Intrusion Detection
At present, WAIDS is able to detect the following wireless attacks, and other detections found in the previous WIDS will be added subsequently.
· Association / Authentication flooding
· Detect mass deauthentication, which may indicate a possible WPA attack to capture the handshake
· Detect possible WEP attack using the ARP request replay method
· Detect possible WEP attack using the chopchop method
· Detect possible WPS PIN bruteforce attack by Reaver, Bully, etc.
· Detection of Evil-Twin
· Detection of Rogue Access Point
The IDS module comprises 2 sections:
- Suspicious Activity Listing – Data count
- Alert Message
Note: Suspicious Activity Listing may only be applicable to advanced users who can configure their own detection based on the result. (Knowledge of the whole script is required.)
Compared to the previous WIDS, the “Attack Detected” section displays more information about the attack, such as attacker range, possibility of attack, saving of attack packets, etc. More screenshots of various types of attacks will be uploaded.
Interactive Mode
The interactive mode allows the user to perform many functions related to packet examination and analysis. The user can list databases in the interactive mode with commands such as “LIST DB”, which is used to list the stored databases, and “OPEN ”, which opens such a file. The user can also enter the interactive mode to save the currently captured packets or load an existing pcap file for analysis. To enter the interactive mode, press [Enter] followed by “I”. Once you have entered the Interactive Mode, you can type [Help] for details.
Filter Function
The filter function may be considered important in the analysis portion, as the output is filtered based on the settings you set. Type [Filter ?] for details.
Adding/Removing MAC Filter
Adding/Removing Ignore Filter
The Ignore filter is used to make the analyzer ignore the data types that have been specified.
Adding/Removing Contain Filter
The Contain filter is used to make the analyzer search for and list the specified value; all other data will be bypassed.
Show Dump Function
The show dump function shows the captured packets based on the filter. There are 3 options:
- SHOW DUMP - Show TCPDump and TShark packet result
- SHOW DUMP1 - Show TCPDump result
- SHOW DUMP 2 - Show TShark result
SHOW DUMP1 (With Deauth Filter)
SHOW DUMP1 (No Deauth Filter)
SHOW DUMP2 (With Deauth Filter)
SHOW DUMP2 (No Deauth Filter)
Show List Function
The Show List function is used to list the data count of each MAC address detected. Type [Show List] for details.
SHOW LIST1
SHOW LIST 3 / 4
[Show List 3] filters possible details based on the IDS setting, and [Show List 4] is based on the Threshold details. Type [Set Threshold] to set the details or [SET IDS] to set the IDS sensitivity setting.
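The per-MAC data count and threshold idea above, applied to the mass-deauthentication detection listed under Intrusion Detection. This is an added example, not code from WAIDS: the frame tuples are constructed sample data, and the function name, window and threshold values are assumptions.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C                      # 802.11 management subtype 12 (deauthentication)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_flood(frames, window=5.0, threshold=10):
    """Alert once per (source, BSSID) pair that sends >= threshold deauth
    frames within `window` seconds. `frames` holds time-sorted tuples of
    (timestamp, subtype, src, dst, bssid). Values are assumed defaults."""
    recent = defaultdict(deque)    # (src, bssid) -> (timestamp, dst) inside the window
    alerted, alerts = set(), []
    for ts, subtype, src, dst, bssid in frames:
        if subtype != DEAUTH:
            continue
        # The source address is only what the frame claims, so the count is
        # kept per claimed transmitter and per BSSID.
        key = (src, bssid)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            targets = {d for _, d in q}
            alerts.append({
                "src": src, "bssid": bssid, "count": len(q),
                "first_seen": q[0][0],
                "broadcast": BROADCAST in targets,
                "targets": sorted(targets - {BROADCAST}),
            })
    return alerts

def sample_frames():
    # Constructed capture: a beacon, one client leaving, then a deauth burst.
    ap, sta1, sta2 = "02:00:00:00:00:01", "02:00:00:00:00:a1", "02:00:00:00:00:a2"
    frames = [(0.0, 0x08, ap, BROADCAST, ap),    # beacon, ignored
              (1.0, DEAUTH, sta2, ap, ap)]       # single deauth, below threshold
    frames += [(10.0 + i * 0.1, DEAUTH, ap, sta1, ap) for i in range(12)]
    return frames

def slow_frames():
    # Constructed: 12 deauths spaced 1 s apart never fill a 5 s window.
    ap, sta = "02:00:00:00:00:01", "02:00:00:00:00:a1"
    return [(float(i), DEAUTH, ap, sta, ap) for i in range(12)]

if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_frames()):
        print("Possible deauth flood:", alert)
```

Deauth frames sent by the sensor itself, such as those from the IPS module described below, would be counted by this logic as well.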
ANALYZER
Intrusion Prevention Module
The IPS module is used to deauth any attacker MAC addresses. By doing so, the attacker may not be able to associate to any Access Point prior to the WEP/WPS attack. Press [Enter] to enter the Command Selection Menu and then press [P]. Enter the MAC address to stop.
After the IPS has started, a new window will be opened. To stop the deauth, simply close the new window. Do take note that the IDS will detect the Deauth flood.