Nzyme - Collects 802.11 management frames
Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode.
Think about this like a long-term (months or years) distributed Wireshark/tcpdump that can be analyzed and filtered in real-time, using a powerful UI.
If you are new to the fascinating space of WiFi security, you might want to read my Common WiFi Attacks And How To Detect Them blog post.
A longer blog post with nzyme examples and use-cases is published on my blog: Introducing Nzyme: WiFi Monitoring, Intrusion Detection And Forensics
What kind of data does it collect?
Nzyme collects, parses and forwards all relevant 802.11 management frames. Management frames are unecrypted so anyone close enough to a sending station (an access point, a computer, a phone, a lightbulb, a car, a juice maker, ...) can pick them up with nzyme.
- Association request
- Association response
- Probe request
- Probe response
- Beacon
- Disassociation
- Authentication
- Deauthentication
What do I need to run it?
Everything you need is available from Amazon Prime and is not very expensive. There even is a good chance you have the parts around already.
One or more WiFi adapters that support monitor mode on your operating system.
The most important component is one (or more) WiFi adapters that support monitor mode. Monitor mode is the special state of a WiFi adapter that makes it read and report all 802.11 frames and not only certain management frames or frames of a network it is connected to. You could also call this mode sniffing mode: The adapter just spits out everything it sees on the channel it is tuned to.
The problem is, that many adapter/driver/operating system combinations do not support monitor mode.
The internet is full of compatibility information but here are the adapters I run nzyme with on a Raspberry Pi 3 Model B:
- ALFA AWUS036NH - 2.4Ghz and 5Ghz (Amazon Prime, about $40)
- ALFA AWUS036NEH - 2.4Ghz (Amazon Prime, about $50)
- ALFA AWUS036ACH - 2.4Ghz and 5Ghz (Amazon Prime, about $50)
- Panda PAU05 - 2.4Ghz (Amazon Prime, about $15)
If you have another one that supports monitor mode, you can use that one. Nzyme does by far not require any specific hardware.
A small computer to run nzyme on.
I recommend to run nzyme on a Raspberry Pi 3 Model B. This is pretty much the reference architecture, because that is what I run it on. A Raspberry Pi 3 Model B running Nzyme with three WiFi adapters in monitor mode has about 25% CPU utilization in the busy frequencies of Downtown Houston, TX.
In the end, it shoulnd’t really matter what you run it on, but the docs and guides will most likely refer to a Raspberry Pi with a Raspbian on it.
A Graylog setup
You need a Graylog setup with ah GELF TCP input that is reachable by your nzyme sensors. GELF is a Graylog-specific and structured log format. Because nzyme sends GELF, you don't have to set up any kind of parsing rules in Graylog and still have all fields available as key:value pairs for powerful search and analysis.
You can start a GELF input for nzyme using your Graylog Web Interface. Navigate to System -> Inputs, select GELF TCP in the dropdown menu and hit Launch new input. A modal dialog will open and ask you a few questions about, for example, which address to bind on and what port to use. The input will be immediately available for nzyme after pressing Save.
Post a Comment