With the introduction of iOS 11 and macOS High Sierra, a new feature was added: Sharing WiFi Passwords.
This awesome and convenient feature comes with one drawback: the passwords are stored in Keychain encrypted. From my decent knowledge of Wi-Fi networks, macOS must be able to decrypt the encrypted key into the plaintext password in order to use it to connect.
How can I decrypt the Keychain key to get the password in plaintext?
Best Answer
The summary answer is that the password doesn't need to be passed, as the authentication can take advantage of a derived value that combines the SSID and the passphrase into a longish hexadecimal string (or value, since everything is a number in the end) and stores that. You would need to reverse engineer or crack that intentional one-way process to remove the password component of the end product.
Here is an article that describes your question.
Alright, for example here is the password I used:
SomeSnazzyPassphrase!
And here it is in the keychain after iOS shares it to a Mac:
CEAF1EE4F3050D25F2EF057A66CFD4570559C95656450407136347B75960255E
Before we understand how to reverse it, we must understand how we got there.
First of all, we're using a program called wpa_passphrase, which is used in combination with your SSID and passphrase to generate that long encoded string. This is how we obtained the large "password" above:
wpa_passphrase <ssid> [passphrase]
For example:
wpa_passphrase MySSID SomeSnazzyPassphrase!
And we have the PSK hashed, created to be:
CEAF1EE4F3050D25F2EF057A66CFD4570559C95656450407136347B75960255E
Now as wpa_supplicant uses an AES-based cipher, reversing that isn't going to be easy. In fact, I'm just going to go out on a limb and say it's practically impossible.
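An added example, not part of the original answer: the WPA/WPA2-Personal PSK that wpa_passphrase prints is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), so a stored 64-hex-digit value can be confirmed against a passphrase you already know but not turned back into one. The function names are hypothetical, and the check vector is the published IEEE 802.11i one (SSID "IEEE", passphrase "password").

```python
import hashlib
import hmac
import string


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PSK as lowercase hex."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    # The SSID is the salt, so the same passphrase yields a different PSK per network.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def classify_secret(value: str) -> str:
    """Tell a stored derived PSK (64 hex digits) from a plaintext passphrase."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return "psk"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    return "invalid"


def passphrase_matches(ssid: str, passphrase: str, stored_psk_hex: str) -> bool:
    """Confirm that a known passphrase corresponds to a stored PSK."""
    return hmac.compare_digest(derive_psk(ssid, passphrase), stored_psk_hex.lower())


# Published IEEE 802.11i test vector.
IEEE_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
# Value quoted in the answer above, as found in the keychain.
KEYCHAIN_VALUE = "CEAF1EE4F3050D25F2EF057A66CFD4570559C95656450407136347B75960255E"

if __name__ == "__main__":
    print(classify_secret(KEYCHAIN_VALUE))             # what the keychain holds
    print(classify_secret("SomeSnazzyPassphrase!"))    # what the user typed
    print(derive_psk("IEEE", "password") == IEEE_PSK)
    print(passphrase_matches("IEEE", "password", IEEE_PSK.upper()))
    # Same passphrase on a different (constructed) SSID gives an unrelated PSK.
    print(derive_psk("IEEE-guest", "password") == IEEE_PSK)
```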