Wireless Attacks | evil-twin, wpa2-enterprise, credential-stealing, eap, captive-portal, karma, autocrack

EAPHammer

Toolkit for targeted evil twin attacks against WPA2-Enterprise networks. Designed for full scope wireless assessments and red team engagements with minimal manual configuration.

Description

EAPHammer is a specialized toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It provides an easy-to-use interface that enables powerful wireless attacks with minimal manual configuration, making it ideal for comprehensive wireless assessments and red team operations. The tool supports credential stealing attacks against WPA/2-EAP networks through just a few commands, as demonstrated in its Quick Start section.

Key features include a certificate wizard for managing authentication certificates, support for various authentication modes (open, WPA-PSK, WPA-EAP, OWE), karma attacks, and captive portal deployments. It integrates with tools like hostapd, dnsmasq, and responder to create convincing rogue access points that capture credentials and handshakes.

The toolkit emphasizes speed and usability, with options for autocracking captured credentials, EAP password spraying, and customizable portal templates for social engineering attacks.

How It Works

EAPHammer creates rogue access points mimicking legitimate WPA2-Enterprise networks using hostapd and supporting services like dnsmasq for DHCP and a web server for captive portals. It captures authentication attempts, EAP credentials, PMKIDs, and WPA handshakes through evil twin deauthentication attacks and karma functionality that responds to probe requests. The certificate wizard generates or imports enterprise-grade certificates for realistic WPA-EAP impersonation. Captured data can be automatically cracked using hashcat integration or sent to remote cracking rigs. Additional techniques include hostile portals, EAP spraying across user lists, and customizable phishing templates.

Installation

sudo apt install eaphammer

Flags

-h, --help  show this help message and exit
--debug  Enable debug output.
--cert-wizard [{create,import,interactive,list,dh}]  Use this flag to run in Cert Wizard mode. Use "--cert-wizard create" to create a new certificate. Use "--cert-wizard interactive" or simply "--cert-wizard" to run Cert Wizard in interactive mode. Use "--cert-wizard import" to import a set of certificates into eaphammer's static configuration. Use "--cert-wizard list" to list all previously imported certs
--list-templates  List available portal templates
--create-template  Create a new portal template module
--delete-template  Delete a portal template module
--bootstrap  Bootstrap eaphammer configuration
--creds  Run credential capture evil twin attack
--pmkid  PMKID attack mode
--eap-spray  EAP password spray attack
--hostile-portal  Deploy hostile portal. Use --pivot to run responder without SMB server
--captive-portal-server-only  Run captive portal server only
--captive-portal  Deploy captive portal attack
--lhost LHOST  Your AP's IP address
-i, --interface INTERFACE  The phy interface on which to create the AP
-e, --essid ESSID  Specify access point ESSID
-b, --bssid BSSID  Specify access point BSSID
-c, --channel CHANNEL  Specify access point channel (default: 1)
--hw-mode HW_MODE  Specify access point hardware mode (defaults: g)
--cloaking {none,full,zeroes}  Cloaking mode for stealth
--auth {open,wpa-psk,wpa-eap,owe,owe-transition,owe-psk}  Authentication mode
--pmf {disable,enable,require}  Protected Management Frames setting
--karma  Enable karma attacks
--loud, --singe  Enable loud karma mode
--known-beacons  Enable persistent known beacons attack
--autocrack  Enable autocrack 'n add for captured credentials
-I, --interface-pool iface_n [iface_n ...]  List of interfaces available for password spray attack
--user-list USER_LIST  Username list for EAP spraying
--password PASSWORD  Password to spray across user list

Examples

Display basic help message and usage information
eaphammer -h
Run certificate wizard in interactive mode
eaphammer --cert-wizard
Create a new certificate using cert wizard
eaphammer --cert-wizard create
List all previously imported certificates
eaphammer --cert-wizard list
Execute credential stealing evil twin attack against WPA2-Enterprise network (Quick Start example pattern)
eaphammer --creds -i wlan0 -e "TargetCorp WiFi" --lhost 192.168.1.100
Run PMKID capture attack on specified interface, ESSID, and channel
eaphammer --pmkid -i wlan0 -e "Target WiFi" -c 6
Perform EAP password spray attack across multiple interfaces using username list
eaphammer --eap-spray -I wlan0 wlan1 --user-list users.txt --password Summer2024!
Deploy captive portal attack with custom template
eaphammer --captive-portal -i wlan0 --essid "Free WiFi" --lhost 10.0.0.1 --portal-template mytemplate
Updated 2026-04-16 | kali.org