This was originally posted on LinkedIn by Kyle Goode. In effort to get the blog section more populated I’ve reached out to some authors and asked if they’d be okay having their content put on this site. Kyle was gracious enough to let me grab his posts and highlight them here. Make sure to give him a follow on LinkedIn.
Nzyme is a unique open-source Wi-Fi security solution. I have been a user since its 1.0 version, and to this day, I haven’t come across another platform that focuses as effectively on Wi-Fi security. While most access points can detect rogue access points, few offer the same level of capability as Nzyme.
Nzyme introduces the concept of "bandits," which scan and alert on common Wi-Fi penetration testing tools such as the Pwnagotchi, Wi-Fi Pineapple, and Flipper Zero ESP32. These tools are uniquely fingerprinted by the platform. Owning any of these "bandits" makes it easy and efficient to develop and test alert rules in real time.
Currently, alerts are limited to SMTP and can be categorized into two types:
System-based alerts: Triggered if parts of the platform, such as taps, start failing.
Security-based alerts: Triggered when a bandit is detected in the environment, malicious deauthentication packets are transmitted, or rogue access points are detected.
The Nzyme platform consists of a PostgreSQL database, the core Nzyme platform (called the Nzyme node), and a Wi-Fi dongle (called a Nzyme tap). These components are primarily run on Debian- or Ubuntu-based systems. While Raspbian is often recommended, regular Debian works just as well. Taps are Ubuntu-only but are also compatible with Debian systems.
Evolution from 1.0 to 2.0
In the 1.0 version, Nzyme was fully integrated, running as a single service. With the 2.0 alpha versions, the architecture has evolved to support a multi-node setup. You can now run a single Nzyme node and deploy as many Nzyme taps as needed for comprehensive network coverage. These components are distributed as separate packages.
One exciting feature introduced in 2.0 is trilateration, which requires at least three taps on the same floor of a building. Trilateration allows you to pinpoint the location of rogue devices, such as bandits. This is particularly useful if a threat actor gains physical access to your building and places a malicious device in an inconspicuous location, a common technique used by penetration testers. The 1.0 version even provided guidance on building a handheld tracking device for bandits, though I wasn’t brave enough to attempt it at the time.
The 2.0 version also adds support for Ethernet monitoring. By using a span/mirror/tap port on a switch, you can monitor network activity, such as DNS tunneling, beaconing, and remote connections like SSH. While I typically rely on Suricata with Snort rules and Zeek with RITA for comprehensive network monitoring, Nzyme’s Ethernet capability provides a simpler configuration and adds redundancy. Additionally, ARP analysis appears to be a planned feature in future versions.
System Monitoring and API Integration
Nzyme allows you to create monitored networks for your environment. As I’ve mentioned in a previous article, I’m a big fan of Prometheus for system monitoring and metric gathering. Nzyme offers a native exporter for Prometheus, making it easy to integrate into existing monitoring solutions.
Nzyme has also introduced Nzyme Connect, an API for obtaining GeoIP, MAC address OUI, and vendor information. Additionally, it offers Bluetooth device discovery. Although this feature is still in its early stages, I’m excited to connect it with my Ubertooth to explore its capabilities further. Nzyme Connect also serves as a SaaS platform for monitoring your Nzyme nodes and taps, with enterprise support now available. For added convenience, prebuilt Wi-Fi kits are offered, eliminating the need for manual configuration.
Future Features and Wishlist
I am eagerly anticipating the stable release of Nzyme 2.0 and the additional features that will come with it. One feature I hope to see in the future is webhook integrations with popular messaging apps like Slack and Teams. This would streamline alerting and incident response for security teams.
Nzyme continues to solidify its position as a versatile and powerful Wi-Fi security solution. Whether you're a security professional, penetration tester, or simply someone concerned about wireless security, Nzyme offers tools to protect your environment against rogue devices and malicious activities. I’m excited to see where this platform goes next.