WAIDPS 无线攻防



Wireless Auditing, Intrusion Detection and Prevention System




INTRODUCTION

WAIDPS (Wireless Auditing, Intrusion Detection and Prevention System) is written in Python 3 and working well on Penetration Testing distributions, such as Parrot Security OS 4.0.1 or later. This is a multi-purpose tool that is designed for penetration testing as well as wireless intrusion detection and prevention.

It stores all wifi information that harvests from the surrounding. Therefore, it is very useful for penetration testing especially for MAC address filtering and SSID hidden access points.

Meanwhile, it detects (1) association / authentication flooding, (2) mass deauthentication, (3) WEP and WPA/WPA2 as well as WPS attacks, (4) evil-twins and (5) rogue access points.


BACKGROUND

This project is original created by SY Chua of SYWorks Programming. However, it is no longer maintained by him since 2014. The GitHub version is v1.0 R.6 and it is dated Oct 10, 2014. Meanwhile, the demonstration in his tutorials and Youtube videos are displayed v1.0 R.7 dated Oct 11, 2014. It is considered as abandoned project.

On the other hand, this software is a very good design in screen layout and good operation experience. Since v1.0 R.6 will crash especially when handshake is captured and it is not working properly on Kali Linux 2017.2, Samiux fixed the problems and ported to Python 3. It also support IEEE 802.11ac (2.4 and 5 GHz bands).


LICENSE

This project is an open source project and it is released under GPLv3 by Samiux.

A Quick Guide to GPLv3
GNU General Public License Version 3.0


OPERATING SYSTEM

It is well tested on Parrot Security OS 4.0.1. Other penetration testing Linux distributions may work too. However, it does not compatible with Kali Nethunter.





DONATION

If you like our project, please show your support by sending the donation to Paypal (infosecninjas AT gmail DOT com) in USD or HKD currency. You need a Paypal account for the donation.


CHANGELOG

Version 1.0 R.6a (2017-10-19)
[+] Fork from GitHub SYWorks v1.0 R.6
[+] Fix for Kali Linux 2017.2
[+] Fix for Realtek 8812au wireless USB dongle and older
[+] Fix for scanning IEEE 802.11ac/n/b/g devices
[+] Some minor bug fixes

Version 1.0 R.6b (2017-10-20)
[+] Fix for crashes when handshake is captured
[+] Some minor bug fixes

Version 1.0 R.6c (2017-12-03)
[+] Kill processes at the beginning

Version 1.0 R.6d (2017-12-05)
[+] Fix for Github and newer version (aireplay-ng display) (waidps2.py)

Version 1.0 R.6e (2017-12-14)
[+] Fix handshake subroutine on Python 3 script
[+] Add Python 3 support for different script (waidps3.py)

Version 1.0 R.6f (2017-12-16)
[+] Fix handshake subroutine on Python 3 script
[+] Minor improvement

Version 1.0 R.6g (2017-12-17)
[+] Code clean up
[+] Minor improvement

Version 1.0 R.6h (2017-12-19)
[+] Fix undetectable unicode crash on Python 3 script
[+] Minor fix on Python 3 script

Version 1.0 R.6i (2017-12-23)
[+] Fix unicode SSID crash on handshake is captured on Python 3 script

Version 1.0 R.6j (2018-05-28) [Stable]
[+] Fix for Aircrack-NG 1.2


FILE CHECKSUM

sha256sum becc2052598a73df9805f95dde90722618c55e7a2def11c6380871bd1cc41a6b waidps-1.0-r6j.tar.gz


FILE DESCRIPTION

waidps_2.4GHz.py - Python 3 script for Aircrack-NG 1.2 (2.4GHz only)
waidps_5GHz.py - Python 3 script for Aircrack-NG 1.2 (5GHz only)


INSTALLATION

cd ~
mkdir infosec
cd infosec

apt install python-crypto

wget https://www.infosec-ninjas.com/files/waidps-1.0-r6j.tar.gz
tar -xvzf waidps-1.0-r6j.tar.gz

cd waidps
sudo python3 waidps_2.4GHz.py

(sudo ./2.4)

or

sudo python3 waidps_5GHz.py
(sudo ./5)

Follow the instruction on screen to install the required files. It will then run the program directly.

Please leave it scanning for several minutes (warm up) before continue the operation.

You can run it at ~/infosec/waidps/ as root and all the captured files are at /.SYWorks/Saved/ directory.

On every update, please copy the new script(s) to /.SYWorks/WAIDPS/ to make sure the script is working properly.

cp ~/infosec/waidps/*.py /.SYWorks/WAIDPS/


BASIC REQUIREMENTS

- Kernel module mac80211 should be patched for Packet Injection
- Wireless card or dongle can be in Monitor mode
- Wireless card or dongle driver can Packet Injection
- Wireless card or dongle driver should be supported by Linux
- Targets wireless signal better not below than 20% ( or -80 dbm)
- Attacker and target should be in the same mode
- At least one client is associated


TESTED HARDWARE

Fully Compatible
[+] TP-Link TL-WN321G (G mode) [Fully compatible]
[+] PCi GW-US54Mini (G mode) [Fully compatible]

[+] Intel Centrino Ultimate-N 6300 (N mode) [Fully compatible]
[+] Intel PRO/Wireless 5100 AGN (N mode) [Fully compatible]
[+] TP-Link TL-WN821N (N mode) [Fully compatible]

[+] TP-Link Archer T4UHP AC1300 (AC mode) [Fully compatible]


Partially Compatible
[!] TP-Link TL-WN822N (N mode) [Partially compatible]
[!] TP-Link Archer T9UH AC1900 (AC mode) [Partially compatible]


Not Tested
[?] ALFA AWUS1900 (AC mode) (Not tested)
[?] Intel Wireless 3160 (AC mode) (Not tested but reported not working)
[?] ALFA AWUS036ACH (AC mode) (Not tested but reported working)


Not Compatible
[-] D-Link DWA-131 (G mode) [Not compatible]
[-] ALFA AWUS036NHR (N mode) [Not compatible]


FAQ

Q : Why does deauthentication not working?

A : There can be several reasons and one or more can affect you :

* You are physically too far away from the access points and/or client(s). You need enough transmit power for the packets to reach and be heard by the access points and clients. If you do a full packet capture, each packet sent to the client should result in an “ack” packet back. This means the client heard the packet. If there is no “ack” then likely it did not receive the packet.

* Wireless cards work in particular modes such a, b, g, n and ac. If your card is in a different mode than the client card, there is good chance that the client will not be able to correctly receive your transmission. See the previous item for confirming the client received the packet.

* Some clients ignore broadcast deauthentications. If this is the case, you will need to send a deauthentication directly to the particular client.

* Clients may reconnect too fast for you to see that they had been disconnected. If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked.

* When IEEE802.11w (Protected Management Frames) is enabled, access points and clients will ignore the deauthentication and deassociation packets.

* When client is switching channel on a dual band router for better connection speed, you may not catch the client at the right channel.

* When client is busy in transferring data, it may not response to the deauthentication packets.

* When client is too idle, it may not response to the deauthentication packets.


TO-DO-LIST

[+] Test WPS attack
[+] Test WEP attack


REFERENCE

[1] This project is forked from https://github.com/SYWorks/waidps
[2] Official tutorial - Part 1
[3] Official tutorial - Part 2
[4] Official tutorial - Part 3
[5] Official tutorial - Part 4
[6] Official Youtube Playlist
[7] RealTek 8812AU Driver Installation
[8] TP-Link Archer T4UHP (Realtek 8812AU chipset)
[9] ALFA AWUS036ACH (Realtek 8812AU chipset)
[10] ALFA AWUS1900 (Realtek 8814AU chipset)
[11] TP-Link Archer T9UH (Realtek 8814au chipset)
[12] HOWTO : Install HashCat on Ubuntu 16.04.3
[13] HOWTO : Wifi Penetration Testing Without Tears
[14] HOWTO : Wifi Intrusion Detection Without Tears
[15] [RESEARCH] How Secure Of Your Wifi Netowrk