In previous articles we have seen how to decrypt dpapi blobs.
Dpapi blobs are not always stored in file blobs.
They can be stored in different places like registry, config file, etc and in various formats such as hexadecimal string, but also base64 strings, etc.
Lets have a look at how Windows stores wifi passwords.
These are stored in xml files in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces.
You can easily be found with : dir %programdata% /s /a /b | findstr /i interfaces.
When logged as the user, you can decrypt it with the below command :
NTHASH-win64 /wlansvc /binary:C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{2799BE4D-A2D4-417D-A774-481DBE1FF7FC}\{98B3A77A-3A5A-44A1-81AE-DDB88A168B24}.xml /system
Good news is that we can also decrypt it these offline.
Run the above command.
NTHASH will tell you that it failed to decrypt it BUT it will dump the blob to data.blob.
From there (and using the same steps as in this article):
-use /decodeblob to identify the masterkey guid
-use /decodemk to decrypt the masterkey (locate it with dir %systemroot%\System32\Microsoft\Protect /s /a /b | findstr /i myguid) using the dpapi system key.
-use /decodeblob again but this time supplying the SHA1 key obtained in previous step
-done 🙂