How to find the WPA Key
#1
Posted 18 September 2006 - 06:34 PM
I wanted to know how I would go about finding a WPA Key that's stored on a school laptop which connects to a school's wireless connection. Note that the key is already stored in the laptop, as students aren't allowed to know the key. I really want a type of program which is just an exe and doesn't need to be installed. I found one to retrieve the Windows XP CD Key but haven't found one for the WPA Key yet. If you can, do you know any programs that can also recover the WEP Key stored on the computer? I'm pretty sure the school's is WPA.
Regards,
Matt
#2
Posted 18 September 2006 - 06:39 PM
#3
Posted 26 September 2006 - 05:50 AM
Keys are usually stored in the registry.
Whereabouts would they be stored?
Regards,
Matt
#4
Posted 26 September 2006 - 06:15 AM
#5
Posted 26 September 2006 - 07:28 AM
1) The access point will periodically update the key on its own, transparently.
2) Even if you have the key, you still wouldn't be able to plug it into a non-authorized device and connect.
If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.
Edited by mirrorshades, 26 September 2006 - 07:40 AM.
#6
Posted 14 February 2008 - 11:38 AM
Thanks a mill
#7
Posted 14 February 2008 - 11:51 AM
Well, normally I doubt that any standard school would be using RADIUS. I could be wrong. Most schools I'm aware of (and I mean standard schools such as junior high or high school, not per se a large university) also wouldn't give students access to a laptop freely that they could execute applications on in the first place.
However I believe a standard WPA key would be encrypted in either:
HKLM/SYSTEM/WPA
or
HKLM/Software/Microsoft/WZCSVC/parameters/Interfaces/
If someone can check either of these and find out?
Also to note, can you tell us if they use the standard WZC windows to connect to the WPA, or use a third-party client that, say, comes with a driver or whatnot?
Different methods will most likely save it in different locations...
It wouldn't be hard at all to make any kind of an executable to grab this and dump it somewhere.
Edited by friendless, 14 February 2008 - 11:57 AM.
#8
Posted 14 February 2008 - 01:54 PM
If your school is using WPA in conjunction with RADIUS, then it won't matter if you can find the key because:
1) The access point will periodically update the key on its own, transparently.
2) Even if you have the key, you still wouldn't be able to plug it into a non-authorized device and connect.
If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.
Doesn't matter? If you could transmit on the wireless network you could set up a rogue RADIUS server and intercept the credentials of other users that are logging onto the network. RADIUS is an old protocol used for dial-up authentication. It wasn't meant to be used over wireless... and if he's talking about the PSK, this is one of the things that the temporal key is derived from, if I understand correctly. Perhaps someone else that knows more about WPA could enlighten us. I just can't agree with key disclosure being a non-issue.
#9
Posted 14 February 2008 - 04:43 PM
#10
Posted 14 February 2008 - 04:52 PM
#11
Posted 04 March 2008 - 11:12 PM
Doesn't matter? If you could transmit on the wireless network you could set up a rogue RADIUS server and intercept the credentials of other users that are logging onto the network. RADIUS is an old protocol used for dial-up authentication. It wasn't meant to be used over wireless... and if he's talking about the PSK, this is one of the things that the temporal key is derived from, if I understand correctly. Perhaps someone else that knows more about WPA could enlighten us. I just can't agree with key disclosure being a non-issue.
It wouldn't matter. The key merely controls the encryption, not access to the network. If you know what the key is, you can snoop on the traffic; however, knowing the key won't allow you to connect a device to the network. That's what the RADIUS server does. Also periodically updates the key, so even if you have a valid key, it may not be valid for long.
Would be difficult to set up a rogue RADIUS server and have it work right... the devices that rely on RADIUS for authentication identify the server by the IP address. Thus, you'd need your rogue server to appear to have the IP address of the valid one, and execute the protocol properly. Not to say it couldn't be done, but it would be tricky, I would imagine. (I can't say that I've tried it.)
Referring back to the original question, though, (wow this is an old thread) the OP did just ask about the key... he didn't say he wanted to gain access to the network, maybe I just assumed that in my original reply.
#12
Posted 05 March 2008 - 06:36 AM
If you go into the properties of the wireless adapter, then click on the "wireless networks" tab, you can view the connection properties of your school's SSID. This should give you some idea as to the configuration on the server end.
I thought this was definitely the way to get WEP/WPA keys. Simply type "http://192.168.0.1" into the IE or Firefox address bar and it should ask you for admin name and password. Seeing as it's a school, they may have changed the access to this.
Try admin/username = "admin"
password = "password" or "admin"
Should this not gain you access to the router settings, then your admin guy has changed the access details and you'll need another way to get access.
If, on the other hand, it does let you in, follow the "wireless network" tab (as explained in the quote above) for the WEP/WPA key.
[side question: if you gain access to the router settings and the admin has changed the WEP key and it is now in dots or asterisks, are there any cracking programs for decrypting these ********* ?]
#14
Posted 05 March 2008 - 08:42 AM
I thought this was definitely the way to get WEP/WPA keys. Simply type "http://192.168.0.1" into the IE or Firefox address bar and it should ask you for admin name and password. Seeing as it's a school, they may have changed the access to this.
Try admin/username = "admin"
password = "password" or "admin"
You're making a lot of assumptions there. At the very least, you'd want to look up the defaults for whatever model of WAP is being used and start there. For example, I have a Netgear WPN802... the default IP address is 192.168.0.231.
If you do manage to gain access to the router, though, you may be able to specify your own key -- or at least give the admin a headache. Likely that whatever you do, though, would show up in some way. (E.g. changing the key would make all other connections using the original key suddenly stop working.)
If, on the other hand, it does let you in, follow the "wireless network" tab (as explained in the quote above) for the WEP/WPA key.
No, I was referring to the wireless networks tab on the individual's own computer... this will give some information about the type of connection.
[side question: if you gain access to the router settings and the admin has changed the WEP key and it is now in dots or asterisks, are there any cracking programs for decrypting these ********* ?]
I saw one a long time ago (maybe 10 years) that could do it, but it only worked with password fields in applications, not in a web browser. By design, it's not a trivial process.