wifiscan 0.4.0

Wireless network scanner TUI with monitor mode, handshake capture, deauth, and evil twin
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202

use std::collections::HashMap;
use std::time::Instant;

use crate::types::ApMap;

// ── Alert Types ─────────────────────────────────────────────────────────────

#[derive(Debug, Clone)]
pub enum AlertKind {
    EvilTwin { essid: String, bssid1: String, bssid2: String },
    DeauthFlood { bssid: String, essid: String },
    NewAP { bssid: String, essid: String },
    OpenNetwork { bssid: String, essid: String },
    WepNetwork { bssid: String, essid: String },
    ChannelOverlap { channel: u8, count: usize },
    HandshakeCaptured { bssid: String, essid: String },
}

#[derive(Debug, Clone)]
pub struct Alert {
    pub kind: AlertKind,
    pub timestamp: Instant,
    pub message: String,
    pub dismissed: bool,
}

impl Alert {
    pub fn new(kind: AlertKind) -> Self {
        let message = match &kind {
            AlertKind::EvilTwin { essid, bssid1, bssid2 } =>
                format!("Evil twin: '{}' seen on {} and {}", essid, bssid1, bssid2),
            AlertKind::DeauthFlood { essid, .. } =>
                format!("Deauth flood detected targeting '{}'", essid),
            AlertKind::NewAP { essid, bssid } =>
                format!("New AP: '{}' ({})", essid, bssid),
            AlertKind::OpenNetwork { essid, bssid } =>
                format!("Open network: '{}' ({})", essid, bssid),
            AlertKind::WepNetwork { essid, bssid } =>
                format!("WEP network: '{}' ({}) - trivially crackable", essid, bssid),
            AlertKind::ChannelOverlap { channel, count } =>
                format!("Channel {} congested: {} APs", channel, count),
            AlertKind::HandshakeCaptured { essid, bssid } =>
                format!("Handshake captured: '{}' ({})", essid, bssid),
        };
        Self { kind, timestamp: Instant::now(), message, dismissed: false }
    }

    pub fn age_secs(&self) -> u64 {
        self.timestamp.elapsed().as_secs()
    }
}

// ── Alert Engine ────────────────────────────────────────────────────────────

pub struct AlertEngine {
    pub alerts: Vec<Alert>,
    known_bssids: HashMap<String, Instant>,
    evil_twin_seen: HashMap<String, Vec<String>>,  // essid -> vec of bssids
    max_alerts: usize,
}

impl AlertEngine {
    pub fn new() -> Self {
        Self {
            alerts: Vec::new(),
            known_bssids: HashMap::new(),
            evil_twin_seen: HashMap::new(),
            max_alerts: 200,
        }
    }

    pub fn active_alerts(&self) -> Vec<&Alert> {
        self.alerts.iter()
            .filter(|a| !a.dismissed && a.age_secs() < 300)
            .collect()
    }

    pub fn dismiss_all(&mut self) {
        for a in &mut self.alerts {
            a.dismissed = true;
        }
    }

    fn push(&mut self, alert: Alert) {
        self.alerts.push(alert);
        if self.alerts.len() > self.max_alerts {
            self.alerts.remove(0);
        }
    }

    /// Run detection passes against current AP state. Call periodically from the UI loop.
    pub fn scan(&mut self, ap_map: &ApMap) {
        let map = ap_map.lock().unwrap();

        // Track new APs
        for (bssid, ap) in map.iter() {
            if !self.known_bssids.contains_key(bssid) {
                self.known_bssids.insert(bssid.clone(), Instant::now());

                if !ap.essid.is_empty() && ap.essid != "<hidden>" {
                    // New AP alert (only after initial scan period)
                    if self.known_bssids.len() > 5 {
                        self.push(Alert::new(AlertKind::NewAP {
                            bssid: bssid.clone(),
                            essid: ap.essid.clone(),
                        }));
                    }

                    // Open network warning
                    if ap.encryption.display == "Open" {
                        self.push(Alert::new(AlertKind::OpenNetwork {
                            bssid: bssid.clone(),
                            essid: ap.essid.clone(),
                        }));
                    }

                    // WEP warning
                    if ap.encryption.display.starts_with("WEP") {
                        self.push(Alert::new(AlertKind::WepNetwork {
                            bssid: bssid.clone(),
                            essid: ap.essid.clone(),
                        }));
                    }
                }
            }
        }

        // Evil twin detection: same ESSID, different BSSID, different encryption
        self.evil_twin_seen.clear();
        for (bssid, ap) in map.iter() {
            if ap.essid.is_empty() || ap.essid == "<hidden>" { continue; }
            self.evil_twin_seen
                .entry(ap.essid.clone())
                .or_default()
                .push(bssid.clone());
        }

        let mut twin_alerts: Vec<Alert> = Vec::new();
        for (essid, bssids) in &self.evil_twin_seen {
            if bssids.len() < 2 { continue; }

            let mut enc_set: HashMap<String, Vec<String>> = HashMap::new();
            for bssid in bssids {
                if let Some(ap) = map.get(bssid) {
                    enc_set.entry(ap.encryption.display.clone())
                        .or_default()
                        .push(bssid.clone());
                }
            }
            if enc_set.len() > 1 {
                let bssid_list: Vec<&String> = bssids.iter().take(2).collect();
                let already_alerted = self.alerts.iter().any(|a| {
                    matches!(&a.kind, AlertKind::EvilTwin { essid: e, .. } if e == essid)
                        && a.age_secs() < 300
                });
                if !already_alerted {
                    twin_alerts.push(Alert::new(AlertKind::EvilTwin {
                        essid: essid.clone(),
                        bssid1: bssid_list[0].clone(),
                        bssid2: bssid_list[1].clone(),
                    }));
                }
            }
        }
        for alert in twin_alerts {
            self.push(alert);
        }

        // Channel congestion
        let mut channel_counts: HashMap<u8, usize> = HashMap::new();
        for ap in map.values() {
            if ap.channel > 0 && ap.age_secs() < 60 {
                *channel_counts.entry(ap.channel).or_default() += 1;
            }
        }
        for (&ch, &count) in &channel_counts {
            if count >= 15 {
                let already = self.alerts.iter().any(|a| {
                    matches!(&a.kind, AlertKind::ChannelOverlap { channel, .. } if *channel == ch)
                        && a.age_secs() < 120
                });
                if !already {
                    self.push(Alert::new(AlertKind::ChannelOverlap { channel: ch, count }));
                }
            }
        }
    }

    /// Call when a handshake is captured
    pub fn handshake_captured(&mut self, bssid: &str, essid: &str) {
        self.push(Alert::new(AlertKind::HandshakeCaptured {
            bssid: bssid.to_string(),
            essid: essid.to_string(),
        }));
    }
}

impl Default for AlertEngine {
    fn default() -> Self {
        Self::new()
    }
}