Wireless IDS [Intrusion Detection System]
Wireless IDS Description
Wireless IDS is an open source tool written in Python and work on Linux environment. This tool will sniff your surrounding air traffic for suspicious activities such as WEP/WPA/WPS attacking packets. It do the following
- Detect mass deauthentication sent to client / access point which unreasonable amount indicate possible WPA attack for handshakes.
- Continual sending data to access point using broadcast MAC address which indicate a possibility of WEP attacks
- Unreasonable amount of communication between wireless client and access point using EAP authentication which indicate the possibility of WPS bruteforce attack by Reaver / WPSCrack
- Detection of changes in connection to anther access point which may have the possibility of connection to Rogue AP (User needs to assess the situation whether similar AP name)
- Detects possible Rogue Access Point responding to probe by wireless devices in the surrounding.
Subsequent revision (Detection)
- Display similar Access Point's name (SSID) which could have the possibility of WiFi 'Evil Twins'.
- Display of probing SSID by wireless devices
- Detection of Korek Chopchop packets sent by Aircrack-NG (WEP attacks)
- Detection of Fragmentation PRGA packets sent by Aircrack-NG (WEP attacks)
- Detection of possible WPA Downgrade attack by MDK3
- Detection of possible Michael Shutdown exploitation (TKIP) by MDK3
- Detection of Beacon flooding by MDK3
- Detection of possible Authentication DoS by MDK3
- Detection of possible association flooding
- Detection of WPA Migration Attack by Aircrack-NG (WPA Attack)
Subsequent revision (Functions)
- Allow logging of events to file.
- Allow disabling of displaying of probing devices
Wireless IDS Help
Usage : ./wids.py [options] <args> Running application without parameter will fire up the interactive mode. Options: -h --help - Show basic help message and exit -hh - Show advanced help message and exit --update - Check for updates --remove - Uninstall application -l --loop <arg> - Run the number of loop before exiting -i --iface <arg> - Set Interface to use -t --timeout <arg> - Duration to capture before analysing the captured data -hp --hidepropbe - Hide displaying of Probing devices. -la --log-a - Append to current scanning log detail -lo --log-o - Overwrite existing scanning logs --log - Similar to --log-o
Wireless IDS Usage Example
./wids.py --update ./wids.py -i wlan0 -t 120 ./wids.py --loop 10 --timeout 30 ./wids.py --iface wlan1 --timeout 20
How to install Wireless IDS
git clone https://github.com/SYWorks/wireless-ids.git cd wireless-ids/ sudo chmod +x wids.py sudo ./wids.py
Wireless IDS Screenshots
Detected Possible WEP Attacks
- If a possible WEP attacks detected, it will show the Wireless client / Access Point MAC Address (AP Name) and also any authentication/association request made.
Detected Possible WPA Attacks
- If a possible WPA attacks detected, it will show the Wireless client / Access Point MAC Address (AP Name) that the number of deauthentication packets were detected.
- If handshakes were also detected, it will display the number of handshake packets found.
Detected Possible Rogue Access Point
- WIDS also analyse the access point name for frequent changes which could be the possibility of 'Rogue AP' responding to probe by wireless devices.
Detected Possible Evil Twins - New
- With the similar AP names detected, WIDS will display these APs with similar names which could have the possibility of Evil Twins.
- Not all similar AP names are evil twins as some routers can have two or more similar name set by users.
- It is the user discretion to decide whether is it a evil twins.
Wireless IDS Tutorials
- Three ways to put wireless interface in Monitor mode and Managed mode
- Requirements ~ Download ~ Installation
- Attacking ~ Detection Diagrams
- Help ~ Update ~ Commandline ~ Uninstall
- USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux) 2021