Before we get started, have you tried our new Python Code Assistant? It's like having an expert coder at your fingertips. Check it out!
In this guide, we'll build a Python program that is capable of revealing all previously connected devices on a Windows computer. This is perfect for digital forensics in a situation where an adversary is being investigated for malicious Wi-Fi activity. A person might think that by merely forgetting a Wi-Fi network from their computer, it's totally gone. Well, that's not the case, as we'll see.
As wireless networking has become prevalent, the Windows Registry now retains data pertaining to wireless connections - even when you "forget" them from your computer. To see what I mean, open up your cmd and type this command (make sure you run it as an administrator):
$ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /sThis command searches through the Windows Registry to find and display information about the networks your computer has connected to:
Bear in mind that the image is cropped.
We can see the network name by the "First network" after REG_SZ and the MAC address by the "DefaultGatewayMac" after REG_BINARY. Don't worry about the format of the MAC address, we'll fix that in our code.
So with this command, we can get all devices that a computer has previously connected to. Whether they forgot the network or not. Let's implement this with Python.
As always, open up a Python file, name it meaningfully like win_reg.py and follow along. Today we won't be installing any packages as we'll be using Python's winreg that allows us to access the Windows Registry for system configuration data. It comes preinstalled with Python on any Windows machine.
Also, we're using Python 3. So, first things first. We import winreg and create a function to convert our MAC address as seen above to the standard format e.g 00:11:r4:66:88:44
import winreg # Import registry module.
def val2addr(val): # Convert value to address format.
addr = '' # Initialize address.
try:
for ch in val: # Loop through value characters.
addr += '%02x ' % ch # Convert each character to hexadecimal.
addr = addr.strip(' ').replace(' ', ':')[0:17] # Format address.
except:
return "N/A" # Return N/A if error occurs.
return addr # Return formatted address.Next, we create the function that does the main job - listing the Wi-Fi networks:
def printNets(): # Print network information.
net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" # Registry key for network info.
key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, net) # Open registry key.
print('\n[*] Networks You have Joined:') # Print header.
for i in range(100): # Loop through possible network keys.
try:
guid = winreg.EnumKey(key, i) # Get network key.
netKey = winreg.OpenKey(key, guid) # Open network key.
try:
n, addr, t = winreg.EnumValue(netKey, 5) # Get MAC address.
n, name, t = winreg.EnumValue(netKey, 4) # Get network name.
if addr:
macAddr = val2addr(addr) # Convert MAC address.
else:
macAddr = 'N/A'
netName = str(name) # Convert network name to string.
print(f'[+] {netName} ----> {macAddr}') # Print network info.
except WindowsError: # Handle errors.
pass # Continue loop.
winreg.CloseKey(netKey) # Close network key.
except WindowsError: # Handle errors.
break # Exit loop.
winreg.CloseKey(key) # Close registry key.
printNets() # Call printNets function.The printNets() function accesses the Windows Registry to gather and display network connection details. It iterates through network keys, retrieves MAC addresses and names, and prints the information. Error handling and proper closure of registry keys are ensured within the function. Finally, the function is called to execute the network information retrieval and printing process.
And we're done with the code. Let's run it:
Note: Please make sure to run this script as an administrator. If you're on an IDE such as VSCode or simply command prompt, you have to run it as an administrator.
These are all the networks this computer has connected to. On the same computer, if you go to Wi-Fi settings and click on the known networks, here's what you'll get:
The others have been "Forgotten" so they do not appear here, but they're very much still in the Windows register. So you see how important such a tool is in digital forensics.
In this guide, we've explored how to reveal all previously connected devices on a Windows computer, a crucial aspect of digital forensics. However, the journey into the intricacies of Wi-Fi network analysis doesn't end here. For those intrigued by the possibilities of network discovery, I invite you to check out these highly relevant tutorials:
- How to Build a WiFi Scanner in Python using Scapy: This tutorial shows you how you can build a Wi-Fi scanner using the Scapy library in Python.
- How to Make a Network Scanner using Scapy in Python: Learn to build a tool that scans for devices connected to your network with the help of Scapy.
- How to View Hidden Wi-Fi Networks in Python: This one dives into finding hidden Wi-Fi networks, showcasing how networks with a "Hidden SSID" are not entirely invisible to a determined investigator using tools like Scapy. This tutorial is especially valuable for understanding the nuances of network privacy and the fallacy of hidden SSIDs as a security measure.
- How to List Wi-Fi Networks in Python: This tutorial caters to the practical need of identifying open Wi-Fi networks in busy environments, providing a Python script that leverages system commands (on Windows and Unix-based systems) to list unsecured networks available for connection.
You can get the complete code here.
I hope you enjoyed this one, till next time!
Take the stress out of learning Python. Meet our Python Code Assistant – your new coding buddy. Give it a whirl!
View Full Code Create Code for Me
Got a coding query or need some guidance before you comment? Check out this Python Code Assistant for expert advice and handy tips. It's like having a coding tutor right in your fingertips!