
WIDS ptBR

André Henrique edited this page Jun 8, 2026 · 1 revision


WIDS - Wireless Intrusion Detection System

The WXF WIDS (Wireless Intrusion Detection System) is a native Python implementation that monitors 802.11 traffic for common wireless attack patterns, with no external tools required.

Module Reference

| Module | Description |
|---|---|
| wids/wifi_ids | Native Python WIDS: deauth flood, evil twin, rogue AP and beacon flood detection |
| wifi_lab/wireless_ids | Lightweight IDS: BSSID baseline + basic rogue-AP detection |

Detection Capabilities

| Attack type | Detection method | Severity |
|---|---|---|
| Deauth flood | Deauth frame rate > threshold (default: 10/10s) | HIGH |
| Disassociation flood | Disassoc frame rate > threshold | HIGH |
| Evil twin / rogue AP | Known SSID on a different BSSID | HIGH |
| KARMA / wildcard SSID | Probe responses for any SSID | HIGH |
| Beacon flood | Unique SSIDs > threshold within a sliding window | MEDIUM |
| New AP on monitored SSID | SSID appears on an unlisted BSSID | MEDIUM |
| PMKID harvesting | EAPOL key frames without a prior association | MEDIUM |
| WPS brute force | Repeated WPS authentication attempts from the same MAC | MEDIUM |
| Deauth outside association | Deauth from an unrecognized BSSID | LOW |
| Channel inconsistency | AP operating on an unexpected channel | LOW |

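As an added illustration of the two rate-based checks in the table (example code written for this page, not the module's own source), the sliding-window logic for deauth flood and beacon flood, fed a constructed stream of frame events; the event dict shape and the alert field names are assumptions, the thresholds are the module defaults:

```python
from collections import defaultdict, deque

# Module defaults: 10 deauth frames per 10 s window, 50 unique SSIDs per 5 s window.
DEAUTH_THRESH, DEAUTH_WINDOW = 10, 10.0
BEACON_THRESH, BEACON_WINDOW = 50, 5.0


class SlidingWindowDetector:
    # Fed constructed events: {"ts": seconds, "subtype": "deauth"|"beacon", "bssid": ...,
    # "ssid": ... (beacons only)}. Radio capture and 802.11 frame parsing are out of scope.
    def __init__(self):
        self.deauth = defaultdict(deque)  # bssid -> timestamps of deauth frames in the window
        self.burst = {}                   # bssid -> DEAUTH_FLOOD alert still open for this burst
        self.beacons = deque()            # (ts, ssid) of beacons seen in the window
        self.alerts = []

    def feed(self, ev):
        ts = ev["ts"]
        if ev["subtype"] == "deauth":
            q = self.deauth[ev["bssid"]]
            q.append(ts)
            while ts - q[0] > DEAUTH_WINDOW:             # slide the window forward
                q.popleft()
            alert = self.burst.get(ev["bssid"])
            if alert and ts - alert["ts"] <= DEAUTH_WINDOW:
                alert["detail"]["frame_count"] = len(q)  # same burst: update, don't re-alert
            elif len(q) > DEAUTH_THRESH:
                alert = {"type": "DEAUTH_FLOOD", "severity": "HIGH", "ts": ts,
                         "bssid": ev["bssid"], "detail": {"frame_count": len(q),
                         "window_seconds": int(DEAUTH_WINDOW), "threshold": DEAUTH_THRESH}}
                self.burst[ev["bssid"]] = alert
                self.alerts.append(alert)
        elif ev["subtype"] == "beacon":
            self.beacons.append((ts, ev["ssid"]))
            while ts - self.beacons[0][0] > BEACON_WINDOW:
                self.beacons.popleft()
            uniq = {s for _, s in self.beacons}          # distinct SSIDs, any source BSSID
            if len(uniq) > BEACON_THRESH:
                self.alerts.append({"type": "BEACON_FLOOD", "severity": "MEDIUM", "ts": ts,
                                    "detail": {"unique_ssids": len(uniq),
                                    "window_seconds": int(BEACON_WINDOW), "threshold": BEACON_THRESH}})
                self.beacons.clear()                     # re-arm for the next window


def run_constructed_stream():
    # 45 deauth frames in 9 s against one BSSID, then 60 distinct-SSID beacons in 3 s.
    det = SlidingWindowDetector()
    for i in range(45):
        det.feed({"ts": 100 + i * 0.2, "subtype": "deauth", "bssid": "AA:BB:CC:DD:EE:FF"})
    for i in range(60):
        det.feed({"ts": 200 + i * 0.05, "subtype": "beacon", "ssid": f"free_wifi_{i:04x}"})
    return det.alerts
```

The deauth alert is opened when the 11th frame lands in the window and its frame_count keeps rising for the rest of the burst, so one burst yields one record rather than one per extra frame.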
Usage

Basic monitoring

wxf > use generic/wids/wifi_ids
wxf (WirelessIDS) > show options

Options:
  INTERFACE       wlan0mon    Interface em modo monitor
  BASELINE_FILE   none        Arquivo JSON com lista branca de APs conhecidos
  DEAUTH_THRESH   10          Frames deauth por 10s para acionar alerta
  BEACON_THRESH   50          SSIDs únicos em janela de 5s para acionar flood de beacon
  ALERT_LOG       /tmp/wids_alerts.json  Arquivo de saída de alertas
  VERBOSE         false       Imprimir todos os frames (não apenas alertas)
  SIMULATE        false       Executar cenários de ataque simulados

wxf (WirelessIDS) > set INTERFACE wlan0mon
wxf (WirelessIDS) > set ALERT_LOG /logs/wids_office_20260608.json
wxf (WirelessIDS) > run

[*] WirelessIDS starting on wlan0mon
[*] Baseline: none (alert on first observation)
[*] Deauth threshold: 10/10s | Beacon threshold: 50 SSIDs/5s

[*] Listening...

With a reference baseline

First, build a baseline from a normal scan:

wxf (WirelessIDS) > run baseline --output /etc/wids_baseline.json --duration 60

[*] Building baseline for 60 seconds on wlan0mon...
[+] Baseline entry: AA:BB:CC:DD:EE:FF | SSID: OfficeWiFi | ch:6 | sec:WPA2
[+] Baseline entry: 11:22:33:44:55:66 | SSID: GuestWifi  | ch:11 | sec:WPA2
[+] Baseline entry: FF:EE:DD:CC:BB:AA | SSID: PrinterAP  | ch:1  | sec:WPA2
[+] Baseline saved: 3 APs to /etc/wids_baseline.json

Then monitor against the baseline:

wxf (WirelessIDS) > set BASELINE_FILE /etc/wids_baseline.json
wxf (WirelessIDS) > run

[*] WirelessIDS starting with baseline (3 known APs)
[*] Any SSID on unlisted BSSID will trigger HIGH alert

Alert Examples

Deauth Flood Detected

[!] ALERT: DEAUTH_FLOOD [HIGH]
    Time:     2026-06-08T09:32:11Z
    BSSID:    AA:BB:CC:DD:EE:FF (OfficeWiFi)
    Client:   11:22:33:44:55:66
    Frames:   45 deauth in 10s (threshold: 10)
    Action:   Channel 6 | Frame reason: 0x07
    Evidence: logged to /logs/wids_office_20260608.json #001

Evil Twin Detected

[!] ALERT: EVIL_TWIN [HIGH]
    Time:     2026-06-08T09:45:00Z
    Legit AP: AA:BB:CC:DD:EE:FF (OfficeWiFi) ch:6 WPA2
    Rogue AP: DE:AD:BE:EF:CA:FE (OfficeWiFi) ch:11 OPEN
    Delta:    same SSID, different BSSID, different security
    Evidence: logged to /logs/wids_office_20260608.json #002

Beacon Flood Detected

[!] ALERT: BEACON_FLOOD [MEDIUM]
    Time:     2026-06-08T10:01:45Z
    Source:   22:33:44:55:66:77 (randomized MACs)
    Observed: 847 unique SSIDs in 5s (threshold: 50)
    Sample SSIDs: "FBI_Surveillance_Van_3", "linksys_xxxx", "free_wifi_xxxx"...
    Tool:     likely mdk4 beacon flood
    Evidence: logged to /logs/wids_office_20260608.json #003

Rogue AP Detected

[!] ALERT: ROGUE_AP [HIGH]
    Time:     2026-06-08T10:15:00Z
    SSID:     OfficeWiFi-5G
    BSSID:    99:88:77:66:55:44
    Reason:   SSID not in baseline
    Security: WPA2 (could be captive portal)
    Evidence: logged to /logs/wids_office_20260608.json #004

KARMA Attack Detected

[!] ALERT: KARMA_ROGUE [HIGH]
    Time:     2026-06-08T10:30:00Z
    BSSID:    CC:BB:AA:99:88:77
    Behavior: Responding to probe requests for ANY SSID
    Observed: Probe req for "HomeWifi" -> response from CC:BB:AA:99:88:77
              Probe req for "Starbucks" -> response from CC:BB:AA:99:88:77
              Probe req for "Airport_Free" -> response from CC:BB:AA:99:88:77
    Tool:     likely wifiphisher / hostapd-karma
    Evidence: logged to /logs/wids_office_20260608.json #005

Simulated Mode

Test WIDS detection without generating real attacks:

wxf (WirelessIDS) > set SIMULATE true
wxf (WirelessIDS) > run

[*] WirelessIDS SIMULATE mode
[*] Replaying synthetic attack scenarios...

[SIMULATE] Scenario 1: DEAUTH_FLOOD
[SIMULATE]   BSSID: AA:BB:CC:DD:EE:FF | client: 11:22:33:44:55:66 | frames: 45/10s
[!] ALERT triggered: DEAUTH_FLOOD severity=HIGH

[SIMULATE] Scenario 2: EVIL_TWIN
[SIMULATE]   Legit: AA:BB:CC:DD:EE:FF (OfficeWiFi) WPA2 ch:6
[SIMULATE]   Rogue: DE:AD:BE:EF:CA:FE (OfficeWiFi) OPEN ch:11
[!] ALERT triggered: EVIL_TWIN severity=HIGH

[SIMULATE] Scenario 3: BEACON_FLOOD
[SIMULATE]   847 unique SSIDs in 5s from 22:33:44:55:66:77
[!] ALERT triggered: BEACON_FLOOD severity=MEDIUM

[SIMULATE] Scenario 4: KARMA_ROGUE
[SIMULATE]   CC:BB:AA:99:88:77 responding to all probes
[!] ALERT triggered: KARMA_ROGUE severity=HIGH

[*] All 4 test scenarios triggered alerts correctly.
[*] To enable live monitoring: set SIMULATE false

Alert Log Format

Alerts are written as JSON to the configured ALERT_LOG file:

[
  {
    "id": 1,
    "timestamp": "2026-06-08T09:32:11Z",
    "type": "DEAUTH_FLOOD",
    "severity": "HIGH",
    "bssid": "AA:BB:CC:DD:EE:FF",
    "ssid": "OfficeWiFi",
    "client": "11:22:33:44:55:66",
    "detail": {
      "frame_count": 45,
      "window_seconds": 10,
      "threshold": 10,
      "channel": 6,
      "reason_code": 7
    }
  }
]
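
An added example (not the module's code) of the baseline comparison behind the EVIL_TWIN, ROGUE_AP and new-AP checks, emitting records in the log format above; the baseline field names and the NEW_AP and CHANNEL_MISMATCH type names are assumptions, since the page names only the other alert types:

```python
import json

# Constructed baseline in the shape `run baseline` could write; the field names are an
# assumption, the page only shows the console summary of each entry.
BASELINE_JSON = """[
 {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "OfficeWiFi", "channel": 6,  "security": "WPA2"},
 {"bssid": "11:22:33:44:55:66", "ssid": "GuestWifi",  "channel": 11, "security": "WPA2"},
 {"bssid": "FF:EE:DD:CC:BB:AA", "ssid": "PrinterAP",  "channel": 1,  "security": "WPA2"}
]"""


class BaselineChecker:
    def __init__(self, baseline_json):
        self.by_bssid = {e["bssid"]: e for e in json.loads(baseline_json)}
        self.by_ssid = {}
        for e in self.by_bssid.values():
            self.by_ssid.setdefault(e["ssid"], []).append(e)
        self.alerts = []  # records in the ALERT_LOG format shown above

    def _alert(self, kind, severity, ap, ts, **detail):
        self.alerts.append({"id": len(self.alerts) + 1, "timestamp": ts, "type": kind,
                            "severity": severity, "bssid": ap["bssid"], "ssid": ap["ssid"],
                            "detail": detail})

    def check(self, ap, ts):
        """ap: observed AP summary {bssid, ssid, channel, security}; ts: ISO-8601 string."""
        known = self.by_bssid.get(ap["bssid"])
        if known:                                     # listed BSSID: only its channel can drift
            if known["channel"] != ap["channel"]:
                self._alert("CHANNEL_MISMATCH", "LOW", ap, ts,
                            expected_channel=known["channel"], observed_channel=ap["channel"])
            return
        legit = self.by_ssid.get(ap["ssid"])
        if legit is None:                             # SSID never seen while baselining
            self._alert("ROGUE_AP", "HIGH", ap, ts, reason="SSID not in baseline")
        elif ap["security"] != legit[0]["security"]:  # known SSID, unlisted BSSID, other security
            self._alert("EVIL_TWIN", "HIGH", ap, ts, legit_bssid=legit[0]["bssid"],
                        legit_security=legit[0]["security"], rogue_security=ap["security"])
        else:                                         # known SSID, unlisted BSSID, same security
            self._alert("NEW_AP", "MEDIUM", ap, ts, legit_bssid=legit[0]["bssid"])


def run_constructed_scan():
    # Constructed observations: the evil twin and the rogue AP from the alert examples,
    # plus the legitimate OfficeWiFi AP itself, which must stay silent.
    chk = BaselineChecker(BASELINE_JSON)
    for ap in ({"bssid": "DE:AD:BE:EF:CA:FE", "ssid": "OfficeWiFi", "channel": 11, "security": "OPEN"},
               {"bssid": "99:88:77:66:55:44", "ssid": "OfficeWiFi-5G", "channel": 36, "security": "WPA2"},
               {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "OfficeWiFi", "channel": 6, "security": "WPA2"}):
        chk.check(ap, "2026-06-08T09:45:00Z")
    return chk.alerts
```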

Evidence Vault Integration

wxf > use generic/evidence_vault/evidence_vault
wxf (EvidenceVault) > set SESSION_ID wids_monitoring_2026_06

# After the WIDS session:
wxf (EvidenceVault) > run capture \
    --type wids_alert_log \
    --file /logs/wids_office_20260608.json \
    --note "WIDS monitoring - office perimeter, 2026-06-08 08:00 to 12:00"
[+] Evidence #0001 recorded (SHA-256 hash of alert log)

Related pages: Evidence and Forensics | Wardriving | Wi-Fi Attacks


Author: André Henrique (@mrhenrike) | União Geek

WirelessXPL-Forge v1.8.0
