I am trying to decrypt a WEP profile's key using CryptUnprotectData. The way I fetched the profile key is by exporting the profile using netsh.
    netsh wlan export profile name="MyWEP" folder="./"
For now, I manually copied the key material from the .xml file generated by the netsh command to my program. And the way I am decrypting it is:
    DATA_BLOB DataOut, DataVerify;
    DataOut.cbData = encryptData.length();
    DataOut.pbData = (BYTE*)("I_Manually_Copy_The_WEP_Key_Here");
    if (CryptUnprotectData(&DataOut,
                           NULL,
                           NULL,
                           NULL,
                           NULL,
                           0,
                           &DataVerify))
    {
        printf("The decrypted data is: %s\n", DataVerify.pbData);
    }
    else
    {
        printf("Failed. Error Code: %d", GetLastError());
    }
But I am getting the error code 13 citing Invalid Data. What am I doing wrong? On Win 7 and later, I can directly use WlanGetProfile with the parameter WLAN_PROFILE_GET_PLAINTEXT_KEY. But I have NO option on Vista other than to use the CryptUnprotectData function. I have seen similar posts here, here but didn't get much useful information. Also, I am using the same system with the same user logon credentials. Could anyone please suggest how to proceed?
PS: I have posted the same question on the Windows Desktop SDK forums, but haven't got a response yet. Trying my luck on SO.
I like questions about Windows Security. So if I occasionally see one, I try to solve it.
In your case you have already done the first step by using
    netsh.exe wlan export profile ...
to export the data from the WLAN profile to an XML file. The file contains a <keyMaterial> element. The data inside the element is binary data encoded as hex (something like 01000000D08C9DDF0115D1118C7A00C0...).
So what you need to do first of all is to decode the string to binary data. You can use CryptStringToBinary with the CRYPT_STRING_HEX parameter to decode the string to binary.
The next step will be to fill a DATA_BLOB with the binary data and call CryptUnprotectData to get the result, but... there is a small problem. You can read the following in the documentation of WlanGetProfile:
So to be able to unencrypt the key we have to call CryptUnprotectData in the LocalSystem security context. If your program already runs under the LocalSystem context you can do this directly. If it's not so, but you have administrative rights or you have at least the Debug privilege, you can "borrow" the LocalSystem token from some other process running on the computer. For example, one can get the process token of the "winlogon.exe" process and impersonate it.
The following demo program enumerates processes using the NtQuerySystemInformation method (see my old answer), which I personally prefer. One can use EnumProcesses or other well-known ways to do the same. Here is the code which worked for me
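
The hex-decoding step described in this answer, as an added example that is not part of the original post or the answerer's program: a portable C stand-in for CryptStringToBinary with CRYPT_STRING_HEX, plus a check for the DPAPI blob header that the `01000000D08C9DDF...` prefix corresponds to. The function names and the sample input are assumptions made for illustration; the raw hex text copied from the XML fails the header check, which is why the question's call returned error 13.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First 20 bytes of a DPAPI blob: dwVersion = 1, then the provider GUID
   {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in its in-memory byte order. */
static const unsigned char DPAPI_HEADER[20] = {
    0x01,0x00,0x00,0x00, 0xD0,0x8C,0x9D,0xDF, 0x01,0x15,0xD1,0x11,
    0x8C,0x7A,0x00,0xC0, 0x4F,0xC2,0x97,0xEB };

static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode hex text (whitespace allowed between bytes) into out.
   Returns the byte count, or -1 on a bad digit, odd length or overflow. */
long hex_to_bytes(const char *hex, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*hex) {
        if (isspace((unsigned char)*hex)) { hex++; continue; }
        int hi = hex_val((unsigned char)hex[0]);
        int lo = hi < 0 ? -1 : hex_val((unsigned char)hex[1]);
        if (hi < 0 || lo < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)(hi << 4 | lo);
        hex += 2;
    }
    return (long)n;
}

/* 1 if buf starts with the DPAPI header, i.e. is plausibly a DATA_BLOB payload. */
int looks_like_dpapi_blob(const unsigned char *buf, size_t len) {
    return len > sizeof DPAPI_HEADER &&
           memcmp(buf, DPAPI_HEADER, sizeof DPAPI_HEADER) == 0;
}

int main(void) {
    /* Constructed sample: real header followed by made-up filler bytes. */
    const char *key_material =
        "01000000D08C9DDF0115D1118C7A00C04FC297EB" "00112233445566778899AABB";
    unsigned char blob[256];
    long n = hex_to_bytes(key_material, blob, sizeof blob);
    printf("decoded %ld bytes, DPAPI header: %s\n", n,
           n > 0 && looks_like_dpapi_blob(blob, (size_t)n) ? "yes" : "no");
    /* The undecoded hex text is what the question's code handed to DPAPI. */
    printf("raw text as blob: %s\n", looks_like_dpapi_blob(
           (const unsigned char *)key_material, strlen(key_material)) ? "yes" : "no");
    return 0;
}
```

The decoded buffer and its byte count are what belong in `pbData` and `cbData` of the DATA_BLOB passed to CryptUnprotectData.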