Skip to main content
Version: Next

Configuration Reference

Nzyme Leader Configuration#

A leader is the default deployment mode of nzyme. See general.role below.

The leader example configuration file can be found here.

general.role#

Can be set to either LEADER (the default nzmye type that spins up a web interface and monitors your wireless environmentorTRACKER` (a nzyme mode with which you can physically locate threat actors). See Bandits and Trackers.

general.id#

The ID or name of this nzyme instance. Must be unique and contain only alphanumeric characters, underscores and dashes.

general.admin_password_hash#

This is the SHA256 hash of your nzyme administrator password. You can create the hash of your password like this:

$ echo -n secretpassword | sha256sum

(The default nzyme username is admin)

general.database_path#

This is the connection string that nzyme uses to connect to the PostgreSQL database. This is a full example with all relevant options included:

postgresql://localhost:5432/nzyme?user=nzyme&password=YOUR_PASSWORD

In this case, nzyme would connect to PostgreSQL at localhost, on port 5432, use the nzyme and authenticate using the user nzyme with password YOUR_PASSWORD.

If you do not have authentication enabled or required, you could leave out the username and password like this:

postgresql://localhost:5432/nzyme

general.fetch_ouis#

Set to true or false. If enabled, nzyme will download and keep a current list of OUIs (the part of a MAC address that identifies the vendor) from the IEEE.

The list of OUIs is used to display vendor names in the web interface. If disabled, all vendor names will be set to "unknown".

general.data_directory#

Path to directory that nzyme will use to store some temporary information. (must be writable)

general.python.path#

Path to the local Python installation. It is recommended to use Python 3, but Python 2 is also supported.

Nzyme uses Python to inject frames for Deception and Traps.

general.python.script_directory#

Nzyme uses Python to inject frames for Deception and Traps. It generate custom Python scripts and this directory is where it will store them. Must be an existing and writable directory.

general.python.script_prefix#

A prefix for the generated script filenames. Only relevant if you run multiple nzyme instances with the same general.python.script_directory.

alerting.callbacks#

See Alert Callbacks.

alerting.training_period_seconds#

An initial training period in which some alerts might not be raised until a baseline has been established. No need to change this if you don't know what it does.

general.versionchecks#

Set to true or false. If enabled, nzyme will automatically check for the most recent stable release and warn you on the System Status page if you are running an outdated version of nzyme.

802_11_monitors.*#

Nzyme monitors are constanly scanning the WiFi environment on specified channels. Think of these like the eyes and ears of nzyme. Nzyme will attempt to put the WiFi adapter used as a monitor into monitor mode. Monitor mode is a special mode in which a WiFi adapter will read and report all frames it records (like promiscuous mode for wired ethernet adapters). See also Requirements.

The 802_11_monitors configuration is an array (using the [ ] brackets) and can hold multiple entries like this:

802_11_monitors: [  {    device: wlx00c0ca971201    channels: [1,2,3,4,5,6]    channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"    channel_hop_interval: 1  }
  {    device: wlx00c0ca971202    channels: [7,8,9,10,11]    channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"    channel_hop_interval: 1  }]

802_11_monitors.#.device#

The local interface name to use. You can see all available interfaces using the iwconfig command on Linux. Must be a supported WiFi adapter that works well in monitor mode. See also Requirements.

802_11_monitors.#.channels#

An array of channels to scan. Split these up between multiple WiFi adapters / monitors and make sure to not overlap between channels. Nzyme will refuse to start if a monitor is configured to scan a channel that another monitor is already assigned to scan.

Example:

channels: [1,2,3,4,5,6,7,8,9,10,11,36,38,40]

You can find the supported channels of your WiFi adapters using the iwlist command:

$ iwlist wlx00c0ca971201 channelwlx00c0ca971201  11 channels in total; available frequencies :          Channel 01 : 2.412 GHz          Channel 02 : 2.417 GHz          Channel 03 : 2.422 GHz          Channel 04 : 2.427 GHz          Channel 05 : 2.432 GHz          Channel 06 : 2.437 GHz          Channel 07 : 2.442 GHz          Channel 08 : 2.447 GHz          Channel 09 : 2.452 GHz          Channel 10 : 2.457 GHz          Channel 11 : 2.462 GHz          Current Frequency:2.422 GHz (Channel 3)

Most adapters will support the 2.4 GHz channels, some adapters also support the % GHz channels. See also List of WLAN channels on Wikipedia and the list of tested adapters on the Requirements page.

802_11_monitors.#.channel_hop_command#

The command used by nzyme to switch the channel the WiFi adapter is operating on. See also Channel Hopping.

Example:

sudo /sbin/iwconfig {interface} channel {channel}

The placeholder {interface} will be replaced with the interface name and {channel} will be replaced with the channel to switch to.

Note that in this example sudo must be able to execute without waiting for a password to be supplied. If your sudo configuration requires a password to be entered, it is recommended to allow the execution of /sbin/iwconfig without a password prompt:

$ sudo visudo
# Add this line BELOW the "%sudo   ALL=(ALL:ALL) ALL" line:your_username   ALL=(ALL:ALL) NOPASSWD: /sbin/iwconfig

802_11_monitors.#.channel_hop_interval#

Interval for Channel Hopping in seconds. The default of 1 is a good choice in most cases.

802_11_monitors.#.skip_enable_monitor#

When set to true, nzyme will not attempt to configure the interface into monitor mode. Some drivers and libpcap packages do not work well together and a device that supports monitor mode might be reported as not supporting it. In that case, set this setting to true and configure the interface manually using something like iwconfig [interface] set mode monitor or even aircrack-ng tooling.

(Default: false)

802_11_networks#

The list of networks to monitor and alert for in case of changes or detected intrusion attempts. See Network Monitoring for more details and examples.

802_11_alerts#

List of enabled alerts. You can see all enabled and disabled alerts on the System Overview page of your nzyme web interface. More details can be found in the Alerts section of this documentation.

802_11_traps#

Traps to set up for detection by deception. See Deception and Traps.

groundstation_device#

Device to use for communication with nzyme tracker devices for physical location of threat actors. See Bandits and Trackers.

Nzyme Tracker Configuration#

A nzyme tracker has a reduced configuration but also comes with a few extra variables.

The tracker example configuration file can be found here.

general.role#

Same as for LEADER role. See above.

general.id#

Same as for LEADER role. See above.

general.data_directory#

Same as for LEADER role. See above.

general.hids#

A list of enabled HIDs (human interface devices) to interact with the tracker while you carry it. See Bandits and Trackers to learn more about HIDS. At least one HID must be enabled.

uplink_device#

The device used to communicate with the groundstation_device of the LEADER. See Bandits and Trackers.

802_11_monitors#

Same as for LEADER role. See above.