Here comes the next alpha release of the nzyme v2.0.0 series: alpha.14. We have added new features, kicked off the first stage of the Ethernet functionality and introduced an experimental Bluetooth subsystem.
Changelog
- New Feature: SSH session detection
- New Feature: SOCKS tunnel detection
- New Feature: DNS overview page, entropy outlier log and transaction log, including filtering and searching
- New Feature: Introducing nzyme Connect for GeoIP, OUI and Bluetooth SIG data supply
- New Feature: Detection of WiFi/802.11 randomized MAC addresses
- New Feature: Detection of O.MG Cables (802.11/WiFi)
- New Feature: Experimental Bluetooth Subsystem
- Improvement: 802.1Q (VLANs) support
- Improvement: GeoIP integration for most parts of existing Ethernet subsystem
- Improvement: Improved web interface speed and drastically reduced background polling
- Improvement: Mass-selection of alerts in alerts table
- Many other bugfixes and improvements
Important: You are witnessing the first steps into our Ethernet subsystem. Many parts of it are not interconnected very well, it is missing many analysis features and an entire alerting engine. However, we invite you to start using it. Future versions will build on top, and you will not need to start over after installing future releases.
Please take the time and read this blog post. It gives you very important context around all the new functionality and about what to expect next.
New Feature: SSH session and SOCKS tunnel detection
Building on top of the existing TCP session reassembly logic, nzyme can now detect SSH sessions and SOCKS tunnels. This is done using deep packet inspection, does not require decryption and works without any additional configuration.
All detected SSH sessions and SOCKS tunnels appear in the nzyme web interface and deep link back to their underlying TCP sessions.
Note that the analysis and filtering functionality is still extremely limited. We are adding support for additional Tunnel and Remote Access protocols like RDP, VNC, OpenVPN, Wireguard and others in the future.
Head over to the nzyme Ethernet documentation to learn more and get started.
New Feature: DNS Overview Page, Entropy Outlier Log and Transaction Log
The DNS parser of nzyme has been around for a while, but now the web interface caught up and lets you analyze the collected DNS data more. The functionality you see on the DNS pages is far from complete, but should give you an indication of where other Ethernet features are headed.
DNS Entropy Outlier Log
By analyzing the entropy of DNS queries and responses, nzyme can identify outliers—those with unusually high entropy values. These outliers may suggest that the DNS traffic is being used for purposes other than standard domain name resolution, such as tunneling.
Each nzyme tap is keeping a rolling window of average entropy and calculates a z-score to detect outliers. Those outliers are presented on the DNS overview page of your nzyme web interface.
DNS Transaction Log
The transaction log lists all recorded DNS queries and their respective responses. The new filter UI lets you drill down to understand the data.
The same filter UI will be re-used for a lot of other Ethernet, WiFi and Bluetooth data sources in the future.
New Feature: Introducing nzyme Connect
Previously, nzyme connected to the IEEE servers to fetch MAC OUI information. On top of that, you were able to sign up for IPInfo.io and request an API key that nzyme could use to download their free GeoIP database.
However, we have no control over those APIs, potential changes to them, or rate limits. In fact, we started to put a significant burden on the IEEE servers.
Furthermore, some data, such as alert definitions (a coming Connect feature), must be readily available and cannot wait for the next packaged nzyme release.
Going forward, this data will be delivered from the new nzyme Connect APIs. You can sign up for nzyme Connect and get a single API key to receive the aforementioned data directly from us.
To learn more, visit the nzyme Connect website.
(We promise not to use your email address for anything except account-related communication like password resets. You are not ending up in some CRM and we will not bother you. Connect is supposed to make things easier and is not some kind of scheme to collect your information.)
New Feature: Detection of WiFi/802.11 randomized MAC addresses
Modern devices are now using MAC address randomization when they are not connected to a WiFi network and are searching for available networks in the vicinity. This technique is employed to enhance the privacy of the device owner.
Starting with this release, nzyme detects and marks randomized MAC addresses. The list of WiFi clients in range can be filtered to include or exclude such randomized addresses.
You can learn more about randomized MAC addresses in the nzyme Knowledge Base.
New Feature: Detection of O.MG Cables (802.11/WiFi)
This experimental new bandit signature detects the popular O.MG cables. Those cables look just like any other USB cable but are used to covertly deploy payloads on target computers.
Starting with this release, nzyme can detect the WiFi access point served by O.MG cables and plugs.
This is an experimental feature because, at this time, we are unsure about potential false-positives from similar chipsets. Please let us know if you run into any false-positives. We ran this detection across Las Vegas at BSides and DEF CON for an entire week and only encountered true-positives.
New Feature: Experimental Bluetooth Subsystem
This release also introduces the new experimental Bluetooth subsystem. At this time, the Bluetooth functionality in nzyme is only displaying discovered devices in range of your nzyme taps. The goal in this early state is to ensure that the underlying data collection engine works.
Nzyme does not yet perform any device interrogation, and presented details of discovered devices may be limited. The alerting and analysis functionality around Bluetooth devices is extremely limited as well.
The Bluetooth subsystem will work with any Bluetooth chipset supported by Linux. Most onboard chipsets and USB adapters should work fine. It should be noted that the Raspberry Pi 4 and 5 on-board Bluetooth chips appear to work perfectly.
Check out the nzmye Bluetooth documentation to get started.
What’s next?
We are going to let the new Ethernet functionality soak a little bit and will focus on finishing the WiFi functionality
in alpha.15
and alpha.16
. The goal is to be in a beta (feature-complete) state for WiFi/802.11 by then. My guess
is that this will take 4-6 weeks from here on out. After that, we will dial in on the Ethernet subsystem and bring
some improvements to the Bluetooth functionalities as well.
Download & Upgrading
All packages are available for download on the downloads page. Upgrading is easy. Please follow the release notes on the downloads page.
New installations should follow the installation documentation.
How can I help?
You are some of the first users to try out nzyme v2.0.0, and we are looking for any kind of feedback:
- What didn’t work, what bugs did you experience?
- What was confusing or seemingly unnecessarily complex?
- What is missing?
- What do you think should be changed?
Again, this is an early release and no feelings will be hurt.
You can file issues on GitHub, join the nzyme Discord or post in the discussion forums to provide your feedback or ask questions.