The WiFi channels are full of signals and stations emitting information. Most information is also very easy to spoof. To be able to identify specific targets, we need to be able to combine multiple identifiers and instruct nzyme to detect them.
For example, we want to be alerted whenever a device with a specific fingerprint comes online (a single identifier: the fingerprint) or when a station starts to advertise an SSID within a given range of signal strength (two identifiers: SSID and signal strength).
With a clear bandit definition, we can also instruct a nzyme tracker to locate that very specific device, no matter how noisy the environment is.
If there are two WiFi Pineapples in the area, spoofing different networks, and we want to locate both of them independently, we'd create a bandit definition that identifies them based on the SSIDs they are broadcasting.
If we simply want to be alerted whenever any WiFi Pineapple comes online, we rely on the built-in bandit definition that identifies the WiFi Pineapple fingerprints. See also: Bandit Contact Alert.
A contact is a record of an identified bandit. Whenever nzyme identifies a bandit, a new contact is created.
Nzyme groups contacts into tracks. Each recorded frame of a bandit contact is considered part of a track. A track expires if no frames were recorded for 10 minutes. If, after a track expires, a new contact with the same bandit is made, a new track is created.
Tracks contain meta information like when the contact was first and last seen, how many frames were recorded and what the last signal strength was.
A contact track always has a source that is tracking it. This could be your nzyme leader or any number of trackers.
Contact tracks recorded by a LEADER instance can be viewed in more detail.
For each contact track, nzyme will record how often which SSIDs have been advertised by which BSSIDs, together with the associated average signal strength. Data is collected in 60 second intervals/buckets.
You can use this information to better understand what attack patterns a bandit used and, using the signal strength, possibly even detect if multiple devices were used or if they physically moved.
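To make the track and bucket rules above concrete, here is a small model of the bookkeeping, written as an added example for this page and not taken from nzyme's code base. It takes a constructed sequence of frames attributed to one bandit, groups them into tracks that expire after 10 minutes of silence, and aggregates SSID/BSSID sightings with their average signal strength in 60-second buckets. The `Frame` and `Track` field names are this example's own, and the frame timestamps, SSIDs, BSSIDs and signal values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TRACK_EXPIRY_SECONDS = 10 * 60  # a track expires after 10 minutes without frames
BUCKET_SECONDS = 60             # SSID/BSSID statistics are aggregated per 60-second bucket


@dataclass
class Frame:
    """One recorded frame of a bandit contact (constructed sample fields)."""
    ts: int        # epoch seconds
    ssid: str      # advertised SSID
    bssid: str     # advertising BSSID
    signal: int    # received signal strength in dBm


@dataclass
class Track:
    first_seen: int
    last_seen: int
    frame_count: int = 0
    last_signal: int = 0
    # (bucket_start, ssid, bssid) -> [frame_count, sum_of_signal]
    buckets: Dict[Tuple[int, str, str], List[int]] = field(default_factory=dict)

    def add(self, f: Frame) -> None:
        self.last_seen = f.ts
        self.frame_count += 1
        self.last_signal = f.signal
        bucket_start = f.ts - f.ts % BUCKET_SECONDS
        entry = self.buckets.setdefault((bucket_start, f.ssid, f.bssid), [0, 0])
        entry[0] += 1
        entry[1] += f.signal

    def average_signal(self, bucket_start: int, ssid: str, bssid: str) -> float:
        count, total = self.buckets[(bucket_start, ssid, bssid)]
        return total / count


def build_tracks(frames: List[Frame]) -> List[Track]:
    """Group frames into tracks; a gap of 10 minutes or more starts a new track."""
    tracks: List[Track] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if tracks and f.ts - tracks[-1].last_seen < TRACK_EXPIRY_SECONDS:
            tracks[-1].add(f)
        else:
            track = Track(first_seen=f.ts, last_seen=f.ts)
            track.add(f)
            tracks.append(track)
    return tracks


# Constructed sample frames: one bandit rotating two SSIDs, then silence, then a
# reappearance at a noticeably weaker signal (a hint that it may have moved).
SAMPLE_FRAMES = [
    Frame(1000, "Free WiFi", "00:11:22:33:44:55", -62),
    Frame(1010, "Free WiFi", "00:11:22:33:44:55", -60),
    Frame(1070, "Airport_Guest", "00:11:22:33:44:66", -61),
    Frame(1075, "Free WiFi", "00:11:22:33:44:55", -59),
    Frame(1975, "Free WiFi", "00:11:22:33:44:55", -75),  # 900 s later: new track
    Frame(1980, "Free WiFi", "00:11:22:33:44:55", -77),
]

if __name__ == "__main__":
    for i, t in enumerate(build_tracks(SAMPLE_FRAMES), start=1):
        print(f"track {i}: first={t.first_seen} last={t.last_seen} "
              f"frames={t.frame_count} last_signal={t.last_signal} dBm")
        for (start, ssid, bssid), (count, total) in sorted(t.buckets.items()):
            print(f"  bucket {start}: {ssid!r} via {bssid} x{count} avg {total / count:.1f} dBm")
```

Comparing the per-bucket averages across a track (here roughly -60 dBm in the first track against -76 dBm in the second) is the kind of reading the paragraph above refers to when it suggests signal strength can hint at movement or at a second device.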
Nzyme ships with a set of built-in bandit definitions that will identify several firmware and hardware combinations of WiFi Pineapples, Wifiphisher and ESP8266-based deauthentication boards.
You can see the built-in definitions on the Bandits page of your nzyme web interface.
Note that built-in bandits cannot be modified.
A bandit always has at least one, sometimes multiple identifiers that define what nzyme is looking for. If more than one identifier is present, all identifiers are AND connected, meaning that they all must match for a bandit to be
Identifies a bandit by its fingerprint.
Identifies a bandit by the SSIDs it is advertising with either
Identifies a bandit by its recorded signal strength. Be careful when using this with trackers, because the signal strength will vary based on the tracker location.
If a bandit is a Pwnagotchi attack platform, this identifier identifies it by its broadcast identity. Pwnagotchis broadcast their existence using a protocol that nzyme can read. These broadcasts include a unique ID (PWNAGOTCHI_IDENTITY), and that is what this identifier is looking for. The identity is included in the metadata of a PWNAGOTCHI_ADVERTISEMENT alert and can be copied from it.
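The AND rule for identifiers, and the four identifier kinds listed above, can be modelled with a few predicates. The following is an added example for this page, not nzyme's own matching code: each identifier is a function over an observed frame, and a bandit matches only when every one of its identifiers matches. How the real SSID identifier compares values is not spelled out on this page, so the list-membership check here is an assumption; the `Observation` field names, the fingerprint strings, SSIDs, signal values and Pwnagotchi identity are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Observation:
    """Attributes of one received frame (constructed field names, not nzyme's model)."""
    fingerprint: str
    ssid: Optional[str] = None
    signal: Optional[int] = None               # dBm
    pwnagotchi_identity: Optional[str] = None  # only present in Pwnagotchi advertisements


# An identifier is a predicate over an observation.
Identifier = Callable[[Observation], bool]


def fingerprint_is(value: str) -> Identifier:
    return lambda o: o.fingerprint == value


def ssid_in(ssids: List[str]) -> Identifier:
    # Assumption: the SSID identifier matches any SSID from a configured list.
    wanted = set(ssids)
    return lambda o: o.ssid is not None and o.ssid in wanted


def signal_between(low_dbm: int, high_dbm: int) -> Identifier:
    # Caveat from the docs: signal strength depends on where the tracker stands.
    return lambda o: o.signal is not None and low_dbm <= o.signal <= high_dbm


def pwnagotchi_identity_is(value: str) -> Identifier:
    return lambda o: o.pwnagotchi_identity == value


@dataclass
class Bandit:
    name: str
    identifiers: List[Identifier]

    def matches(self, o: Observation) -> bool:
        # AND semantics: a bandit with several identifiers needs all of them to match.
        return bool(self.identifiers) and all(ident(o) for ident in self.identifiers)


def identify(bandits: List[Bandit], o: Observation) -> List[str]:
    """Names of all bandit definitions that the observation satisfies."""
    return [b.name for b in bandits if b.matches(o)]


# Constructed sample definitions: two Pineapples told apart by the SSID each spoofs,
# one device known by fingerprint alone, and one Pwnagotchi known by its identity.
SAMPLE_BANDITS = [
    Bandit("pineapple-lobby", [ssid_in(["Lobby_Free_WiFi"]), signal_between(-70, -40)]),
    Bandit("pineapple-garage", [ssid_in(["Garage_Guest"])]),
    Bandit("rogue-fingerprint", [fingerprint_is("fp-constructed-aaaa")]),
    Bandit("pwnagotchi-lab", [pwnagotchi_identity_is("constructed-identity-1234")]),
]

if __name__ == "__main__":
    seen = [
        Observation("fp-constructed-aaaa", ssid="Lobby_Free_WiFi", signal=-55),
        Observation("fp-other", ssid="Lobby_Free_WiFi", signal=-85),  # too weak: no match
        Observation("fp-other", ssid="Garage_Guest", signal=-80),
        Observation("fp-other", pwnagotchi_identity="constructed-identity-1234"),
    ]
    for o in seen:
        print(o, "->", identify(SAMPLE_BANDITS, o) or "no bandit")
```

The second observation shows why the AND rule matters: the SSID alone would have matched `pineapple-lobby`, but the out-of-range signal strength vetoes it, so a single spoofable attribute is not enough to trigger a contact.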
You can create your own bandit definitions directly from within the nzyme web interface.
Navigate to the Bandits page and click Create Bandit:
On the details page of your new bandit, you can add as many identifiers as you wish by clicking on the Create Identifier button:
Nzyme will raise a BANDIT_CONTACT alert for each new identified bandit track.