Friday, December 12, 2014

Video Tutorial For WAIDPS Available On YouTube....

I have uploaded several videos to YouTube on the installation and functionality of WAIDPS (Wireless Auditing Intrusion Detection & Prevention System).

More will be coming up... stay tuned



https://www.youtube.com/watch?v=aGTQAWoeujA&list=PLrekpjW7JwW-T0CeXP8GwudtJmTJ6KZ8O&index=1

Monday, October 27, 2014

WEP Auditing (Updates)

Two new WEP auditing features have been added to WAIDPS.
·         KoreK Chopchop Attack
·         Fragmentation Attack
Both methods need a wireless client to be present. Details on both attacks can be found on the Aircrack-NG pages (http://www.aircrack-ng.org/doku.php?id=korek_chopchop & http://www.aircrack-ng.org/doku.php?id=fragmentation).


Example of a KoreK Chopchop Attack
The screenshot below shows the selection of the option. Simply press [Enter] while the WEP attack is in progress to bring up the "Auditing Menu". Select [O1] for the KoreK Chopchop attack.


Once the option is entered, WAIDPS starts reading packets from any client MAC address. After a packet is chosen, decryption begins. It may take a minute or more.


Once decryption of the ARP packet is complete, a keystream (XOR) file is saved under the AP name. WAIDPS will automatically replay the generated packet shown above. WEP cracking then proceeds as normal, replaying the ARP packet until the key is cracked.

Example of Replaying an Existing Keystream (KoreK)
If an existing decrypted ARP packet is found, the user does not need to run the KoreK Chopchop attack again. The user can select the existing decrypted ARP packet to create a new keystream file, as shown below.



Example of a Fragmentation Attack
Cracking using the Fragmentation Attack is similar to the KoreK Chopchop attack. Simply press [Enter] while the WEP attack is in progress to bring up the "Auditing Menu". Select [O2] for the Fragmentation Attack.


Once 1500 bytes of PRGA (pseudo-random generation algorithm output) are obtained, WAIDPS creates an ARP packet and automatically replays it, as shown above. WEP cracking then proceeds as normal, replaying the ARP packet until the key is cracked.

Example of Replaying an Existing Keystream (Fragmentation)
As with KoreK Chopchop, if an existing keystream is found, the user does not need to launch the Fragmentation attack again. Simply use the existing keystream to generate an ARP packet for replaying.




NOTE: The KoreK Chopchop and Fragmentation attacks require a client to be connected to the Access Point. It may not be as easy as it seems; in most cases the attack fails because of an unsupported chipset, an improperly patched driver for injection, or many other reasons. Refer to the Aircrack-NG pages for details.



Please support my page by liking it: https://www.facebook.com/syworks
Visit GitHub - https://github.com/SYWorks/waidps




Friday, October 10, 2014

Intrusion Detection (Updates)

My apologies, I have been very busy for the past few months and did not update WAIDPS. Although many new features (new WEP attacking mode, WPS attacking mode enhancements, decrypting and viewing of live packets captured in the monitoring module, etc.) have been added to WAIDPS, as mentioned I am busy and unable to put them all up at once. Below are the updates on the Intrusion Detection Module.

WAIDPS now covers the following wireless attacks launched by MDK3, as shown below.
  • MDK3 Beacon Flooding (Different ESSID)
  • MDK3 Beacon Flooding (Similar ESSID)
  • MDK3 Authentication DoS with multiple clients
  • MDK3 Authentication DoS to multiple Access Points
  • MDK3 Authentication DoS to multiple Access Points with multiple clients
  • MDK3 Basic Probing & ESSID Bruteforcing
  • MDK3 Downgrade Test
  • MDK3 WIDS/WIPS/WDS Confusion

With the inclusion of all the above attacks, WAIDPS can now detect the following wireless attacks:
·         Association / Authentication flooding
·         Mass deauthentication, which may indicate a possible WPA handshake attack
·         Possible WEP attack using the ARP request replay method
·         Possible WEP attack using the chopchop method
·         Possible WPS PIN brute-force attack by Reaver, Bully, etc.
·         Evil Twin
·         Rogue Access Point
·         Beacon Flooding
·         MDK3 Basic Probing & ESSID Bruteforcing
·         MDK3 Downgrade Test
·         MDK3 WIDS/WIPS/WDS Confusion


Screenshot of Beacon Flooding by MDK3


Authentication Flooding to targeted AP by MDK3

Authentication DoS to Multiple Access Points by MDK3

MDK3 Basic Probing & ESSID Bruteforce Mode

MDK3 WIDS/WIPS/WDS Confusion attack detection

Wednesday, July 23, 2014

List of Commands for WAIDPS [Wireless Auditing & Intrusion Detection Prevention System]

Since WAIDPS has a large number of functions, the list of available commands is given below for easier reference. Press <Enter> on the main screen to display the [Command Selection Menu].

Command Selection Menu
    B    About Application
    C    Application Configuration
          0 / L    Change Regulatory
                      *    Enter Country Code (BO)
          1 / R    Refreshing rate of information
                      *    Refresh detail after number of seconds (30)
          2 / T    Time before removing inactive AP/Station
                      H    Hide AP/Station
                                  *    Number of minutes before hiding inactive AP/Station (1)
                      R    Remove AP/Station
                                  *    Number of minutes before removing inactive AP/Station (120)
          3 / H    Hide inactive Access Point/Station
                      A    Access Point
                                  Y/n    Hide inactive Access Point (Y)
                      S    Station
                                  Y/n    Hide inactive Station (Y)
          4 / B    Beep if alert found
                      Y/n    Beep if alert found (Y)
          5 / S    Sensitivity of IDS (Intrusion Detection System - Detection Sensitivity)
                      0 / D    Display Current Setting
                      1 / H    Highly Sensitive
                      2 / M    Medium Sensitive
                      3 / L    Low Sensitive
                      4 / C   Custom setting of sensitivity
                                  *    Threshold for Data86
                                  *    Threshold for DataARP (ARP)
                                  *    Threshold for Data94
                                  *    Threshold for Data98
                                  *    Threshold for Association
                                  *    Threshold for Disassociation
                                  *    Threshold for Reassociation
                                  *    Threshold for Authentication
                                  *    Threshold for Deauthentication
                                  *    Threshold for Deauthentication (Aircrack-NG)
                                  *    Threshold for EAPOL Protocol
                                  *    Threshold for EAPOL Start
                                  *    Threshold for EAP Communication
                                  *    Threshold for Qos Data
                                  *    Threshold (Only in Analysis)
                                  *    Refresh Timeout Rate
          6 / A    Save Pcap when Attack detected
                      Y/n    To save packets (Pcap) file if IDS detected an attack (Y)
          7 / M    Save Pcap when Monitored MAC/Name seen
                      y/N    To save packets (Pcap) file if Harvester found the specified MAC or ESSID
          8 / W    Whitelist Setting (Bypass alert for MAC/Name)
                      1 / M    MAC Address [BSSID/STATION]
                                  A    Add MAC address
                                              $    Specify the MAC Address to monitor (xx:xx:xx:xx:xx:xx)
                                  D    Delete MAC Address
                                              $    Specify the MAC Address to remove from list (xx:xx:xx:xx:xx:xx)
                                  C    Clear all Monitoring Items
                      2 / N    Name of Access Point / Probe Names
                                  A    Add ESSID/Probe Name
                                              $    Enter the Name to Whitelist (Case sensitive)
                                  D    Delete MAC Address
                                              $    Enter the Name to remove from the Whitelist (Case sensitive)
                                  C    Clear all Names from the Whitelist
                      9 / C    Clear all Monitoring Items (MAC address & Names)
          9 / D    Dictionary Detail and Setting
                      1 / A    Add dictionary location
                                  $    Enter the location of the dictionary
                      2 / S    Set default dictionary
                                  $/*    Enter the dictionary to be set as default (For cracking)
                      3 / D    Delete dictionary location
                                  $/*    Enter the dictionary to be remove from dictionary listing
    D    Output Display
          0 / H    Hide both Access Points & Stations Listing Display
          1 / A    Display Access Points Listing Only
          2 / S    Display Station Listing Only
          3 / B    Display Both Access Points & Stations Listing (Separated View)
          4 / P    Advanced View with Probes Request (Merging associated Station with AP)
          5 / O    Advanced View without probing request (Merging associated Stations with AP)
          6 / C    Display one time bar chart of Access Points information
          7 / N    Show Association/Connection Alert (Toggle Yes/No)
          8 / U    Show Suspicious Activity Listing Alert (Toggle Yes/No)
          9 / I    Show Intrusion Detection/Attacks Alert (Toggle Yes/No)
          + / D    Display client which associated with more than one access point
    F    Filter Network Display
          1 / A    Access Point
                      1 / E    Encryption Type
                                  $    Encryption Filter (WPA / WPA2 / WPA* / WEP / OPN / OTH / ALL)
                      2 / S    Signal Range
                                  1 / V    VGood
                                  2 / G    Good
                                  3 / A    Average
                                  4 / P    Poor
                                  5 / U    Unknown
                                  9 / X    Clear Filter
                      3 / C    Channel
                                  *    Enter the Channel to filter
                      4 / N    Client
                                  Y/N    Display of Access Point with Clients (Yes/No)
                      5 / W    WPS
                                  Y/N    Display only Access Point with WPS (Yes/No)
                      6 / I    ESSID
                                  $    Enter the ESSID to filter
                      7 / B    BSSID
                                  $    Enter the BSSID to filter
                      9 / X    Clear Filter
          2 / S    Station / Client
                      1 / P    Probes
                                  Y/N    Display only if station having probe name (Yes/No)
                      2 / S    Signal Range
                                  1 / V    VGood
                                  2 / G    Good
                                  3 / A    Average
                                  4 / P    Poor
                                  5 / U    Unknown
                                  9 / X    Clear Filter
                      3 / A    Associated Station
                                  Y/N    Display only if station is associated (Yes/No)
                      4 / U    Unassociated Station
                                  Y/N    Display only if station is not associated (Yes/No)
                      9 / X    Clear Filter
          3 / U    Unassociated Station
                      1 / P    Probes
                                  Y/N    Display only if unassociated station having probe name (Yes/No)
                      2 / S    Signal Range
                                  1 / V    VGood
                                  2 / G    Good
                                  3 / A    Average
                                  4 / P    Poor
                                  5 / U    Unknown
                                  9 / X    Clear Filter
                      9 / X    Clear Filter
    H    History Logs (Displaying Active Logs History)
          1 / C    Association / Connection Alert Log
          2 / S    Display Suspicious Activity Listing
          3 / A    Display Attack Log
          4 / L    Display Combination Logs (All Listing)
    L    Lookup MAC/Name Detail (Lookup BSSID / Station MAC / ESSID / Probes)
          1 / M    MAC Address
                      $    Enter the MAC to lookup for (xx:xx:xx:xx:xx:xx)
          2 / N    Names of Access Point / Probes
                      $    Enter the Name to lookup for
    M    Monitor MAC Address / Names (Adding MAC or Names to be monitoring list)
          1 / M    MAC Address
                      A    Add MAC
                                  $    Enter the MAC to be monitored (xx:xx:xx:xx:xx:xx)
                      D    Delete MAC
                                  $    Enter the MAC to be removed from monitoring list (xx:xx:xx:xx:xx:xx)
                      C    Clear MAC (Remove all MAC addresses from the monitoring list)
          2 / N    Name of Access Point / Probe Names
                      A    Add ESSID / Probe Name
                                  $    Enter the ESSID / Probe Name to be added to the monitoring list
                      D    Delete ESSID / Probe Name
                                  $    Remove the ESSID / Probe Name from the monitoring list
                      C    Clear Name (Remove all names from the monitoring list)
          3 / L    Live Monitoring of Access Point
                      $    Enter the Access Point MAC Address (BSSID) to monitor (xx:xx:xx:xx:xx:xx)
                                  >    Refer to Live Monitoring
          9 / C    Clear all Monitoring Items (MAC addresses & Names)
    O    Operation Options
          0 / R    Shutdown all interfaces and Restart application again
          1 / P    Probe Access Point Name (For probing on Hidden SSID)
                      $    Enter the ESSID to Probe
          2 / N    Refresh Now (Refresh current network harvesting process)
          3 / S    Restart application (All active listing will be cleared)
                      y/N    Active listing will be cleared, are you sure you want to exit ? (N)
          4 / T    Restore all setting (All configuration will be reset, application will restart)
                      y/N    All setting will be removed, are you sure (N)
    A    Auditing Network (Cracking of WEP/WPA/WPS or Live Monitoring of AP)
          >    Refer to Auditing Network
    I    Interactive Mode (Packet Analysis) - IDS
          >    Refer to Interactive Mode
    P    Intrusion Prevention - IPS
          $    Enter the Attacker MAC Address (xx:xx:xx:xx:xx:xx) - Deauthenticates the MAC address once it is detected trying to associate to an access point.
          *    Enter the loopcount before IPS stop (9999999)
          *    Waiting time before sending another deauth signal (1)
    X    Exit Application


Tuesday, June 24, 2014

WAIDPS [Wireless Auditing, Intrusion Detection & Prevention System] Tutorial / Explanations - Part 4

 

Network Cracking (Auditing) Module
WAIDPS also includes a Network Auditing Module which allows the user to crack a WEP encrypted access point (AP), capture a WPA/WPA2 handshake for cracking the WPA passphrase, and brute-force the PIN of a Wi-Fi Protected Setup (WPS) enabled router, which thereafter reveals the WPA passphrase. Apart from cracking encrypted access points, WAIDPS also includes a “Live Monitoring” mode which shows details of the wireless clients associated with a specific Access Point.

WARNING : The Network Cracking Module is strictly for auditing your own network or auditing someone else's network with their consent. It is ILLEGAL to attack someone else's access point, and it is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse of WAIDPS.

Network Auditing Main Menu
To get into the ‘Network Auditing’ selection menu, press [Enter] on the main menu followed by [A]. The Auditing menu displays the list of detected access points sorted in the order of WEP, WPS enabled routers, WPA Access Points with clients, and WPA Access Points. To display more information on the operation, type [Help].

Note : Allow the WiFi Harvester to harvest access point and client details on the main screen before selecting the “Auditing Network” module.




Cracking of WEP Encrypted Access Point
WAIDPS allows the user to crack a WEP encrypted access point with various attack methods such as ARP replay, interactive ARP replay, and the KoreK & Hirte attacks (in development). It also provides options for deauthenticating existing clients and spoofing the MAC address. To select the target, simply enter the number shown or the MAC address of the Access Point (BSSID). The user can also filter by encryption type by typing “WEP”.

 


Once the target Access Point (AP) is selected, WAIDPS displays the existing AP/client details along with information found in the database previously harvested by the “WiFi Harvester”. WAIDPS also spoofs the MAC address of the attacking interface and allows the user to choose their own spoofed MAC address.


After all information is set, WAIDPS first attempts to associate with the AP by performing a “Fake Authentication”. Once associated, WAIDPS continues with the default ARP Request Replay attack. While attacking the AP, WAIDPS also attempts to crack the WEP key once sufficient IVs have been obtained. Once the WEP encryption is cracked, the WEP key is displayed and stored in a database for reference.


Example of a cracked Access Point displayed in the Auditing main menu



  
Apart from the default ARP Request Replay attack mode, WAIDPS also provides other attack modes such as interactive replay, KoreK Chopchop, Café Latte, Fragmentation and the Hirte attack (not ready yet). The user can enter the WEP Auditing Menu by pressing [Enter] during the attack process. Besides the attack methods, the WEP auditing menu also allows the user to deauthenticate clients, spoof the attacking MAC address, and use other methods of cracking the WEP key.



Cracking of WEP Encrypted Access Point (Usage of previously captured IVs)
WAIDPS also stores previously captured IVs for subsequent use in cracking the WEP key if the user does not have enough time to finish cracking. These stored IVs are added to the current IVs to increase the total count and improve the chance of cracking.
  
 
Cracking of WEP Encrypted Access Point (Beating MAC Filtered AP)
Some Access Points have the MAC Filtering option turned on to prevent unauthorized clients from associating with the AP, which also makes cracking the encryption harder for beginners. WAIDPS displays a “MAC Filtered Access Point” error message if a MAC filtered AP is detected during the fake authentication process.



WAIDPS provides the user with the option of spoofing an existing client MAC address or a MAC address found in the previously harvested database. Simply press [Enter] to display the WEP Auditing Menu and select “4” - Spoof MAC Address to spoof the attacking interface MAC address.



Cracking of WEP Encrypted Access Point (Shared Key Authentication – SKA AP)
A “Shared Key Authentication” (SKA) WEP encrypted network is much more complex than the commonly used “Open” WEP network. WAIDPS displays an error message reporting a possible SKA WEP encrypted access point. An existing legitimate client must be present in order to obtain the 140 bytes of keystream. The user can manually send deauth signals to the AP to try to obtain the keystream, or WAIDPS will automatically attempt to send deauth signals to obtain it. To increase the chances of beating SKA, the user can also spoof the existing client MAC address.



Cracking of WPA Encrypted Access Point
In order to crack a WPA encrypted access point, the user must first obtain a 4-way handshake between a legitimate client and the access point. Similar to WEP cracking, WAIDPS displays the AP information and allows the user to spoof the MAC address before proceeding with the deauthentication of clients to obtain the handshake.


WAIDPS sends broadcast deauthentication signals to the Access Point and attempts to detect connected clients. Once a client is detected, WAIDPS sends deauthentication signals to that specific client MAC address in an attempt to capture the handshake. As with the WEP attack, the user can display the list of options by pressing [Enter] during the capture process.


After sending deauthentication signals to the AP and clients, WAIDPS detects the presence of a handshake and lists the details individually by client MAC. Once a handshake is successfully captured, the handshake file is saved to the “/SYWorks/Saved/” directory. WAIDPS then proceeds to crack the WPA passphrase based on the captured handshake.


If the passphrase is found in the default dictionary, WAIDPS displays the cracked passphrase and also stores it in a database for reference.

  


Cracking of WPA Encrypted Access Point (Manually selecting handshake file)
If a handshake was previously captured for a specific access point, “[Handshake]” is shown directly after the ESSID on the main auditing screen. The user can then select that access point to manually crack the handshake file using another dictionary.


Customising Dictionary Location
The user can specify the location of other dictionaries to be used for cracking by typing “C” – Application Configuration on the WAIDPS main menu, then selecting “9” for Dictionary Detail and Setting.



Cracking of WPS Enabled Access Point
The WPS cracking option is only available for WPA/WPA2 encrypted networks, since WEP is considered easy to crack anyway. As with WEP/WPA cracking, the user can enter the list number of the access point or the MAC address of the AP (BSSID) to select the target. Options are provided to choose between “WPS Bruteforce” and “WPA handshake”. Brute-forcing details are shown on screen so the user can follow the PINs tried, the PINs remaining, and other status of the brute-force process.

 
Once the WPS PIN is found, WAIDPS displays the WPS PIN and WPA passphrase of the cracked network and also stores the details in the database for reference.



Cracking of WPS Enabled Access Point (Manually entering PIN)
During the cracking process, the user can also manually enter a WPS PIN to try by pressing [Enter] to display the menu and then “P” to enter the PIN. This is particularly useful when the WPA passphrase has been changed but the WPS PIN has not.



Live Monitoring of Access Point
WAIDPS also provides the option of live monitoring an Access Point to see the activity status of the AP and the wireless clients associated with it. It displays details of the detected devices and whether each device is active or not sending any data. To monitor a specific access point, put an “M” in front of the listing number or in front of the BSSID.



Friday, April 25, 2014

WAIDPS [Wireless Auditing, Intrusion Detection & Prevention System] Tutorial / Explanations - Part 3

Intrusion Detection
At present, WAIDPS is able to detect the following wireless attacks; other detections from the previous WIDS will be added subsequently.
·         Association / Authentication flooding
·         Mass deauthentication, which may indicate a possible WPA handshake attack
·         Possible WEP attack using the ARP request replay method
·         Possible WEP attack using the chopchop method
·         Possible WPS PIN brute-force attack by Reaver, Bully, etc.
·         Evil Twin
·         Rogue Access Point

The IDS module comprises two sections:
  • Suspicious Activity Listing – Data count
  • Alert Message
 

Note : The Suspicious Activity Listing may only be useful to advanced users who can configure their own detection based on the results. (Knowledge of the whole script is required.)

The “Attack Detected” section displays more information about the attack than the previous WIDS did, such as the attacker's range, the likelihood of an attack, and whether the attack packets were saved. More screenshots of the various types of attack will be uploaded.
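To illustrate how threshold-based detection of the attacks listed above works (per-frame-type counts per source within a refresh window, a sensitivity preset, and a whitelist), here is an added example in Python; it is not WAIDPS code. The threshold values, the `Frame` record layout, and the sample capture are constructed for the example, and it also covers beacon flooding and a simple evil-twin check against a known-AP table.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Per-window frame-count thresholds for the frame kinds listed in the custom
# sensitivity menu, plus a distinct-BSSID count for beacon flooding. Constructed
# values for this example, not WAIDPS's own presets.
SENSITIVITY = {
    "high":   {"deauth": 10, "auth": 15,  "assoc": 15,  "beacon_bssids": 8},
    "medium": {"deauth": 30, "auth": 40,  "assoc": 40,  "beacon_bssids": 20},
    "low":    {"deauth": 80, "auth": 100, "assoc": 100, "beacon_bssids": 50},
}


@dataclass(frozen=True)
class Frame:
    """Minimal 802.11 frame summary, as a monitor-mode capture would log it."""
    ts: float      # capture time in seconds
    kind: str      # "beacon", "deauth", "auth", "assoc" or "data"
    src: str       # transmitter address (an attacker may spoof this)
    dst: str       # receiver address
    bssid: str
    essid: str = ""


def detect(frames, sensitivity="medium", window=30.0, known_aps=None,
           whitelist=frozenset()):
    """Return (alert, mac, detail) tuples for a frame log.

    Frames are bucketed into refresh windows of `window` seconds (the menu's
    "Refresh Timeout Rate"). Inside each window a source whose deauth/auth/assoc
    count reaches the threshold raises "<kind>_flood"; broadcast deauths over
    the deauth threshold raise "mass_deauth" (possible WPA handshake attack);
    too many distinct beaconing BSSIDs raise "beacon_flood"; a beacon for a
    known ESSID from an unlisted BSSID raises "evil_twin". Whitelisted MACs
    never raise alerts (the menu's "Whitelist Setting").
    """
    th = SENSITIVITY[sensitivity]
    known_aps = known_aps or {}           # essid -> set of legitimate BSSIDs
    alerts, seen_twins = [], set()
    by_window = defaultdict(list)
    for f in frames:
        by_window[int(f.ts // window)].append(f)

    for _, batch in sorted(by_window.items()):
        per_src = defaultdict(Counter)    # src -> kind -> count
        bcast_deauth = Counter()
        beacon_bssids = set()
        for f in batch:
            if f.src in whitelist:
                continue
            per_src[f.src][f.kind] += 1
            if f.kind == "deauth" and f.dst == BROADCAST:
                bcast_deauth[f.src] += 1
            if f.kind == "beacon":
                beacon_bssids.add(f.bssid)
                legit = known_aps.get(f.essid)
                twin = (f.bssid, f.essid)
                if legit and f.bssid not in legit and twin not in seen_twins:
                    seen_twins.add(twin)
                    alerts.append(("evil_twin", f.bssid, f.essid))
        for src, counts in per_src.items():
            for kind in ("deauth", "auth", "assoc"):
                if counts[kind] >= th[kind]:
                    alerts.append((kind + "_flood", src, counts[kind]))
        for src, n in bcast_deauth.items():
            if n >= th["deauth"]:
                alerts.append(("mass_deauth", src, n))
        if len(beacon_bssids) >= th["beacon_bssids"]:
            alerts.append(("beacon_flood", None, len(beacon_bssids)))
    return alerts


def sample_capture():
    """Constructed frame log: a quiet AP, a spoofed deauth burst, an MDK3-style
    beacon flood and an evil twin. Returns (frames, known_aps)."""
    ap, client, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    frames = [Frame(0.5, "beacon", ap, BROADCAST, ap, "HomeNet"),
              Frame(1.0, "data", client, ap, ap)]
    # 40 broadcast deauths in 4 s carrying the AP's address; the IDS can only
    # attribute them to the address seen on the wire.
    frames += [Frame(2 + i * 0.1, "deauth", ap, BROADCAST, ap) for i in range(40)]
    # 25 bogus BSSIDs, each beaconing a different ESSID (MDK3 beacon flooding).
    fake = [f"02:00:00:00:00:{i:02x}" for i in range(25)]
    frames += [Frame(10 + i * 0.2, "beacon", b, BROADCAST, b, f"fake{i}")
               for i, b in enumerate(fake)]
    # A second BSSID advertising the legitimate ESSID.
    frames.append(Frame(20.0, "beacon", rogue, BROADCAST, rogue, "HomeNet"))
    return frames, {"HomeNet": {ap}}
```

Running `detect(*sample_capture()[:1], "medium", known_aps=sample_capture()[1])` yields one alert each for the deauth flood, the mass deauth, the beacon flood and the evil twin; at "low" sensitivity only the evil twin remains, which is the trade-off the sensitivity menu exposes.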



  

Interactive Mode
The interactive mode allows the user to perform many functions related to packet examination and analysis. The user can list the stored databases with “LIST DB” and open one with “OPEN ”. The user can also use the interactive mode to save the currently captured packets or load an existing pcap file for analysis. To enter the interactive mode, press [Enter] followed by “I”. Once in Interactive Mode, type [Help] for details.



Filter Function
The filter function is important in the analysis portion, as packets are filtered based on the settings you set. Type [Filter ?] for details.

  

Adding/Removing MAC Filter

Adding/Removing Ignore Filter
The ignore filter makes the analyzer skip the specified data types.


Adding/Removing Contain Filter
The contain filter makes the analyzer search for and list only the specified value; all other data is bypassed.
 

  

Show Dump Function
The show dump function shows the captured packets according to the filter. There are 3 options:
  • SHOW DUMP  - Show TCPDump and TShark packet results
  • SHOW DUMP1 - Show TCPDump results
  • SHOW DUMP2 - Show TShark results


SHOW DUMP1 (With Deauth Filter)


SHOW DUMP1 (No Deauth Filter)


SHOW DUMP2 (With Deauth Filter)

SHOW DUMP2 (No Deauth Filter)



Show List Function
The Show List function lists the data count of each MAC address detected. Type [Show List] for details.


SHOW LIST1


SHOW LIST 3 / 4
[Show List 3] filters possible detail based on the IDS setting, and [Show List 4] is based on the threshold detail. Type [Set Threshold] to set the thresholds or [SET IDS] to set the IDS sensitivity.




ANALYZER


Intrusion Prevention Module
The IPS module is used to deauthenticate any attacker MAC address. By doing so, the attacker may be unable to associate with any Access Point prior to a WEP/WPS attack. Press [Enter] to enter the Command Selection Menu and then press [P]. Enter the MAC address to stop.



After the IPS has started, a new window opens. To stop the deauth, simply close the new window. Do take note that the IDS will detect the resulting deauth flood.