new: detection and parsing of deauthentication frames as wifi.deauthe…

…ntication events
bettercap · Mar 30, 2021 · 240c4c3 · 240c4c3
1 parent cea53b9
commit 240c4c3
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 1 deletion.
diff --git a/modules/events_stream/events_view_wifi.go b/modules/events_stream/events_view_wifi.go
@@ -118,16 +118,31 @@ func (mod *EventsStream) viewWiFiClientEvent(output io.Writer, e session.Event)
  }
 }
 
+func (mod *EventsStream) viewWiFiDeauthEvent(output io.Writer, e session.Event) {
+ deauth := e.Data.(wifi.DeauthEvent)
+
+ fmt.Fprintf(output, "[%s] [%s] a1=%s a2=%s a3=%s reason=%s (%d dBm)\n",
+ e.Time.Format(mod.timeFormat),
+ tui.Green(e.Tag),
+ deauth.Address1,
+ deauth.Address2,
+ deauth.Address3,
+ tui.Bold(deauth.Reason),
+ deauth.RSSI)
+}
+
 func (mod *EventsStream) viewWiFiEvent(output io.Writer, e session.Event) {
  if strings.HasPrefix(e.Tag, "wifi.ap.") {
  mod.viewWiFiApEvent(output, e)
+ } else if e.Tag == "wifi.deauthentication" {
+ mod.viewWiFiDeauthEvent(output, e)
  } else if e.Tag == "wifi.client.probe" {
  mod.viewWiFiClientProbeEvent(output, e)
  } else if e.Tag == "wifi.client.handshake" {
  mod.viewWiFiHandshakeEvent(output, e)
  } else if e.Tag == "wifi.client.new" || e.Tag == "wifi.client.lost" {
  mod.viewWiFiClientEvent(output, e)
  } else {
- fmt.Fprintf(output, "[%s] [%s] %v\n", e.Time.Format(mod.timeFormat), tui.Green(e.Tag), e)
+ fmt.Fprintf(output, "[%s] [%s] %#v\n", e.Time.Format(mod.timeFormat), tui.Green(e.Tag), e)
  }
 }
diff --git a/modules/wifi/wifi.go b/modules/wifi/wifi.go
@@ -661,6 +661,7 @@ func (mod *WiFiModule) Start() error {
  mod.discoverAccessPoints(radiotap, dot11, packet)
  mod.discoverClients(radiotap, dot11, packet)
  mod.discoverHandshakes(radiotap, dot11, packet)
+ mod.discoverDeauths(radiotap, dot11, packet)
  mod.updateInfo(dot11, packet)
  mod.updateStats(dot11, packet)
  }

diff --git a/modules/wifi/wifi_events.go b/modules/wifi/wifi_events.go
@@ -9,6 +9,14 @@ type ClientEvent struct {
  Client *network.Station
 }
 
+type DeauthEvent struct {
+ RSSI int8 `json:"rssi"`
+ Address1 string `json:"address1"`
+ Address2 string `json:"address2"`
+ Address3 string `json:"address3"`
+ Reason string `json:"reason"`
+}
+
 type ProbeEvent struct {
  FromAddr string `json:"mac"`
  FromVendor string `json:"vendor"`

diff --git a/modules/wifi/wifi_recon.go b/modules/wifi/wifi_recon.go
@@ -150,3 +150,35 @@ func (mod *WiFiModule) discoverClients(radiotap *layers.RadioTap, dot11 *layers.
  }
  })
 }
+
+func (mod *WiFiModule) discoverDeauths(radiotap *layers.RadioTap, dot11 *layers.Dot11, packet gopacket.Packet) {
+ if dot11.Type != layers.Dot11TypeMgmtDeauthentication {
+ return
+ }
+
+ // ignore deauth frames that we sent
+ if radiotap.ChannelFrequency == 0 {
+ return
+ }
+
+ deauthLayer := packet.Layer(layers.LayerTypeDot11MgmtDeauthentication)
+ if deauthLayer == nil {
+ return
+ }
+
+ deauth, ok := deauthLayer.(*layers.Dot11MgmtDeauthentication)
+ reason := "?"
+ if ok {
+ reason = deauth.Reason.String()
+ }
+
+ mod.Debug("deauth radio %#v", radiotap)
+
+ mod.Session.Events.Add("wifi.deauthentication", DeauthEvent{
+ RSSI: radiotap.DBMAntennaSignal,
+ Address1: dot11.Address1.String(),
+ Address2: dot11.Address2.String(),
+ Address3: dot11.Address3.String(),
+ Reason: reason,
+ })
+}