Overview
The WifiProfile command enumerates saved WiFi profiles on the system and attempts to extract SSIDs, authentication types, and cleartext passwords/passphrases. This reveals previously connected wireless networks and their credentials, which can be valuable for gaining access to other networks or understanding the user’s physical locations.Syntax
This command does not support remote execution.
Output
Returns WiFi profile information:- Profile name (SSID)
- Authentication type (WPA2-Personal, WPA2-Enterprise, etc.)
- Encryption type (AES, TKIP)
- Cleartext password/passphrase (if available)
- Auto-connect setting
- Connection mode
Use Cases
- Red Team
- Blue Team
- Extract WiFi passwords for network access
- Identify corporate vs guest networks
- Understand user’s physical movement patterns
- Gain access to additional networks
- Identify potential pivot points
Example Output
Remote Execution
WiFi profiles are stored locally in the system and require local access to extract.Detection Considerations
Moderate detection risk - reads WiFi profile XML files.
- File Access: Reads XML files from
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\ - API Calls: May use WLAN API functions
- Privilege Requirements: Requires administrator privileges to extract passwords
- EDR Telemetry: File access may be logged by security products
Defensive Recommendations
- Monitor access to WiFi profile XML files
- Alert on bulk WiFi credential extraction
- Implement file integrity monitoring on profile directory
- Correlate with other credential theft indicators
Related Commands
- NetworkProfiles - Network profile history
- DNSCache - DNS cache entries
- NetworkShares - Network shares
- InternetSettings - Internet and proxy settings