Skip to main content

Nzyme v1.2.0 "Peck Slip" has been released

· 5 min read
Lennart Koopmann
Nzyme Developer

I am excited to announce that nzyme v1.2.0 (Code name “Peck Slip”) has been released.

A lot of work has gone into this release and it brings a lot of new features. The goal of nzyme is to provide a platform that lets you truly protect your wireless networks using unique, reliable detection methods.

Please always report bugs or suggest features in the discussion forum, issue tracker or on the nzyme Discord.

The packages are available on the downloads page.

Reporting#

This release brings reporting functionality to nzyme. You can schedule different types of reports that will optionally also be sent out via email. For reliability, nzyme will attempt to intelligently send out reports if it was not running during the scheduled delivery time.

Screenshot
The report scheduling interface.
Screenshot
Details page of a scheduled report.
Screenshot
Reports can be sent out via email and viewed from the web interface.

The three available report types are:

  • Tactical Summary
    • Provides an overview of all relevant activity of the previous 24 hours. Perfect for an analyst to review all wireless activity and health of the nzyme infrastructure.
  • Wireless Survey
    • Contains a list of all observed wireless networks of the last 24 hours.
  • Wireless Inventory
    • Generates a list of all networks that were configured for monitoring by nzyme, together with a list of all enabled alerts. Great to ensure and document that monitoring was set up properly and according to compliance requirements.

New Alert: Deauth Flood#

The infamous deauthentication attack is often part of a wireless intrusion campaign or can be used to attempt to jam your networks. An attacker could even use such an attack to knock wireless security cameras offline.

The problem with detecting such an attack is that deauthentication and disassociation frames are a valid part of the Wi-Fi standard. You cannot simply alert on any occurrence of such frames.

Some attempts were made to use statistics or even machine learning to automatically detect an unusual amount of deauthentication frames, but I have yet to see an algorithm that does not lead to enormous amounts of false positive alerts.

Screenshot
The new deauthentication frame chart on the home page, together with a configured alert threshold. (red dashed line)

Nzyme is taking a much simpler approach: Starting with this version, you can see a new chart that shows you how many deauthentication and disassociation frames were recorded by nzyme. A new threshold configuration can be used to what amount of such frames would be unusual and trigger nzyme to alert. It’s simple but should be very efficient, especially considering that deauthentication attacks often trigger enormous amounts of frames, significantly over your normal activity.

New Alert: Unknown SSID#

This new alert triggers whenever a new SSID is recorded that has not been recorded previously. It’s a great way to keep an overview over the available networks in your environment and if something maybe shouldn’t be there.

In some environments, this can become too noisy, and you can always decide to simply disable it again.

New Alert: Probe Malfunction#

A Wi-Fi adapter used by nzyme can become unavailable in certain scenarios. For example, someone might unplug it or a driver problem might render it unusable.

This new alert will email you if a probe is not recording frames.

Contact Track Details#

The new contact track details page provides insights into what exactly an identified threat actor is doing. It will show you not only which SSIDs were advertised and what BSSIDs were used, but also with what signal strength the corresponding frames were recorded.

Screenshot
Details of a WiFi Pineapple contact track.

This new page allows you to get a much better understanding of the techniques and procedures of an attacker.

New Alert callback: File#

Alert callbacks let nzyme act when an alert is triggered. Previously, nzyme was only able to send an email, but with this new release, it can also write JSON-encoded alert information into a file.

For example, you could use this new callback to automatically append every alert into a file like /var/log/nzyme/alerts.log and process or forward the information with an agent or other tool.

Asset Inventory#

The new asset inventory lists all networks configured for monitoring by nzyme. This way, you can quickly review the expected network configuration from within the web interface without opening the nzyme configuration file.

Screenshot
The asset inventory page.

Other notable changes#

  • Custom track detector configuration is now documented
  • Favicon was not showing in Chrome-based browsers
  • Forward slash in SSID was breaking links
  • Beacon rate anomaly and bandit contact alerts are now linking to full network details and most active channel
  • Total database size now included in system metrics
  • The maximum time a probe can be idle without receiving a frame is now configurable. The probe is marked as failed and a probe malfunction alert is raised once that idle time is over
  • WPA3 compatibility improvements
  • Numerous bug fixes and improvements

You can find the complete change log on GitHub.

Upgrading#

There are no special steps required for upgrading from previous versions. You can simply extract the new release over an existing one and restart nzyme:

$ sudo dpkg -i nzyme-1.2.0.deb$ sudo systemctl daemon-reload$ sudo systemctl restart nzyme
Join the nzyme GitHub Sponsors to support the project and enjoy early access to new developments and behind the scenes content.