Association / Connection Alert
Association / Connection Alert is considered cautious reporting; it does not mean that any form of attack is going on. It is used to update the user on station association details. It will display an alert when it detects any of the changes in the station devices listed below.
a) Devices initially not associated to any Access Point and now associated to one (Possible association before attack)
b) Devices initially associated to Access Point [A] and now associated to Access Point [B] (Possible Rogue AP)
c) Devices initially associated to an Access Point and now not associated to it (Possible deauthentication / forcing station to connect to another AP)
d) Devices that are both Access Point and Station (Mobile phone Hotspot / Rogue AP)
e) Similar Access Points name [ESSID] (Evil-Twin) – See note
Note: Based on signal analysis, the script will display whether the station is near to you or to the access point.
(a) New Association
A new association alert is displayed when the script detects a device that was initially not associated to any access point and is now associated to one.
(b) & (c) Station Switching Connection
The ‘Station Switching Connection’ alert comprises two alerts: one when a station gets disassociated from an access point, and the other when a station initially associated to Access Point A has switched its association to Access Point B.
(d) Dual Device Type
The script will display the ‘Dual Device Type’ alert when it detects a MAC address that is both an Access Point and a station. In most cases, dual devices are mobile phone hotspots.
(e) Similar Access Points name
The user must make their own assessment, as multiple access points with a similar ESSID do not necessarily mean an Evil-Twin. Similar ESSIDs are commonly found in places such as big companies, airports, malls, hotels, campuses, etc., where the area is big and needs many access points to cover it.
An Evil-Twin situation usually starts off with mass deauthentication of clients, forcing them to disconnect from the legitimate access point and connect to the rogue access point, whose signal is stronger than the legitimate one. In most cases, the Evil-Twin is an “Open” network unless the attacker knows the passphrase of the legitimate access point.
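The checks (a) to (e) described above can be expressed as a comparison of two scan snapshots. The following is an added example, not code from WAIDPS or from the original post; the snapshot layout, the function name and the sample MAC addresses are assumptions constructed for illustration, and a "similar" ESSID is simplified to a case-insensitive exact match.

```python
from collections import defaultdict

def association_alerts(prev, curr, aps):
    """Compare two scan snapshots; return (subject, alert, detail) tuples.

    prev, curr: station MAC -> associated BSSID, or None when not associated.
    aps: BSSID -> (ESSID, encryption) as seen in the current scan.
    """
    alerts = []
    # (a), (b), (c): stations seen in both scans whose association changed
    for sta in sorted(prev.keys() & curr.keys()):
        before, now = prev[sta], curr[sta]
        if before == now:
            continue
        if before is None:
            alerts.append((sta, "New Association", f"now on {now}"))
        elif now is None:
            alerts.append((sta, "Station Switching Connection",
                           f"disassociated from {before}"))
        else:
            alerts.append((sta, "Station Switching Connection",
                           f"{before} -> {now}"))
    # (d): the same MAC shows up as an access point and as a station
    for mac in sorted(curr.keys() & aps.keys()):
        alerts.append((mac, "Dual Device Type", "seen as AP and station"))
    # (e): several BSSIDs share one ESSID (assumption: exact match, case-insensitive)
    by_essid = defaultdict(list)
    for bssid, (essid, enc) in aps.items():
        by_essid[essid.lower()].append((bssid, enc))
    for essid, members in sorted(by_essid.items()):
        if essid and len(members) > 1:
            # Differing encryption on one ESSID deserves a closer look by the user
            mixed = len({enc for _, enc in members}) > 1
            detail = "encryption differs" if mixed else "same encryption"
            alerts.append((essid, "Similar Access Points name", detail))
    return alerts

# Constructed sample data (MACs use the locally administered 02: prefix)
AP_A, AP_B, AP_X = "02:00:00:00:00:0A", "02:00:00:00:00:0B", "02:00:00:00:00:0C"
APS = {AP_A: ("CorpWiFi", "WPA2"), AP_B: ("corpwifi", "OPN"), AP_X: ("Hotspot", "WPA2")}
PREV = {"02:11:11:11:11:01": None, "02:11:11:11:11:02": AP_A,
        "02:11:11:11:11:03": AP_A, AP_X: None}
CURR = {"02:11:11:11:11:01": AP_A, "02:11:11:11:11:02": AP_B,
        "02:11:11:11:11:03": None, AP_X: None}

if __name__ == "__main__":
    for subject, alert, detail in association_alerts(PREV, CURR, APS):
        print(f"{alert:<30} {subject}  {detail}")
```

As with the alerts themselves, the "Similar Access Points name" result only narrows down what to look at; the assessment is still left to the user.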
Viewing of Association / Connection Alert Log
The user does not need to sit in front of the monitor just to observe the alerts. WAIDPS logs the details of every active alert to the database and also to active memory. The user can view the logs using 2 methods:
a) Viewing History log (only the current scan; it is cleared once the script exits)
b) Viewing Database file (stored into the database every time an alert is detected)
(a) Viewing History log (Active)
To view the current active log, press [Enter] to enter the [Command Selection Menu]. Press ‘H’ to display the active logs history and select ‘C’ to view the association/connection alert log. (Note: This option displays only results from the active scan; once the script exits, the data will be cleared.)
Procedure: [Enter] → [H] → [C]
The user can also view the saved log file located in /SYWorks/Database/, which has been captured since the beginning, by entering the interactive mode. Press [Enter] to enter the [Command Selection Menu]. Press ‘I’ to enter the [Interactive Mode]. At the command prompt, enter “list log” to view the available logs and enter “open WIADPS-Connection.log” to open the file with the default file viewer.
Procedure: [Enter] → [I] → [list log] → [open WIADPS-Connection.log]
Note: WAIDPS-Cautious.log will usually grow into a very big file. The user can make a backup of the file by typing “backup WAIDPS-Cautious.log”, and the file will be backed up with the backup date appended at the end. After the backup, the original file “WAIDPS-Cautious.log” will be emptied.
Procedure: [Enter] → [I] → [backup WIADPS-Connection.log]