Friday, April 25, 2014

WAIDPS [Wireless Auditing, Intrusion Detection & Prevention System] Tutorial / Explanations - Part 3

Intrusion Detection
At present, WAIDS is able to detect the following wireless attacks and will subsequently add other detection found in the previous WIDS.
·         Association / Authentication flooding
·         Detect mass deauthentication which may indicate a possible WPA attack for handshake
·         Detect possible WEP attack using the ARP request replay method
·         Detect possible WEP attack using chopchop method
·         Detect possible WPS pin bruteforce attack by Reaver, Bully, etc.
·         Detection of Evil-Twin
·         Detection of Rogue Access Point

In the IDS module, it comprise of 2 sections
  • Suspicious Activity Listing – Data count
  • Alert Message

Note : Suspicious Activity Listing may only be applicable to advanced user who can base on the result and configure their own detection. (Knowledge of the whole script is required)

On the “Attack Detected” section, it will display more information of the attack such as attacker range, possibility of attack, saving of attack packets, etc as compare to the previous WIDS. More screenshots of various type of attacks will be uploaded.


Interactive Mode
The interactive mode allow user to perform many functions related to packets examination and analysis. User can do listing of database in the interactive mode such as “LIST DB” which is use to list out stored database and “OPEN ” to open such file. User can also enter the interactive mode to save the current captured packets or load existing pcap file for analysis. To enter into the interactive mode, press [Enter] followed by “I”. Once you entered the Interactive Mode, you can type [Help] for detail.

Filter Function
The filter function may consider important in the analysis portion as it will filtered base on the setting you set. Type [Filter ?] for detail.


Adding/Removing MAC Filter

Adding/Removing Ignore Filter
Ignore filter is use to for the analyzer to ignore the data type that have been specified.

Adding/Removing Contain Filter
Contain filter is use to for the analyzer to search and list out the specified value and all other data will be bypass.


Show Dump Function
The show dump function will show packets captured basing on the filter. There are 3 options
  • SHOW DUMP           - Show TCPDump and TShark packet result
  • SHOW DUMP1        - Show TCPDump result
  • SHOW DUMP 2       - Show TShark result

SHOW DUMP1 (With Deauth Filter)

SHOW DUMP1 (No Deauth Filter)

SHOW DUMP2 (With Deauth Filter)

SHOW DUMP2 (No Deauth Filter)

Show List Function
Show List Function is use to list of the data count of each MAC address detected. Type [Show List] for detail


[Show List 3] is filter possible detail basing on IDS setting and [Show List 4] are base on Threshold detail. Type [Set Threshold] to set the detail or [SET IDS] to set IDS sensitivity setting.


Intrusion Prevention Module
The IPS module is used to deauth any attacker MAC addresses. By doing so, the attacker may not be able to associated to any Access Point prior to the WEP/WPS attack. Press [Enter] to enter Command Selection Menu and the press [P]. Enter the MAC address to stop.

After the IPS started, a new window will be open. To stop the deauth, simply close the new window. Do take note that IDS will detect Deauth flood.

No comments: