new: detection and parsing of deauthentication frames as wifi.deauthentication events

2025-08-20 21:43:18 -07:00 · 2021-03-31 00:47:56 +02:00 · 2021-03-31 00:47:56 +02:00 · 240c4c3219
commit 240c4c3219
parent cea53b969e
4 changed files with 57 additions and 1 deletions
--- a/modules/events_stream/events_view_wifi.go
+++ b/modules/events_stream/events_view_wifi.go
@ -118,9 +118,24 @@ func (mod *EventsStream) viewWiFiClientEvent(output io.Writer, e session.Event)
 	}
 }

+func (mod *EventsStream) viewWiFiDeauthEvent(output io.Writer, e session.Event) {
+	deauth := e.Data.(wifi.DeauthEvent)
+
+	fmt.Fprintf(output, "[%s] [%s] a1=%s a2=%s a3=%s reason=%s (%d dBm)\n",
+		e.Time.Format(mod.timeFormat),
+		tui.Green(e.Tag),
+		deauth.Address1,
+		deauth.Address2,
+		deauth.Address3,
+		tui.Bold(deauth.Reason),
+		deauth.RSSI)
+}
+
 func (mod *EventsStream) viewWiFiEvent(output io.Writer, e session.Event) {
 	if strings.HasPrefix(e.Tag, "wifi.ap.") {
 		mod.viewWiFiApEvent(output, e)
+	} else if e.Tag == "wifi.deauthentication" {
+		mod.viewWiFiDeauthEvent(output, e)
 	} else if e.Tag == "wifi.client.probe" {
 		mod.viewWiFiClientProbeEvent(output, e)
 	} else if e.Tag == "wifi.client.handshake" {
@ -128,6 +143,6 @@ func (mod *EventsStream) viewWiFiEvent(output io.Writer, e session.Event) {
 	} else if e.Tag == "wifi.client.new" || e.Tag == "wifi.client.lost" {
 		mod.viewWiFiClientEvent(output, e)
 	} else {
-		fmt.Fprintf(output, "[%s] [%s] %v\n", e.Time.Format(mod.timeFormat), tui.Green(e.Tag), e)
+		fmt.Fprintf(output, "[%s] [%s] %#v\n", e.Time.Format(mod.timeFormat), tui.Green(e.Tag), e)
 	}
 }
--- a/modules/wifi/wifi.go
+++ b/modules/wifi/wifi.go
@ -661,6 +661,7 @@ func (mod *WiFiModule) Start() error {
 				mod.discoverAccessPoints(radiotap, dot11, packet)
 				mod.discoverClients(radiotap, dot11, packet)
 				mod.discoverHandshakes(radiotap, dot11, packet)
+				mod.discoverDeauths(radiotap, dot11, packet)
 				mod.updateInfo(dot11, packet)
 				mod.updateStats(dot11, packet)
 			}
--- a/modules/wifi/wifi_events.go
+++ b/modules/wifi/wifi_events.go
@ -9,6 +9,14 @@ type ClientEvent struct {
 	Client *network.Station
 }

+type DeauthEvent struct {
+	RSSI     int8   `json:"rssi"`
+	Address1 string `json:"address1"`
+	Address2 string `json:"address2"`
+	Address3 string `json:"address3"`
+	Reason   string `json:"reason"`
+}
+
 type ProbeEvent struct {
 	FromAddr   string `json:"mac"`
 	FromVendor string `json:"vendor"`
--- a/modules/wifi/wifi_recon.go
+++ b/modules/wifi/wifi_recon.go
@ -150,3 +150,35 @@ func (mod *WiFiModule) discoverClients(radiotap *layers.RadioTap, dot11 *layers.
 		}
 	})
 }
+
+func (mod *WiFiModule) discoverDeauths(radiotap *layers.RadioTap, dot11 *layers.Dot11, packet gopacket.Packet) {
+	if dot11.Type != layers.Dot11TypeMgmtDeauthentication {
+		return
+	}
+
+	// ignore deauth frames that we sent
+	if radiotap.ChannelFrequency == 0 {
+		return
+	}
+
+	deauthLayer := packet.Layer(layers.LayerTypeDot11MgmtDeauthentication)
+	if deauthLayer == nil {
+		return
+	}
+
+	deauth, ok := deauthLayer.(*layers.Dot11MgmtDeauthentication)
+	reason := "?"
+	if ok {
+		reason = deauth.Reason.String()
+	}
+
+	mod.Debug("deauth radio %#v", radiotap)
+
+	mod.Session.Events.Add("wifi.deauthentication", DeauthEvent{
+		RSSI:     radiotap.DBMAntennaSignal,
+		Address1: dot11.Address1.String(),
+		Address2: dot11.Address2.String(),
+		Address3: dot11.Address3.String(),
+		Reason:   reason,
+	})
+}