What the heck is EAP?
EAP, the "Extensible Authentication Protocol", is a general authentication framework that supports various authentication methods, for example username and password, a digital certificate, or the SIM card.
However, I am mainly concerned with the username and password used for WLAN authentication, for example against a RADIUS server.
My objective
Read and decrypt the WLAN EAP credentials under Windows 10!
Unfortunately I could not find a way to do this with the usual Windows tools like PowerShell or "netsh wlan".
Therefore, I first looked into how and where the data is stored and how I can get to it.
Research & Decryption
The credentials are stored in the registry under the following path:
The registry value "MSMUserData" is stored in binary format (REG_BINARY).
Credentials of the current local user are listed under the "HKEY_CURRENT_USER" hive, and the general (all-user) credentials under the "HKEY_LOCAL_MACHINE" hive.
To analyze the data more closely, I wrote two small PowerShell commands that export the data cleanly to "C:\MSMUserData.dat".
The MSMUserData.dat:
Very cryptic, right?
This binary data is encrypted with DPAPI, which .NET exposes as the ProtectedData class. Depending on the DataProtectionScope, "CurrentUser" or "LocalMachine", the key is derived from the current user's or the machine's master key, so the data can only be decrypted in the same scope it was encrypted in.
So our next program has to run in the scope that was used to encrypt this "MSMUserData" value in the past: as the same user for user-scoped data, or on the same machine for machine-scoped data.
Let's write a simple program in C# to decrypt this!
After running our C# program with machine rights, the output is the unprotected content of the registry value "MSMUserData", written to our MSMUserData.bin file.
We could display the output in an ordinary hex editor, but I wrote a little Python script with the same effect.
Additionally, the script searches for the byte sequence "0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF, 0x01",
where the user password begins, and writes that part to the file "PWData.dat". That sequence is the start of a DPAPI blob header (dwVersion = 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), i.e. the password is stored as a second, separately protected DPAPI blob inside the first.
If the credentials belong to a normal user, we need to decrypt the "PWData.dat" file a second time with the "CurrentUser" scope, running as that user, using the C# program above. For simplicity, this example is only encrypted with the "LocalMachine" scope.
So then let's do it:
And the approximately readable output of the script:
And there you go, we have decrypted the user credentials, bravo!
As we can see in our example output, in lines 13 and 29.
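The carving step above, as an added example that is not the author's Python script or C# program: the byte sequence the script searches for (01 00 00 00 D0 8C 9D DF 01) is the start of a DPAPI blob header (dwVersion = 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), so the password inside MSMUserData.bin is itself a second DPAPI blob. The code below parses that header completely, which gives the blob's exact length and its dwFlags (so you can tell whether the second round needs CurrentUser or LocalMachine scope before trying), and on Windows hands each carved blob to CryptUnprotectData directly through ctypes, in place of the C# ProtectedData call. The file names, function names and the sample buffer are assumptions; the sample blob is constructed and cannot be decrypted anywhere.

```python
"""Carve and decrypt the DPAPI blob(s) nested in a decrypted MSMUserData buffer.
Added example, not the author's script. Input is assumed to be MSMUserData.bin (the
output of the first Unprotect round). The 01 00 00 00 D0 8C 9D DF 01 marker the page
searches for is a DPAPI blob header, so the password blob is parsed and carved whole.
"""
import ctypes
import struct
import sys
import uuid

# dwVersion = 1, then the DPAPI provider GUID in on-disk byte order:
# 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB
DPAPI_HEADER = struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
CRYPTPROTECT_LOCAL_MACHINE = 0x4   # dwFlags bit recorded when protected with machine scope


class _Reader:
    """Bounds-checked little-endian cursor over a bytes buffer."""
    def __init__(self, buf, off):
        self.buf, self.off = buf, off
    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("blob truncated at offset %d" % self.off)
        self.off += n
        return self.buf[self.off - n:self.off]
    def u32(self):
        return struct.unpack("<I", self.take(4))[0]
    def counted(self):                 # DWORD length, then that many bytes
        return self.take(self.u32())


def parse_dpapi_blob(buf, off=0):
    """Walk the DPAPI blob layout (mimikatz/dpapick field order) at off; return the
    metadata needed to decide how to decrypt it, plus the blob's exact length."""
    r = _Reader(buf, off)
    if r.take(len(DPAPI_HEADER)) != DPAPI_HEADER:
        raise ValueError("no DPAPI header at offset %d" % off)
    _mk_version, master_key = r.u32(), uuid.UUID(bytes_le=r.take(16))
    flags = r.u32()
    description = r.counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, _key_bits, salt, _hmac_key = r.u32(), r.u32(), r.counted(), r.counted()
    alg_hash, _hash_bits, _hmac2_key = r.u32(), r.u32(), r.counted()
    data, sign = r.counted(), r.counted()          # ciphertext, then the blob's HMAC
    return {"master_key": master_key, "flags": flags, "description": description,
            "scope": "LocalMachine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "CurrentUser",
            "alg_crypt": alg_crypt, "alg_hash": alg_hash, "salt": salt, "data": data,
            "sign": sign, "length": r.off - off}


def find_dpapi_blobs(buf):
    """Return (offset, parsed) for every complete DPAPI blob embedded in buf."""
    found, pos = [], buf.find(DPAPI_HEADER)
    while pos != -1:
        try:
            info = parse_dpapi_blob(buf, pos)
            found.append((pos, info))
            pos = buf.find(DPAPI_HEADER, pos + info["length"])
        except ValueError:                         # false positive or cut-off tail
            pos = buf.find(DPAPI_HEADER, pos + 1)
    return found


class _DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_unprotect(blob):
    """Second round: hand one carved blob to CryptUnprotectData (Windows only). Run as the
    protecting user (CurrentUser) or on that machine (LocalMachine); scope comes from the blob."""
    if sys.platform != "win32":
        raise RuntimeError("CryptUnprotectData needs Windows; carve here, decrypt there")
    crypt32, kernel32 = ctypes.windll.crypt32, ctypes.windll.kernel32
    raw = ctypes.create_string_buffer(blob, len(blob))
    inp = _DATA_BLOB(len(blob), ctypes.cast(raw, ctypes.POINTER(ctypes.c_char)))
    out = _DATA_BLOB()
    if not crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None,
                                      0x1, ctypes.byref(out)):   # CRYPTPROTECT_UI_FORBIDDEN
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)


def build_sample_blob(description, ciphertext, flags=CRYPTPROTECT_LOCAL_MACHINE):
    """Constructed test data: structurally valid, but decryptable nowhere."""
    counted = lambda b: struct.pack("<I", len(b)) + b
    return (DPAPI_HEADER + struct.pack("<I", 1) + uuid.UUID(int=0x1234).bytes_le
            + struct.pack("<I", flags) + counted((description + "\x00").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + counted(b"\x11" * 32)  # CALG_AES_256, salt
            + counted(b"") + struct.pack("<II", 0x800E, 512) + counted(b"")  # CALG_SHA_512
            + counted(ciphertext) + counted(b"\x22" * 64))


# Constructed stand-in for MSMUserData.bin: some UTF-16 text, then the password blob.
SAMPLE_DECRYPTED = (b"\x00" * 8 + "user@example".encode("utf-16-le") + b"\x00\x00"
                    + build_sample_blob("", b"\xaa" * 16) + b"\x00" * 4)

if __name__ == "__main__":                         # python carve_dpapi.py MSMUserData.bin
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DECRYPTED
    for off, info in find_dpapi_blobs(buf):
        print("DPAPI blob at 0x%x, %d bytes, scope %s, master key %s"
              % (off, info["length"], info["scope"], info["master_key"]))
        if sys.platform == "win32":                # the PWData.dat round, done in place
            print("plaintext:", dpapi_unprotect(buf[off:off + info["length"]]))
```

Run it with MSMUserData.bin as the argument on the machine that holds the master key (and, when the parsed scope is CurrentUser, as that user); without an argument it only parses the constructed sample. Because the exported MSMUserData.dat is itself a DPAPI blob starting at offset 0, the same scanner can also be pointed at that file: unprotect the blob it finds, then scan the plaintext again for the inner password blob.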
Conclusion
We embarked on a quest to decrypt this data as the standard Windows tools were unable to provide a straightforward solution.
Our research led us to the Windows registry where we identified the storage location for these critical credentials.
The registry value "MSMUserData" held the encrypted data in binary format. To get at it we built a small set of tools, starting with PowerShell commands to export the data cleanly into "C:\MSMUserData.dat". That was only the first step.
Decrypting that binary data required a C# program that calls ProtectedData.Unprotect on "MSMUserData.dat", and it has to run in the same scope that was used to encrypt the data originally, either "user" (CurrentUser) or "machine" (LocalMachine).
The output of this step, the "MSMUserData.bin" file, was decrypted but still cryptic. To make it readable we used a Python script that prints a hex dump and also locates the start of the user password, which is itself a second DPAPI blob.
Note that for per-user credentials the second decryption has to run with "CurrentUser" scope and as that user; in our example we simplified the process by using "LocalMachine" scope.
In conclusion, decrypting WLAN EAP credentials on Windows 10 is possible with a little effort.
The protection around this data is DPAPI and nothing more, so anyone who can read the registry value and run code in the matching scope on that machine can recover the stored EAP username and password.
The ability to decrypt and understand this information helps with managing and securing network access, and it shows that a stored EAP password is only as safe as the user account or machine that protects it.