Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords

September 28th, 2017 by Oleg Afonin
Category: «Did you know that...?», «Elcomsoft News», «Tips & Tricks»

In this how-to guide, we’ll cover the steps required to access the list of saved wireless networks along with their passwords.

Step 1: Make a password-protected backup

In order to extract the list of Wi-Fi networks from an iOS device, you must first create a password-protected local backup of the iOS device (iPhone, iPad or iPod Touch). While we recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu), Apple iTunes can be also used to make the backup. Make sure to configure a backup password if one is not enabled; otherwise you will be unable to access Wi-Fi passwords.

Important: if you are performing a forensic extraction, we highly recommend using iOS Forensic Toolkit in order to make the backup. Unlike iTunes, iOS Forensic Toolkit does not attempt to “sync” the iOS device being acquired with the computer you connect it to, ensuring that no changes are made to device data. More information on how to use iOS Forensic Toolkit for logical acquisition: iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices?

Note: if you are using iOS Forensic Toolkit to produce a backup, the tool will automatically set a temporary backup password. The password will be “123”; you will need to use this password when opening the backup with Elcomsoft Phone Viewer.

If the device is locked with an unknown passcode, follow this guide: Acquisition of a Locked iPhone with a Lockdown Record


Step 2: Recover backup password

This step is only required if the backup is protected with an unknown password. If you know the password (or specified one during the first step), skip this step and go directly to Step 3.

To recover the password, do the following:

1. Open Elcomsoft Phone Breaker

2. Password recovery wizard | Choose source | iOS device backup

3. The list of available backups will be displayed. At this point, you may select an existing backup from the current PC.

If you are processing the backup extracted on a different computer or created with iOS Forensic Toolkit, select “Choose another” and specify path to the manifest.plist

4. Default attack settings will be available. If you are content with default attack settings, you may begin the attack by clicking the “Start recovery” button.

5. Once the password is discovered, it will be displayed.

Once the password is recovered, you may optionally decrypt the backup in Elcomsoft Phone Breaker. Alternatively, you may open the backup in Elcomsoft Phone Viewer, in which case it will be decrypted automatically (although you will need to supply the backup password).


Step 3: Open the backup in Elcomsoft Phone Viewer

In order to access the list of Wi-Fi networks and view Wi-Fi passwords, you will need to use Elcomsoft Phone Viewer 3.50 or newer.

1. In Elcomsoft Phone Viewer, open the backup.

2. If the backup is encrypted, provide backup password in order to decrypt the backup.
3. Once the backup is opened, select “Wi-Fi”. The list of available Wi-Fi networks along with their passwords will be displayed.

Note: by default, Wi-Fi passwords are masked. To unmask Wi-Fi passwords, click on the “eye” icon next to the masked text in the “Wi-Fi Password” column.



Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »

Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »