I will find a way, or I will make one.

Oct 6, 2016 - 7 minute read

Breaking into WPA Enterprise networks with Air-Hammer

Air-Hammer is a new tool I’ve created for performing online, horizontal brute-force attacks against wireless networks secured with WPA Enterprise. This is a completely different attack than the usual “evil twin” attacks against those networks.


Online brute-force attacks against WPA Enterprise appear to be overlooked, if not unheard of, in the current literature on wireless network security and in the security community in general. Although WPA Enterprise is often considered “more secure” than WPA-PSK, it also has a much larger attack surface. While WPA-PSK networks have only one valid password, there may be thousands of valid username and password combinations which grant access to a single WPA Enterprise network. Further, passwords used to access WPA Enterprise networks are commonly selected by end users, many of whom select extremely common passwords.

In this post I’ll describe using Air-Hammer to leverage open-source intelligence (OSINT) and perform brute-force attacks against WPA Enterprise networks.

Jun 16, 2014 - 6 minute read - wireless

Introducing WoNDeR-List

TLDR: Wordlist of Netgear default WPA keys. Download link is at the bottom.

What is WoNDeR-List?

WoNDeR-List is the wordlist I created to crack the default WPA keys of several models of Netgear wireless routers.

How does it work?

Some Netgear WNDR series routers (including the N900, N750, and N600) come with a factory-set default WPA key in the form of: adjectivenoun###. For example, quietunicorn604 (bold added for clarity). After seeing a few of these I was able to make a few assumptions