I'm currently looking at a Windows 7 box for a client who believes their computer has been compromised via their wireless network.
Using RegRipper, I've identified a single wireless network entry within the network list, used from the date of the operating system installation to the last shutdown.
I wanted to check what (if any) wireless security was in place, so browsed to the file at
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[GUID]\[GUID].xml
and found that the file there, whilst it did contain information relating to the wireless network, appeared to have been deleted two months prior to the last use of the network (according to the SOFTWARE hive).
Anybody seen this?
Thanks
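For anyone working the same artefact offline, the following is an added example (not code from the poster or from RegRipper) that parses a copied Wlansvc profile XML and reports what the client was configured to use. The sample profiles are constructed; the keyMaterial value is a placeholder, since on a real system it is a DPAPI blob and the passphrase is not recoverable from the file alone. Note that the profile only shows the client-side configuration for that SSID; it does not prove what the access point actually enforced.

```python
"""Offline parser for a Windows WLAN profile XML of the kind stored under
\\ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\<GUID>\\<GUID>.xml.
Reports the security settings the client was configured to use for that SSID."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profiles (not from any real system). keyMaterial is a placeholder:
# on a live system it is a DPAPI blob that cannot be decrypted without the machine's keys.
WPA2_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeNet</name>
  <SSIDConfig><SSID><hex>486F6D654E6574</hex><name>HomeNet</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>PLACEHOLDER_DPAPI_BLOB</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

OPEN_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CoffeeShop</name>
  <SSIDConfig><SSID><hex>436F66666565</hex><name>Coffee</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication>
    <encryption>none</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def assess(authentication, encryption):
    """Classify the configured authentication/cipher pair in forensic terms."""
    auth, enc = authentication.upper(), encryption.upper()
    if auth == "OPEN" and enc == "NONE":
        return "open network: no authentication or encryption configured"
    if enc == "WEP":
        return "WEP configured: trivially breakable, treat as unprotected"
    if auth in ("WPA2PSK", "WPA2") and enc == "AES":
        return "WPA2 with AES-CCMP configured on the client"
    if auth.startswith("WPA"):
        return "WPA-family configured with %s cipher" % enc
    return "unrecognised combination: %s/%s" % (auth, enc)


def parse_wlan_profile(xml_text):
    """Return a dict describing the profile; missing security elements mean open/none."""
    root = ET.fromstring(xml_text)

    def text(path, default=None):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else default

    sec = "w:MSM/w:security/"
    info = {
        "profile_name": text("w:name"),
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "ssid_hex": text("w:SSIDConfig/w:SSID/w:hex"),
        "connection_mode": text("w:connectionMode"),
        "authentication": text(sec + "w:authEncryption/w:authentication", "open"),
        "encryption": text(sec + "w:authEncryption/w:encryption", "none"),
        "use_onex": text(sec + "w:authEncryption/w:useOneX", "false") == "true",
        "key_present": root.find(sec + "w:sharedKey/w:keyMaterial", NS) is not None,
        "key_protected": text(sec + "w:sharedKey/w:protected") == "true",
    }
    # The hex SSID is what the driver matches on; a mismatch with the display name is
    # worth recording in the notes rather than silently trusting either value.
    decoded = bytes.fromhex(info["ssid_hex"]).decode("utf-8", "replace") if info["ssid_hex"] else None
    info["ssid_hex_matches_name"] = decoded == info["ssid"]
    info["assessment"] = assess(info["authentication"], info["encryption"])
    return info


if __name__ == "__main__":
    for sample in (WPA2_PROFILE, OPEN_PROFILE):
        for key, value in parse_wlan_profile(sample).items():
            print("%-22s %s" % (key, value))
        print()
```

Point the script at the recovered XML (e.g. carved from unallocated space if the live copy was deleted) by reading the file into a string and passing it to parse_wlan_profile; the "key_protected" flag tells you whether the stored key was DPAPI-wrapped, which is the normal state for a profile written by the Wlansvc service.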
Check the event log instead if you're trying to get details of the wireless network.
If this were my case I'd probably start from the other end: what kind of intrusion are we talking about? Are there any signs of a meterpreter-style agent on the computer? What exactly does he think has been done?
Seeing if the wireless network is "secure" is going to be nigh on impossible without at least the router itself or some packet captures, and I'm assuming that neither is available. IIRC the event logs record the encryption in place when you make a connection, and this may be the only way you can determine if any encryption was in use at the time of the alleged intrusion. Even if the router had WPA2 in place, the default passwords for home routers are generally pretty pitiful, and WPS makes a mockery of strong passwords.
You'd probably get further by pentesting a VM of the box.
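As an added example of the event-log route suggested above (not the poster's code), the script below summarises the WLAN-AutoConfig "connected" events (ID 8001), which carry the authentication and cipher negotiated for each association, from an XML export made with wevtutil. The sample events are constructed, and the EventData field names (SSID, AuthenticationAlgorithm, CipherAlgorithm, ProfileName) are assumed from typical 8001 events; confirm them against a real export first. Bear in mind the Operational log is small and circular, so connections from months earlier may already have been overwritten.

```python
"""Summarise successful wireless connections (WLAN-AutoConfig event ID 8001) from an
XML export, e.g. produced on the box with
  wevtutil qe Microsoft-Windows-WLAN-AutoConfig/Operational /q:"*[System[EventID=8001]]" /f:xml
or, for an .evtx copied off the evidence drive, with the file path and /lf:true."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(ts, ssid, auth, cipher):
    # Builds one constructed 8001 event in the shape wevtutil emits. The Data names
    # are assumed from typical 8001 events, not copied from any real log.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-WLAN-AutoConfig"/><EventID>8001</EventID>'
        '<TimeCreated SystemTime="%s"/></System><EventData>'
        '<Data Name="ProfileName">%s</Data><Data Name="SSID">%s</Data>'
        '<Data Name="BSSType">Infrastructure</Data>'
        '<Data Name="AuthenticationAlgorithm">%s</Data>'
        '<Data Name="CipherAlgorithm">%s</Data></EventData></Event>'
    ) % (ts, ssid, ssid, auth, cipher)


# Constructed sample export: three events, deliberately out of chronological order.
SAMPLE_EXPORT = "\n".join([
    _event("2012-03-10T18:02:11.000000000Z", "HomeNet", "WPA2-Personal", "AES-CCMP"),
    _event("2012-01-05T09:14:40.000000000Z", "CoffeeShop", "Open", "None"),
    _event("2012-02-20T21:30:05.000000000Z", "HomeNet", "WPA2-Personal", "AES-CCMP"),
])

WEAK_AUTH = {"OPEN", "SHARED"}    # no WPA-family key exchange
WEAK_CIPHER = {"NONE", "WEP"}


def parse_events(xml_text):
    """Yield (timestamp, ssid, auth, cipher) for every 8001 event in the export.
    wevtutil emits bare <Event> elements with no document root, so wrap them first."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "8001":
            continue
        ts = ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        yield (ts, data.get("SSID", "?"),
               data.get("AuthenticationAlgorithm", "?"), data.get("CipherAlgorithm", "?"))


def summarise_connections(xml_text):
    """Per-SSID first/last connection time, count and the auth/cipher pairs seen."""
    summary = {}
    for ts, ssid, auth, cipher in sorted(parse_events(xml_text)):
        entry = summary.setdefault(ssid, {"count": 0, "first": ts, "last": ts, "security": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)   # ISO-8601 Z timestamps sort lexically
        entry["last"] = max(entry["last"], ts)
        entry["security"].add("%s/%s" % (auth, cipher))
    for entry in summary.values():
        entry["security"] = sorted(entry["security"])
    return summary


def weak_networks(summary):
    """SSIDs ever joined without WPA-family authentication or with WEP/no cipher."""
    flagged = []
    for ssid, entry in summary.items():
        for pair in entry["security"]:
            auth, cipher = pair.split("/", 1)
            if auth.upper() in WEAK_AUTH or cipher.upper() in WEAK_CIPHER:
                flagged.append(ssid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    result = summarise_connections(SAMPLE_EXPORT)
    for ssid, entry in result.items():
        print(ssid, entry)
    print("networks joined with weak or no protection:", weak_networks(result))
```

Lining the "first"/"last" times per SSID up against the last-connect date RegRipper pulled from the SOFTWARE hive is the quickest way to see whether the log still covers the period in question; if the earliest 8001 event post-dates the alleged intrusion, the log has already wrapped and cannot answer the encryption question for that date.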
I'm currently looking at a Windows 7 box for a client who believes their computer has been compromised via their wireless network.
A couple of questions…
Was the box compromised?
What makes the customer believe that a compromise occurred via the wireless network?
Further, showing that the box was, in fact, connected to a wireless network doesn't really do anything to show when or how it was compromised. I'm thinking that there's some other information that needs to be shared…