Friday, October 10, 2014

Intrusion Detection (Updates)

My apologies, I was somehow very busy for the past few months and did not update the WAIDPS. Although there are many new features (new WEP attacking mode, WPS attacking mode enhancement, decrypting and viewing of live packets captured in the monitoring module, etc.) added to the WAIDPS, as mentioned, I am busy and unable to put them all up at once. Below are the updates on the Intrusion Detection Module.

WAIDPS now includes detection of the following wireless attacks carried out with MDK3:
  • MDK3 Beacon Flooding (Different ESSID)
  • MDK3 Beacon Flooding (Similar ESSID)
  • MDK3 Authentication DoS with multiple clients
  • MDK3 Authentication DoS to multiple Access Points
  • MDK3 Authentication DoS to multiple Access Points with multiple clients
  • MDK3 Basic Probing & ESSID Bruteforcing
  • MDK3 Downgrade Test
  • MDK3 WIDS/WIPS/WDS Confusion

With the inclusion of all the above attacks, WAIDPS can now detect the following wireless attacks:
  • Association / Authentication flooding
  • Mass deauthentication, which may indicate a possible WPA attack for a handshake
  • Possible WEP attack using the ARP request replay method
  • Possible WEP attack using the chopchop method
  • Possible WPS PIN bruteforce attack by Reaver, Bully, etc.
  • Evil-Twin
  • Rogue Access Point
  • Beacon Flooding
  • MDK3 Basic Probing & ESSID Bruteforcing
  • MDK3 Downgrade Test
  • MDK3 WIDS/WIPS/WDS Confusion
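As an added illustration (not WAIDPS code), here is a minimal threshold-based detector for three of the attack classes listed above, beacon flooding, authentication flooding and mass deauthentication, run over a constructed frame log. The sliding-window length, the thresholds and the (ts, subtype, src, bssid, essid) record layout are assumptions, not values taken from WAIDPS.

```python
from collections import defaultdict

WINDOW_S = 2.0      # assumed sliding-window length in seconds
BEACON_BSSIDS = 20  # assumed: distinct BSSIDs beaconing within one window
AUTH_CLIENTS = 10   # assumed: distinct clients authenticating to one BSSID
DEAUTH_FRAMES = 15  # assumed: deauth frames within one window

def detect(frames):
    """frames: (ts, subtype, src, bssid, essid) tuples; returns sorted alerts."""
    alerts = set()
    frames = sorted(frames, key=lambda f: f[0])
    start = 0
    for end in range(len(frames)):
        # slide the window start so frames[start:end+1] spans <= WINDOW_S
        while frames[end][0] - frames[start][0] > WINDOW_S:
            start += 1
        win = frames[start:end + 1]
        # beacon flooding: far more BSSIDs advertising than a site can have
        if len({f[3] for f in win if f[1] == "beacon"}) >= BEACON_BSSIDS:
            alerts.add("beacon_flooding")
        # authentication flooding: many distinct clients hitting one BSSID
        clients = defaultdict(set)
        for f in win:
            if f[1] == "auth":
                clients[f[3]].add(f[2])
        for bssid, macs in clients.items():
            if len(macs) >= AUTH_CLIENTS:
                alerts.add("auth_flooding:" + bssid)
        # mass deauthentication: a burst of deauth frames in a short window
        if sum(1 for f in win if f[1] == "deauth") >= DEAUTH_FRAMES:
            alerts.add("mass_deauth")
    return sorted(alerts)

def sample_frames():
    """Constructed capture (not real traffic): 30 beacons from distinct
    BSSIDs in under 1 s, 12 clients authenticating to one AP, 20 deauths."""
    fr = []
    for i in range(30):
        mac = "02:00:00:00:00:%02x" % i
        fr.append((0.03 * i, "beacon", mac, mac, "FAKE-%d" % i))
    for i in range(12):
        fr.append((5.0 + 0.1 * i, "auth", "04:00:00:00:00:%02x" % i,
                   "aa:bb:cc:dd:ee:ff", "HomeNet"))
    for i in range(20):
        fr.append((10.0 + 0.05 * i, "deauth", "aa:bb:cc:dd:ee:ff",
                   "aa:bb:cc:dd:ee:ff", "HomeNet"))
    return fr
```

Calling detect(sample_frames()) flags all three bursts; a real deployment would tune the thresholds to the site's normal AP count and client churn, since a busy venue can legitimately exceed these toy values.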

Screenshot of Beacon Flooding by MDK3


Authentication Flooding to targeted AP by MDK3

Authentication DoS to Multiple Access Points by MDK3

MDK3 Basic Probing & ESSID Bruteforce Mode

MDK3 WIDS/WIPS/WDS Confusion attack detection

3 comments:

Anonymous said...

Great work! Post it on /r/netsec.
Post it on HackoGram or tag them.

Unknown said...

Hi ...
Could you please post how to carry out these flooding attacks in the first place, using tools like mdk3 and all?
It will be very helpful indeed.

kehre said...

I have a problem with "waidps" and "wireless-ids": I tried to run them on my Arch Linux system, but both scripts fail, as they try to use "wlp2s0:" (with a colon at the end) instead of "wlp2s0" as interface name. Since waidps seems more up-to-date I hope you can fix it so I can use it :) Thanks.