# WIDS

André Henrique edited this page Jun 8, 2026
The WXF WIDS (Wireless Intrusion Detection System) is a native Python implementation that monitors 802.11 traffic for common wireless attack patterns without requiring external tools.
| Module | Description |
|---|---|
| wids/wifi_ids | Native Python WIDS: deauth flood, evil twin, rogue AP, beacon flood detection |
| wifi_lab/wireless_ids | Lightweight IDS: BSSID baseline + rogue AP detection (basic) |

| Attack Type | Detection Method | Severity |
|---|---|---|
| Deauth flood | Deauth frame rate > threshold (default: 10/10s) | HIGH |
| Disassociation flood | Disassoc frame rate > threshold | HIGH |
| Evil twin / rogue AP | Known SSID on different BSSID | HIGH |
| KARMA / wildcard SSID | Probe response to any SSID | HIGH |
| Beacon flood | Unique SSIDs > threshold in rolling window | MEDIUM |
| New AP on monitored SSID | SSID appears on unlisted BSSID | MEDIUM |
| PMKID harvesting | EAPOL key frames without prior association | MEDIUM |
| WPS brute force | Repeated WPS auth attempts from same MAC | MEDIUM |
| Deauth outside association | Deauth from unrecognized BSSID | LOW |
| Channel mismatch | AP operating on unexpected channel | LOW |
Load the module and review its options:

```
wxf > use generic/wids/wifi_ids
wxf (WirelessIDS) > show options

Options:
  INTERFACE       wlan0mon                Monitor mode interface
  BASELINE_FILE   none                    JSON file with known AP whitelist
  DEAUTH_THRESH   10                      Deauth frames per 10s to trigger alert
  BEACON_THRESH   50                      Unique SSIDs in 5s window to trigger beacon flood
  ALERT_LOG       /tmp/wids_alerts.json   Alert output file
  VERBOSE         false                   Print all frames (not just alerts)
  SIMULATE        false                   Run simulated attack scenarios

wxf (WirelessIDS) > set INTERFACE wlan0mon
wxf (WirelessIDS) > set ALERT_LOG /logs/wids_office_20260608.json
wxf (WirelessIDS) > run
[*] WirelessIDS starting on wlan0mon
[*] Baseline: none (alert on first observation)
[*] Deauth threshold: 10/10s | Beacon threshold: 50 SSIDs/5s
[*] Listening...
```
First, build a baseline from a scan taken while the environment is known-good. The baseline is a whitelist: any AP that is already on the air when it is built (including an existing rogue) will be trusted afterwards, so review the entries before using the file.

```
wxf (WirelessIDS) > run baseline --output /etc/wids_baseline.json --duration 60
[*] Building baseline for 60 seconds on wlan0mon...
[+] Baseline entry: AA:BB:CC:DD:EE:FF | SSID: OfficeWiFi | ch:6 | sec:WPA2
[+] Baseline entry: 11:22:33:44:55:66 | SSID: GuestWifi | ch:11 | sec:WPA2
[+] Baseline entry: FF:EE:DD:CC:BB:AA | SSID: PrinterAP | ch:1 | sec:WPA2
[+] Baseline saved: 3 APs to /etc/wids_baseline.json
```
Then monitor against it:
```
wxf (WirelessIDS) > set BASELINE_FILE /etc/wids_baseline.json
wxf (WirelessIDS) > run
[*] WirelessIDS starting with baseline (3 known APs)
[*] Any SSID on unlisted BSSID will trigger HIGH alert
```
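As an added example (not WXF's own code), the engine below implements several of the rules from the detection table above in plain Python, checked against a baseline whitelist with the same fields as the one just built, and runs them over a constructed frame stream that mirrors this page's sample alerts. Frame records are simplified dicts rather than parsed 802.11 frames; the sliding-window logic, the once-per-key alert de-duplication, the `karma_min_ssids` parameter and the extra check for a cloned baseline BSSID advertising weaker security are all assumptions made for illustration, not WXF options.

```python
# Added example (not WXF code): simplified WIDS rules over constructed frame dicts.
from collections import defaultdict, deque

# Constructed baseline with the same fields as the page's baseline entries
BASELINE = {
    "AA:BB:CC:DD:EE:FF": {"ssid": "OfficeWiFi", "channel": 6, "security": "WPA2"},
    "11:22:33:44:55:66": {"ssid": "GuestWifi", "channel": 11, "security": "WPA2"},
}


class WidsEngine:
    """Feed one frame record at a time; alerts accumulate in .alerts, once per key."""

    def __init__(self, baseline, deauth_thresh=10, deauth_window=10.0,
                 beacon_thresh=50, beacon_window=5.0, karma_min_ssids=3):
        self.baseline = baseline
        self.ssid_to_bssid = {v["ssid"]: b for b, v in baseline.items()}
        self.deauth_thresh, self.deauth_window = deauth_thresh, deauth_window
        self.beacon_thresh, self.beacon_window = beacon_thresh, beacon_window
        self.karma_min_ssids = karma_min_ssids  # assumed tunable, not a WXF option
        self.deauth_times = defaultdict(deque)  # bssid -> timestamps inside window
        self.beacons = deque()                  # (ts, ssid) inside window
        self.karma_ssids = defaultdict(set)     # bssid -> SSIDs it answered probes for
        self.fired, self.alerts = set(), []

    def _alert(self, key, atype, severity, **detail):
        if key not in self.fired:               # one alert per (rule, source)
            self.fired.add(key)
            self.alerts.append({"type": atype, "severity": severity, **detail})

    def feed(self, f):
        t, kind, bssid = f["ts"], f["type"], f["bssid"]
        if kind in ("deauth", "disassoc"):      # rate > threshold in a sliding window
            q = self.deauth_times[bssid]
            q.append(t)
            while t - q[0] > self.deauth_window:
                q.popleft()
            if len(q) > self.deauth_thresh:
                self._alert(("flood", bssid), "DEAUTH_FLOOD", "HIGH",
                            bssid=bssid, frame_count=len(q))
        elif kind == "beacon":
            self._check_ap(f)
            self.beacons.append((t, f["ssid"]))
            while t - self.beacons[0][0] > self.beacon_window:
                self.beacons.popleft()
            uniq = len({s for _, s in self.beacons})
            if uniq > self.beacon_thresh:       # many distinct SSIDs in a short window
                self._alert(("beacon_flood",), "BEACON_FLOOD", "MEDIUM",
                            source=bssid, unique_ssids=uniq)
        elif kind == "probe_resp":              # one BSSID answering unrelated SSIDs
            seen = self.karma_ssids[bssid]
            seen.add(f["ssid"])
            if len(seen) >= self.karma_min_ssids:
                self._alert(("karma", bssid), "KARMA_ROGUE", "HIGH",
                            bssid=bssid, ssids=sorted(seen))

    def _check_ap(self, f):
        bssid, ssid, known = f["bssid"], f["ssid"], self.baseline.get(f["bssid"])
        twin = dict(ssid=ssid, rogue_bssid=bssid, rogue_security=f["security"])
        if known is not None:                   # listed BSSID: check what it advertises
            if f["security"] != known["security"]:   # cloned BSSID, downgraded security
                self._alert(("twin", bssid), "EVIL_TWIN", "HIGH", legit_bssid=bssid,
                            legit_security=known["security"], **twin)
            elif f["channel"] != known["channel"]:
                self._alert(("chan", bssid), "CHANNEL_MISMATCH", "LOW", bssid=bssid,
                            expected=known["channel"], seen=f["channel"])
        elif ssid in self.ssid_to_bssid:        # known SSID on an unlisted BSSID
            legit = self.ssid_to_bssid[ssid]
            self._alert(("twin", bssid), "EVIL_TWIN", "HIGH", legit_bssid=legit,
                        legit_security=self.baseline[legit]["security"], **twin)
        else:                                   # unknown SSID on an unlisted BSSID
            self._alert(("rogue", bssid), "ROGUE_AP", "HIGH",
                        ssid=ssid, bssid=bssid, security=f["security"])


def beacon(ts, bssid, ssid, channel, security):
    return dict(ts=ts, type="beacon", bssid=bssid, ssid=ssid, channel=channel, security=security)


def constructed_stream():
    """Synthetic frames mirroring the page's sample alerts (constructed data)."""
    fr = [beacon(0.0, "AA:BB:CC:DD:EE:FF", "OfficeWiFi", 6, "WPA2")]          # legit
    fr += [dict(ts=10 + i * 0.1, type="deauth", bssid="AA:BB:CC:DD:EE:FF",
                client="11:22:33:44:55:66") for i in range(45)]              # flood
    fr.append(beacon(20.0, "DE:AD:BE:EF:CA:FE", "OfficeWiFi", 11, "OPEN"))    # evil twin
    fr.append(beacon(30.0, "99:88:77:66:55:44", "OfficeWiFi-5G", 36, "WPA2")) # rogue AP
    fr += [beacon(40 + i * 0.005, "22:33:44:55:66:77", f"ssid_{i}", 1, "OPEN")
           for i in range(60)]                                                # beacon flood
    fr += [dict(ts=50 + i, type="probe_resp", bssid="CC:BB:AA:99:88:77", ssid=s)
           for i, s in enumerate(["HomeWifi", "Starbucks", "Airport_Free"])]  # KARMA
    fr.append(beacon(60.0, "11:22:33:44:55:66", "GuestWifi", 1, "WPA2"))      # wrong channel
    return fr


def run_demo():
    eng = WidsEngine(BASELINE)
    for f in constructed_stream():
        eng.feed(f)
    return eng.alerts


if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Two design points worth noting. The de-duplication key means a sustained flood yields a single alert; a production detector would re-arm once the window drains and report the final count, as the page's "45 deauth in 10s" output does. The evil-twin rule keyed on BSSID alone misses an attacker who clones the legitimate BSSID, which is why the baseline branch also compares advertised security; the PMKID and WPS rules in the table need EAPOL and WPS IE parsing and are not shown here.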
Sample alerts from a monitoring session:

```
[!] ALERT: DEAUTH_FLOOD [HIGH]
    Time: 2026-06-08T09:32:11Z
    BSSID: AA:BB:CC:DD:EE:FF (OfficeWiFi)
    Client: 11:22:33:44:55:66
    Frames: 45 deauth in 10s (threshold: 10)
    Action: Channel 6 | Frame reason: 0x07
    Evidence: logged to /logs/wids_office_20260608.json #001

[!] ALERT: EVIL_TWIN [HIGH]
    Time: 2026-06-08T09:45:00Z
    Legit AP: AA:BB:CC:DD:EE:FF (OfficeWiFi) ch:6 WPA2
    Rogue AP: DE:AD:BE:EF:CA:FE (OfficeWiFi) ch:11 OPEN
    Delta: same SSID, different BSSID, different security
    Evidence: logged to /logs/wids_office_20260608.json #002

[!] ALERT: BEACON_FLOOD [MEDIUM]
    Time: 2026-06-08T10:01:45Z
    Source: 22:33:44:55:66:77 (randomized MACs)
    Observed: 847 unique SSIDs in 5s (threshold: 50)
    Sample SSIDs: "FBI_Surveillance_Van_3", "linksys_xxxx", "free_wifi_xxxx"...
    Tool: likely mdk4 beacon flood
    Evidence: logged to /logs/wids_office_20260608.json #003

[!] ALERT: ROGUE_AP [HIGH]
    Time: 2026-06-08T10:15:00Z
    SSID: OfficeWiFi-5G
    BSSID: 99:88:77:66:55:44
    Reason: SSID not in baseline
    Security: WPA2 (could be captive portal)
    Evidence: logged to /logs/wids_office_20260608.json #004

[!] ALERT: KARMA_ROGUE [HIGH]
    Time: 2026-06-08T10:30:00Z
    BSSID: CC:BB:AA:99:88:77
    Behavior: Responding to probe requests for ANY SSID
    Observed: Probe req for "HomeWifi" -> response from CC:BB:AA:99:88:77
              Probe req for "Starbucks" -> response from CC:BB:AA:99:88:77
              Probe req for "Airport_Free" -> response from CC:BB:AA:99:88:77
    Tool: likely wifiphisher / hostapd-karma
    Evidence: logged to /logs/wids_office_20260608.json #005
```
Test the detection logic without transmitting any frames. SIMULATE replays synthetic scenarios through the detector locally, so it exercises the thresholds and alert output but not the capture path (interface, monitor mode, channel):

```
wxf (WirelessIDS) > set SIMULATE true
wxf (WirelessIDS) > run
[*] WirelessIDS SIMULATE mode
[*] Replaying synthetic attack scenarios...

[SIMULATE] Scenario 1: DEAUTH_FLOOD
[SIMULATE]   BSSID: AA:BB:CC:DD:EE:FF | client: 11:22:33:44:55:66 | frames: 45/10s
[!] ALERT triggered: DEAUTH_FLOOD severity=HIGH

[SIMULATE] Scenario 2: EVIL_TWIN
[SIMULATE]   Legit: AA:BB:CC:DD:EE:FF (OfficeWiFi) WPA2 ch:6
[SIMULATE]   Rogue: DE:AD:BE:EF:CA:FE (OfficeWiFi) OPEN ch:11
[!] ALERT triggered: EVIL_TWIN severity=HIGH

[SIMULATE] Scenario 3: BEACON_FLOOD
[SIMULATE]   847 unique SSIDs in 5s from 22:33:44:55:66:77
[!] ALERT triggered: BEACON_FLOOD severity=MEDIUM

[SIMULATE] Scenario 4: KARMA_ROGUE
[SIMULATE]   CC:BB:AA:99:88:77 responding to all probes
[!] ALERT triggered: KARMA_ROGUE severity=HIGH

[*] All 4 test scenarios triggered alerts correctly.
[*] To enable live monitoring: set SIMULATE false
```
Alerts are written as JSON to the configured ALERT_LOG file:
```json
[
  {
    "id": 1,
    "timestamp": "2026-06-08T09:32:11Z",
    "type": "DEAUTH_FLOOD",
    "severity": "HIGH",
    "bssid": "AA:BB:CC:DD:EE:FF",
    "ssid": "OfficeWiFi",
    "client": "11:22:33:44:55:66",
    "detail": {
      "frame_count": 45,
      "window_seconds": 10,
      "threshold": 10,
      "channel": 6,
      "reason_code": 7
    }
  }
]
```

Once the session is over, register the alert log with the Evidence Vault so its SHA-256 hash is recorded:

```
wxf > use generic/evidence_vault/evidence_vault
wxf (EvidenceVault) > set SESSION_ID wids_monitoring_2026_06
# After WIDS session:
wxf (EvidenceVault) > run capture \
    --type wids_alert_log \
    --file /logs/wids_office_20260608.json \
    --note "WIDS monitoring - office perimeter, 2026-06-08 08:00 to 12:00"
[+] Evidence #0001 recorded (SHA-256 hash of alert log)
```
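As an added example (not WXF's or the Evidence Vault's code), the following shows what "SHA-256 hash of alert log" gives you in practice: it writes a constructed alert log in the JSON shape shown above, seals it with a streamed SHA-256 digest plus file size and a UTC timestamp, and then demonstrates that any write to the log after sealing fails verification. The `seal` and `verify` helpers and the manifest fields are illustrative assumptions, not the vault's format.

```python
# Added example (not WXF code): seal a WIDS alert log with SHA-256 and verify it later.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def seal(path, note=""):
    """Manifest entry (assumed layout) recording what is needed to prove the log unchanged."""
    return {
        "type": "wids_alert_log",
        "file": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "sealed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }


def verify(entry):
    """True only if the file still exists and hashes to the sealed digest."""
    return os.path.exists(entry["file"]) and sha256_file(entry["file"]) == entry["sha256"]


def demo():
    """Constructed alert log (same shape as the page's ALERT_LOG JSON)."""
    alerts = [{"id": 1, "timestamp": "2026-06-08T09:32:11Z", "type": "DEAUTH_FLOOD",
               "severity": "HIGH", "bssid": "AA:BB:CC:DD:EE:FF",
               "detail": {"frame_count": 45, "window_seconds": 10, "threshold": 10}}]
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "wids_office.json")
        with open(log, "w") as fh:
            json.dump(alerts, fh, indent=2)
        entry = seal(log, "WIDS monitoring - office perimeter")
        before = verify(entry)
        # Appending an alert after sealing must break verification: seal only
        # after the session ends, and re-seal if the log is ever reopened.
        alerts.append({"id": 2, "type": "EVIL_TWIN", "severity": "HIGH"})
        with open(log, "w") as fh:
            json.dump(alerts, fh, indent=2)
        after = verify(entry)
    return before, after, entry["sha256"]


if __name__ == "__main__":
    ok_before, ok_after, digest = demo()
    print(f"sha256={digest}\nverify before edit: {ok_before}\nverify after edit: {ok_after}")
```

The digest only proves the file is unchanged since sealing, which is why the page's flow captures it after the WIDS session ends; keep the manifest entry somewhere the monitoring host cannot overwrite, otherwise a tampered log can simply be re-sealed.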
Related pages: Evidence & Forensics | Wardriving | Wi-Fi Attacks
Author: Andre Henrique (@mrhenrike) | Uniao Geek