-
Notifications
You must be signed in to change notification settings - Fork 315
IX. EAPHammer User Database
EAPHammer's database is really just an interface to hostapd's eap_user file.
For most use cases, just stick with the IX.1 - Basic Usage section found below.
To list entries in the database, use the --list flag as shown below:
./ehdb --list
You can also filter for users that match specific attributes. Please see IX.1.e - Search Filters for additional information.
At minimum, each user that you add to the database needs to have the following attributes:
- Identity (RADIUS jardon. A fancy way of saying "username")
- Password OR nt password hash
To add an identity and password to the database:
./ehdb --add \
--identity USERNAME \
--password Passw0rd!
To add an identity and NT password hash to the database:
./ehdb --add \
--identity USERNAME2 \
--nt-hash ea66bb09dd4806402e54797e3bb10231
There are other attributes that you can specify as well (see IX.2 - Advanced Usage). However, the default attributes will work in the vast majority of situations, so try not to worry about those unless you absolutely have to.
To remove an identity from the database:
./ehdb --delete \
--identity-is USERNAME
To remove all identities from the datbase:
./ehdb --delete \
--delete-all
You can also delete multiple users at once by using search filters. Please see IX.1.e - Search Filters for additional information.
To update a user's password (or other attribute), just use the --add flag. The existing user entry will be updated to reflect your modifications.
You can use search filters to narrow the output of the --list flag and to delete multiple users using the --delete flag.
Filter options for --list and --delete:
- --by-phase PHASE - Filter by phase (1 or 2).
- --identity-is IDENTITY - Filter by identity (exact match)
- --in-identity KEYWORD - Filter for any identities containing a specified keyword.
- --methods-any METHODS - Filter for users that can authenticate using any of the provided methods (comma separated list).
- --methods-all METHODS - Filter for users that can authenticate using all of the provided methods (comma separated list).
- --has-password - Filter for users that have a password in the database.
- --has-nt-hash - Filter for users that have a nt hash in the database.
- --invert - Invert the results of the search.
Aside from --identity, --password, and --nt-hash, you probably won't need to use these options except for rare edge cases. However, they are there if you need them.
Options for adding a user to database:
- --identity IDENTITY - The username for the user you wish to add.
- --password PASSWORD - Specify the user's password. You should probably specify a password for your user unless you are specifying an nt password hash.
- --nt-hash NT_HASH - Specify the nt hash of the user's password. You should probably specify the nt hash for your user unless you are specifying a password instead.
- --methods METHODS - Leave this as the default unless you really know what you are doing. A comma seperated list of the authentication methods that should be used when the user attempts to connect. EAPHammer will attempt to use each of these methods one by one until the victim accepts one.
- --phase {1,2} - You should probably leave this as the default.
-
- XIV.1 - Interactive Mode
-
XIV.2 - Creating Certificates
--cert-wizard create -
XIV.3 - Importing Certificates and Keys
--cert-wizard import - XIV.4 - Listing Previously Imported or Created Certificates
--cert-wizard list - XIV.5 - Regenerating Diffie Hellman (DH) Parameters
--cert-wizard dh - XIV.6 - Overriding EAPHammer's Static Configuration