In this guide, we'll build a Python program that is capable of revealing all previously connected devices on a Windows computer. This is perfect for digital forensics in a situation where an adversary is being investigated for malicious Wi-Fi activity. A person might think that by merely forgetting a Wi-Fi network from their computer, it's totally gone. Well, that's not the case, as we'll see.
As wireless networking has become prevalent, the Windows Registry now retains data pertaining to wireless connections - even when you "forget" them from your computer. To see what I mean, open up your cmd and type this command (make sure you run it as an administrator):
```
$ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s
```
This command searches through the Windows Registry to find and display information about the networks your computer has connected to:
Bear in mind that the image is cropped.
We can see the network name in the "FirstNetwork" value after REG_SZ and the MAC address in the "DefaultGatewayMac" value after REG_BINARY. Don't worry about the format of the MAC address, we'll fix that in our code.
So with this command, we can get all devices that a computer has previously connected to, whether they forgot the network or not. Let's implement this with Python.
As always, open up a Python file, name it meaningfully like win_reg.py and follow along. Today we won't be installing any packages as we'll be using Python's winreg that allows us to access the Windows Registry for system configuration data. It comes preinstalled with Python on any Windows machine.
Also, we're using Python 3. So, first things first. We import winreg and create a function to convert our MAC address as seen above to the standard format, e.g. 00:11:r4:66:88:44
```python
import winreg  # Import registry module.

def val2addr(val):  # Convert value to address format.
    addr = ''  # Initialize address.
    try:
        for ch in val:  # Loop through the bytes of the value.
            addr += '%02x ' % ch  # Convert each byte to hexadecimal.
        addr = addr.strip(' ').replace(' ', ':')[0:17]  # Format address.
    except TypeError:  # Value is missing or is not a sequence of bytes.
        return "N/A"  # Return N/A if error occurs.
    return addr  # Return formatted address.
```
Next, we create the function that does the main job - listing the Wi-Fi networks:
```python
def printNets():  # Print network information.
    net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"  # Registry key for network info.
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, net)  # Open registry key.
    print('\n[*] Networks You have Joined:')  # Print header.
    for i in range(winreg.QueryInfoKey(key)[0]):  # Loop through every network subkey.
        try:
            guid = winreg.EnumKey(key, i)  # Get network key.
            netKey = winreg.OpenKey(key, guid)  # Open network key.
            try:
                # Read the values by name instead of relying on their position in the key.
                addr, t = winreg.QueryValueEx(netKey, 'DefaultGatewayMac')  # Get MAC address.
                name, t = winreg.QueryValueEx(netKey, 'FirstNetwork')  # Get network name.
                if addr:
                    macAddr = val2addr(addr)  # Convert MAC address.
                else:
                    macAddr = 'N/A'
                netName = str(name)  # Convert network name to string.
                print(f'[+] {netName} ----> {macAddr}')  # Print network info.
            except WindowsError:  # A value is missing from this subkey.
                pass  # Continue loop.
            winreg.CloseKey(netKey)  # Close network key.
        except WindowsError:  # Handle errors.
            break  # Exit loop.
    winreg.CloseKey(key)  # Close registry key.

printNets()  # Call printNets function.
```
The printNets() function accesses the Windows Registry to gather and display network connection details. It iterates through network keys, retrieves MAC addresses and names, and prints the information. Error handling and proper closure of registry keys are ensured within the function. Finally, the function is called to execute the network information retrieval and printing process.
And we're done with the code. Let's run it:
Note: Please make sure to run this script as an administrator. If you're on an IDE such as VSCode or simply command prompt, you have to run it as an administrator.
These are all the networks this computer has connected to. On the same computer, if you go to Wi-Fi settings and click on the known networks, here's what you'll get:
The others have been "Forgotten" so they do not appear here, but they're very much still in the Windows Registry. So you see how important such a tool is in digital forensics.
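When only the saved text output of the reg query command shown earlier is available (for example, collected from a machine you cannot run Python on), the same two values can be extracted from that text. This is an added example, not part of the original tutorial's code; the sample output, subkey names, SSIDs and MAC addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of saved `reg query ... /s` output (all values made up).
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"
SAMPLE = "\n".join([
    BASE + r"\EXAMPLE-SIGNATURE-1",
    "    FirstNetwork    REG_SZ    Cafe Guest",
    "    DefaultGatewayMac    REG_BINARY    A0B1C2D3E4F5",
    BASE + r"\EXAMPLE-SIGNATURE-2",
    "    FirstNetwork    REG_SZ    Cafe Guest",
    "    DefaultGatewayMac    REG_BINARY    0011AA66FF44",
    BASE + r"\EXAMPLE-SIGNATURE-3",
    "    FirstNetwork    REG_SZ    HomeNet",
    "    DefaultGatewayMac    REG_BINARY",  # gateway MAC was never recorded
])
# Only the two values the tutorial reads: name, registry type, then the data.
VALUE_LINE = re.compile(r"^\s+(FirstNetwork|DefaultGatewayMac)\s+REG_(?:SZ|BINARY)\s*(.*)$")

def format_mac(hex_text):
    """Turn reg.exe's REG_BINARY hex string into aa:bb:cc:dd:ee:ff, or N/A."""
    digits = hex_text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return "N/A"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_reg_query(text):
    """Return one {'key', 'ssid', 'mac'} record per signature subkey."""
    records, current = [], None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):  # a new subkey starts a new record
            current = {"key": line.rsplit("\\", 1)[-1], "ssid": "", "mac": "N/A"}
            records.append(current)
        elif m and current is not None and m.group(1) == "FirstNetwork":
            current["ssid"] = m.group(2).strip()
        elif m and current is not None:
            current["mac"] = format_mac(m.group(2))
    return records

def gateways_by_ssid(records):
    """Group gateway MACs per network name (one name can map to several)."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["ssid"]].add(rec["mac"])
    return {ssid: sorted(macs) for ssid, macs in seen.items()}

if __name__ == "__main__":
    for ssid, macs in gateways_by_ssid(parse_reg_query(SAMPLE)).items():
        print(f"[+] {ssid} ----> {', '.join(macs)}")
```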
In this guide, we've explored how to reveal all previously connected devices on a Windows computer, a crucial aspect of digital forensics. However, the journey into the intricacies of Wi-Fi network analysis doesn't end here. For those intrigued by the possibilities of network discovery, I invite you to check out these highly relevant tutorials:
You can get the complete code here.
I hope you enjoyed this one, till next time!