Nzyme 1.2.0, Wireless Attack Tracking Toolkit Available

Nzyme 1.2.0 has been released. It is a toolkit that monitors wireless network airspace in order to detect malicious activity, the deployment of rogue access points, unauthorized connections, and typical attacks. The project code is written in Java and distributed under the SSPL (Server Side Public License), which is based on AGPLv3, but is not open due to discriminatory requirements regarding the use of the product in cloud services.

Traffic is captured by switching the wireless adapter into monitor mode, in which it receives network frames in transit. Intercepted frames can be forwarded to Graylog for long-term storage in case the data is needed for analysis of incidents and malicious actions. For example, the program can detect the appearance of unauthorized access points, and if an attempt to compromise the wireless network is detected, it shows who was the target of the attack and which users were compromised.

The system can generate several types of alerts and supports various methods for detecting anomalous activity, including checking network components against fingerprint identifiers and setting up traps. Alerts are raised when the network structure is violated (for example, a previously unknown BSSID appears), when security-related network parameters change (for example, a change of encryption mode), when typical attack devices are detected (for example, WiFi Pineapple), when a trap is triggered, or when an abnormal change in behavior is detected (for example, individual frames arriving with an atypically weak signal level, or the packet arrival rate exceeding threshold values).
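The alert conditions described above can be sketched as checks of observed frames against a baseline of the networks you operate. This is an added example, not Nzyme's code or configuration format: the frame dictionaries, alert names, baseline values and deauthentication threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed baseline of monitored networks (hypothetical values).
EXPECTED = {"corp-wifi": {
    "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "security": {"WPA2-PSK-CCMP"},
    "min_signal_dbm": -70}}
DEAUTH_THRESHOLD = 20  # deauth frames per BSSID per capture window (assumed)

def check_beacon(frame):
    """Return the alert names raised by one observed beacon frame."""
    net = EXPECTED.get(frame["ssid"])
    if net is None:
        return ["UNKNOWN_SSID"]          # SSID never seen in the baseline
    alerts = []
    if frame["bssid"] not in net["bssids"]:
        alerts.append("UNEXPECTED_BSSID")     # network structure violated
    if frame["security"] not in net["security"]:
        alerts.append("UNEXPECTED_SECURITY")  # encryption mode changed
    if frame["signal_dbm"] < net["min_signal_dbm"]:
        alerts.append("WEAK_SIGNAL")          # atypically weak frame
    return alerts

def check_deauth_flood(frames, threshold=DEAUTH_THRESHOLD):
    """Return BSSIDs whose deauthentication frame count exceeds the threshold."""
    counts = Counter(f["bssid"] for f in frames if f["type"] == "deauth")
    return sorted(b for b, n in counts.items() if n > threshold)

def analyze(frames):
    """Run all checks over one capture window; return (alert, bssid) pairs."""
    alerts = []
    for f in frames:
        if f["type"] == "beacon":
            alerts += [(name, f["bssid"]) for name in check_beacon(f)]
    alerts += [("DEAUTH_FLOOD", b) for b in check_deauth_flood(frames)]
    return alerts

# Constructed sample capture window.
SAMPLE = [
    {"type": "beacon", "ssid": "corp-wifi", "bssid": "00:11:22:33:44:55",
     "security": "WPA2-PSK-CCMP", "signal_dbm": -52},
    {"type": "beacon", "ssid": "corp-wifi", "bssid": "02:aa:bb:cc:dd:ee",
     "security": "WPA2-PSK-CCMP", "signal_dbm": -48},
    {"type": "beacon", "ssid": "corp-wifi", "bssid": "00:11:22:33:44:56",
     "security": "NONE", "signal_dbm": -85},
    {"type": "beacon", "ssid": "Free WiFi", "bssid": "0a:00:00:00:00:01",
     "security": "NONE", "signal_dbm": -60},
] + [{"type": "deauth", "bssid": "00:11:22:33:44:55"}] * 25

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```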

In addition to analyzing malicious activity, the system can be used for general monitoring of wireless networks, as well as for physically locating the source of detected anomalies using trackers, which allow a malicious wireless device to be progressively identified based on its specific attributes and changes in signal level. Management is performed through the web interface.

In the new version:

  • Added support for generating and emailing reports on detected anomalies, recorded networks and general status.
  • Added support for warnings about detected attempts to block the operation of surveillance cameras through the mass sending of deauthentication packets.
  • Added support for warnings about previously unseen SSIDs.
  • Added support for warnings about failures in the monitoring system, for example, when the wireless adapter is disconnected from the computer running Nzyme.
  • Improved compatibility with WPA3 based networks.
  • Added the ability to set callback handlers to respond to a warning (for example, they can be used to write information about anomalies to a log file).
  • A resource inventory list has been added, which displays the parameters of the deployed networks that are being monitored.
  • An attacker's profile page has been added, providing information about the systems and access points with which the attacker interacted, as well as statistics about the signal strength and sent frames.

    Source: opennet.ru