Wireless IDS [Intrusion Detection System] - Tutorial / Explaination

Description

Wireless IDS is an open source tool written in Python and work on Linux environment. This tool may be useful to those penetration testers, trainers and for those who interest and want to know more about wireless hacking..WIDs will sniff your surrounding air traffic for suspicious activities such as WEP/WPA/WPS attacking packets. It do the following

• Detect mass deauthentication sent to client / access point which unreasonable amount indicate possible WPA attack for handshakes.
• Continual sending data to access point using broadcast MAC address which indicate a possibility of WEP attacks
• Unreasonable amount of communication between wireless client and access point using EAP authentication which indicate the possibility of WPS bruteforce attack by Reaver / WPSCrack
• Detection of changes in connection to anther access point which may have the possibility of connection to Rogue AP (User needs to assess the situation whether similar AP name)

Newly Added Features !!! 

• Display similar Access Point's name (SSID) which could have the possibility of WiFi 'Evil Twins'.
• Display of probing SSID by wireless devices
• Detection of Korek Chopchop packets sent by Aircrack-NG (WEP attacks)
• Detection of Fragmentation PRGA packets sent by Aircrack-NG (WEP attacks)
• Detection of possible WPA Downgrade attack by MDK3
• Detection of possible Michael Shutdown exploitation (TKIP) by MDK3
• Detection of Beacon flooding by MDK3
• Detection of possible Authentication DoS by MDK3
• Detection of possible association flooding
• Detection of WPA Migration Attack by Aircrack-NG (WPA Attack)

• Allow logging of events to file.
• Allow disabling of displaying of probing devices
• Wireless devices / Access point's manufacturer Identification basing on the MAC OUI database.

Visit https://www.facebook.com/syworks for other updated information and tools.

Requirements

No special equipment is required to use this script as long as you have the following :

1. Root access (admin)
2. Wireless interface which is capable of monitoring3. Python installed
4. Aircrack-NG suite installed
5. TShark installed

Note: Application 3 - 5 are already pre-installed in Backtrack and Kali Linux.


Download / Installation

• Visit https://github.com/SYWorks/wireless-ids for all documentation and files or
• download the raw file directly from here
• Save the file 'wids.py' to your Linux Desktop or any directory you like. For my case, i saved it on my desktop and enter the following in the terminal console.
• cd Desktop/
• chmod +x wids.py
• ./wids.py

Once installation is completed, you may wish to delete the file where you have initially saved as the following had be created:

• Directory : ~/SYWorks/
• Directory : ~/SYWorks/WIDS/
• Directory : ~/SYWorks/WIDS/tmp
• File         : ~/SYWorks/WIDS/wids.py
• File         : ~/usr/sbin/wids.py

Optional Download

• You can also download the MAC OUI Database 'mac-oui.db' and place it at the same directory of WIDS (~/SYWorks/WIDS/)

Running the application

• You can run the script at any directory by entering 'wids.py'.
• Once the script is running, it will detect the wireless interface that you have and if you have more than one interface, it will prompt you for response.
• If there is no suspicious activity found, it will display 'Did not detect any suspicious activity..'
• Note : If you want to exit the script, simply hit on 'Ctrl+C' to exit the application.

Detected Possible WEP Attacks

• If a possible WEP attacks detected, it will show the Wireless client / Access Point MAC  Address (AP Name) and also any authentication/association request made.

Detected Korek Chopchop WEP Cracking Method 

• Korek Chopchop method is a method used by Aircrack-NG suite to attack on a WEP encrypted network.
• Basing on the unique signature in the packets, WIDS is able to detect such attacking method.

Detected Fragmentation PRGA WEP Cracking Method 

• Fragmentation PRGA method is another method used by Aircrack-NG suite to attack on a WEP encrypted network.
• Basing on these unique signature in the packets, WIDS is able to detect such attacking method.

Detected Possible WPA Attacks

• If a possible WPA attacks detected, it will show the Wireless client / Access Point MAC  Address (AP Name) that the number of deauthentication packets were detected.
• If handshakes were also detected, it will display the number of handshake packets found.

Detected WPA Migration Attack 

• The Aireplay-NG WPA Migration Mode also use an unique method by sending request to Access Point using fake MAC address trying to authenticate with AP. These flooding is also being pickup by WIDS

Detected Possible WPS Attacks

• Whenever a communication between a Wireless client  and Access Point using EAP, their MAC  Addresses will be displayed with the number of EAP packets were detected.
• It consistent communication of such request, it is likely that a WPS Bruteforce is in progress.  

Detected Changes In Clients Connection to Another Access Point

• The script also detect any changes when a wireless client which is initially connected to a access point subsequently switch connection to another access point, which could have the possibility connection  to a Rogue AP (User should also note the AP name)

Detected Possible Rogue Access Point

• WIDS also analyse the access point name for frequent changes which could be the possibility of 'Rogue AP' responding to probe by wireless devices 
• Such Rouge APs could be scripted by Airbase-ng, Pineapples, etc..

Detected Possible Evil Twins

• With the similar AP names detected, WIDS will display these APs with similar names which could have the possibility of Evil Twins. 
• Not all similar AP names are evil twins as some routers can have two or more similar name set by users. 
• It is the user discretion to decide whether is it a evil twins.

Detected TKIPTUN-NG Attack

• When a high number of QOS Data packet is sent to a WPA/TKIP encrypted network, there could be a possibility of attack by TKIPTUN-NG .

Detected Michael Shutdown Exploitation Attacks

• WIDS is able to detect possible attack using MDK3 Michael shutdown exploitation (TKIP) options

Detected Authentication DoS

• With too much authentication request from wireless clients, WIDS will display if there is a possibility of Authentication DoS by authentication flood by MDK3 

Detected Beacon Flooding

• WIDS will also display possible Beacon flooding attacking by MDK3

Detected WPA Downgrade Test Attack

• WIDS also detect possible WPA Downgrade Test attack option by MDK3

Displaying of Probing Wireless Devices

• WIDS also allow to display detected wireless devices that probing for any SSID or not participating in any connection of network.

Diagram of Hacking/Detection Process

Step-by-step Attacking/Detection diagram

Attacks	Detection
1)  Attacker setting up his fake access point similar to victim’s AP name	1) Evil Twin Detection

2) Attacker sent deauthentication to client & Access Point	2) Deauth Flooding Detection

3) Victim carelessly connected to the fake access point set by attacker	3) Change in connection from one AP to another

Checking / Updating of Script

• Enter 'wids.py --update' to check online for any updates for the script

Displaying Help

• Enter 'wids.py --hh' to display advanced help

Command line Arguments

• Enter 'wids.py --timeout ' to set the captured timeframe.

• Enter 'wids.py --log' to save all event to a file (log.txt) which can be found on "~/SYWorks/WIDS/"

• Enter 'wids.py -l 1'  or 'wids.py -l 2' ... to run WIDS only the specified times specified.

• Enter 'wids.py -hp'  or 'wids.py --hideprobe' to disable the displaying of probing devices (Default - Display Probing by wireless devices)

Removing The Script

• Enter 'wids.py --remove' to remove the script should you wanted to remove the script totally from your computer.