Setting up Nzyme
A couple months ago I was at a talk when I learned about a piece of software that is common in home labs. I listened to a talk by Vodkanaut and he demoed Nzyme and it looked quite interesting, so I spent some time setting up the project as well.
The project in short is a forensic piece of software for WiFi networks. It can log frames and compare to signatures and patterns to provide a constant source of updates of the state of your wireless network. It was built by Lennart Koopmann who was the name behind Graylog2.
The documentation on the project website guides you through the installation and you can follow that without an issue. So I decided to buy a new Raspberry Pi 4 and a Panda Wireless PAU09 N600 - this is one of the devices that is recommended as being able to support monitor mode and working with the project.
One thing I encountered that I highly recommend doing is setting up predictable interface names. As described, this moves things like
wlan0 to something consistent for that device like
wlp1s0u1u2. This helps so you can ensure you are talking to the right adapter that supports monitor mode vs the inline wireless that is common on most Pi's.
wlan0 IEEE 802.11 ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=31 dBm Retry short limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:on wlp1s0u1u2 IEEE 802.11 Mode:Monitor Frequency:2.484 GHz Tx-Power=20 dBm Retry short long limit:2 RTS thr:off Fragment thr:off Power Management:off
As the documentation suggests, you may run into some problems having
libpcap automatically configure monitor mode like I did. This means I manually configured my device to keep it in monitor mode, then told nzyme to not worry about it.
So knowing that the automatic configuration of
libpcap wasn't quite working, I leveraged a network config file at the system level and then set
skip_enable_monitor above to
root@raspberrypi:/home/pi# cat /etc/network/interfaces.d/wlp1s0u1u2 auto wlp1s0u1u2 iface wlp1s0u1u2 inet manual wireless-mode monitor
These changes paired together got my external adapter in monitor mode, surviving reboots and booting up with nzyme successfully.
So now it was time to setup a nightly email to send me a report of my network.
So I get a cool email that shows me:
- Alert count
- Health check
- Status of all networks seen in past 24 hours
- Any new networks
- Any new alert/tracker detected
Now nzyme even shines when you decide to monitor a network, so I monitor my home network (
This is probably more paranoia than anything, but I can really see into my network to see if anyone else is attempting to deauth me and/or replicate my network with a spoofed one.
On top of specifically monitoring a network - I can globally listen to a growing list of signatures that recognize unique devices. This would basically be devices built by HAK5 or a Pwnagotchi.
So I turned on my Pwnagotchi and waited a few moments until it popped up as an active alert (
PWNAGOTCHI_ADVERTISEMENT) in nzyme.
So now I have a cool little peace of mind if anyone is trying some clever network attacks near my home network.
The project is open source and looks to be growing with a new major UI refresh designed as "2.0.0". The current version I'm running is 1.2.2 so I'm excited to see what a refreshed interface looks like.