A fingerprint could look like this:
In practice, you can assume that a device made of similar hardware and running with the same general configuration will have the same fingerprint. For example, if you run 10 Ubiquity access points and they are all the same model, and they are all configured the same, then they should all show the same fingerprint in nzyme. If, however, someone is trying to spoof your network using different hardware (which is likely), then the fingerprint differs, no matter how well beacon rate, BSSID, channels and other attributes are spoofed.
You can be alerted if a device advertises your network with an unexpected fingerprint and you can also be alerted if a known WiFi attack platform (for example a WiFi Pineapple) is active somewhere within the range of your nzyme sensors.
Please follow the documentation for the related alert types:
The two frame types used to advertise WiFi networks (
probe-response) contain information in a
Tagged Parameters map. This kind of information is helpful for clients that intend to connect to such a network.
For example, the Tagged Parameters tell your phone what channels the network operates on, which transfer rates are
supported or what encryption is available.
The individual information in the Tagged Parameters differs wildly based on the used hardware/chipset and configuration of the access point.
Nzyme picks information from the Tagged Parameters that does not change during the operation of a wireless network. (but might change if you switch out hardware or change the access point configuration)
Currently, the considered information elements are:
- Supported Rates (ID 1)
- Country Information (ID 7)
- HT Capabilities (ID 45)
- RSN (ID 48)
- Extended Supported Rates (ID 50)
- Extended Capabilities (ID 127)
- Vendor Specific Parameters (ID 221) 00:50:F2-4 (WPS) and 00:50:F2-1 (WPA)
Even though nzyme chooses attributes of observed WiFi frames that are not supposed to change, some devices still change them. Any difference of attributes that the calculation uses leads to a different fingerprint.
Most devices record with one fingerprint, some enterprise-grade devices show two fingerprints, and some even end up with three.
A common cause for multiple fingerprints is that some devices use different attributes for
Future versions of nzyme might let you define how the fingerprint calculation uses frame attributes, but this is not available yet.