Today
we will be taking a look at how we can dump Wireless Credentials. We will cover
Credential Dumping, Red Teaming, Different ways we can get those pesky wireless
credentials.
Table of Content
·
What is Credential Dumping?
·
Credential Dumping in Real Life
·
Credential Dumping and Red Teaming
·
Credential Dumping Methods
o
netsh
o
WirelessKeyView
o
Wifi
Network Properties
o
LaZagne
o
Mimikatz
o
Metasploit
Framework
·
Mitigation
What is Credential
Dumping?
When the term password cracking is used in the
cyber world, it is being used as a broad concept as it shelters all the methods
related to attacking/dumping/retrieving passwords of the victim/target. But
today, in this article we will solely focus on a technique called Credential
Dumping.
Credential dumping is said to be a technique
through which username and passwords are extracted of any login account from
the target system. It is this technique that allows an attacker to get
credentials of multiple accounts from one person. And these credentials can be
of anything such as a bank, email account, social media account, wireless
networks.
Credential Dumping in
Real Life
When an attacker has access to the target system
and through that access, they successfully retrieve the whole bunch of their credentials.
Once you are inside the target’s system, there are multiple methods to retrieve
the credentials of a particular thing. For instance, to redeem all the names
and passwords of the wireless networks to which the operating system has
connected, there are various methods that an attacker can use and we will try
and cover all of those methods here in our article. Now another thing to focus
on is that this dumping of credentials can be done both in internal penetration
testing and external penetration testing, it depends on the methodology,
perspective or subjectivity of the attack on the bases of which the best
suitable method can be decided.
Credential Dumping
Methods
Just like the instance presented
above, we will portray various methods to dump wireless credentials from a
system in this article. So, let’s get started, shall we?
Manual Credential
Dumping
All the Wi-Fi password with their
respective SSID are stored in an XML file. The location of these files is C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***.
Here, you will find that SSID of wifi is saved in clear text whereas
passwords are stored as keys.
Credential Dumping
using netsh
Netsh is a scripting utility provided
by Microsoft itself. It can be used both in command prompt or Windows
PowerShell. Netsh is short for network shell. When executed, it provides
detailed information about the configuration of the network that the system ever
had; including revealing the credentials of wireless networks that it has ever
been connected to. This utility comes with various parameters that can be used
to get various information as per the requirement. This method can be used both
in internal and external penetration testing as netsh commands can be executed
both locally and remotely.
To get the list of the SSIDs that the
device has been connected to use the following command:
netsh wlan show profiles
And as a result of the above command,
you can see the names of the Wi-Fi networks that the system was connected to in
the past or present such as Meterpreter, Linuxlab, etc. The same has been
demonstrated in the image above.
Further, to know the passwords of any
one of the mentioned SSIDs use the following command :
netsh wlan show profile name= key=clear
And just like it is shown in the
image above, the result of the above command will give you the password.
Credential Dumping
using WirelessKeyView
A wireless key view is a simple software
accesses the XML files where wireless passwords are stored and reveals them in
cleartext. This tool was developed to recover lost and forgotten password of a
wireless network. This is the perfect method for credential dumping in internal
network penetration testing. To utilize this method simply download the tool
from here and run
it, you will get all the Wi-Fi names and its password as shown in the image
below:
Credential Dumping
using Wifi Network Properties
Our next method is manual, it is good
when you are introduced to the network to work but for some reason, the
password of the network isn’t revealed to you. Then you can use this method, as
it falls under the category of internal penetration testing methodology. To
reveal the password of a wireless network manually, go to Control Panel >
Network and Internet > Network and Sharing Center and then click on Wi-Fi
(*SSID*). A dialogue box will open, in that box click Wireless
Properties button in the upper pane. Next, go to Security tab and
you can see the password there just as it is shown in the image below:
Credential Dumping
using LaZagne
LaZagne is an open-source tool that
was developed to retrieve all the passwords stored in your machine. We have
covered LaZagne in our other article, which you can read from here.
In our experience, LaZagne is an amazing tool for credential dumping and its
the best tool to be used for external penetration testing. To extract Wi-Fi
password with LaZagne, simply download the tool from here and run it remotely
using it following command :
lazagne.exe Wi-Fi
After running the above command, all
the Wi-Fi-related passwords with their respective SSID will be extracted.
Credential Dumping
using Mimikatz
Another method that can be very
useful in external penetration testing is using Mimikatz. We have covered
various features of Mimikatz in our other article, which you can find here.
Once you have the victim’s session use the following commands to get the passwords:
getsystem
load kiwi
Wi-Fi_list_shared
And very easily you will have all the
passwords at your service as shown in the image above.
Credential Dumping
using Metasploit Framework
Then our next method is to use
Metasploit to retrieving desired passwords. As all of us know that Metasploit
is a framework that provides us with already constructed exploits to make
pentesting convenient. And is an amazing platform for a beginner and expert in
hacking pentesting world.
Now, to dump credentials there comes
an in-built post exploit in the Metasploit and to run the said exploit; go to
the terminal of Metasploit by typing msfconsole and get the session of you to
the target system using any exploit you prefer. And then background the session
use the post-exploit for extracting desired Wi-Fi credentials by using the
following commands:
use post.windows.wlan/wlan_profile
set session 1
exploit
And just as it is shown in the image
above, you will have your credentials.
Mitigation
There
are various measures that you can follow in order to protect yourself from
credential dumping attacks. These measures are given below:
·
Keep you employees/employers aware
·
DO NOT use default SSID of a wireless network
·
Do not save the passwords on the system
·
Always reconnect to a Wi-Fi manually.
·
Have a different network for guests
·
Use VPN
·
Change your Wi-Fi password regularly
·
Use a different IP address instead of the
default one
·
Make sure your modems don’t have reset button
as most of the modems come with the reset button. When the said button is
pressed, it brings back the default settings which doesn't have any security
layer and allows anyone to connect.
So,
these were the methods to dump wireless credentials. Apply the suggested
mitigation to your systems or networks in order to keep yourself safe from
attackers. I hope these were useful and keep tuning in for various hacking
techniques!
We
are well aware these are tough times for everyone and, we, here at hacking
articles hope and pray that everyone is safe and following the measure of
self-quarantine. And for all the hacking/pen-testing enthusiasts we are working
hard to bring more and more new content so that you can learn new things and
use this self-isolation to its best. Stay Safe and take care! Happy Hacking!
0 comments:
Post a Comment