Nzyme is a free and open next-generation WiFi defense system.

Overview

nzyme - WiFi Defense System

Introduction

What is nzyme?

The nzyme project uses WiFi adapters in monitor mode to scan the frequencies for suspicious behavior, specifically rogue access points and known WiFi attack platforms. Each recorded wireless frame is parsed and optionally sent to a Graylog log management system for long-term storage that allows you to perform forensics and incident response. Ever wondered what to do if you catch a malicious wireless actor? With nzyme, you will be able to reconstruct what happened, who was targeted, and who was successfully compromised.

Several types of alerts are raised automatically. The techniques employed range from signature-based analysis of the expected network infrastructure and threat landscape assessment with fingerprinting to setting traps with deception capabilities.
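As an added illustration (not nzyme's own code) of the signature-based checks that the 802_11_networks configuration drives, the Python below evaluates constructed beacon observations against an expected-network definition and returns the alert type IDs that appear on this page. The Beacon field layout, the rule that the configured security list is a set of allowed modes, and the fingerprint placeholders are assumptions of this example, not nzyme's implementation.

```python
"""Minimal re-implementation of the 'expected infrastructure' beacon checks.

The ExpectedNetwork fields mirror one entry of 802_11_networks in nzyme.conf
(ssid, channels, security, bssids -> fingerprints). Everything else, in
particular the matching rules, is an assumption made for this example.
"""
from dataclasses import dataclass

# Alert type IDs as they appear in the nzyme web interface on this page.
UNEXPECTED_SSID = "UNEXPECTED_SSID_BEACON"
UNEXPECTED_BSSID = "UNEXPECTED_BSSID_BEACON"
UNEXPECTED_CHANNEL = "UNEXPECTED_CHANNEL_BEACON"
UNEXPECTED_FINGERPRINT = "UNEXPECTED_FINGERPRINT_BEACON"
CRYPTO_CHANGE = "CRYPTO_CHANGE_BEACON"


@dataclass
class ExpectedNetwork:
    """One entry of the 802_11_networks list."""
    ssid: str
    channels: set      # channels this SSID may legitimately be seen on
    security: set      # allowed security strings, e.g. "WPA2-PSK-CCMP"
    bssids: dict       # lower-case address -> set of allowed fingerprints


@dataclass
class Beacon:
    """Fields parsed from one observed beacon frame (layout is an assumption)."""
    ssid: str
    bssid: str
    channel: int
    security: set      # security modes advertised in this beacon's RSN data
    fingerprint: str   # AP fingerprint derived from the beacon's capabilities


def evaluate_beacon(networks, beacon):
    """Return the alert type IDs this beacon raises against the expected
    infrastructure. Matching is by SSID first, then by BSSID."""
    alerts = []
    by_ssid = {n.ssid: n for n in networks}
    bssid = beacon.bssid.lower()

    network = by_ssid.get(beacon.ssid)
    if network is None:
        # One of our own BSSIDs advertising an SSID we never configured is the
        # unexpected_ssid case. A completely foreign SSID/BSSID pair is just a
        # neighbour and violates no infrastructure signature, so it raises nothing.
        if any(bssid in n.bssids for n in networks):
            alerts.append(UNEXPECTED_SSID)
        return alerts

    if bssid not in network.bssids:
        # Our SSID advertised by a BSSID not listed for it (evil-twin pattern).
        # There is no fingerprint list to compare against, so stop here.
        alerts.append(UNEXPECTED_BSSID)
        return alerts

    # The configured security list is treated as the set of allowed modes, so a
    # mixed WPA2/WPA3 AP that advertises only one of them in a beacon passes,
    # while an open (empty) or unknown mode is a crypto change.
    if not beacon.security or not beacon.security <= network.security:
        alerts.append(CRYPTO_CHANGE)
    if beacon.channel not in network.channels:
        alerts.append(UNEXPECTED_CHANNEL)
    if beacon.fingerprint not in network.bssids[bssid]:
        alerts.append(UNEXPECTED_FINGERPRINT)
    return alerts


# Constructed sample, modelled on the mixed-mode setup reported in the issues on
# this page: two APs sharing SSID Network23, WPA2/WPA3 mixed on the 5 GHz radio.
# The fingerprints are placeholders, not real hashes; the addresses are the ones
# quoted in the issue.
FP_AP1 = "fp-ap1-constructed"
FP_AP2 = "fp-ap2-constructed"
NETWORK23 = ExpectedNetwork(
    ssid="Network23",
    channels={1, 6, 11, 36, 40, 44, 48},
    security={"WPA2-PSK-CCMP", "WPA3-PSK-PSKSHA256-SAE-CCMP"},
    bssids={
        "c4:41:1e:f5:36:44": {FP_AP1},
        "c4:41:1e:f5:36:45": {FP_AP2},
    },
)


def demo():
    """Run the checks over constructed beacons; return {label: alert list}."""
    beacons = {
        "wpa2_only_beacon": Beacon("Network23", "c4:41:1e:f5:36:44", 6,
                                   {"WPA2-PSK-CCMP"}, FP_AP1),
        "wpa3_only_beacon": Beacon("Network23", "c4:41:1e:f5:36:45", 36,
                                   {"WPA3-PSK-PSKSHA256-SAE-CCMP"}, FP_AP2),
        "open_twin": Beacon("Network23", "c4:41:1e:f5:36:44", 6, set(), FP_AP1),
        "unknown_bssid": Beacon("Network23", "c6:41:1e:f8:9b:9c", 6,
                                {"WPA2-PSK-CCMP"}, FP_AP1),
        "owned_bssid_other_ssid": Beacon("FreeWifi", "c4:41:1e:f5:36:45", 6,
                                         set(), FP_AP2),
        "bad_channel_and_fp": Beacon("Network23", "c4:41:1e:f5:36:44", 13,
                                     {"WPA2-PSK-CCMP"}, "fp-other-constructed"),
    }
    return {label: evaluate_beacon([NETWORK23], b) for label, b in beacons.items()}


if __name__ == "__main__":
    for label, alerts in demo().items():
        print(f"{label:24s} -> {alerts or ['(no alert)']}")
```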

What is nzyme not?

nzyme is not designed to be physically moving around in any way. It is supposed to stay stationary and constantly observe the WiFi radio frequency spectrum. If you are looking for a WiFi recon or wardriving tool, you should check out Kismet.

(It obviously won't break from moving around but the interface and some of the functionality won't make much sense anymore.)

Getting Started

Please visit the getting started page to get started.

Contributing

There are many ways to contribute and all community interaction is absolutely welcome:

  • Open an issue for any kind of bug you think you have found.
  • Open an issue for anything that was confusing to you. Bad, missing or confusing documentation is considered a bug.
  • Open a Pull Request for a new feature or a bugfix. It is a good idea to get in contact first to make sure that it fits the roadmap and has a chance to be merged.
  • Write documentation.
  • Write a blog post.
  • Help a user in the issue tracker or the IRC channel (#nzyme on FreeNode.)
  • Get in contact and say how you use it or what would be a cool addition.
  • Tell the world.

Please be aware of the Code of Conduct that will be enforced across all channels and platforms.

Legal notice

Make sure to comply with local laws, especially with regard to wiretapping, when running nzyme. Note that nzyme never decrypts any data; it only reads unencrypted data on license-free frequencies.

Comments
  • Can't access webpanel

    Hi, I followed the installation guide. The only thing I didn't change was the interface name (after removing the symlink I couldn't connect to SSH). I can't access the web panel of nzyme. What should I do? Also I have PiHole on this Raspberry. Output of sudo systemctl status nzyme:

    nzyme.service - Nzyme
       Loaded: loaded (/lib/systemd/system/nzyme.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2021-03-22 14:32:56 CET; 2min 48s ago
         Docs: https://github.com/lennartkoopmann/nzyme
     Main PID: 1184 (nzyme)
        Tasks: 12 (limit: 2062)
       CGroup: /system.slice/nzyme.service
               ├─1184 /bin/sh /usr/share/nzyme/bin/nzyme
               └─1185 /usr/bin/java -jar -Dlog4j.configurationFile=file:///etc/nzyme/log4j2-debian.xml /usr/share/nzyme/nzyme.jar -c /etc/nzyme/nzyme.conf
    
    mar 22 14:32:56 raspberrypi systemd[1]: Started Nzyme.
    mar 22 14:33:01 raspberrypi nzyme[1184]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
    

    Here is my config:

      role: LEADER
    
      # The ID or name of this nzyme instance. Must be unique and contain only alphanumeric characters, underscores and dashes.
      id: nzyme-node-01
    
      # Admin password SHA256 hash. (64 characters) - generate with, for example, sha256sum on Linux: $ echo -n secretpassword | sha256sum
      # You will use this password to log in to the web interface.
      admin_password_hash: hashofpass
      
      # Path to PostgreSQL database. Make sure to change username, password and database name. (This is described in the documentation)
      database_path: "postgresql://localhost:5432/nzyme?user=nzyme&password=mypass"
    
      # Download current list of manufacturers and enable MAC address to manufacturer lookup?
      fetch_ouis: true
    
      # Path to directory that the tracker will use to store some temporary information. (must be writable)
      data_directory: /usr/share/nzyme
    
      # We use Python to inject frames for traps.
      python {
        # Path to python executable. (nzyme supports both Python 3 and 2)
        path: /usr/bin/python3.7
    
        # Script directory. This must be an existing and writable directory. We'll store some generated Python scripts here.
        script_directory: /tmp
    
        # Script prefix. A prefix for the generate scripts. There is usually no reason to change this setting.
        script_prefix: nzyme_
      }
    
      alerting {
        # Notifications and callbacks for triggered alerts.
        callbacks: [
          {
            type: email
            enabled: false
    
            # One of: SMTP, SMTPS or SMTP_TLS
            transport_strategy: SMTP_TLS
    
            host: smtp.example.org
            port: 587
            username: "your_username"
            password: "your_password"
    
            from: "nzyme <[email protected]>"
            subject_prefix: "[NZYME]"
    
            recipients: [
              "Somebody <[email protected]>",
              "Somebody Else <[email protected]>"
            ]
          }
        ]
    
        # Length of the training period. Do not change this if you don't know what this means.
        training_period_seconds: 300
      }
    
      # Regularly check if this version of nzyme is outdated?
      versionchecks: true
    }
    
    # Web interface and REST API configuration.
    interfaces: {
      # Make sure to set this to an IP address you can reach from your workstation.
      rest_listen_uri: "http://192.168.0.2:22900/"
    
      # This is usually the same as the `rest_listen_uri`. Take a look at the configuration documentation to learn about
      # other use-cases. It will be interesting if you run behind a load balancer or NAT. (basically, it is the address
      # that your web browser will use to try to connect to nzyme and it has to be reachable for it.)
      http_external_uri: "http://192.168.0.2:22900/"
    
      # Use TLS? (HTTPS) See https://go.nzyme.org/docs-https
      use_tls: false
    }
    
    # List of Graylog GELF TCP inputs. (Optional but strongly recommended to enable analytics, forensics and incident response.)
    # See https://go.nzyme.org/docs-wifi-threat-hunting
    graylog_uplinks: []
    
    # 802.11/Wifi adapters that are designated to read traffic.
    # The more monitors you have listening on different channels, the more traffic will be picked up and the more
    # traffic will be available as the basis for alerts and analysis.
    # See: https://go.nzyme.org/network-monitoring
    802_11_monitors: [
      {
        # The 802.11/WiFi adapter name. (from `ifconfig` or `ip link`)
        device: wlan0
    
        # WiFi interface and 802.11 channels to use. Nzyme will cycle your network adapters through these channels.
        # Consider local legal requirements and regulations.
        # See also: https://en.wikipedia.org/wiki/List_of_WLAN_channels
        channels: [7]
    
        # There is no way for nzyme to configure your wifi interface directly. We are using direct operating system commands to
        # configure the adapter. Examples for Linux are in the documentation.
        channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"
    
        # Channel hop interval in seconds. Leave at default if you don't know what this is.
        channel_hop_interval: 1
      }
    ]
    
    # A list of all your 802.11/WiFi networks. This will be used for automatic alerting.
    # It is recommended to leave this empty or on default at first start of nzyme and
    # then build it using the data nzyme shows in the web interface. For example, the
    # "security" and "fingerprints" strings can be copied from the web interface.
    802_11_networks: [
      {
        ssid: mywifinetwork
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "f0:9f:c2:dd:18:f6",
            fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
          }
        ]
      }
    ]
    
    # List of enabled 802.11/WiFi alert types. Remove or comment out (#) an alert type to mute it. TODO ADD DOCS LINK
    802_11_alerts: [
      unexpected_bssid
      unexpected_ssid
      crypto_change
      unexpected_channel
      unexpected_fingerprint
      beacon_rate_anomaly
      multiple_signal_tracks
      pwnagotchi_advertisement
      bandit_contact
    ]
    
    # Optional: Traps to set up. See: https://go.nzyme.org/deception-and-traps
    802_11_traps: []
    
    # Optional: A device to communicate with nzyme trackers, used to track down physical location of bandits. Please read
    # more in the documentation. See: https://go.nzyme.org/bandits-and-trackers
    groundstation_device: {}
    
    opened by PawelGluszek 28
  • Multiple AP with the same SSID and WPA2/3 mixmode returns undesired alerts.

    Observation.

    Clients are able to choose WPA3 or WPA2 (mixed mode) on the 5.5 SSID, but this results in many CRYPTO_CHANGE_BEACON alerts.
    Using the same SSID with a different MAC results in many UNEXPECTED_SSID_BEACON alerts.
    Using a different MAC on the same SSID results in many UNEXPECTED_BSSID_BEACON alerts.

    AP1
      radio 1  SSID Network23    2.4  WPA2-PSK-CCMP                                  c4:41:1e:f8:9b:9c
      radio 1  SSID Network23_W  2.4  WPA2-PSK-CCMP                                  c4:41:1e:f8:9b:9c
      radio 2  SSID Network23    5.5  WPA2-PSK-CCMP and WPA3-PSK-PSKSHA256-SAE-CCMP  c4:41:1e:f8:9b:9d
    AP2
      radio 1  SSID Network23    2.4  WPA2-PSK-CCMP                                  c4:41:1e:f5:36:44
      radio 1  SSID Network23_W  2.4  WPA2-PSK-CCMP                                  c4:41:1e:f5:36:44
      radio 2  SSID Network23    5.5  WPA2-PSK-CCMP and WPA3-PSK-PSKSHA256-SAE-CCMP  C4:41:1E:F5:36:45

    UNEXPECTED_BSSID_BEACON
    SSID [Network23_W] was advertised with beacon frame by unexpected BSSID [c6:41:1e:f8:9b:9c]
    True, it can also be c4:41:1e:f5:36:44.

    CRYPTO_CHANGE_BEACON
    SSID [Network23] was advertised with unexpected security settings [WPA2-PSK-CCMP]
    SSID [Network23] was advertised with unexpected security settings [WPA3-PSK-PSKSHA256-SAE-CCMP]
    True, it can be both on 2.4 and 5.5 with the same SSID.

    Most interesting bits from nzyme.conf

      {
        ssid: Network23
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140]
        security: [
                   WPA2-PSK-CCMP 
                   WPA3-AES-CCMP
                  ]
        beacon_rate: 40
        bssids: [
          {
            address: "c4:41:1e:f5:36:44" 
            fingerprints: [ 
              4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19
              ]
          }       
          {
            address: "c4:41:1e:f5:36:45" 
            fingerprints: [ 
              775ebfd7baea1ac1d72dca2e6b71c28f91ed12893ef41ebf8babfa4a2809ab92
              ]
          }       
          {
            address: "c4:41:1e:f8:9b:9c"
            fingerprints: [ 
              4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19 
              ]
          }
          {
            address: "c4:41:1e:f8:9b:9d"
            fingerprints: [ 
              775ebfd7baea1ac1d72dca2e6b71c28f91ed12893ef41ebf8babfa4a2809ab92
              ]
          }
        ]
      }
      {
        ssid: Network23_W
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "c6:41:1e:f5:36:44"
            fingerprints: [ 
              4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19 
              ]
          }
          {
            address: "c4:41:1e:f8:9b:9c"
            fingerprints: [ 
              4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19
              ]
          }
        ]
      }
    ]
    

    In the UI the security settings are presented like this.

    network23_WPA3

    opened by RobertWi 11
  • Slash in SSID breaks the network details URL

    Clicking on the network details link for a network with a / in its SSID results in a 404 error. Replacing the slash in the url with the encoded form %2F results in the expected page being displayed.

    I haven't tested with any other non-alphanumeric characters, but I'm sure there are plenty of other l33t h4xors like me out there who put stupid symbols in their SSIDs...

    bug javascript 
    opened by samuelkf 11
  • Trap PROBE_REQUEST_1 cannot write to STDERR

    Dear community, hi Lennart,

    with version 1.1.0 I'm getting this error when I try to set up a trap:

    10:35:41.932 [main] INFO horse.wtf.nzyme.NzymeLeaderImpl - Started web interface and REST API at [http://10.10.1.33:22900/]. Access it at: [http://10.10.1.33:22900/]
    10:35:41.955 [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Commencing 802.11 frame processing on [wlan1] ... (⌐■_■)–︻╦╤─ – – pew pew
    10:35:42.023 [main] INFO horse.wtf.nzyme.NzymeLeaderImpl - Registering frame interceptors of [horse.wtf.nzyme.dot11.deception.traps.ProbeRequestTrap].
    10:35:43.370 [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Building PCAP handle on interface [wlan1]
    10:35:44.426 [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - PCAP handle for [broad-monitor-wlan1] acquired. Cycling through channels <1,2,3,4,5,6,7,8,9,10,11>.
    10:35:47.034 [probe-loop-1] INFO horse.wtf.nzyme.dot11.probes.Dot11SenderProbe - PCAP handle for [trap-sender-wlan2-PROBE_REQUEST_1] acquired. Cycling through channels <11>.
    10:35:51.279 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Bluff [horse.wtf.nzyme.dot11.deception.bluffs.ProbeRequest]: Invoked command {/usr/bin/python3.7 /tmp/nzyme_ProbeRequest --interface wlan2 --ssid tmobile --mac B4:8B:19:A6:54:D9}.
    10:35:51.280 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - Bluff [horse.wtf.nzyme.dot11.deception.bluffs.ProbeRequest]: 6 lines written to STDERR:
    10:35:51.281 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR: Unable to init server: Could not connect: Connection refused
    10:35:51.282 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR: Unable to init server: Verbindung ist gescheitert: Connection refused
    10:35:51.283 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR:
    10:35:51.284 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR: (nzyme_ProbeRequest:6806): Gdk-CRITICAL **: 10:35:49.433: gdk_cursor_new_for_display: assertion 'GDK_IS_DISPLAY (display)' failed
    10:35:51.285 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR:
    10:35:51.286 [probe-loop-1] INFO horse.wtf.nzyme.dot11.deception.bluffs.Bluff - STDERR: (nzyme_ProbeRequest:6806): Gdk-CRITICAL **: 10:35:49.439: gdk_cursor_new_for_display: assertion 'GDK_IS_DISPLAY (display)' failed
    10:35:51.288 [probe-loop-1] ERROR horse.wtf.nzyme.dot11.deception.traps.ProbeRequestTrap - Could not set ProbeRequestTrap for SSID [tmobile].
    horse.wtf.nzyme.dot11.deception.bluffs.Bluff$BluffExecutionException: STDERR is not empty.
        at horse.wtf.nzyme.dot11.deception.bluffs.Bluff.execute(Bluff.java:99) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.dot11.deception.traps.ProbeRequestTrap.doRun(ProbeRequestTrap.java:84) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.dot11.deception.traps.Trap.run(Trap.java:75) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.dot11.probes.Dot11SenderProbe.lambda$loop$0(Dot11SenderProbe.java:118) ~[nzyme-1.1.0.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:829) [?:?]

    Any hints? Regards

    JD.

    opened by JohnDoeIsKIng 9
  • ALFA AWUS036ACH throws error when Nzyme starts.

    When trying to use the ALFA AWUS036ACH on a Raspberry Pi 3 B with Nzyme I am getting errors. I am opening an issue because README states that this device has been proven with Nzyme.

    The Raspberry Pi did not recognize the AWUS036ACH on initial plug-in, so I found a post on the raspberrypi forums where someone had made a wifi driver tool, found here: https://www.raspberrypi.org/forums/viewtopic.php?p=1210087#p1210087

    Here is the error that was generated by Nzyme:

    13:50:49.030 [main] INFO horse.wtf.nzyme.Nzyme - Building PCAP handle on interface [wlx00c0ca964d63]
    13:50:49.075 [main] ERROR horse.wtf.nzyme.Main - Boot error.
    horse.wtf.nzyme.NzymeInitializationException: Could not build PCAP handle.
        at horse.wtf.nzyme.NzymeImpl.<init>(NzymeImpl.java:128) ~[nzyme-0.2-SNAPSHOT.jar:?]
        at horse.wtf.nzyme.Main.main(Main.java:100) [nzyme-0.2-SNAPSHOT.jar:?]
    Caused by: org.pcap4j.core.PcapNativeException: wlx00c0ca964d63: SIOCGIWPRIV: Argument list too long
        at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:166) ~[nzyme-0.2-SNAPSHOT.jar:?]
        at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:47) ~[nzyme-0.2-SNAPSHOT.jar:?]
        at org.pcap4j.core.PcapHandle$Builder.build(PcapHandle.java:1671) ~[nzyme-0.2-SNAPSHOT.jar:?]
        at horse.wtf.nzyme.NzymeImpl.<init>(NzymeImpl.java:122) ~[nzyme-0.2-SNAPSHOT.jar:?]
        ... 1 more
    13:50:49.091 [shutdown-hook] INFO horse.wtf.nzyme.Main - Shutting down.

    I have Nzyme successfully running with an ALFA AWUS036NH (also listed in the README), but this device is only 2.4 GHz (the README states that it is 2.4/5 GHz, which is wrong) and I want to include 5 GHz, hence the ALFA AWUS036ACH.

    opened by prasket 9
  • Fingerprint is not recognized

    Hello,

    I'm getting the following alert:

    
    SSID [myipng] was advertised by a device with unexpected fingerprint [278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff]
    First seen:
    2021-09-19T13:25:48+02:00 (32 minutes ago)
    Last seen:
    2021-09-19T13:27:29+02:00 (31 minutes ago)
    
    Meta Information
    
    bssid
    fc:ec:da:4f:81:01 
    ssid
    myipng 
    bandit_fingerprint
    278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff 
    channel
     44 
    frequency
    5220 
    antenna_signal
    -62 
    
    Frames
    2
    Subsystem
    DOT_11
    Alert Type ID
    UNEXPECTED_FINGERPRINT_BEACON
    

    The nzyme.conf looks like that:

    802_11_networks: [
      {
        ssid: myipng
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "fc:ec:da:4f:f1:12"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
           ]
          }
          {
            address: "fc:ec:da:4f:f1:13"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
           ]
          }
          {
            address: "fc:ec:da:4f:81:00"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
          {
            address: "fc:ec:da:4f:81:01"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
        ]
      }
    {
        ssid: myipng_guest
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "fe:ec:da:1f:f1:12"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
          {
            address: "fc:ec:da:1f:f1:13"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
         {
            address: "fe:ec:da:1f:81:00"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
          {
            address: "fe:ec:da:1f:81:01"
            fingerprints: [
              0d7a011b357b7b9fa4346f92107aafbcb33c611fdfafc1c91526fcf4b2d67f7f
              1ca4cbab1ed76b3d19065ba8776fa98c5f436f2ad8b9d804d17b59bdd95db22b
              278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff
              3d16696d1adb775745422a7d63f2a847d6599d3605c3af3d022d4ba09b0c8c3d
              4db22a8f5b77336956b8af0fccd30b72cf660904d3ef058d0691bea3dda06b60
              633c97332d33c7d3c8e4ed59d628f8a95364c8482ca651174849cbc159935657
              6dd6b742ebb05073b5ec6f04d763e28b14d1fa2f62198a802d209bdac84d1367
              74f990206b3b3e39622947c5a4b24ed2406061e3e2d85f211ddce3a47c294c51
              90b303404d1bb7dfcc73095655f6f9822dcbc2ac04eb61004c41d660ac838cf4
              a9916fe621b95ef512c75884ee1f0714de39f52ac8e54abd0c397c344d071e1d
              aac6df6031b4318dc091184362af6e04865009ccdffd85b1d92db3ce56f6a6a6
              c3e7bb86fdafcf0c3856f6bf7450a1c86cebca227f9507a243db03155f11c8b8
              e4691ca420980a11d10c3d25f40dcecb1a99519a5e45c7ff83bb2daccc8d7c4d
              faf5c66307132df81ef3b5568161d7250d2baee004297e03d3c1d351d89211c9
            ]
          }
        ]
      }
    ]
    
    

    The fingerprint "278f6b642a0f9176047f833a503c8387f036e53fd5b150bcb7248d4f21ff06ff" on myipng with fc:ec:da:4f:81:01 is correctly defined (?).

    Does somebody see the problem, or is something wrong with the parsing of the nzyme.conf?

    Something else I see: when I click on the link from the BSSID in Alerts, I see only 1 or 2 fingerprints and not all 14?!

    Thanks

    opened by crs369 8
  • Add parsing for WPA3 crypto type

    I turned on mixed WPA2/WPA3 mode on my access points for giggles and ended up with the following alert:

    META INFORMATION
    ssid
    <SNIP>
    bssid
    <SNIP>
    encountered_security
    WPA2-PSK-UNKNOWN-CCMP
    channel
    11
    frequency
    2462
    antenna_signal
    -47
    
    Frames
    7,633
    Subsystem
    DOT_11
    Alert Type ID
    CRYPTO_CHANGE_PROBERESP
    

    It looks like there's no enumeration for WPA3 crypto types available. Any chance this could be added?

    opened by andrewbeard 8
  • Configure WPA3+WPA2 security with only one SSID

    My Fritz!Box wifi access point is configured with WPA3+WPA2 security, as recommended. In the nzyme network view I see the same SSID twice, with different BSSIDs and different security settings. The different BSSIDs and fingerprints can be handled in the nzyme config's 802_11_networks section, and I tried to write the two security settings as an array after "security", which is syntactically obviously not wrong. But the security is not assigned to the fitting address, and that's why I get CRYPTO_CHANGE_PROBERESP and CRYPTO_CHANGE_BEACON alerts, because I have WPA3- and also WPA2-connected devices.

    opened by tzepter 6
  • Armbian 21.08.2 Bullseye Could not initialize probe

    Hello, the TL-WN722N works fine with aircrack-ng on this orangepi plus 2e.

    I already tried this:

    setcap cap_net_raw,cap_net_admin=eip /usr/lib/jvm/java-11-openjdk-armhf/bin/java
    setcap cap_net_raw,cap_net_admin=eip /usr/bin/python3.9

    The interface is not managed by the NetworkManager. NetworkManager.conf:

    [main]
    dns=default
    rc-manager=file
    plugins=ifupdown,keyfile

    [keyfile]
    unmanaged-devices=mac:f4:f2:xx:xx:xx:xx

    [ifupdown]
    managed=true

    nzyme.log:

    [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Commencing 802.11 frame processing on [wlxxxxxxx] ... (⌐■_■)–︻╦╤─ – – pew pew
    [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Building PCAP handle on interface [wlxxxxxxx]
    [probe-loop-0] ERROR horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Could not initialize probe [broad-monitor-wlxxxxxxx]. Retrying soon.
    horse.wtf.nzyme.dot11.probes.Dot11ProbeInitializationException: Could not build PCAP handle.
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.initialize(Dot11MonitorProbe.java:122) ~[nzyme-1.1.1.jar:?]
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.lambda$loop$0(Dot11MonitorProbe.java:136) ~[nzyme-1.1.1.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:829) [?:?]
    Caused by: org.pcap4j.core.PcapNativeException: That device doesn't support monitor mode

    Any ideas? Thanks MoHorst

    opened by MoHorst 6
  • Can't run after installation - debian9

    Can't run after installation - debian9

    Hello, I've tried on multiple systems and can't run nzyme. What I can see in the log file (tail -f /var/log/nzyme/nzyme.log):

    21:45:40.819 [main] ERROR horse.wtf.nzyme.Main - Invalid configuration. Please refer to the example configuration file or documentation.
    horse.wtf.nzyme.configuration.InvalidConfigurationException: Parameter [general.python.path] does not point to an executable file: /usr/bin/python3.8
        at horse.wtf.nzyme.configuration.leader.LeaderConfigurationLoader.validate(LeaderConfigurationLoader.java:448) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.configuration.leader.LeaderConfigurationLoader.<init>(LeaderConfigurationLoader.java:78) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.Main.main(Main.java:84) [nzyme-1.1.0.jar:?]

    I've found that it was about python path - changing to /usr/bin/python3.5 solved initial point.

    Now what I can see in the log file is:

    probe-loop-0] ERROR horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - org.pcap4j.core.PcapNativeException: Error occurred in pcap_next_ex(): The interface went down
    22:32:11.176 [channel-hopper-0] FATAL horse.wtf.nzyme.channels.ChannelHopper - Could not configure interface [wlo1] to use channel <6>. Return code <250>, STDERR: [Error for wireless request "Set Frequency" (8B04) : SET failed on device wlo1 ; Device or resource busy.]
    22:32:11.586 [probe-loop-0] INFO horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Building PCAP handle on interface [wlo1]
    22:32:11.675 [probe-loop-0] ERROR horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe - Could not initialize probe [broad-monitor-wlo1]. Retrying soon.
    horse.wtf.nzyme.dot11.probes.Dot11ProbeInitializationException: Could not build PCAP handle.
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.initialize(Dot11MonitorProbe.java:122) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.lambda$loop$0(Dot11MonitorProbe.java:136) ~[nzyme-1.1.0.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:834) [?:?]
    Caused by: org.pcap4j.core.PcapNativeException: That device doesn't support monitor mode
        at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:166) ~[nzyme-1.1.0.jar:?]
        at org.pcap4j.core.PcapHandle.<init>(PcapHandle.java:45) ~[nzyme-1.1.0.jar:?]
        at org.pcap4j.core.PcapHandle$Builder.build(PcapHandle.java:1529) ~[nzyme-1.1.0.jar:?]
        at horse.wtf.nzyme.dot11.probes.Dot11MonitorProbe.initialize(Dot11MonitorProbe.java:116) ~[nzyme-1.1.0.jar:?]
        ... 6 more

    And it is displayed in red image

    opened by nemapl 6
  • Graylog webserver error

    Graylog webserver error

    So I set up everything as you had described, using an Alfa AWUS036H WiFi adapter. My Graylog is receiving messages from the GELF TCP input, but when I view the messages it gives me this error: Loading field information failed with status: cannot get http://127.0.0.1:9000/api/system/fields (500). Kindly help, I am new to using Graylog. I looked for solutions and I haven't found one. Could you kindly guide me on how you really configured your Graylog webserver plus the lookup tables? Should I follow every single step from the documentation?

    opened by iAmG-r00t 6
  • DNS Support: Detection

    DNS Support: Detection

    (Split out of #738)

    Once the alerting engine is ready, build DNS detection:

    • [ ] Requests/Responses for bandits
    • [ ] DNS to/from internet server
    • [ ] Multiple questions/responses in single query/response
    • [ ] Anomaly detection
    • [ ] Domain name with similarity to monitored words (leave out TLD in detection, iterate over all other parts) (T1583.001)
    • [ ] Detect Fast Flux DNS (T1568.001)
    java javascript detection feature needs-definition rust 
    opened by lennartkoopmann 0
  • Configure and make use of eslint

    Configure and make use of eslint

    • [x] Configure eslint properly
      • [x] Confirm that it can find unused components with current config
      • [x] It does not. Use unimported: https://github.com/smeijer/unimported
    • [x] Remove unnecessary rules
    • [x] Fix findings
    • [x] Fix unimported findings
    • [x] Run in CI builds
      • [x] eslint
      • [x] unimported
    infra javascript 
    opened by lennartkoopmann 0
Releases(untagged-470f5c3bcb1666af2926)
  • untagged-470f5c3bcb1666af2926(Jun 24, 2018)

    Changes

    • Nzyme is now checking for the latest stable release and warns you if you are running an outdated version.
    • Several README fixes and improvements since v0.2.0

    Use of the DEB package for Raspberry Pi/Raspbian or other Debian based distributions is strongly encouraged. Use the JAR file for local testing. Protip: The DEB package also works well on Kali Linux.

    Source code(tar.gz)
    Source code(zip)
    nzyme-0.2.1.deb(10.03 MB)
    nzyme-0.2.1.jar(11.14 MB)
  • 0.2(Oct 1, 2017)

    Changes

    • Added new tested and supported WiFi adapters to README.
    • New CLI parameter for easier frame debugging. (--packet-info)
    • Deauthentication and Disassociation reason parsing now working on all platforms.
    • Now reporting the name of the network interface (for example, wlan0) that received the frame in every Graylog message.

    Use of the DEB package for Raspberry Pi/Raspbian or other Debian based distributions is strongly encouraged. Use the JAR file for local testing. Protip: The DEB package also works well on Kali Linux.

    Source code(tar.gz)
    Source code(zip)
    nzyme-0.2.deb(7.66 MB)
    nzyme-0.2.jar(8.51 MB)
  • 0.1(Sep 23, 2017)

Owner
Lennart Koopmann
Started @Graylog2, doing this and that.