Category: Password Attacks. Tags: eap-md5, dictionary-attack, wireless, authentication, cracking

eapmd5pass

eapmd5pass extracts challenge-response pairs from EAP-MD5 authentication exchanges and performs offline dictionary attacks to crack user passwords. It works with live monitor-mode interfaces or libpcap capture files.

Description

EAP-MD5 is a legacy authentication mechanism lacking sufficient protection for user credentials, exposing them to offline dictionary attacks. eapmd5pass targets this vulnerability by capturing EAP-MD5 exchanges from wireless networks.

The tool reads from a live network interface in monitor mode or a stored libpcap file, extracting the challenge and response portions of the authentication exchange. It then mounts an offline dictionary attack using a provided wordlist to recover the user's password.

Use cases include testing wireless networks still using EAP-MD5 for authentication, demonstrating the insecurity of this protocol, and assessing password strength in such environments.

How It Works

eapmd5pass captures EAP-MD5 packets containing the challenge and MD5-hashed response (which is MD5(challenge + username + password)). It extracts these values along with the EAP ID and username. An offline dictionary attack is then performed by computing MD5(challenge + username + candidate_password) for each wordlist entry and comparing against the captured response. The tool supports both live sniffing on monitor-mode interfaces and offline analysis of libpcap files.
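The packet fields the paragraph above names (EAP ID, challenge, response, identity) can be pulled from raw EAP frames with a few lines of parsing. The following Python is an added, defender-side example, not code from eapmd5pass or the Kali page: it decodes the EAP-MD5 (Type 4) packet layout from RFC 3748, pairs each Request with the Response carrying the same EAP ID, and returns the pairs so an 802.1X audit can flag where the legacy method is still negotiated. The challenge, response and identity bytes are constructed sample values.

```python
import struct
from typing import NamedTuple, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP Code values (RFC 3748)
EAP_TYPE_MD5_CHALLENGE = 4         # the legacy EAP-MD5 method type

class EapMd5(NamedTuple):
    code: int        # 1 = Request (carries the challenge), 2 = Response (carries the MD5 digest)
    identifier: int  # EAP ID; a Response answers the Request that used the same ID
    value: bytes     # challenge (Request) or MD5 response (Response)
    name: bytes      # Name field; in a Response this is the peer identity (username)

def parse_eap_md5(frame: bytes) -> Optional[EapMd5]:
    """Parse one EAP packet; return None unless it is a well-formed MD5-Challenge packet."""
    if len(frame) < 6:
        return None
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or frame[4] != EAP_TYPE_MD5_CHALLENGE:
        return None
    if length < 6 or length > len(frame):   # Length covers Code through Type-Data
        return None
    value_size = frame[5]
    if 6 + value_size > length:             # Value-Size overruns the packet: malformed
        return None
    return EapMd5(code, identifier, frame[6:6 + value_size], frame[6 + value_size:length])

def audit_eap_md5(frames):
    """Pair MD5-Challenge Requests with Responses by EAP ID; each pair is a legacy exchange to flag."""
    pending, findings = {}, []
    for frame in frames:
        pkt = parse_eap_md5(frame)
        if pkt is None:
            continue
        if pkt.code == EAP_REQUEST:
            pending[pkt.identifier] = pkt.value
        elif pkt.identifier in pending:     # a Response with no Request for that ID is ignored
            findings.append({"eap_id": pkt.identifier,
                             "identity": pkt.name.decode("utf-8", "replace"),
                             "challenge": pending.pop(pkt.identifier).hex(),
                             "response": pkt.value.hex()})
    return findings

def build_eap_md5(code, identifier, value, name=b""):
    """Encode a Type 4 EAP packet; used here only to construct the sample frames below."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body
# Constructed sample exchange (not captured traffic): one Request/Response pair with EAP ID 0x2a.
SAMPLE_FRAMES = [
    build_eap_md5(EAP_REQUEST, 0x2A, bytes.fromhex("0123456789abcdef0123456789abcdef")),
    build_eap_md5(EAP_RESPONSE, 0x2A, bytes.fromhex("fedcba9876543210fedcba9876543210"), b"alice"),
]
```

Any non-empty result from audit_eap_md5 over frames taken from a capture means EAP-MD5 is still in use on that segment, which is the finding to act on (migrate those supplicants to a method such as EAP-TLS or PEAP).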

Installation

sudo apt install eapmd5pass

Flags

-i <iface>      interface name
-r <pcapfile>   read from a named libpcap file
-w <wordfile>   use wordfile for possible passwords
-b <bssid>      BSSID of target network (default: all)
-U <username>   username of EAP-MD5 user
-C <chal>       EAP-MD5 challenge value
-R <response>   EAP-MD5 response value
-E <eapid>      EAP-MD5 response EAP ID value

Examples

Display help and usage information for the tool:
    eapmd5pass -h

Capture live EAP-MD5 exchanges on monitor-mode interface wlan0mon and perform a dictionary attack using the rockyou wordlist:
    eapmd5pass -i wlan0mon -w /usr/share/wordlists/rockyou.txt

Read EAP-MD5 data from the libpcap file capture.pcap and attack using the passwords.txt wordlist:
    eapmd5pass -r capture.pcap -w passwords.txt

Process a pcap file for the specific BSSID AA:BB:CC:DD:EE:FF with a dictionary attack:
    eapmd5pass -r capture.pcap -b AA:BB:CC:DD:EE:FF -w dict.txt

Offline attack using a manually provided username, challenge, response, and EAP ID with a wordlist:
    eapmd5pass -U user -C 0123456789abcdef -R fedcba9876543210 -E 1 -w wordlist.txt

Live capture on the mon0 interface targeting a specific BSSID with a custom dictionary:
    eapmd5pass -i mon0 -w /path/to/custom-dict.txt -b 00:11:22:33:44:55

Extract and attempt to crack EAP-MD5 from a pcap file using the default wordlist behavior:
    eapmd5pass -r eapmd5_capture.pcap
Updated 2026-04-16. Source: kali.org