EAPHammer is a tool that was developed to test the security of WPA2-Enterprise networks. It was created by Gabriel Ryan (s0lst1c3) and is designed to exploit vulnerabilities in the Extensible Authentication Protocol (EAP), commonly used in enterprise Wi-Fi networks.
WPA2-Enterprise is a security protocol that provides more robust authentication and encryption mechanisms than the standard WPA2 used in home and small office networks. It relies on a RADIUS server for authentication, and EAP is the protocol used for communication between the client and the server.
- Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
- Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
- Perform captive portal attacks
- Built-in Responder integration
- Support for Open networks and WPA-EAP/WPA2-EAP
- No manual configuration is necessary for most attacks.
- No manual configuration necessary for the installation and setup process
- Leverages the latest version of hostapd (2.8)
- Support for evil twins and karma attacks
- Generate timed Powershell payloads for indirect wireless pivots
- Integrated HTTP server for Hostile Portal attacks
- Support for SSID cloaking
- Fast and automated PMKID attacks against PSK networks using hcxtools
- Password spraying across multiple usernames against a single ESSID
How to Install EAPHammer
git clone https://github.com/s0lst1c3/eaphammer.git
./kali-setup ./raspbian-setup ./parot-setup
EAPHammer Downgrade Attack
It leverages a technique called “EAP Downgrade Attack” to force clients to use weaker EAP methods, such as EAP-MD5 or EAP-LEAP, instead of the more secure EAP methods like EAP-TLS or PEAP.
By downgrading the authentication method, the attacker can then attempt to exploit vulnerabilities in the weaker EAP methods to gain unauthorized access to the network.
./eaphammer -i wlan0 --channel 5 --auth wpa-eap --essid OffWifi --creds
As described above, it impersonates legitimate networks to lure devices into connecting to the attacker-controlled AP.
./eaphammer -i wlan0 --essid offwifi --cloaking full -c 7 --auth open --hostile-portal --karma
Specifically, it focuses on performing PMKID attacks, which target the Pre-Shared Key (PSK) used in WPA/WPA2-PSK (Wi-Fi Protected Access) encrypted networks. PMKID stands for Pairwise Master Key Identifier, which is a unique identifier used to derive the Pairwise Master Key (PMK) for encrypting data between a client and an access point in a Wi-Fi network.
./eaphammer --pmkid --interface wlan0 --bssid fc:ad:83:77:fe:ab --channel 10
While EAPHammer primarily focuses on attacking the authentication mechanisms of WPA/WPA2-Enterprise networks, it doesn’t directly relate to ESSID cloaking. ESSID cloaking is a separate configuration that aims to hide the network’s SSID from casual view, making it slightly harder for unauthorized users to detect the network.
./eaphammer -i wlan0 -e CompanyXYZ -c 1 --auth open --hostile-portal --cloaking full
Captive Portal Attacks
EAPHammer can redirect victims to a captive portal page, where they might be prompted to enter their credentials or perform other actions, potentially exposing sensitive information.
./eaphammer --bssid fc:ad:83:77:fe:ab --essid CompanyXYZ --channel 149 --interface wlan0 --captive-portal
./eaphammer --eap-spray --interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 --essid CompanyXYZ --password qwerty1234 --user-list users.txt
It’s important to note that EAPHammer is an offensive security tool and should only be used in authorized and controlled environments for legitimate security testing purposes.
Using it to attack networks without proper authorization is illegal and unethical.