new: started implementing RSN PMKID parsing support (ref #436)

2025-08-20 21:43:18 -07:00 · 2019-02-07 15:15:15 +01:00 · 2019-02-07 15:15:15 +01:00 · 0ec645afd3
commit 0ec645afd3
parent e1d72342f6
4 changed files with 39 additions and 3 deletions
--- a/modules/events_view_wifi.go
+++ b/modules/events_view_wifi.go
@ -77,6 +77,10 @@ func (s *EventsStream) viewWiFiHandshakeEvent(e session.Event) {
 		what = fmt.Sprintf("%s handshake", ap.Encryption)
 	}

+	if hand.PMKID != nil {
+		what = fmt.Sprintf("PMKID (%x)", hand.PMKID)
+	}
+
 	fmt.Fprintf(s.output, "[%s] [%s] captured %s -> %s %s to %s\n",
 		e.Time.Format(eventTimeFormat),
 		tui.Green(e.Tag),
--- a/modules/wifi_events.go
+++ b/modules/wifi_events.go
@ -24,4 +24,5 @@ type WiFiHandshakeEvent struct {
 	NewPackets int
 	AP         net.HardwareAddr
 	Station    net.HardwareAddr
+	PMKID      []byte
 }
--- a/modules/wifi_recon.go
+++ b/modules/wifi_recon.go
@ -157,6 +157,9 @@ func (w *WiFiModule) discoverHandshakes(radiotap *layers.RadioTap, dot11 *layers
 			}

 			if station, found := w.Session.WiFi.GetClient(staMac.String()); found {
+				// ref. https://hashcat.net/forum/thread-7717.html
+				rawPMKID := []byte(nil)
+
 				// ref. https://wlan1nde.wordpress.com/2014/10/27/4-way-handshake/
 				if !key.Install && key.KeyACK && !key.KeyMIC {
 					// [1] (ACK) AP is sending ANonce to the client
@ -165,7 +168,7 @@ func (w *WiFiModule) discoverHandshakes(radiotap *layers.RadioTap, dot11 *layers
 						apMac,
 						staMac,
 						key.Nonce)
-					station.Handshake.AddFrame(0, packet)
+					rawPMKID = station.Handshake.AddAndGetPMKID(packet)
 				} else if !key.Install && !key.KeyACK && key.KeyMIC && !allZeros(key.Nonce) {
 					// [2] (MIC) client is sending SNonce+MIC to the API
 					log.Debug("[%s] got frame 2/4 of the %s <-> %s handshake (snonce:%x mic:%x)",
@ -194,14 +197,17 @@ func (w *WiFiModule) discoverHandshakes(radiotap *layers.RadioTap, dot11 *layers
 					}
 				}

-				if doSave && station.Handshake.Complete() {
+				if doSave && (rawPMKID != nil || station.Handshake.Complete()) {
 					w.Session.Events.Add("wifi.client.handshake", WiFiHandshakeEvent{
 						File:       w.shakesFile,
 						NewPackets: numUnsaved,
 						AP:         apMac,
 						Station:    staMac,
+						PMKID:      rawPMKID,
 					})
 				}
+			} else {
+				log.Warning("EAPOL captured for unknown station %s", staMac.String())
 			}
 		}
 	}