new: added native wifi handshakes capture from wifi.recon module

2025-08-20 21:43:18 -07:00 · 2019-02-05 19:42:13 +01:00 · 2019-02-05 19:42:13 +01:00 · a6cfb2413f
commit a6cfb2413f
parent 23f340d8eb
9 changed files with 273 additions and 30 deletions
--- a/modules/wifi_recon.go
+++ b/modules/wifi_recon.go
@ -11,6 +11,8 @@ import (

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+
+	"github.com/evilsocket/islazy/tui"
 )

 var maxStationTTL = 5 * time.Minute
@ -23,6 +25,13 @@ type WiFiProbe struct {
 	RSSI       int8
 }

+type WiFiHandshakeEvent struct {
+	File       string
+	NewPackets int
+	AP         net.HardwareAddr
+	Station    net.HardwareAddr
+}
+
 func (w *WiFiModule) stationPruner() {
 	w.reads.Add(1)
 	defer w.reads.Done()
@ -121,3 +130,76 @@ func (w *WiFiModule) discoverClients(radiotap *layers.RadioTap, dot11 *layers.Do
 		}
 	})
 }
+
+func allZeros(s []byte) bool {
+	for _, v := range s {
+		if v != 0 {
+			return false
+		}
+	}
+	return true
+}
+
+func (w *WiFiModule) discoverHandshakes(radiotap *layers.RadioTap, dot11 *layers.Dot11, packet gopacket.Packet) {
+	if keyLayer := packet.Layer(layers.LayerTypeEAPOLKey); keyLayer != nil {
+		if key := keyLayer.(*layers.EAPOLKey); key.KeyType == layers.EAPOLKeyTypePairwise {
+			staMac := net.HardwareAddr{}
+			apMac := net.HardwareAddr{}
+			if dot11.Flags.FromDS() {
+				staMac = dot11.Address1
+				apMac = dot11.Address2
+			} else if dot11.Flags.ToDS() {
+				staMac = dot11.Address2
+				apMac = dot11.Address1
+			}
+
+			if station, found := w.Session.WiFi.GetClient(staMac.String()); found {
+				// ref. https://wlan1nde.wordpress.com/2014/10/27/4-way-handshake/
+				if !key.Install && key.KeyACK && !key.KeyMIC {
+					// [1] (ACK) AP is sending ANonce to the client
+					log.Debug("[%s] got frame 1/4 of the %s <-> %s handshake (anonce:%x)",
+						tui.Green("wifi"),
+						apMac,
+						staMac,
+						key.Nonce)
+					station.Handshake.AddFrame(0, packet)
+				} else if !key.Install && !key.KeyACK && key.KeyMIC && !allZeros(key.Nonce) {
+					// [2] (MIC) client is sending SNonce+MIC to the API
+					log.Debug("[%s] got frame 2/4 of the %s <-> %s handshake (snonce:%x mic:%x)",
+						tui.Green("wifi"),
+						apMac,
+						staMac,
+						key.Nonce,
+						key.MIC)
+					station.Handshake.AddFrame(1, packet)
+				} else if key.Install && key.KeyACK && key.KeyMIC {
+					// [3]: (INSTALL+ACK+MIC) AP informs the client that the PTK is installed
+					log.Debug("[%s] got frame 3/4 of the %s <-> %s handshake (mic:%x)",
+						tui.Green("wifi"),
+						apMac,
+						staMac,
+						key.MIC)
+					station.Handshake.AddFrame(2, packet)
+				}
+
+				numUnsaved := station.Handshake.NumUnsaved()
+				doSave := numUnsaved > 0
+				if doSave && w.shakesFile != "" {
+					log.Debug("saving handshake frames to %s", w.shakesFile)
+					if err := w.Session.WiFi.SaveHandshakesTo(w.shakesFile, w.handle.LinkType()); err != nil {
+						log.Error("error while saving handshake frames to %s: %s", w.shakesFile, err)
+					}
+				}
+
+				if doSave && station.Handshake.Complete() {
+					w.Session.Events.Add("wifi.client.handshake", WiFiHandshakeEvent{
+						File:       w.shakesFile,
+						NewPackets: numUnsaved,
+						AP:         apMac,
+						Station:    staMac,
+					})
+				}
+			}
+		}
+	}
+}