Version: 1.1.x

Bandits

Introduction

The WiFi channels are full of signals and stations emitting information. Most information is also very easy to spoof. To be able to identify specific targets, we need to be able to combine multiple identifiers and instruct nzyme to detect them.

For example, we want to be alerted whenever a device with a specific fingerprint comes online (a single identifier: the fingerprint) or when a station starts to advertise an SSID within a given range of signal strength (two identifiers: SSID and signal strength).

With a clear bandit definition, we can also instruct a nzyme tracker to locate that very specific device, no matter how noisy the environment is.

If there are two WiFi Pineapples in the area spoofing different networks, and we want to locate both of them independently, we'd create one bandit definition per device that identifies it based on the SSIDs it is broadcasting.

If we simply want to be alerted whenever any WiFi Pineapple comes online, we rely on the built-in bandit definition that identifies the WiFi Pineapple fingerprints. See also Bandit Contact Alert.

Screenshot

Contacts

A contact is a record of an identified bandit. Whenever nzyme identifies a bandit, a new contact is created.

Tracks

Nzyme groups contacts into tracks. Each recorded frame of a bandit contact is considered part of a track. A track expires if no frames were recorded for 10 minutes. If, after a track expires, a new contact with the same bandit is made, a new track is created.

Tracks contain meta information like when the contact was first and last seen, how many frames were recorded and what the last signal strength was.

Track Sources

A contact track always has a source that is tracking it. This could be your nzyme leader or any number of trackers.

Built-In Bandit Definitions

Nzyme ships with a set of built-in bandit definitions that will identify several firmware and hardware combinations of WiFi Pineapples, Wifiphisher and ESP8266-based deauthentication boards.

You can see the built-in definitions on the Bandits page of your nzyme web interface.

Note that built-in bandits cannot be modified.

Supported Bandit Identifiers

A bandit always has at least one identifier, and may have several, that define what nzyme is looking for. If more than one identifier is present, the identifiers are combined with a logical AND: all of them must match the same frame for the bandit to be identified.

FINGERPRINT

Identifies a bandit by its fingerprint.

SSID

Identifies a bandit by the SSIDs it is advertising with either beacon or probe-response frames.

SIGNAL_STRENGTH

Identifies a bandit by its recorded signal strength. Be careful when using this with trackers, because the recorded signal strength varies with the tracker's location relative to the device.

PWNAGOTCHI_IDENTITY

If a bandit is a Pwnagotchi attack platform, this identifier identifies it by its broadcast identity. Pwnagotchis broadcast their existence using a protocol that nzyme can read. These broadcasts include a unique ID (the PWNAGOTCHI_IDENTITY), and that ID is what this identifier matches on.

The IDENTITY is included in the metadata of a PWNAGOTCHI_ADVERTISEMENT alert and can be copied from it.
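The following is an added example, not nzyme's own code, that models the two mechanisms described above: identifiers that are AND-connected within a bandit definition (FINGERPRINT, SSID, SIGNAL_STRENGTH, PWNAGOTCHI_IDENTITY) and the grouping of contacts into tracks that expire after 10 minutes without frames. The frame records, bandit names, fingerprints and the Pwnagotchi identity value are constructed for the example; the record layout is a simplification and not nzyme's internal data model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# From the page: a track expires if no frames were recorded for 10 minutes.
TRACK_EXPIRY = timedelta(minutes=10)


@dataclass
class Frame:
    """Constructed, simplified view of one observed frame (not nzyme's model)."""
    timestamp: datetime
    fingerprint: str
    ssid: Optional[str]          # SSID from a beacon / probe-response, if any
    signal: int                  # signal strength in dBm
    pwnagotchi_identity: Optional[str] = None


Identifier = Callable[[Frame], bool]


# One constructor per identifier type; each returns a predicate over a Frame.
def fingerprint(value: str) -> Identifier:
    return lambda f: f.fingerprint == value

def ssid(*names: str) -> Identifier:
    return lambda f: f.ssid in names

def signal_strength(low_dbm: int, high_dbm: int) -> Identifier:
    return lambda f: low_dbm <= f.signal <= high_dbm

def pwnagotchi_identity(value: str) -> Identifier:
    return lambda f: f.pwnagotchi_identity == value


@dataclass
class Bandit:
    name: str
    identifiers: List[Identifier]

    def matches(self, frame: Frame) -> bool:
        # Identifiers are AND-connected: every one must match the same frame.
        return bool(self.identifiers) and all(i(frame) for i in self.identifiers)


@dataclass
class Track:
    bandit: str
    first_seen: datetime
    last_seen: datetime
    frame_count: int
    last_signal: int


class ContactTracker:
    """Groups bandit contacts into tracks; a new track raises a BANDIT_CONTACT alert."""

    def __init__(self, bandits: List[Bandit]):
        self.bandits = bandits
        self.tracks: List[Track] = []
        self.alerts: List[str] = []
        self._open: Dict[str, Track] = {}   # latest track per bandit name

    def observe(self, frame: Frame) -> List[Track]:
        touched = []
        for bandit in self.bandits:
            if not bandit.matches(frame):
                continue
            track = self._open.get(bandit.name)
            if track is not None and frame.timestamp - track.last_seen > TRACK_EXPIRY:
                track = None   # expired: a new contact starts a new track
            if track is None:
                track = Track(bandit.name, frame.timestamp, frame.timestamp, 0, frame.signal)
                self.tracks.append(track)
                self._open[bandit.name] = track
                self.alerts.append(f"BANDIT_CONTACT {bandit.name}")
            track.last_seen = frame.timestamp
            track.frame_count += 1
            track.last_signal = frame.signal
            touched.append(track)
        return touched


def demo() -> ContactTracker:
    """Runs constructed frames through two constructed bandit definitions."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    tracker = ContactTracker([
        # Two identifiers: SSID AND signal strength must both match.
        Bandit("pineapple-corp", [ssid("Corp-WiFi", "Corp-Guest"), signal_strength(-60, -20)]),
        # Single identifier on a (constructed) Pwnagotchi identity.
        Bandit("pwn-1", [pwnagotchi_identity("constructed-identity-0001")]),
    ])
    frames = [
        Frame(t0, "fp-1", "Corp-WiFi", -45),
        Frame(t0 + timedelta(minutes=1), "fp-1", "Corp-Guest", -50),
        Frame(t0 + timedelta(minutes=5), "fp-1", "Corp-WiFi", -80),   # SSID ok, signal out of range: no match
        Frame(t0 + timedelta(minutes=20), "fp-1", "Corp-WiFi", -40),  # 19 min since last frame: new track
        Frame(t0 + timedelta(minutes=21), "fp-2", None, -70, "constructed-identity-0001"),
    ]
    for f in frames:
        tracker.observe(f)
    return tracker
```

Running `demo()` yields three tracks and three BANDIT_CONTACT alerts: the first two Corp frames share one track, the weak-signal frame matches nothing because the AND rule fails on SIGNAL_STRENGTH, the frame after the 19-minute gap opens a second track for the same bandit, and the Pwnagotchi frame opens a third.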

Creating your own Bandit Definitions

You can create your own bandit definitions directly from within the nzyme web interface.

Navigate to the Bandits page and click Create Bandit:

Screenshot

On the details page of your new bandit, you can add as many identifiers as you wish by clicking on the Create Identifier button:

Screenshot

Alerts

Nzyme will raise a BANDIT_CONTACT alert for each new identified bandit track.