PMK acquired indicator doesn't last

[vladionescu]

Prerequisites

Red Encryption field, indicating we have a PMK, doesn't last. I'm not sure why. Relevant code:

bettercap/modules/wifi/wifi_show.go

Lines 59 to 61 in 2cdd3d2

	if ap, found := mod.Session.WiFi.Get(station.HwAddress); found && (ap.HasHandshakes() || ap.HasPMKID()) {
	encryption = tui.Red(encryption)
	}

Environment

Please provide:

• Bettercap version you are using. master (2cdd3d2)
• OS version and architecture you are using. Debian 9, amd64
• Go version if building from sources. 1.11.5-linux-amd64
• Command line arguments you are using. -iface wlan0
• Caplet code you are using or the interactive session commands. wifi.recon on ; wifi.show

Steps to Reproduce

1. Setup the ticker as in your latest post on PMKID hoarding: https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/

sudo bettercap -iface wlan0
> wifi.recon on
> set wifi.show.sort clients desc
> set ticker.commands 'clear; wifi.show'
> ticker on

2. Acquire some handshakes by waiting or wifi.deauth, or get some PMKIDs with wifi.assoc.
3. Notice Encryption field turns red on the networks where a handshake or PMKID is captured.

Expected behavior: Field stays red until I close bettercap/switch pcap files.

Actual behavior: Field goes back to black after ~60 seconds.

--

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

[evilsocket]

this happens when the stations associated with the handshakes and/or PMKIDs are pruned away due to inactivity ... technically it's not a bug, but i'll try to change the logic a bit in order to keep the red mark regardless 👍