feat: add PMKID support for client-less attacks and enhance capture

AGENTS.md

@@ -28,11 +28,25 @@ src/
 │   └── security.rs      # Security utilities
 └── screens/
     ├── crack.rs         # Cracking UI + engine selector
-    └── scan_capture.rs # Scanning & capture UI
+    └── scan_capture.rs  # Scanning & capture UI
 ```
 
 ## Key Implementation Details
 
+### Two Attack Methods
+
+1. **4-Way Handshake** ([`src/core/network.rs`](src/core/network.rs))
+   - Captures M1 (ANonce) and M2 (SNonce + MIC) EAPOL frames
+   - Requires client device to reconnect to AP
+   - Traditional WPA/WPA2 attack method
+
+2. **PMKID** ([`src/core/network.rs`](src/core/network.rs))
+   - Extracts PMKID from RSN Information Element in beacon frames
+   - **Clientless**: No devices need to be connected
+   - Faster and stealthier than handshake capture
+
+Both methods produce a `.pcap` file that can be cracked offline.
+
 ### Native CPU Engine ([`src/core/bruteforce.rs`](src/core/bruteforce.rs))
 
 - **Zero-allocation**: PasswordBuffer on stack, no heap allocations
@@ -91,10 +105,10 @@ cat src/core/hashcat.rs
 ### After Every Iteration
 
 ```bash
-# Format code
-cargo fmt --all
+# Format code (CI command - must pass)
+cargo fmt -- --check
 
-# Run clippy (must pass)
+# Run clippy (CI command - must pass with zero warnings)
 cargo clippy --all-targets --all-features -- -D warnings
 
 # Build release
@@ -161,11 +175,16 @@ sudo ./target/release/brutifi
 ### Essential Commands
 
 ```bash
-# Format + Lint + Build (all-in-one)
-cargo fmt --all && cargo clippy --all-targets --all-features -- -D warnings && cargo build --release
+# CI Commands (exactly as CI runs them)
+cargo fmt -- --check                                    # Format check
+cargo clippy --all-targets --all-features -- -D warnings # Lint (zero warnings)
+cargo build --verbose                                    # Build
+cargo test --verbose                                     # Test
 
-# Run tests
-cargo test
+# Development Commands
+cargo fmt --all                                          # Auto-format code
+cargo clippy --all-targets --all-features -- -D warnings # Check for warnings
+cargo build --release                                    # Release build
 
 # Run app
 sudo ./target/release/brutifi
@@ -197,11 +216,16 @@ When in doubt:
 
 ---
 
-**Remember**: After every code change, always run:
+**Remember**: After every code change, always run these **exact CI commands**:
 
+```bash
+cargo fmt -- --check                                    # Check formatting (CI exact)
+cargo clippy --all-targets --all-features -- -D warnings # Check lints (CI exact)
+```
+
+If formatting fails, auto-fix with:
 ```bash
 cargo fmt --all
-cargo clippy --all-targets --all-features -- -D warnings
 ```
 
-These checks are enforced by CI and must pass before merging.
+These checks are **enforced by CI** and must pass before merging.

README.md

@@ -1,6 +1,6 @@
 # BrutiFi 🔐
 
-> Modern desktop application for WPA/WPA2 security testing on macOS with real-time feedback
+> Simple desktop application for WPA/WPA2 password cracking on macOS
 
 [![Release](https://github.com/maxgfr/bruteforce-wifi/actions/workflows/release.yml/badge.svg)](https://github.com/maxgfr/bruteforce-wifi/releases)
 [![CI](https://github.com/maxgfr/bruteforce-wifi/actions/workflows/ci.yml/badge.svg)](https://github.com/maxgfr/bruteforce-wifi/actions)
@@ -9,116 +9,83 @@
 
 **⚠️ EDUCATIONAL USE ONLY - UNAUTHORIZED ACCESS IS ILLEGAL ⚠️**
 
-A high-performance macOS desktop GUI application for testing WPA/WPA2 password security through offline bruteforce attacks. Built with Rust and Iced, featuring dual cracking engines (Native CPU and Hashcat GPU) for maximum performance.
+A simple macOS desktop app for testing WiFi password security. Scan networks, capture handshakes, and crack passwords using CPU or GPU acceleration.
 
 ## ✨ Features
 
-### Core Capabilities
-
-- 🖥️ **Modern Desktop GUI** - Built with Iced framework for smooth, native experience
+- 🖥️ **Simple Desktop GUI** - Clean 2-screen interface built with Iced
 - 🚀 **Dual Cracking Engines**:
-  - **Native CPU**: Custom PBKDF2 implementation with Rayon parallelism (~10K-100K passwords/sec)
-  - **Hashcat GPU**: 10-100x faster acceleration with automatic device detection
+  - **Native CPU**: Custom PBKDF2 (~10K-100K passwords/sec)
+  - **Hashcat GPU**: 10-100x faster with automatic device detection
 - 📡 **WiFi Network Scanning** - Real-time discovery with channel detection
-- 🎯 **Handshake Capture** - EAPOL frame analysis with visual progress indicators
-- 🔑 **Dual Attack Modes**:
-  - 🔢 Numeric bruteforce (PIN codes: 8-12 digits)
+- 🎯 **Two Attack Methods**:
+  - **4-Way Handshake**: Traditional EAPOL frame capture (requires client reconnection)
+  - **PMKID**: Clientless attack from beacon frames (no clients needed)
+- 🔑 **Two Crack Modes**:
+  - 🔢 Numeric bruteforce (8-12 digit PINs)
   - 📋 Wordlist attacks (rockyou.txt, custom lists)
-- 📊 **Live Progress** - Real-time speed metrics, attempt counters, and ETA
-- 🔒 **100% Offline** - No data transmitted anywhere
-
-### Platform Support
-- 🍎 **macOS Native** - Apple Silicon and Intel support
+- 📊 **Live Progress** - Real-time speed, attempts, and ETA
+- 🔒 **100% Offline** - No data transmitted
 
 ## 📦 Installation
 
 ### macOS
 
 #### Quick Installation
 
-1. Download the DMG from the latest release (Apple Silicon or Intel).
-2. Open the DMG and drag **BrutiFi.app** to **Applications**.
-3. Launch the app — macOS will ask for the admin (root) password at startup to enable capture.
+1. Download the DMG from the latest release (Apple Silicon or Intel)
+2. Open the DMG and drag **BrutiFi.app** to **Applications**
+3. Launch the app — macOS will ask for admin password to enable capture
 
-#### Remove Quarantine Attribute (Required for GitHub downloads)
-
-When downloading from GitHub, macOS adds a quarantine attribute. You must remove it to launch the app:
+#### Remove Quarantine (Required for GitHub downloads)
 
 ```bash
 xattr -dr com.apple.quarantine /Applications/BrutiFi.app
 ```
 
-> This removes security warnings, but WiFi capture in monitor mode still requires root privileges on macOS.
-
 ### From Source
 
 ```bash
 git clone https://github.com/maxgfr/bruteforce-wifi.git
 cd bruteforce-wifi
 cargo build --release
-./target/release/bruteforce-wifi
+./target/release/brutifi
 ```
 
 ## 🚀 Usage
 
-### Complete Workflow
+### Simple 2-Step Workflow
 
-```text
-1. Scan Networks → 2. Select Target → 3. Capture Handshake → 4. Crack Password
+```
+1. Scan & Capture → Generates .pcap file with handshake/PMKID
+2. Crack → Bruteforce password from .pcap
 ```
 
-### Step 1: Scan for Networks
-
-Launch the app and click "Scan Networks" to discover nearby WiFi networks:
-
-- **SSID** (network name)
-- **Channel number**
-- **Signal strength**
-- **Security type** (WPA/WPA2)
-
-### Step 2: Select & Capture Handshake
-
-Select a network → Click "Continue to Capture"
-
-**Before capturing:**
-
-1. **Choose output location**: Click "Choose Location" to save the .pcap file
-   - Default: `capture.pcap` in current directory
-   - Recommended: Save to Documents or Desktop for easy access
-2. **Disconnect from WiFi** (macOS only):
-   - Option+Click WiFi icon → "Disconnect"
-   - This improves capture reliability
-
-Then click "Start Capture"
-
-The app monitors for the WPA/WPA2 4-way handshake:
-
-- ✅ **M1** - ANonce (from AP)
-- ✅ **M2** - SNonce + MIC (from client)
-- 🎉 **Handshake Complete!**
-
-> **macOS Note**: Deauth attacks don't work on Apple Silicon. Manually reconnect a device to trigger the handshake (turn WiFi off/on on your phone).
-
-### Step 3: Crack Password
-
-Navigate to "Crack" tab:
+### Step 1: Scan & Capture
 
-#### Engine Selection
+1. Click **"Scan"** to discover nearby WiFi networks
+2. Select a target network from the list
+3. (Optional) Disconnect from WiFi for better capture: `Option+Click WiFi → Disconnect`
+4. Click **"Start Capture"**
 
-- **Native CPU**: Software-only cracking, works everywhere
-- **Hashcat GPU**: Requires hashcat + hcxtools installed, 10-100x faster
+The app automatically captures either:
+- ✅ **PMKID** (clientless, instant)
+- ✅ **4-Way Handshake** (M1 + M2 frames)
 
-#### Attack Methods
+> **macOS Note**: Deauth attacks don't work on Apple Silicon. Manually reconnect a device to trigger handshake (turn phone WiFi off/on).
 
-- **Numeric Attack**: Tests PIN codes (e.g., 00000000-99999999)
-- **Wordlist Attack**: Tests passwords from files like rockyou.txt
+### Step 2: Crack Password
 
-#### Real-time Stats
+1. Navigate to **"Crack"** tab
+2. Select cracking engine:
+   - **Native CPU**: Works everywhere
+   - **Hashcat GPU**: 10-100x faster (requires `brew install hashcat hcxtools`)
+3. Choose attack method:
+   - **Numeric**: Tests 8-12 digit PIN codes
+   - **Wordlist**: Tests passwords from file (e.g., rockyou.txt)
+4. Click **"Start Cracking"**
 
-- Progress bar with percentage
-- Current attempts / Total
-- Passwords per second
-- Live logs (copyable)
+Watch real-time progress with speed and ETA!
 
 ## 🛠️ Development
 
@@ -130,43 +97,26 @@ Navigate to "Crack" tab:
 ### Build Commands
 
 ```bash
-# Development build with fast compile times
+# Development build
 cargo build
 
-# Optimized release build
+# Release build
 cargo build --release
 
 # Run the app
 cargo run --release
 
-# Format code (enforced by CI)
+# Format code
 cargo fmt --all
 
-# Lint code (enforced by CI)
+# Lint code
 cargo clippy --all-targets --all-features -- -D warnings
 
 # Run tests
 cargo test
 ```
 
-### Build macOS DMG (Local)
-
-You can build a macOS DMG installer locally from the source code:
-
-```bash
-# Build DMG (automatically detects architecture)
-./scripts/build_dmg.sh
-```
-
-This will create:
-- `BrutiFi-{VERSION}-macOS-arm64.dmg` (Apple Silicon)
-- `BrutiFi-{VERSION}-macOS-arm64.dmg.sha256` (checksum)
-
-**Note**: The application is signed with ad-hoc signing by default, which is sufficient for local use and testing. No additional code signing is required.
-
-### Optional: Hashcat Integration
-
-For GPU-accelerated cracking, install:
+### Optional: Hashcat GPU Acceleration
 
 ```bash
 brew install hashcat hcxtools
@@ -176,43 +126,44 @@ brew install hashcat hcxtools
 
 ### Disclaimer
 
-#### Educational Use Only
-
-This tool is for educational and authorized testing only.
+**Educational Use Only**
 
 ✅ **Legal Uses:**
-
-- Testing your own WiFi network security
+- Testing your own WiFi network
 - Authorized penetration testing with written permission
 - Security research and education
-- CTF competitions and challenges
 
 ❌ **Illegal Activities:**
-
-- Unauthorized access to networks you don't own
+- Unauthorized network access
 - Intercepting communications without permission
-- Any malicious or unauthorized use
 
-**Unauthorized access to computer networks is a criminal offense** in most jurisdictions (CFAA in USA, Computer Misuse Act in UK, etc.). Always obtain explicit written permission before testing.
+**Unauthorized access is a criminal offense.** Always obtain explicit written permission.
+
+## 🔧 Alternatives
 
-## 🙏 Acknowledgments & inspiration
+**Looking for more advanced features?**
 
-This project was inspired by several groundbreaking tools in the WiFi security space:
+BrutiFi focuses on **simplicity** with just 2 core attacks (PMKID + Handshake). For a more comprehensive WiFi auditing tool with additional attack vectors, check out:
 
-- [AirJack](https://github.com/rtulke/AirJack) - As `brutifi` but in a Python-based CLI
-- [Aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - Industry-standard WiFi
-- [Pyrit](https://github.com/JPaulMora/Pyrit) - Pre-computed tables for WPA-PSK attacks
-- [Cowpatty](https://github.com/joswr1ght/cowpatty) - Early WPA-PSK cracking implementation
+- **[Wifite2](https://github.com/kimocoder/wifite2)** - Complete automated wireless auditing tool
+  - WPS attacks (Pixie Dust, PIN brute-force)
+  - WPA3 attacks (Transition downgrade, SAE)
+  - Evil Twin phishing
+  - Multiple attack automation
+  - Linux-focused CLI tool
 
-These tools demonstrated the feasibility of offline WPA/WPA2 password attacks and inspired the creation of a modern, user-friendly desktop application.
+## 🙏 Acknowledgments
 
-Special thanks to the following libraries and tools:
+Inspired by:
+- [AirJack](https://github.com/rtulke/AirJack) - Python-based CLI inspiration
+- [Aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - Industry standard
+- [Hashcat](https://github.com/hashcat/hashcat) - GPU acceleration
+- [hcxtools](https://github.com/ZerBea/hcxtools) - Format conversion
 
-- [Iced](https://github.com/iced-rs/iced) - Cross-platform GUI framework
-- [Rayon](https://github.com/rayon-rs/rayon) - Data parallelism library
-- [pcap-rs](https://github.com/rust-pcap/pcap) - Rust bindings for libpcap
-- [Hashcat](https://github.com/hashcat/hashcat) - GPU-accelerated password recovery
-- [hcxtools](https://github.com/ZerBea/hcxtools) - Wireless security auditing tools
+Built with:
+- [Iced](https://github.com/iced-rs/iced) - GUI framework
+- [Rayon](https://github.com/rayon-rs/rayon) - Parallelism
+- [pcap-rs](https://github.com/rust-pcap/pcap) - Packet capture
 
 ## 📄 License
 

src/app.rs

@@ -168,7 +168,6 @@ impl BruteforceApp {
             Message::CopyPassword => self.handle_copy_password(),
 
             // General
-            Message::ReturnToNormalMode => self.handle_return_to_normal_mode(),
             Message::Tick => self.handle_tick(),
         }
     }
@@ -204,7 +203,7 @@ impl BruteforceApp {
             None
         };
 
-        // Navigation header - simplified to 2 steps
+        // Navigation header - 2 tabs
         let nav = container(
             row![
                 nav_button("1. Scan & Capture", Screen::ScanCapture, self.screen),