Version: Next

Common Permission Problems

PCAP handle: Operation not permitted

Probe initialization can fail when Java is not allowed to create a PCAP handle on your wireless interface. The error looks like this:

18:42:35.714 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.probes.Dot11Probe - Building PCAP handle on interface [wlx9cefd5fbc13d]
18:42:35.715 [probe-loop-1] ERROR horse.wtf.nzyme.dot11.probes.Dot11Probe - Could not initialize probe [broad-monitor-wlx9cefd5fbc13d]. Retrying soon.
horse.wtf.nzyme.dot11.probes.Dot11ProbeInitializationException: Could not build PCAP handle.
    at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.initialize(Dot11MonitorProbe.java:149) ~[classes/:?]
    at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.lambda$loop$0(Dot11MonitorProbe.java:163) ~[classes/:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.pcap4j.core.PcapNativeException: socket: Operation not permitted
    at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:166) ~[pcap4j-core-1.8.2.jar:?]
    at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:45) ~[pcap4j-core-1.8.2.jar:?]
    at org.pcap4j.core.PcapHandle$Builder.build(PcapHandle.java:1529) ~[pcap4j-core-1.8.2.jar:?]
    at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.initialize(Dot11MonitorProbe.java:143) ~[classes/:?]
    ... 6 more

The key is the PcapNativeException: socket: Operation not permitted part. You can allow Java to bind a PCAP handle using the setcap command. Make sure that you apply it to your actual java executable and not to a symlink, which many distributions set up. Also keep in mind that a Java upgrade that replaces the executable might require you to run setcap again.

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java

Restart nzyme after applying the setcap command.

Trap execution: Operation not permitted

Nzyme might fail when executing deception traps. For maximum flexibility, nzyme uses Python scripts to send crafted WiFi frames, and Python needs permission to interact with your WiFi adapter at such a low level.

If the correct permissions are not assigned, you will see an error like this:

17:11:01.942 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Bluff [horse.wtf.nzyme.dot11.deception.bluffs.ProbeRequest]: Invoked command {/usr/bin/python3.8 /tmp/nzyme_ProbeRequest --interface wlx00c0ca971216 --ssid ECorp_Omaha --mac E0:33:8E:36:AC:FA}.
17:11:01.942 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Bluff [horse.wtf.nzyme.dot11.deception.bluffs.ProbeRequest]: 12 lines written to STDERR:
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR: Traceback (most recent call last):
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:   File "/tmp/nzyme_ProbeRequest", line 25, in <module>
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:     probe_request(args.interface, args.ssid, args.mac)
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:   File "/tmp/nzyme_ProbeRequest", line 7, in probe_request
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:     sendp(RadioTap()/
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:   File "/home/tun3/.local/lib/python3.8/site-packages/scapy/sendrecv.py", line 335, in sendp
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:     socket = socket or conf.L2socket(iface=iface, *args, **kargs)
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:   File "/home/tun3/.local/lib/python3.8/site-packages/scapy/arch/linux.py", line 467, in __init__
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:     self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))  # noqa: E501
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:   File "/usr/lib/python3.8/socket.py", line 231, in __init__
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR:     _socket.socket.__init__(self, family, type, proto, fileno)
17:11:01.943 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff -        STDERR: PermissionError: [Errno 1] Operation not permitted
17:11:01.944 [probe-loop-1] ERROR horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Could not execute bluff [horse.wtf.nzyme.dot11.deception.bluffs.ProbeRequest].
horse.wtf.nzyme.dot11.deception.bluffs.Bluff$BluffExecutionException: STDERR is not empty.
    at horse.wtf.nzyme.dot11.deception.bluffs.Bluff.execute(Bluff.java:99) ~[classes/:?]
    at horse.wtf.nzyme.dot11.deception.bluffs.Bluff.executeFailFast(Bluff.java:110) ~[classes/:?]
    at horse.wtf.nzyme.dot11.deception.traps.ProbeRequestTrap.doRun(ProbeRequestTrap.java:53) ~[classes/:?]
    at horse.wtf.nzyme.dot11.deception.traps.Trap.run(Trap.java:58) ~[classes/:?]
    at horse.wtf.nzyme.dot11.probes.Dot11SenderProbe.lambda$loop$0(Dot11SenderProbe.java:120) ~[classes/:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at java.lang.Thread.run(Thread.java:834) [?:?]
17:11:01.947 [probe-loop-1] INFO  horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Attempted command invocation: [/usr/bin/python3.8 /tmp/nzyme_ProbeRequest --interface wlx00c0ca971216 --ssid ECorp_Omaha --mac E0:33:8E:36:AC:FA]

The key to the issue here is PermissionError: [Errno 1] Operation not permitted (older Python versions report it as socket.error). We can assign the correct permissions using the Linux setcap command. All you need to know is the path to the Python executable that nzyme is using.

You can either look at the error above and see that it tried to execute /usr/bin/python3.8 or look into your nzyme.conf file:

python {
  # Path to python executable.
  path: /usr/bin/python3.8

  # Script directory. This must be an existing and writable directory. We'll store some generated Python scripts here.
  script_directory: /tmp

  # Script prefix. A prefix for the generated scripts. There is usually no reason to change this setting.
  script_prefix: nzyme_
}

Make sure that you are not pointing nzyme at a symlink to a Python executable. Many Linux distributions use symlinks to switch between active Python versions. For example, on Ubuntu, /usr/bin/python links to /usr/bin/python3.8 if you are using Python 3. The setcap command must be pointed at the actual executable and not a symlink.

Use setcap to assign the permissions to the Python executable:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/python3.8

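For reference, we are assigning the following permissions. They attach to the executable file itself, so every process started from that binary receives them: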

CAP_NET_RAW
  * Use RAW and PACKET sockets;
  * bind to any address for transparent proxying.

CAP_NET_ADMIN
  Perform various network-related operations:
    * interface configuration;
    * administration of IP firewall, masquerading, and accounting;
    * modify routing tables;
    * bind to any address for transparent proxying;
    * set type-of-service (TOS);
    * clear driver statistics;
    * set promiscuous mode;
    * enabling multicasting;
    * use setsockopt(2) to set the following socket options:
      SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
      range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
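The symlink and re-run-after-upgrade caveats from both the Java and the Python section can be checked with a small script. This is an added example, not part of nzyme; the function names and the script name check_caps.sh are made up for illustration, and it assumes readlink -f and getcap (libcap) are available.

```sh
#!/bin/sh
# Added example (not nzyme code): find the real binary behind a symlink and
# check whether it already carries the capabilities set with setcap above.

# Print the real file behind a command name or path, following all symlinks.
resolve_exe() {
    case $1 in
        */*) target=$1 ;;
        *)   target=$(command -v "$1") || return 1 ;;
    esac
    [ -x "$target" ] || return 1
    readlink -f "$target"
}

# Succeed if one line of getcap output grants cap_net_raw and cap_net_admin
# as effective (e) and permitted (p). Assumes a single clause, as the setcap
# command on this page produces. Both libcap output styles are accepted:
#   /path = cap_net_admin,cap_net_raw+eip     /path cap_net_admin,cap_net_raw=eip
has_capture_caps() {
    caps=${1##* }                       # last whitespace-separated field
    case $caps in *[+=]*) ;; *) return 1 ;; esac
    names=${caps%[+=]*}
    flags=${caps##*[+=]}
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
}

# Report on one executable and print the setcap command if it is needed.
check_exe() {
    real=$(resolve_exe "$1") || { echo "$1: not found or not executable"; return 2; }
    if [ "$real" != "$1" ]; then echo "$1 resolves to $real"; fi
    if has_capture_caps "$(getcap "$real" 2>/dev/null)"; then
        echo "$real: capabilities present"
    else
        echo "$real: run sudo setcap cap_net_raw,cap_net_admin=eip $real"
        return 1
    fi
}

# Usage: sh check_caps.sh java /usr/bin/python3
for exe in "$@"; do check_exe "$exe"; done
```

Running it again after a Java or Python package upgrade shows whether the replaced binary lost its capabilities. If getcap is not on your PATH (some distributions install it in /sbin), the script reports the capabilities as missing.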

Error in read loop: openPort() Permission denied.

If you are using a LoRa adapter for tracker communication and see this error, your Linux group settings are wrong:

11:31:06.840 [groundstation-listener-0] WARN horse.wtf.nzyme.bandits.trackers.devices.SX126XLoRaHat - Error in read loop.
jssc.SerialPortException: Port name - /dev/ttyUSB0; Method name - openPort(); Exception type - Permission denied.
   at jssc.SerialPort.openPort(SerialPort.java:170) ~[jssc-2.8.0.jar:?]
   at horse.wtf.nzyme.bandits.trackers.devices.SX126XLoRaHat.handle(SX126XLoRaHat.java:189) ~[classes/:?]
   at horse.wtf.nzyme.bandits.trackers.devices.SX126XLoRaHat.readLoop(SX126XLoRaHat.java:104) ~[classes/:?]
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
   at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
   at java.lang.Thread.run(Thread.java:834) [?:?]

You have to add the user to a group that is permitted to open serial devices in /dev. On Ubuntu, this is the dialout group and you can add your user like this:

$ sudo usermod -a -G dialout YOUR_USERNAME

You have to log out and log in again after adding the user to the group. Some users reported strange behavior where a full restart of the system was required for the changes to take effect.
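To see whether the group change has reached the running session, compare the groups of the current process with the groups recorded for the account. This is an added example, not part of nzyme; the function names and the script name serial_access.sh are made up, and it assumes GNU stat and id and that the device is readable and writable by its owning group, as is the default for /dev/ttyUSB0 on Ubuntu.

```sh
#!/bin/sh
# Added example (not nzyme code): tell apart "user is not in the group" from
# "user is in the group but this login session predates the change".

# Classify serial-port access.
#   $1 group owning the device          (stat -c %G /dev/ttyUSB0)
#   $2 groups of the running session    (id -nG)
#   $3 groups recorded for the account  (id -nG USERNAME)
serial_access_state() {
    case " $2 " in *" $1 "*) echo ok; return ;; esac
    case " $3 " in *" $1 "*) echo relogin; return ;; esac
    echo missing
}

# Inspect a real device. Run this as the user that runs nzyme.
report_serial_access() {
    dev=$1
    user=$2
    owner=$(stat -c %G "$dev") || return 2
    state=$(serial_access_state "$owner" "$(id -nG)" "$(id -nG "$user")")
    case $state in
        ok)      echo "$dev: this session already has group $owner" ;;
        relogin) echo "$dev: $user is in $owner, but this session predates the change; log in again" ;;
        missing) echo "$dev: run sudo usermod -a -G $owner $user" ;;
    esac
}

# Usage: sh serial_access.sh /dev/ttyUSB0 [USERNAME]
if [ $# -gt 0 ]; then
    report_serial_access "$1" "${2:-$(id -un)}"
fi
```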