The forum won't let syworks post this, so I offered to post it for him. I'll check why.
Wireless IDS is an open source tool written in Python that runs on Linux. It sniffs the surrounding wireless traffic for suspicious activity such as WEP/WPA/WPS attack packets. It does the following:
- Detects mass deauthentication frames sent to a client or access point; an unreasonable number of them indicates a possible WPA attack aimed at capturing handshakes.
- Detects continual data sent to an access point using the broadcast MAC address, which indicates a possible WEP attack.
- Detects an unreasonable amount of EAP authentication traffic between a wireless client and an access point, which indicates a possible WPS brute-force attack by Reaver / WPSCrack.
- Detects a client switching its connection to another access point, which may indicate a connection to a rogue AP (the user needs to assess the situation, e.g. whether the AP name is similar).
for other updated information and tools.
No special equipment is required to use this script as long as you have the following:
1. Root access (admin)
2. Wireless interface which is capable of monitoring
3. Python installed
4. Aircrack-NG suite installed
5. TShark installed
Note: Items 3 to 5 are already pre-installed in BackTrack and Kali Linux.
Download / Installation
- Visit https://github.com/SYWorks/wireless-ids for all documentation and files, or
- download the raw file directly from here
- Save the file 'wids.py' to your Linux desktop or any directory you like. In my case, I saved it on my desktop and entered the following in the terminal console:
* cd Desktop/
* chmod +x wids.py
Once installation is completed, you may delete the file from where you initially saved it, as the following have been created:
- Directory : ~/SYWorks/
- Directory : ~/SYWorks/WIDS/
- Directory : ~/SYWorks/WIDS/tmp
- File : ~/SYWorks/WIDS/wids.py
- File : ~/usr/sbin/wids.py
Running the application
- You can run the script from any directory by entering 'wids.py'.
- Once the script is running, it will detect your wireless interface; if you have more than one interface, it will prompt you to choose one.
- If there is no suspicious activity found, it will display 'Did not detect any suspicious activity..'
- Note: To exit the script, simply press 'Ctrl+C'.
Detected Possible WEP Attacks
- If a possible WEP attack is detected, it will show the wireless client / access point MAC address (AP name) and any authentication/association requests made.
Detected Possible WPA Attacks
- If a possible WPA attack is detected, it will show the wireless client / access point MAC address (AP name) together with the number of deauthentication packets detected.
- If handshakes were also detected, it will display the number of handshake packets found.
Detected Possible WPS Attacks
- Whenever a wireless client and an access point communicate using EAP, their MAC addresses will be displayed along with the number of EAP packets detected.
- If such requests keep arriving consistently, it is likely that a WPS brute force is in progress.
Detected Changes In Clients Connection to Another Access Point
- The script also detects when a wireless client that was initially connected to one access point subsequently switches to another access point, which could indicate a connection to a rogue AP (the user should also note the AP name).
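As an added illustration of the four heuristics described above (this is not syworks' code and not how wids.py is implemented), the following Python sketch counts decoded frames from a constructed capture and raises an alert when an assumed threshold is crossed; the frame schema, the MAC addresses and the threshold values are my own simplifications.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; the tool's own cut-offs are not stated.
DEAUTH_THRESHOLD = 20          # deauth frames per AP in one capture window
BROADCAST_DATA_THRESHOLD = 50  # data frames to ff:ff:ff:ff:ff:ff per AP (WEP replay)
EAP_THRESHOLD = 30             # EAP frames per client/AP pair (WPS PIN guessing)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def analyse(frames):
    """Apply the four heuristics to a list of decoded frames and return alert strings.
    Each frame is a dict: 'type' in {'deauth', 'data', 'eap', 'assoc'} plus
    'src', 'dst' and 'bssid' MAC strings (a simplified, constructed schema)."""
    deauth, bcast_data, eap = Counter(), Counter(), Counter()
    assoc = defaultdict(list)  # client MAC -> BSSIDs it associated to, in order
    for f in frames:
        if f["type"] == "deauth":
            deauth[f["bssid"]] += 1
        elif f["type"] == "data" and f["dst"] == BROADCAST:
            bcast_data[f["bssid"]] += 1
        elif f["type"] == "eap":
            eap[tuple(sorted((f["src"], f["dst"])))] += 1  # direction-agnostic pair
        elif f["type"] == "assoc":
            hist = assoc[f["src"]]
            if not hist or hist[-1] != f["bssid"]:
                hist.append(f["bssid"])
    alerts = []
    for ap, n in deauth.items():
        if n >= DEAUTH_THRESHOLD:
            alerts.append(f"possible WPA handshake attack: {n} deauth frames on AP {ap}")
    for ap, n in bcast_data.items():
        if n >= BROADCAST_DATA_THRESHOLD:
            alerts.append(f"possible WEP attack: {n} broadcast data frames via AP {ap}")
    for (a, b), n in eap.items():
        if n >= EAP_THRESHOLD:
            alerts.append(f"possible WPS brute force: {n} EAP frames between {a} and {b}")
    for client, hist in assoc.items():
        if len(hist) > 1:
            alerts.append(f"client {client} moved {' -> '.join(hist)}: check for rogue AP")
    return alerts

# Constructed sample capture: 25 deauths, 10 harmless broadcasts, 35 EAP frames,
# and one client that re-associates from AP1 to AP2 (all addresses made up).
AP1, AP2, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:01"
SAMPLE_FRAMES = (
    [{"type": "deauth", "src": AP1, "dst": BROADCAST, "bssid": AP1}] * 25
    + [{"type": "data", "src": CLIENT, "dst": BROADCAST, "bssid": AP1}] * 10
    + [{"type": "eap", "src": CLIENT, "dst": AP1, "bssid": AP1}] * 35
    + [{"type": "assoc", "src": CLIENT, "dst": AP1, "bssid": AP1},
       {"type": "assoc", "src": CLIENT, "dst": AP2, "bssid": AP2}]
)
```

Running `analyse(SAMPLE_FRAMES)` yields three alerts (WPA, WPS and the AP change); the 10 broadcast data frames stay below the WEP threshold and produce none.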
Checking / Updating of Script
- Enter 'wids.py --update' to check online for any updates for the script
- Enter 'wids.py --hh' to display advanced help
Command line Arguments
- Enter 'wids.py --timeout ' to set the capture timeframe.
Removing The Script
- Enter 'wids.py --remove' to remove the script completely from your computer.
More information can be found on syworks blog: http://syworks.blogspot.sg/2014/01/wireless-ids-intrusion-detection-system.html