Skip to main content
Version: 1.1.x

Introduction

All alert types can be individually enabled and disabled in the 802_11_alerts section of your nzyme configuration file. See also Configuration Reference.

Alert Classes#

  • Classic alerts that trigger when the observed configuration of wireless networks deviates from the expected state. For example, when an unexpected BSSID is advertising one of your networks or security/encryption settings changed. See Network Monitoring.
  • Threat landscape alerts that trigger when a known bad device (BANDIT) is unveiled by it's fingerprint or other attributes, for example when someone turns on a WiFi Pineapple in your range.
  • Alerts that trigger when nzyme detects an unexpected change in behaviour of your access points. For example when nzyme suddenly starts to record some frames with unexpectedly low signal strength (an attacker might be sitting in the parking lot) or when the beacon frequency exceeds a configured threshold (evil twin attack).
  • Alerts that trigger after an attacker fell for a deception trap. See: Deception and Traps.

Examples#

WiFi Integrity Monitoring#

The classic use-case for nzyme is to monitor the integrity of your WiFi networks. Integrity means that only devices you own and configure are serving all the devices and endpoints that connect to it. The moment an attacker lures your employees into an access point under their control, the flood gates for all kinds of attacks ranging from wiretapping to phishing are open.

After you define what your network looks like (access point BSSIDs, channels, beacon frequencies, fingerprints) nzyme alerts you whenever it observes a deviation from that state.

See also Network Monitoring.

Threat Landscape Monitoring#

One of the first stages of an attack on your WiFi networks will most likely be the reconnaissance (recon) phase. In this phase, the attacker scans the 802.11 frequencies to gain an overview of access points, clients, device relationships and settings.

The BANDIT_CONTACT alert can detect several popular WiFi attack platforms and toolkits the moment they become active and are in range. This detection works even before they start interacting with your networks.

Not only does nzyme come pre-populated with the fingerprints of many known attack platforms, but you can also create your own bandit definitions based on custom fingerprints or even combined with other attributes like advertised SSIDs or signal strength range. Learn more about bandits in the Bandits and Trackers section.

The Cuckoo's Egg#

Imagine you have identified a rogue access point but it disappeared before you were able to track it down. The rogue access point could be an employee setting up their own access point because the corporate WiFi is too slow, a penetration tester or a real attacker.

Just like Clifford Stoll in the book, you want to be alerted immediately when the rogue device comes back online. With nzyme, you could define the fingerprint of the previously observed rogue access point as a bandit:

Custom Bandit Example

From now on, when nzyme observes a frame from the previously observed rogue access point, you immediately receive a BANDIT_CONTACT alert and can act accordingly.