Version: 1.1.x

Traps

Introduction to Traps

Traps are pre-built deception strategies that are easy to configure. Make sure to read the Introduction to Deception before you start to configure traps.

All traps are configured in your nzyme.conf file.

This page explains all available trap types.

Trap: BEACON_1

This trap sends beacon frames and will appear to an attacker like an available wireless network. In fact, you will see this trap in the list of networks on your phone or workstation. There is no logic behind the facade of this network, so authentication attempts go unanswered and fail.

The goal of this trap is to lure the attacker into spoofing a network that does not exist. For example, let's imagine your real corporate WiFi is called Flancrest_Enterprises_Wireless. If we use this trap to create a fake network called Flancrest_Enterprises_Lobby or Flancrest_Enterprises_Admin, an attacker will see it in their list of networks during reconnaissance.

If we make the attacker believe that our trap networks are a legitimate target, they might try to imitate it. The moment they send any frames advertising any of our trap networks, nzyme will raise an alert because there is no legitimate reason to send frames for this network.

Additionally, a less sophisticated attacker who is just hoping to attract any client by spraying all SSIDs they can find in the area will most likely fall into this trap.

Configuration

802_11_traps: [
  # Configure as many traps as you wish. Note that each trap needs its own WiFi adapter.
  {
    # The name of the 802.11/WiFi adapter that should be used to send data. Cannot be used for
    # another trap or monitor.
    device: wlx00c0ca971216

    # 802.11/WiFi channels to use. Nzyme will cycle your network adapters through these channels.
    channels: [11]

    # There is no way for nzyme to configure your wifi interface directly. We are using direct
    # operating system commands to configure the adapter. Examples for Linux are in the
    # documentation.
    channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"

    # Channel hop interval in seconds. Leave at default if you don't know what this is.
    channel_hop_interval: 1

    # Skip the automatic monitor mode configuration of this interface. Only enable this if for
    # some reason libpcap can't properly configure this interface into monitor mode. In that case,
    # you can try to set it manually instead.
    skip_enable_monitor: false

    # Which kind of trap to set.
    trap: {
      # Sends crafted beacons for a non-existent network that an attacker might want to target.
      # Any probe-response or beacon for it is considered malicious and will cause an alert.
      type: BEACON_1

      # Transmitter address for crafted beacons. This example looks like it's a Ubiquiti access
      # point. (B4:FB:E4)
      transmitter: "B4:FB:E4:C8:D4:8F"

      # Fingerprint of the crafted beacons we send. This is used to avoid alerting on our own
      # beacons. Must be adapted only if you change the beacon payload. Read more in the
      # documentation if false alerts appear to be triggered by recording our own frames.
      fingerprint: ec9aeadf1db0eaafafd1d42e08afd5c48b862e24c0080edec0cc1e6ca2f19e10

      # The SSIDs to use in the crafted beacons.
      ssids: [
        Flancrest_Enterprises_Wireless
        Flancrest_Enterprises_Lobby
      ]

      # How often to send the beacons, in milliseconds.
      delay_milliseconds: 100
    }
  }
]
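The comments above spell out several rules that are easy to get wrong by hand: every trap needs its own adapter that no other trap or monitor uses, the transmitter must be a MAC address, and BEACON_1 needs its fingerprint. The check below is an added example, not part of nzyme: it assumes nzyme.conf has already been parsed into plain Python dicts (nzyme's HOCON parsing is not reproduced) and lints the list for those mistakes, plus empty or over-long SSIDs. The second entry in TRAPS is constructed to contain three such mistakes.

```python
import re
from typing import Dict, Iterable, List

# Constructed stand-in for the parsed 802_11_traps list. nzyme reads HOCON from nzyme.conf;
# that parsing step is not reproduced here, plain Python dicts are assumed instead.
TRAPS: List[Dict] = [
    {   # the BEACON_1 entry from this page
        "device": "wlx00c0ca971216",
        "channels": [11],
        "trap": {
            "type": "BEACON_1",
            "transmitter": "B4:FB:E4:C8:D4:8F",
            "fingerprint": "ec9aeadf1db0eaafafd1d42e08afd5c48b862e24c0080edec0cc1e6ca2f19e10",
            "ssids": ["Flancrest_Enterprises_Wireless", "Flancrest_Enterprises_Lobby"],
        },
    },
    {   # constructed second entry with three deliberate mistakes
        "device": "wlx00c0ca971216",   # reuses the adapter of the first trap
        "channels": [],                 # nothing to hop through
        "trap": {
            "type": "PROBE_REQUEST_1",
            "transmitter": "E0:33:8E:C8:D4:8F",
            "ssids": ["United_WiFi", ""],   # empty SSID
        },
    },
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{64}$")  # the page's fingerprint is 64 hex characters
KNOWN_TYPES = {"BEACON_1", "PROBE_REQUEST_1"}
MAX_SSID_BYTES = 32  # 802.11 SSID element length limit


def validate_traps(traps: Iterable[Dict], monitor_devices: Iterable[str] = ()) -> List[str]:
    """Return a list of problems found in the trap list; an empty list means no finding.

    monitor_devices: adapters already claimed by nzyme monitor interfaces, so that the
    "cannot be used for another trap or monitor" rule can be checked across both lists.
    """
    problems: List[str] = []
    claimed = set(monitor_devices)
    for idx, entry in enumerate(traps):
        where = f"802_11_traps[{idx}]"
        device = entry.get("device")
        if not device:
            problems.append(f"{where}: device is missing")
        elif device in claimed:
            problems.append(f"{where}: adapter {device} is already used by another trap or monitor")
        else:
            claimed.add(device)

        channels = entry.get("channels", [])
        if not channels or any(not isinstance(c, int) or c <= 0 for c in channels):
            problems.append(f"{where}: channels must be a non-empty list of positive channel numbers")

        trap = entry.get("trap", {})
        ttype = trap.get("type")
        if ttype not in KNOWN_TYPES:
            problems.append(f"{where}: unknown trap type {ttype!r}")
        if not MAC_RE.match(trap.get("transmitter", "")):
            problems.append(f"{where}: transmitter is not a MAC address")
        # BEACON_1 needs the fingerprint so nzyme can recognise its own beacons; the page's
        # PROBE_REQUEST_1 entry carries none, so it is only required for BEACON_1.
        if ttype == "BEACON_1" and not FINGERPRINT_RE.match(trap.get("fingerprint", "")):
            problems.append(f"{where}: fingerprint must be 64 hex characters")
        for ssid in trap.get("ssids", []):
            if not ssid or len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
                problems.append(f"{where}: SSID {ssid!r} is empty or longer than {MAX_SSID_BYTES} bytes")
    return problems


if __name__ == "__main__":
    for line in validate_traps(TRAPS) or ["no problems found"]:
        print(line)
```

Run against the first entry alone the list of problems is empty; run against both entries it reports the reused adapter, the empty channel list and the empty SSID. Passing the adapter names of your monitor interfaces as monitor_devices catches the case where a trap and a monitor share a card.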

Trap: PROBE_REQUEST_1

This trap is very similar to the BEACON_1 trap, except that it does not send beacon frames to imitate an existing network but probe-request frames instead. This means that it imitates a wireless device looking for known networks.

If an attacker is trying to target a specific wireless device, like the iPhone of a specific person, a carefully selected list of network names can make the attacker fall into our trap. For example, if a high-profile employee has the last name Miller, has a mountain house and travels a lot, you could configure this trap to use a few network names that let the attacker zero in on this device: United_WiFi, Miller_Home, AMEX_Lounge, Hilton_Honors. An attacker would assume that this is your employee with the last name Miller. If you add one more network name that doesn't exist, you can set a true trap. If you add a truly random network name like Flancrest_Enterprises_Printer_556s2w, an attacker might include it in the names of networks to spoof. The moment this network name is advertised, nzyme raises an alarm because there is no legitimate reason to advertise this fake network.

Configuration

{
  # The name of the 802.11/WiFi adapter that should be used to send data.
  device: wlx00c0ca971216

  # 802.11/WiFi channels to use. Nzyme will cycle your network adapters through these channels.
  channels: [11]

  # There is no way for nzyme to configure your wifi interface directly. We are using direct
  # operating system commands to configure the adapter. Examples for Linux are in the documentation.
  channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"

  # Channel hop interval in seconds. Leave at default if you don't know what this is.
  channel_hop_interval: 1

  # Skip the automatic monitor mode configuration of this interface. Only enable this if for
  # some reason libpcap can't properly configure this interface into monitor mode. In that case,
  # you can try to set it manually instead.
  skip_enable_monitor: false

  # Which kind of trap to set.
  trap: {
    # Sends crafted probe-requests for a non-existent network that an attacker might want to
    # target. Any probe-response or beacon for it is considered malicious and will cause an alert.
    type: PROBE_REQUEST_1

    # Transmitter address for crafted probe-requests. This example looks like it's an iPhone.
    # (E0:33:8E)
    transmitter: "E0:33:8E:C8:D4:8F"

    # The SSIDs to use in the crafted probe-requests.
    ssids: [
      United_WiFi
      Hilton_Honors
      Miller_Home
      Flancrest_Enterprises_Printer_556s2w
    ]

    # How often to send the probe-requests, in seconds.
    delay_seconds: 1
  }
}
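Both trap types share one alerting rule, stated in the comments of the BEACON_1 and PROBE_REQUEST_1 configurations above: any beacon or probe-response for a trap SSID is malicious, except the beacons nzyme sends itself, which it recognises by fingerprint. The following is an added example that sketches that rule over a constructed capture; it is not nzyme's code. The Frame and TrapDefinition classes, the sample frames and the 02:00:... addresses are constructed for the example, and the fingerprint is compared as an opaque string rather than computed the way nzyme does.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """Constructed, minimal view of a captured 802.11 management frame (not nzyme's own model)."""
    subtype: str                       # "beacon", "probe-response" or "probe-request"
    ssid: str
    transmitter: str                   # sender MAC address
    fingerprint: Optional[str] = None  # nzyme's frame fingerprint, treated here as an opaque string


@dataclass(frozen=True)
class TrapDefinition:
    """The fields of a configured trap that the alerting decision needs."""
    type: str                          # "BEACON_1" or "PROBE_REQUEST_1"
    ssids: frozenset
    fingerprint: Optional[str] = None  # only BEACON_1 carries one on this page


OUR_FINGERPRINT = "ec9aeadf1db0eaafafd1d42e08afd5c48b862e24c0080edec0cc1e6ca2f19e10"

TRAPS = [
    TrapDefinition("BEACON_1",
                   frozenset({"Flancrest_Enterprises_Wireless", "Flancrest_Enterprises_Lobby"}),
                   OUR_FINGERPRINT),
    TrapDefinition("PROBE_REQUEST_1",
                   frozenset({"United_WiFi", "Hilton_Honors", "Miller_Home",
                              "Flancrest_Enterprises_Printer_556s2w"})),
]


def evaluate(frame: Frame, traps=TRAPS) -> Optional[str]:
    """Return an alert string if the frame advertises a trap network and is not one of ours.

    Only beacons and probe-responses advertise a network. Probe-requests never alert: the
    PROBE_REQUEST_1 trap emits them itself, and real clients send them for names they remember.
    """
    if frame.subtype not in ("beacon", "probe-response"):
        return None
    for trap in traps:
        if frame.ssid not in trap.ssids:
            continue
        # Our own BEACON_1 beacons are recognised by fingerprint, which depends on the beacon
        # payload, rather than by transmitter address alone.
        if trap.type == "BEACON_1" and frame.subtype == "beacon" and frame.fingerprint == trap.fingerprint:
            return None
        return f"{trap.type}: {frame.subtype} advertising trap SSID {frame.ssid!r} from {frame.transmitter}"
    return None


# Constructed sample capture: one of our own beacons, three foreign frames for trap names,
# one of our own probe-requests, and one beacon for a network that is not a trap.
SAMPLE_FRAMES: List[Frame] = [
    Frame("beacon", "Flancrest_Enterprises_Lobby", "B4:FB:E4:C8:D4:8F", OUR_FINGERPRINT),
    Frame("beacon", "Flancrest_Enterprises_Lobby", "02:00:00:00:00:01", "0" * 64),
    Frame("beacon", "Flancrest_Enterprises_Lobby", "B4:FB:E4:C8:D4:8F", "1" * 64),  # our MAC, other payload
    Frame("probe-response", "Flancrest_Enterprises_Printer_556s2w", "02:00:00:00:00:02"),
    Frame("probe-request", "United_WiFi", "E0:33:8E:C8:D4:8F"),
    Frame("beacon", "Guest_WiFi", "02:00:00:00:00:03", "2" * 64),
]


def run(frames=SAMPLE_FRAMES) -> List[Tuple[Frame, str]]:
    """Evaluate every frame and collect the alerts that would be raised."""
    return [(f, alert) for f in frames if (alert := evaluate(f)) is not None]


if __name__ == "__main__":
    for frame, alert in run():
        print(alert)
```

Three of the six sample frames alert: the foreign beacon, the beacon that copies our transmitter address but carries a different payload (and therefore a different fingerprint), and the probe-response for the printer SSID. Our own beacon, our own probe-request and the beacon for a non-trap network do not.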

More Trap Types

Future versions of nzyme will include additional and more sophisticated types of traps.