Version: Next

Fingerprinting

A fingerprint could look like this:

ec398735dc99267d453908d81bfe06ce04cfa2573d0b9edf1d940f0dbf850a9c

In practice, you can assume that devices built from similar hardware and running the same general configuration will have the same fingerprint. For example, if you run 10 Ubiquiti access points that are all the same model and all configured the same way, they should all show the same fingerprint in nzyme. If, however, someone is trying to spoof your network using different hardware (which is likely), then the fingerprint differs, no matter how well beacon rate, BSSID, channels and other attributes are spoofed.

What can I do with fingerprints?

You can be alerted if a device advertises your network with an unexpected fingerprint, and you can also be alerted if a known WiFi attack platform (for example a WiFi Pineapple) is active within range of your nzyme sensors.

Please follow the documentation for the related alert types:

How exactly are fingerprints calculated?

The two frame types used to advertise WiFi networks (beacon and probe-response) contain information in a Tagged Parameters map. This information is helpful for clients that intend to connect to such a network. For example, the Tagged Parameters tell your phone what channels the network operates on, which transfer rates are supported and what encryption is available.

The individual information in the Tagged Parameters differs wildly depending on the hardware/chipset and configuration of the access point.

Tagged Parameters in Wireshark

Nzyme picks information from the Tagged Parameters that does not change during the operation of a wireless network (but might change if you switch out hardware or change the access point configuration).

Currently, the considered information elements are:

  • Supported Rates (ID 1)
  • Country Information (ID 7)
  • HT Capabilities (ID 45)
  • RSN (ID 48)
  • Extended Supported Rates (ID 50)
  • Extended Capabilities (ID 127)
  • Vendor Specific Parameters (ID 221): 00:50:F2-4 (WPS) and 00:50:F2-1 (WPA)
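
The selection described above, as an added Python example (not nzyme's own code): it parses tagged parameters, keeps only the listed element IDs, and hashes them. The page does not state which hash or byte layout nzyme uses, so SHA-256 over ID, length and body is an assumption, and the beacon contents are constructed samples.

```python
import hashlib

# Element IDs the page lists as fingerprint inputs.
STABLE_IDS = {1, 7, 45, 48, 50, 127}
VENDOR_ID = 221
# Vendor-specific elements considered: OUI 00:50:F2, type 4 (WPS) and type 1 (WPA).
VENDOR_PREFIXES = {bytes.fromhex("0050f204"), bytes.fromhex("0050f201")}


def parse_tagged_parameters(raw: bytes):
    """Yield (element_id, body) per ID/length/value element; raise if one is truncated."""
    offset = 0
    while offset + 2 <= len(raw):
        element_id, length = raw[offset], raw[offset + 1]
        body = raw[offset + 2 : offset + 2 + length]
        if len(body) < length:  # declared length runs past the end of the frame
            raise ValueError(f"truncated element {element_id} at offset {offset}")
        yield element_id, body
        offset += 2 + length


def fingerprint(raw: bytes) -> str:
    """Hash only the selected elements. SHA-256 and the byte layout are assumptions."""
    digest = hashlib.sha256()
    for element_id, body in parse_tagged_parameters(raw):
        if element_id in STABLE_IDS or (element_id == VENDOR_ID and body[:4] in VENDOR_PREFIXES):
            digest.update(bytes([element_id, len(body)]) + body)
    return digest.hexdigest()


def element(element_id: int, body: bytes) -> bytes:
    """Encode one tagged parameter (helper for the constructed samples below)."""
    return bytes([element_id, len(body)]) + body


# Constructed sample elements, not captured traffic.
RATES = element(1, bytes.fromhex("82848b960c121824"))
RSN = element(48, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
WPS = element(221, bytes.fromhex("0050f204104a000110"))


def beacon(ssid: bytes, channel: int, rates: bytes = RATES) -> bytes:
    # SSID (ID 0) and DS Parameter Set (ID 3, channel) are not fingerprint inputs.
    return element(0, ssid) + rates + element(3, bytes([channel])) + RSN + WPS


LEGIT = beacon(b"corp-wifi", 6)
SAME_HARDWARE = beacon(b"corp-wifi", 11)
OTHER_HARDWARE = beacon(b"corp-wifi", 6, rates=element(1, bytes.fromhex("0c1218243048606c")))
```

`LEGIT` and `SAME_HARDWARE` hash to the same value because only the channel differs, while `OTHER_HARDWARE` advertises the same SSID and channel with a different Supported Rates element and gets a different fingerprint.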

Why can a transmitter have multiple fingerprints?

Even though nzyme chooses attributes of observed WiFi frames that are not supposed to change, some devices still change them. Any difference in an attribute that the calculation uses leads to a different fingerprint.

Most devices are recorded with one fingerprint, some enterprise-grade devices show two fingerprints, and some even end up with three.

A common cause for multiple fingerprints is that some devices use different attributes for beacon and probe-response frames.

Future versions of nzyme might let you define how the fingerprint calculation uses frame attributes, but this is not available yet.