This post from Pauldotcom explains how to perform dictionary offline attacks against EAP-MD5 (802.1X protected networks)  authentication packets.

Once we have a packet capture with the authentication packets, the post offers two possibilities:

  • Patched version of xtest to read the passwords through a pipe (John the Ripper produces the password list)
  • A small Scapy script  called  eapmd5crack.py