elgesl / keepass-mswifiimport

A plugin for KeePass 2 which imports the Wi-Fi profiles saved in Windows.
https://elgesl.github.io/keepass-mswifiimport/
GNU General Public License v3.0

Skip unsupported/invalid XML files (exports without keyMaterial) #10

Open x11x opened 8 months ago

x11x commented 8 months ago

I have WLAN profiles on my system that are not WPA2-PSK, and hence the XML that netsh exports doesn't have a <keyMaterial> element in it. For example, open networks, and networks using WPA2-Enterprise/EAP/etc.

When I try to use "Read from system" to import, I get an "Error in XML file ..." error. So I dumped them manually using netsh wlan export and realized that not all files have a <keyMaterial> element; some have a different structure/schema (elements containing EAP stuff), which causes errors for this plugin. I can import the regular WPA2-PSK ones with <keyMaterial> in them fine.

I have a limited understanding of EAP, but I believe Windows stores credentials using the Credential Manager, and netsh does not seem to include the credentials in its XML export.

It would be nice if this plugin supported extracting/inserting credentials from Credential Manager to make these other types of connection profiles work correctly, but that is probably a bigger job.

It would be good to fix the immediate problem by just skipping the unsupported XML files, so that users can still use "Read from system", or bulk import XML files, and have the supported ones imported, and the unsupported ones skipped. Otherwise, you can't use it at all if you have any profiles on your system other than WPA2-PSK, it seems. Open networks should definitely be skipped as they wouldn't have any secrets that needed storing in Keepass, unless I'm mistaken?

Edit: Looks like the open networks work fine, they just get imported without a Password field, and other parameters are saved in the Advanced fields. So please disregard what I said above about skipping open networks.

However, I am still having problems with WPA2-Enterprise/EAP/802.1x profiles. Here is an example:

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>Foo</name>
    <SSIDConfig>
        <SSID>
            <hex>466F6F</hex>
            <name>Foo</name>
        </SSID>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPA2</authentication>
                <encryption>AES</encryption>
                <useOneX>true</useOneX>
            </authEncryption>
            <PMKCacheMode>enabled</PMKCacheMode>
            <PMKCacheTTL>720</PMKCacheTTL>
            <PMKCacheSize>128</PMKCacheSize>
            <preAuthMode>disabled</preAuthMode>
            <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                <authMode>user</authMode>
                <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1"><ServerValidation><ServerNames></ServerNames><TrustedRootCAHash>96 f6 f1 6a 5a f4 9c 9e 79 5f ef 31 af de fb 15 bf b3 20 96 c6 a4 34 6b e 95 5d 55 2a d3 c0 73</TrustedRootCAHash><DisablePrompt>false</DisablePrompt></ServerValidation><Phase2Authentication><PAPAuthentication/></Phase2Authentication><Phase1Identity><IdentityPrivacy>true</IdentityPrivacy><AnonymousIdentity>anonymous</AnonymousIdentity></Phase1Identity></EapTtls></Config></EapHostConfig></EAPConfig>
            </OneX>
        </security>
    </MSM>
    <MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
        <enableRandomization>false</enableRandomization>
    </MacRandomization>
</WLANProfile>

As you can see, there are no credentials in there that can be imported. Trying to import to Keepass using this plugin gives "There is an error in XML document (25, 812).". Same thing happens when I try to use "Read from system" (and it doesn't import the other valid profiles).
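
The skip-instead-of-abort behaviour requested above, as an added example in Python (not the plugin's own code, which is a C# KeePass plugin): a namespace-aware parser for netsh wlan export XML that imports profiles whose secret is in the file (WPA2-PSK with a <keyMaterial>, and open networks, which get no password) and records a reason for every file it skips (802.1X/EAP profiles like the one above, a <keyMaterial> left DPAPI-protected by an export without key=clear, and malformed files), so one bad file no longer stops the whole batch. The sample profiles are constructed; the EAP one is abridged from the profile quoted in the issue, and the element names follow the Microsoft WLAN profile schema.

```python
"""Added example, not the plugin's code: parse netsh wlan export XML, import the
profiles whose secret is in the file and skip the others with a reason."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespaces as they appear in the profile quoted in the issue.
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}


@dataclass
class WlanProfile:
    name: str
    ssid: str
    authentication: str
    encryption: str
    key_material: Optional[str]  # None for open networks (entry gets no Password)


class UnsupportedProfile(Exception):
    """The secret for this profile is not in the XML, so there is nothing to import."""


def parse_profile(xml_text: str) -> WlanProfile:
    """Parse one exported profile; raise UnsupportedProfile for files to skip."""
    root = ET.fromstring(xml_text)  # ET.ParseError on malformed XML
    if root.tag != "{%s}WLANProfile" % NS["p"]:
        raise ValueError("not a WLANProfile document")
    name = root.findtext("p:name", default="", namespaces=NS)
    ssid = root.findtext("p:SSIDConfig/p:SSID/p:name", default=name, namespaces=NS)
    sec = root.find("p:MSM/p:security", NS)
    if sec is None:
        raise ValueError("profile %r has no MSM/security element" % name)
    auth = sec.findtext("p:authEncryption/p:authentication", default="", namespaces=NS)
    enc = sec.findtext("p:authEncryption/p:encryption", default="", namespaces=NS)
    use_onex = sec.findtext("p:authEncryption/p:useOneX", default="false", namespaces=NS)
    # 802.1X/EAP: the credential is stored outside the XML, as the issue describes.
    if use_onex.strip().lower() == "true" or sec.find("onex:OneX", NS) is not None:
        raise UnsupportedProfile("802.1X/EAP profile; credentials are not in the export")
    key = sec.findtext("p:sharedKey/p:keyMaterial", namespaces=NS)
    protected = sec.findtext("p:sharedKey/p:protected", default="false", namespaces=NS)
    if key is not None and protected.strip().lower() == "true":
        # Exported without key=clear: keyMaterial is a DPAPI blob, not the passphrase.
        raise UnsupportedProfile("keyMaterial is DPAPI-protected; export with key=clear")
    if key is None and auth.lower() != "open":
        raise UnsupportedProfile("authentication %s but no keyMaterial" % auth)
    return WlanProfile(name, ssid, auth, enc, key)


def import_profiles(docs: dict) -> tuple:
    """Batch import of {label: xml}. Returns (imported, {label: skip reason});
    one unsupported or malformed file no longer aborts the whole run."""
    imported, skipped = [], {}
    for label, xml_text in docs.items():
        try:
            imported.append(parse_profile(xml_text))
        except (UnsupportedProfile, ValueError, ET.ParseError) as exc:
            skipped[label] = str(exc)
    return imported, skipped


# --- constructed sample input (minimal netsh-style profiles, not real exports) ---
def _wlan_xml(name, auth, enc, security_extra="", onex="false"):
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['p']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>{auth}</authentication>
      <encryption>{enc}</encryption><useOneX>{onex}</useOneX></authEncryption>
    {security_extra}
  </security></MSM>
</WLANProfile>"""


def _shared_key(key, protected=False):
    return ("<sharedKey><keyType>passPhrase</keyType><protected>%s</protected>"
            "<keyMaterial>%s</keyMaterial></sharedKey>" % (str(protected).lower(), key))


# Abridged from the issue's profile: only the OneX wrapper matters for the decision.
_ONEX = '<OneX xmlns="%s"><authMode>user</authMode><EAPConfig/></OneX>' % NS["onex"]

SAMPLES = {
    "Home.xml": _wlan_xml("Home", "WPA2PSK", "AES", _shared_key("hunter2-wifi")),
    "Cafe.xml": _wlan_xml("Cafe", "open", "none"),
    "Foo.xml": _wlan_xml("Foo", "WPA2", "AES", _ONEX, onex="true"),
    "Work.xml": _wlan_xml("Work", "WPA2PSK", "AES", _shared_key("0a1b2c", protected=True)),
    "Broken.xml": "<WLANProfile>",
}

if __name__ == "__main__":
    ok, bad = import_profiles(SAMPLES)
    for p in ok:
        print("imported", p.name, p.authentication, "password" if p.key_material else "no password")
    for label, why in bad.items():
        print("skipped ", label, "-", why)
```

Run as-is to see Home and Cafe imported and Foo, Work and Broken skipped with their reasons. The decision is made on `useOneX`/`OneX` and on `sharedKey/protected` before anything is deserialized against a fixed schema, which is where a strict deserializer trips over the EAPConfig line in the profile above.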

x11x commented 8 months ago

Investigating more where credentials are stored for EAP/802.1x connections, they don't seem to be in Credential Manager, but in the registry under HKCU\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}\MSMUserData, encoded and encrypted (using dpapi CryptProtectData function), as described in this answer. A few hoops to jump through to extract the data, but does not look too difficult. But maybe EAP/802.1x support should be a different issue anyway?