Retrieving WPA2 Keys on Windows

Retrieving WPA2 Keys on Windows

Ever wanted pull up the password for a WiFi network your computer remembers but you don’t? If you’re anything like me, the computer remembers far more than I do. Luckily, Windows not only stores these keys in plaintext, but some of them can even be retrieved without administrator access! (Is that good? I think it is but something tells me it might not be…)

And of course, let’s go one step further and make a neat little script to pull out all of these keys and present them in a convenient way.

Using the Command Line

In recent versions of Windows, the netsh utility has been the awkward-syntax tool of choice for various network related system administration. The particular module we’re interested is the wlan section. Using this tool, we are able to list all the networks installed on the system, as well as some of the keys (depending on who installed them, how they were installed, and what privilege level you’re operating at)

At its most basic, all wireless profiles can be viewed using this command:

netsh wlan show profile

This will output a full list of almost every wireless connection remembered by your system. If you’ve had your machine as long as I have, there’s probably about twenty to thirty networks in there!

Now to view the key itself, simply add the name of the profile and the key=clear parameter. Depending on the configuration of the profile, your machine, and your own privilege, this may require elevation.

netsh wlan show profile name=MyCoolNetwork key=clear

…And under the “Security Settings” section the key in clear text should appear. Neat!

But that’s pretty pedestrian. We’re not about to go through each profile one by one and list out all the passwords by hand, that takes too much time! Instead, let’s make a tool to extract all of the passwords with PowerShell.

Using PowerShell scripting

This is the solution I came up with. This script pulls out the full list of profiles on the system, then iterates through them and, if they contain a key, add the password to a hashtable with the SSID.

To accomplish this, the script iterates through all the profiles installed on the system in order, and depending on whether it contains a key will either prompt the user with a plaintext key or a hint about the authentication mode used to connect to the network.

#requires -RunAsAdministrator

$regex = '(^.+: )'
$creds = @{}

$network_profile_list = netsh wlan show profiles
$profiles = $network_profile_list -match $regex -replace $regex

foreach ($i in $profiles) { 
    $password = $null 

    $network_profile = netsh wlan show profile name=$i key=clear
    $network_key = ($network_profile `
          | Select-String "Security key") -replace $regex 

    if ( $network_key -match "Present" ) {
        $password = ($network_profile `
          | Select-String "Key Content") -replace $regex

    else {
        $password = ($network_profile `
          | Select-String "Authentication") -replace $regex 

# -> Output
$creds | Format-Table 

And just like that, we can extract the information needed from Windows using netsh and some clever PowerShell scripting.

Of course, this will only work with PSK authentication. Some networks use more advanced network auth such as .1x and Radius, which won’t be retrievable with this technique.