1

I'm looking for technical details on how Windows, Linux, and macOS all store the SSIDs and passwords for every wireless network you've ever connected to. I've tried searching for this, but my Google-fu is not so strong on this one. All I'm getting are results showing you how to view wireless networks or import/export the keys.

I'm not interested in the mechanism the OS provides for management. What I want to know is where and how these OSes physically store the credential information. Is it the keychain or Registry (on macOS or Windows respectively), or some config file on the drive? And what kind of data is it? Individual .plist/.ini/.xml files with encrypted hashes? A single binary blob that only the wlan service understands?

They're obviously stored in a system-wide location since they connect before any user logs in. And they're also protocol-agnostic, so they'll still work if you switch between WPA2 and WPA3.

And what security mechanisms (if any) prevent an attacker from copying this data to another computer? Is there machine-specific salt that would invalidate the hashes, or would the attacker then have access to the same WiFi networks?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Wes Sayeed
  • 777
  • 1
  • 5
  • 7
  • Windows: https://www.google.com/search?q=where+does+windows+store+wifi+passwords 6th hit: https://superuser.com/questions/1433261/how-does-windows-7-8-10-store-and-protect-wifi-password – schroeder Aug 08 '23 at 07:54
  • Mac: https://www.google.com/search?q=where+does+macos+store+keychain+files the top hit is Apple Support – schroeder Aug 08 '23 at 07:57
  • Linux: https://www.google.com/search?q=where+does+linux+store+wifi+passwords 2nd hit: https://unix.stackexchange.com/questions/179543/where-does-linux-store-wifi-passwords – schroeder Aug 08 '23 at 07:58
  • Found all of that, and those hits replicate the answer below, in less than 4 minutes. I'm not sure what you were googling ... So, I'm going to assume that those were not your core questions. As for your last paragraph, the duplicate I linked was the 2nd hit for the search term: https://www.google.com/search?q=do+clients+hash+wifi+password which the answer below also echoes. – schroeder Aug 08 '23 at 07:59

1 Answers1

7

In general, passwords can only be hashed on the server side, because hashing algorithms are one-way algorithms. The client must be able to present the password and the server compares the calculated hash to the stored hash. Therefore, a client must know the actual password, so it must store it somehow in the original form; whether it is plain text or encrypted.

Windows

Windows stores the wireless security settings including the passphrase in an encrypted form in .xml files located in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[Interface Guid]\. E.g.,

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>Example</name>
    <SSIDConfig>
        <SSID>
            <hex>0123456789ABCD</hex>
            <name>Example</name>
        </SSID>
        <nonBroadcast>false</nonBroadcast>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPA2PSK</authentication>
                <encryption>AES</encryption>
                <useOneX>false</useOneX>
            </authEncryption>
            <sharedKey>
                <keyType>passPhrase</keyType>
                <protected>true</protected>
                <keyMaterial>[encrypted-passPhrase]</keyMaterial>
            </sharedKey>
        </security>
    </MSM>
</WLANProfile>

However, Windows will reveal the unencrypted password to you on command. On an elevated (run as administrator) command prompt:

netsh wlan show profiles name="Example" key=clear | findstr "Key Content"

Linux

On Linux this depends on the distribution & how the networks are managed in it.

For example, Ubuntu uses Network Manager for this. The network configurations are located in /etc/NetworkManager/system-connections/. There are .nmconnection or .nm files per connection, and its 802-11-wireless-security section has the credentials, e.g.,

[connection]
id=Example
uuid=1fa9d924-3b13-4e47-b819-61dfdb10bfc8
type=wifi
interface-name=wlan0
permissions=
timestamp=1691469401

[wifi]
mac-address-blacklist=
mode=infrastructure
seen-bssids=01:23:45:67:89:AB;
ssid=Example


[wifi-security]
key-mgmt=wpa-psk
psk=here-is-the-wifi-passphrase-in-plain-text

MacOS

The passwords including the Wi-Fi passwords are stored in Keychains, the password management system for MacOS. Physically the passwords are stored in encrypted .keychain files in ~/Library/Keychains/ (and subdirectories), /Library/Keychains/ & /Network/Library/Keychains/. The Keychain Access application can be used to view the passwords.

Esa Jokinen
  • 18,957
  • 6
  • 58
  • 61
  • For Windows, do you know how the password is encrypted? My best guess would be DPAPI (or possibly DPAPI-NG) with the machine-wide key, but it's possible it would be something other than that and I'm curious if you know. (For the OP: DPAPI is the per-user or per-machine encryption scheme used to implement Windows' equivalent of the MacOS keychain, among other features. The per-user keys are derived from or at least protected by the user's password; the per-machine ones are unique per installation but basically just stored in an access-restricted part of the registry.) – CBHacking Aug 08 '23 at 06:29
  • Nope. I'm curious, too, if someone happens to know. – Esa Jokinen Aug 08 '23 at 06:31