Description
Wireless IDS is an open source tool written in Python that runs on Linux. It may be useful to penetration testers, trainers and anyone who wants to learn more about wireless hacking. WIDS sniffs the surrounding air traffic for suspicious activity such as WEP/WPA/WPS attack packets. It does the following:
- Detects mass deauthentication sent to a client / access point; an unreasonable amount indicates a possible WPA attack aimed at capturing handshakes.
- Detects continual data being sent to an access point using the broadcast MAC address, which indicates a possible WEP attack.
- Detects an unreasonable amount of EAP authentication traffic between a wireless client and an access point, which indicates a possible WPS brute-force attack by Reaver / WPSCrack.
- Detects a client changing its connection to another access point, which may indicate a connection to a rogue AP (the user needs to assess the situation, e.g. whether the AP names are similar).
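The flood heuristics listed above are counters over a capture window: deauthentication frames per client/AP pair, data frames addressed to the broadcast MAC per cell, and EAP frames per client/AP pair, each compared against a threshold. The following is an added example that is not the WIDS project's own code; it runs over a constructed list of simplified frame records (the kind of fields TShark would print), and the thresholds, MAC addresses and the `Frame` record type are assumptions made for the demo, not the script's real values.

```python
"""Threshold-based wireless attack heuristics over simplified 802.11 frame records.

Added example, not the WIDS project's code. Frame records are constructed here;
thresholds are demo values (assumption), not the ones the real script uses.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed per-capture-window thresholds (demo values).
DEAUTH_THRESHOLD = 20          # deauth frames between one pair -> possible WPA handshake attack
BROADCAST_DATA_THRESHOLD = 50  # data frames to the broadcast MAC from one sender -> possible WEP attack
EAP_THRESHOLD = 30             # EAP frames between one client/AP pair -> possible WPS brute force


@dataclass(frozen=True)
class Frame:
    kind: str    # simplified classification: "deauth", "data", "eap" or "eapol"
    src: str     # transmitter MAC (as seen on the air; may be spoofed)
    dst: str     # receiver MAC
    bssid: str   # BSSID of the cell the frame belongs to


def analyse(frames: List[Frame]) -> List[Tuple[str, str, str, int]]:
    """Return (alert, src, dst, count) tuples for every pair/cell that crosses a threshold."""
    deauth = Counter()      # (src, dst)   -> deauthentication frames
    bcast_data = Counter()  # (src, bssid) -> data frames addressed to the broadcast MAC
    eap = Counter()         # (src, dst)   -> EAP frames
    handshake = Counter()   # bssid        -> EAPOL (4-way handshake) frames seen

    for f in frames:
        if f.kind == "deauth":
            deauth[(f.src, f.dst)] += 1
        elif f.kind == "data" and f.dst == BROADCAST:
            bcast_data[(f.src, f.bssid)] += 1
        elif f.kind == "eap":
            eap[(f.src, f.dst)] += 1
        elif f.kind == "eapol":
            handshake[f.bssid] += 1

    alerts = []
    for (src, dst), n in sorted(deauth.items()):
        if n >= DEAUTH_THRESHOLD:
            alerts.append(("possible WPA attack: deauth flood", src, dst, n))
            # One side of the deauth pair is the AP; report handshake frames seen on that cell.
            hs = handshake[src] or handshake[dst]
            if hs:
                alerts.append(("WPA handshake packets captured", src, dst, hs))
    for (src, bssid), n in sorted(bcast_data.items()):
        if n >= BROADCAST_DATA_THRESHOLD:
            alerts.append(("possible WEP attack: broadcast data flood", src, bssid, n))
    for (src, dst), n in sorted(eap.items()):
        if n >= EAP_THRESHOLD:
            alerts.append(("possible WPS brute force: EAP burst", src, dst, n))
    return alerts


def sample_capture() -> List[Frame]:
    """Constructed frames (all MACs made up): a deauth flood spoofing the AP against one
    client followed by a 4-way handshake, a WEP-style broadcast data flood, a WPS-style EAP
    burst, and some benign unicast traffic that must not trigger anything."""
    ap, client, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    frames = [Frame("deauth", ap, client, ap) for _ in range(25)]
    frames += [Frame("eapol", ap, client, ap) for _ in range(4)]
    frames += [Frame("data", attacker, BROADCAST, ap) for _ in range(60)]
    frames += [Frame("eap", attacker, ap, ap) for _ in range(35)]
    frames += [Frame("data", client, ap, ap) for _ in range(10)]
    return frames


if __name__ == "__main__":
    for alert in analyse(sample_capture()):
        print("%-45s %s -> %s (%d frames)" % alert)
```

The benign unicast data frames never reach a counter, so the only way to trip an alert is volume on the specific pattern each heuristic watches; tuning the thresholds to the environment is what keeps a busy but legitimate network from looking like an attack.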
Newly Added Features !!!
- Display similar Access Point names (SSIDs), which could indicate WiFi 'Evil Twins'.
- Display the SSIDs that wireless devices are probing for.
- Detection of Korek Chopchop packets sent by Aircrack-NG (WEP attacks)
- Detection of Fragmentation PRGA packets sent by Aircrack-NG (WEP attacks)
- Detection of possible WPA Downgrade attack by MDK3
- Detection of possible Michael Shutdown exploitation (TKIP) by MDK3
- Detection of Beacon flooding by MDK3
- Detection of possible Authentication DoS by MDK3
- Detection of possible association flooding
- Detection of WPA Migration Attack by Aircrack-NG (WPA Attack)
- Allow logging of events to file.
- Allow disabling the display of probing devices.
- Identify the manufacturer of wireless devices / access points based on the MAC OUI database.
Visit https://www.facebook.com/syworks for other updated information and tools.
Requirements
1. Root access (admin)
2. Wireless interface which is capable of monitoring
3. Python installed
4. Aircrack-NG suite installed
5. TShark installed
Note: Applications 3 - 5 are already pre-installed in Backtrack and Kali Linux.
Download / Installation
- Visit https://github.com/SYWorks/wireless-ids for all documentation and files or
- download the raw file directly from here
- Save the file 'wids.py' to your Linux Desktop or any directory you like. In my case, I saved it on my desktop and entered the following in the terminal console.
- cd Desktop/
- chmod +x wids.py
- ./wids.py
Once installation is complete, you may wish to delete the file from where you initially saved it, as the following have been created:
- Directory : ~/SYWorks/
- Directory : ~/SYWorks/WIDS/
- Directory : ~/SYWorks/WIDS/tmp
- File : ~/SYWorks/WIDS/wids.py
- File : ~/usr/sbin/wids.py
Optional Download
- You can also download the MAC OUI Database 'mac-oui.db' and place it in the same directory as WIDS (~/SYWorks/WIDS/)
Running the application
- You can run the script from any directory by entering 'wids.py'.
- Once the script is running, it will detect the wireless interfaces you have; if you have more than one interface, it will prompt you to choose.
- If no suspicious activity is found, it will display 'Did not detect any suspicious activity..'
- Note: to exit the script, simply press 'Ctrl+C'.
Detected Possible WEP Attacks
- If a possible WEP attack is detected, it will show the wireless client / access point MAC address (AP name) and also any authentication/association requests made.
- Korek Chopchop is a method used by the Aircrack-NG suite to attack a WEP-encrypted network.
- Based on the unique signature in the packets, WIDS is able to detect this attack method.
- Fragmentation PRGA is another method used by the Aircrack-NG suite to attack a WEP-encrypted network.
- Based on the unique signature in these packets, WIDS is able to detect this attack method too.
Detected Possible WPA Attacks
- If a possible WPA attack is detected, it will show the wireless client / access point MAC address (AP name) for which the deauthentication packets were detected, together with their number.
- If handshakes were also detected, it will display the number of handshake packets found.
Detected WPA Migration Attack
- Aireplay-NG's WPA Migration Mode also uses a unique method: it sends requests to the access point using fake MAC addresses, trying to authenticate with the AP. This flooding is also picked up by WIDS.
Detected Possible WPS Attacks
- Whenever a wireless client and an access point communicate using EAP, their MAC addresses will be displayed along with the number of EAP packets detected.
- If such requests are sent consistently, it is likely that a WPS brute force is in progress.
Detected Changes In Clients Connection to Another Access Point
- The script also detects when a wireless client that was initially connected to one access point subsequently switches to another access point, which could indicate a connection to a rogue AP (the user should also note the AP name).
Detected Possible Rogue Access Point
- WIDS also analyses access point names for frequent changes, which could indicate a 'Rogue AP' responding to probes from wireless devices.
- Such rogue APs could be scripted with Airbase-ng, Pineapples, etc.
- When similar AP names are detected, WIDS will display these APs, since similar names could indicate Evil Twins.
- Not all similar AP names are evil twins, as some routers can have two or more similar names set by users.
- It is at the user's discretion to decide whether it is an evil twin.
- When a high number of QoS Data packets is sent to a WPA/TKIP-encrypted network, there is a possibility of an attack by TKIPTUN-NG.
- WIDS is able to detect a possible attack using MDK3's Michael shutdown exploitation (TKIP) option.
- When too many authentication requests come from wireless clients, WIDS will display whether there is a possibility of an Authentication DoS by authentication flooding with MDK3.
- WIDS will also display possible Beacon flooding attacks by MDK3.
- WIDS also detects MDK3's WPA Downgrade Test attack option.
- WIDS can also display detected wireless devices that are probing for any SSID or not participating in any network connection.
Step-by-step Attacking/Detection diagram
Attacks                                                           | Detection
1) Attacker sets up a fake access point with a name similar to    | 1) Evil Twin Detection
   the victim's AP                                                |
2) Attacker sends deauthentication to the client & access point   | 2) Deauth Flooding Detection
3) Victim carelessly connects to the fake access point set up by  | 3) Change in connection from one AP to another
   the attacker                                                   |
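The rogue-AP heuristics described above and the three detection steps in the diagram (similar SSIDs across different BSSIDs, an AP that keeps changing its name, and a client that moves from one BSSID to another) can be checked with a small amount of state per BSSID and per client. The following is an added example that is not the WIDS project's own code; it runs over a constructed, time-ordered list of simplified beacon and association records, and the similarity rule (SSIDs equal after lowercasing and removing whitespace, or within an edit distance of 2) is an assumption chosen for the demo, not the script's actual rule.

```python
"""Evil-twin, SSID-change and client-reassociation heuristics over simplified records.

Added example, not the WIDS project's code. Events, MACs and SSIDs are constructed;
the similarity rule is an assumption for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIMILAR_MAX_EDIT_DISTANCE = 2  # assumed demo threshold


@dataclass(frozen=True)
class Event:
    kind: str          # "beacon": an AP advertises an SSID; "assoc": a client associated to a BSSID
    bssid: str
    ssid: str = ""     # used by beacons
    client: str = ""   # used by assoc events


def _normalise(ssid: str) -> str:
    """Lowercase and strip all whitespace so 'Coffee Shop' and 'coffeeshop' compare equal."""
    return "".join(ssid.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar(s1: str, s2: str) -> bool:
    n1, n2 = _normalise(s1), _normalise(s2)
    return n1 == n2 or edit_distance(n1, n2) <= SIMILAR_MAX_EDIT_DISTANCE


def analyse(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (alert, subject, detail) tuples in the order the evidence appears."""
    ssids_by_bssid: Dict[str, List[str]] = defaultdict(list)  # distinct SSIDs seen per BSSID
    client_ap: Dict[str, str] = {}                            # client -> BSSID it last associated to
    alerts = []
    for e in events:
        if e.kind == "beacon":
            seen = ssids_by_bssid[e.bssid]
            if e.ssid not in seen:
                seen.append(e.ssid)
                if len(seen) > 1:
                    alerts.append(("AP name changed (possible rogue AP)", e.bssid,
                                   "%s -> %s" % (seen[-2], e.ssid)))
        elif e.kind == "assoc":
            prev = client_ap.get(e.client)
            if prev is not None and prev != e.bssid:
                alerts.append(("client switched AP", e.client, "%s -> %s" % (prev, e.bssid)))
            client_ap[e.client] = e.bssid
    # Compare every SSID each BSSID has used against those of every other BSSID.
    bssids = sorted(ssids_by_bssid)
    for i, a in enumerate(bssids):
        for b in bssids[i + 1:]:
            for sa in ssids_by_bssid[a]:
                for sb in ssids_by_bssid[b]:
                    if similar(sa, sb):
                        alerts.append(("similar SSIDs (possible evil twin)",
                                       "%s '%s'" % (a, sa), "%s '%s'" % (b, sb)))
    return alerts


def sample_events() -> List[Event]:
    """Constructed scenario (MACs made up): a legitimate AP, an AP mimicking its name, an
    unrelated AP, a client moving from the legitimate AP to the mimic, and the mimic then
    renaming itself to shadow the unrelated AP as well."""
    legit, mimic, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "12:34:56:78:9a:bc"
    client = "aa:bb:cc:dd:ee:01"
    return [
        Event("beacon", legit, ssid="CoffeeShop"),
        Event("beacon", mimic, ssid="Coffee Shop"),
        Event("beacon", other, ssid="Library-Guest"),
        Event("assoc", legit, client=client),
        Event("assoc", mimic, client=client),
        Event("beacon", mimic, ssid="Library Guest"),
    ]


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print("%-40s %s | %s" % alert)
```

As the page notes, a similar-name hit is only a prompt for the user to look: two legitimate routers with names like "Office" and "Office2" will also be paired by this rule, and the edit-distance threshold is a knob to tighten or loosen how aggressive that pairing is.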
Checking / Updating of Script
- Enter 'wids.py --update' to check online for any updates to the script.
Displaying Help
- Enter 'wids.py --hh' to display advanced help
Command line Arguments
- Enter 'wids.py --timeout' followed by the desired value to set the capture timeframe.
- Enter 'wids.py --log' to save all events to a file (log.txt), which can be found in "~/SYWorks/WIDS/".
- Enter 'wids.py -l 1', 'wids.py -l 2', ... to run WIDS only the specified number of times.
- Enter 'wids.py -hp' or 'wids.py --hideprobe' to disable the display of probing devices (default: display probing by wireless devices).
- Enter 'wids.py --remove' should you want to remove the script completely from your computer.