All the hardware you need is available from Amazon Prime and is not very expensive. There is even a good chance you own the parts already.
This documentation assumes that you have a basic understanding of Linux and it's command line interface. Nzyme itself assumes that you have a basic level of understanding of how WiFi networks work and what the security challenges are.
This documentation attempts to also guide you through learning more about wireless security. You can find all related articles here.
Lennart hosted a Twitch stream about WiFi security and uploaded the recording to YouTube:
A few general things to know before you get started:
- Success will highly depend on how well supported your WiFi adapters and drivers are. You have to be able to configure the adapters into monitor mode. Use the recommended adapters listed below for best results. You can get them from Amazon Prime and have them ready in one or two days.
- Nzyme works well with both the OpenJDK or the Oracle JDK and requires at least Java 11.
- Wifi adapters can draw quite some current and I have seen Raspberry Pis shut down when connecting more than 3 ALFA adapters. Consider this before buying tons of adapters.
- The installation guides assume that you have hardened your operating system and went through the standard configuration like time zone, locales, etc.
The most important component are WiFi adapters that support monitor mode. Monitor mode is the special state of a WiFi adapter that makes it read and report all 802.11 frames and not only certain management frames or frames of a network it is connected to. You could also call this mode sniffing mode: The adapter just reports everything it sees on the channel it is tuned to.
The problem is that many adapter/driver/operating system combinations do not support monitor mode.
The internet is full of compatibility information but here are the adapters that nzyme is known to work well with:
- ALFA AWUS036NH - 2.4Ghz
- ALFA AWUS051NH v.2 - 2.4Ghz and 5Ghz
- ALFA AWUS036NEH - 2.4Ghz
- Panda PAU05 - 2.4Ghz
- Panda PAU06 - 2.4Ghz
- Panda PAU07 - 2.4Ghz and 5Ghz
- Panda PAU09 - 2.4Ghz and 5Ghz
Additionally, the community has reported these adapters to work with nzyme:
- ALFA AWUS036ACS (community post with instructions)
If you have another one that supports monitor mode, you will likely be able to use that one.
I recommend to run nzyme on a Raspberry Pi 4 with 4 GB of RAM. A field test at DEF CON 27 (>200 access points and >2,500 devices in reach) with 3 ALFA network adapters showed that it can handle running nzyme at about 30-40% CPU load and plenty of memory to spare. Less busy environments also run fine on the Raspberry Pi 3 models.
In the end, it doesn't matter what kind of device you run it on.
For threat hunting, you can connect a Graylog setup with a GELF TCP input that is reachable by your nzyme sensors. GELF is a Graylog-specific and structured log format. Because nzyme sends GELF, you don't have to set up any kind of parsing rules in Graylog and still have all fields available as key:value pairs for powerful search and analysis.
Once a Graylog setup is connected, each collected WiFi frame will be available for search and analysis. Think of it like a long-term PCAP.