saw one a long time ago (maybe 10 years) that could do it, but it only worked with password fields in applications, not in a web browser. By design, it's not a trivial process.



