Nzyme performs intelligent device fingerprinting and behavioral analytics to detect rogue actors. Classic signature-based detection methods are just too easy to circumvent in WiFi environments.
Build a nzyme tracker to physically locate a rogue actor using bandit definitions. First, define the characteristics of the rogue device you want to find, then send someone with a tracker to locate it.
Threat Hunting and Forensics
By sending structured information about each recorded WiFi management frame to Graylog, you can dive into wireless threat hunting or answer questions like "who connected to this rogue access point?".
What is nzyme?
The nzyme project uses WiFi adapters in monitor mode to scan the frequencies for suspicious behavior, specifically rogue access points and known WiFi attack platforms. Each recorded wireless frame is parsed and optionally sent to a Graylog log management system for long-term storage that allows you to perform forensics and incident response. Ever wondered what to do if you catch a malicious wireless actor? With nzyme, you will be able to reconstruct what happened, who was targeted, and who was successfully compromised.
Several types of alerts are raised automatically. The techniques employed range from signature-based analysis of the expected network infrastructure and threat landscape assessment through fingerprinting, to setting traps with deception capabilities.
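The two ideas above, checking observed access points against the expected network infrastructure and then answering "who connected to this rogue access point?" from per-frame records, can be shown end to end. The following is an added example written for this page; it is not nzyme's own code, and the JSON field names (`frame_type`, `ssid`, `bssid`, `client`), the sample records and the `EXPECTED_NETWORKS` allow-list are all constructed assumptions, not nzyme's actual Graylog schema.

```python
"""Added example (not nzyme's code): hunt over constructed WiFi management-frame
records for a rogue access point and the clients that associated with it.

Assumptions: one JSON record per recorded management frame, as a log system
such as Graylog would store them. Field names are hypothetical.
"""
import json
from collections import defaultdict

# Constructed sample log: beacons advertise an SSID from a BSSID, association
# requests show a client MAC asking to join a BSSID. Field names are assumed.
SAMPLE_LOG = """
{"frame_type": "beacon", "ssid": "corp-wifi", "bssid": "aa:bb:cc:00:00:01", "channel": 6, "ts": 1}
{"frame_type": "beacon", "ssid": "corp-wifi", "bssid": "de:ad:be:ef:00:01", "channel": 11, "ts": 2}
{"frame_type": "assoc_req", "ssid": "corp-wifi", "bssid": "aa:bb:cc:00:00:01", "client": "11:22:33:44:55:66", "ts": 3}
{"frame_type": "assoc_req", "ssid": "corp-wifi", "bssid": "de:ad:be:ef:00:01", "client": "11:22:33:44:55:77", "ts": 4}
{"frame_type": "assoc_req", "ssid": "corp-wifi", "bssid": "de:ad:be:ef:00:01", "client": "11:22:33:44:55:88", "ts": 5}
{"frame_type": "beacon", "ssid": "guest", "bssid": "aa:bb:cc:00:00:02", "channel": 1, "ts": 6}
{"frame_type": "assoc_req", "ssid": "guest", "bssid": "aa:bb:cc:00:00:02", "client": "11:22:33:44:55:99", "ts": 7}
"""

# Expected infrastructure (constructed): which BSSIDs may advertise each SSID.
# A beacon for a known SSID from any other BSSID is treated as a rogue AP.
EXPECTED_NETWORKS = {
    "corp-wifi": {"aa:bb:cc:00:00:01"},
    "guest": {"aa:bb:cc:00:00:02"},
}


def parse_records(text):
    """Parse newline-delimited JSON frame records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_rogue_bssids(records, expected):
    """Return {bssid: ssid} for beacons that advertise an expected SSID
    from a BSSID that is not on that SSID's allow-list."""
    rogue = {}
    for r in records:
        if r.get("frame_type") != "beacon":
            continue
        ssid = r.get("ssid")
        bssid = r.get("bssid", "").lower()
        if ssid in expected and bssid not in expected[ssid]:
            rogue[bssid] = ssid
    return rogue


def clients_of_rogue_aps(records, rogue):
    """Return {bssid: sorted client MACs} for association requests sent to a
    rogue BSSID, i.e. the stations that were (at least) targeted."""
    victims = defaultdict(set)
    for r in records:
        if r.get("frame_type") != "assoc_req":
            continue
        bssid = r.get("bssid", "").lower()
        if bssid in rogue and "client" in r:
            victims[bssid].add(r["client"].lower())
    return {b: sorted(c) for b, c in victims.items()}


def hunt(text=SAMPLE_LOG, expected=EXPECTED_NETWORKS):
    """Run the full hunt: rogue APs first, then who associated with them."""
    records = parse_records(text)
    rogue = find_rogue_bssids(records, expected)
    return rogue, clients_of_rogue_aps(records, rogue)


if __name__ == "__main__":
    rogue_aps, victims = hunt()
    for bssid, ssid in rogue_aps.items():
        print(f"rogue AP {bssid} advertising '{ssid}': associating clients {victims.get(bssid, [])}")
```

An association request only shows that a client tried to join; whether the join succeeded, and whether the client was compromised afterwards, needs the follow-on frames (association responses, data) from the same store, which is exactly why keeping every recorded frame in a log management system matters for incident response.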
What is nzyme not?
nzyme is not designed to be physically moving around in any way. It is supposed to stay stationary and constantly observe the WiFi radio frequency spectrum. If you are looking for a WiFi recon or wardriving tool, you should check out Kismet.
(It obviously won't break from moving around but the interface and some of the functionality won't make much sense anymore.)
nzyme Q&A, Demo at Paul's Security Weekly (April 2021)