XIII. Password Spraying

Gabriel Ryan edited this page Sep 12, 2019 · 2 revisions

EAPHammer allows the user to check for password reuse across multiple RADIUS accounts using its password spraying feature. To leverage this feature, use the --eap-spray flag as shown below:

./eaphammer --eap-spray \
	--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
	--essid example-wifi \
	--password bananas \
	--user-list users.txt

Most of these flags are pretty self-explanatory. The --eap-spray flag tells eaphammer to perform a password spraying attack. The --essid flag is used to specify the target network, the --password flag is used to specify the password to spray, and the --user-list flag is used to supply a user list file to eaphammer. A user list file is like a wordlist, but contains usernames instead of password candidates. Eaphammer will attempt to authenticate against the network specified by --essid using every username in the file specified by --user-list paired with the password specified by --password.

The --interface-pool flag could be a bit confusing, so let's talk about it in greater detail. A password spraying attack is essentially a network-based bruteforce operation. Although network-based bruteforce attacks are algorithmically similar to their local counterparts, such as dictionary attacks against password hashes, they're a lot slower from a performance perspective. Each login attempt made in our password spraying attack is a network-bound operation. To make matters worse, the EAP authentication process itself takes multiple seconds to complete. We theoretically can speed up this process using multithreading (Python's GIL isn't an issue here), but we still have to deal with the fact that a single wireless interface can only perform a single authentication attempt at a time. The solution is to create a pool of worker threads, and give each thread in the pool its own wireless interface to work with. The --interface-pool flag is used to provide eaphammer with a list of wireless interfaces with which to create this thread pool.

Generally speaking, the more interfaces you use, the faster the attack. Be aware, however, that sending too much traffic to the access point will overwhelm it, causing your attack to take more time rather than less.
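From the defender's side, the traffic pattern described above (one client, one password, many distinct usernames, rejects arriving seconds apart) is exactly what a review of RADIUS authentication logs should surface. The following detector is an added example and is not part of EAPHammer or this wiki; the log format, station MACs and usernames are constructed, and the window and threshold values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of RADIUS/EAP authentication results (not real server
# output): timestamp, calling station (client MAC), username, outcome.
SAMPLE_LOG = """\
2019-09-12T10:00:01 aa:bb:cc:dd:ee:01 alice Access-Reject
2019-09-12T10:00:04 aa:bb:cc:dd:ee:01 bob Access-Reject
2019-09-12T10:00:05 aa:bb:cc:dd:ee:02 alice Access-Reject
2019-09-12T10:00:08 aa:bb:cc:dd:ee:01 carol Access-Reject
2019-09-12T10:00:12 aa:bb:cc:dd:ee:01 dave Access-Reject
2019-09-12T10:00:15 aa:bb:cc:dd:ee:02 alice Access-Accept
2019-09-12T10:00:16 aa:bb:cc:dd:ee:01 erin Access-Reject
2019-09-12T10:00:20 aa:bb:cc:dd:ee:01 frank Access-Accept
"""


def parse_events(text):
    """Yield (timestamp, station, username, result) from the constructed format."""
    for line in text.splitlines():
        ts, station, user, result = line.split()
        yield datetime.fromisoformat(ts), station, user, result


def detect_spray(text, window=timedelta(minutes=5), min_users=5):
    """Return {station: sorted usernames} for every client whose rejected
    logins cover at least `min_users` distinct usernames within any period of
    length `window`. A legitimate client retrying its own credentials fails on
    one username; a spray fails on many usernames from one source."""
    recent = defaultdict(deque)  # station -> deque of (timestamp, user) rejects
    flagged = {}
    for ts, station, user, result in parse_events(text):
        if result != "Access-Reject":
            continue
        q = recent[station]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # expire rejects outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[station] = sorted(users)
    return flagged


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

In the sample, station ...:01 is flagged after its fifth distinct username and then receives an Access-Accept for "frank", so an accept following a flagged run is the event to escalate first.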