WiFi Fingerprinting

Introduction

The nzyme routines generate a unique fingerprint for each device that advertises a WiFi network. Such a fingerprint might appear as follows:

ec398735dc99267d453908d81bfe06ce04cfa2573d0b9edf1d940f0dbf850a9c

In practice, devices built on the same hardware and running the same general configuration can be expected to share a fingerprint. For example, if you operate ten Ubiquiti access points of the same model with the same configuration, they should all show the same fingerprint in nzyme.

However, if someone attempts to spoof your network using different hardware (a likely scenario), the fingerprint will differ, regardless of how effectively beacon rate, BSSID, channels, and other attributes have been spoofed.

How are fingerprints calculated?

The two frame types used to advertise WiFi networks (beacon and probe-response) carry information in a Tagged Parameters map. This information aids clients intending to connect to such a network by providing details such as the channels the network operates on, supported transfer rates, and available encryption.

The specifics within the Tagged Parameters can vary significantly depending on the hardware/chipset used and the access point configuration.

Nzyme extracts information from the Tagged Parameters that remains consistent during the operation of a wireless network and constructs a fingerprint using this data. It's important to note that a fingerprint might change if there are hardware replacements or alterations in the access point configuration.
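To make the mechanism concrete, here is an added Python illustration that is not nzyme's own code: it walks the Tagged Parameters (ID, length, value) of a constructed beacon body, keeps only an assumed set of stable elements, and hashes them with SHA-256. The set of element IDs, the sample elements and the frame bodies are assumptions made for this example; nzyme's actual selection is not documented on this page.

```python
import hashlib

# Element IDs this example treats as stable hardware/configuration attributes.
# ASSUMPTION for illustration only: the set nzyme really hashes is not given here.
STABLE_TAGS = {1, 45, 48, 50, 221}   # rates, HT caps, RSN, ext rates, vendor-specific
# Volatile or trivially copied elements are deliberately left out, e.g.
# 0 = SSID, 3 = DS parameter set (channel), 5 = TIM (changes every beacon).

def parse_tagged_parameters(tagged: bytes) -> list:
    """Walk the TLV Tagged Parameters of a beacon or probe-response body.
    `tagged` begins after the 12-byte fixed fields (timestamp, interval, caps)."""
    elements, i = [], 0
    while i + 2 <= len(tagged):
        tag_id, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2 : i + 2 + length]
        if len(value) != length:            # truncated element: treat frame as malformed
            raise ValueError("truncated tagged parameter at offset %d" % i)
        elements.append((tag_id, value))
        i += 2 + length
    return elements

def fingerprint(tagged: bytes) -> str:
    """SHA-256 over the stable elements, in the order the transmitter emits them.
    Element order is itself a chipset characteristic, so it is not sorted away."""
    h = hashlib.sha256()
    for tag_id, value in parse_tagged_parameters(tagged):
        if tag_id in STABLE_TAGS:
            h.update(bytes([tag_id, len(value)]) + value)
    return h.hexdigest()

def element(tag_id: int, value: bytes) -> bytes:
    return bytes([tag_id, len(value)]) + value

# Constructed sample elements (not captured traffic).
RATES_BG = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # 1-18 Mbit/s, b/g
RATES_G_ONLY = bytes([0x8C, 0x12, 0x98, 0x24])                      # 6/9/12/18 Mbit/s
EXT_RATES = bytes([0x30, 0x48, 0x60, 0x6C])                          # 24-54 Mbit/s
RSN_WPA2 = bytes.fromhex("0100000fac040100000fac040100000fac020000")  # CCMP / PSK

def build_body(ssid: str, channel: int, tim_bitmap: bytes, rates: bytes) -> bytes:
    return (element(0, ssid.encode()) + element(1, rates) + element(3, bytes([channel]))
            + element(5, bytes([0, 1, 0]) + tim_bitmap) + element(50, EXT_RATES)
            + element(48, RSN_WPA2))

# Same hardware/configuration on two channels with different TIM state: same fingerprint.
ap_1 = build_body("YourNetwork", 6, b"\x01", RATES_BG)
ap_2 = build_body("YourNetwork", 11, b"\x80", RATES_BG)
# A different chipset advertising the same SSID and channel: different fingerprint.
spoofed = build_body("YourNetwork", 6, b"\x01", RATES_G_ONLY)

if __name__ == "__main__":
    print(fingerprint(ap_1) == fingerprint(ap_2), fingerprint(ap_1) != fingerprint(spoofed))
```

Running the block prints `True True`: the SSID, channel and TIM changes between `ap_1` and `ap_2` do not affect the fingerprint, while the different supported-rates element of `spoofed` does.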

Why can a transmitter have multiple fingerprints?

Despite nzyme selecting attributes of observed WiFi frames that are assumed not to change, some devices still modify them during operation. Any variation in the attributes used in the calculation leads to a different fingerprint.

While most devices are associated with a single fingerprint, some enterprise-grade devices may display two, and a few may even exhibit three or more.

A prevalent cause for multiple fingerprints is that some devices employ different attributes for beacon and probe-response frames.

Nzyme's network monitoring configurations are designed to handle these kinds of scenarios, enabling you to configure multiple fingerprints for each monitored BSSID.

Debugging fingerprints

Sometimes nzyme may record more than one or two fingerprints for a transmitter, rendering the fingerprint-based detection methods virtually unusable. You can enable fingerprint debugging to find out which frame parameters are causing the changes in fingerprints.

All you have to do is enable TRACE logging for the nzyme-tap process and grep the fingerprint debug output:

  1. Stop the nzyme-tap service, because the next step starts the tap process manually with the trace log level: sudo systemctl stop nzyme-tap
  2. Start nzyme-tap manually and pass the log level parameter: sudo nzyme-tap --configuration-file /etc/nzyme/nzyme-tap.conf --log-level trace | grep "Fingerprint debug:"
  3. The tap process will print all parameters used for each fingerprint generation to STDOUT. Reach out to the nzyme community channels if you are unsure how to use this information to debug.

Tip

You can also grep for an affected BSSID and/or SSID to reduce the generated output like this:

sudo nzyme-tap --configuration-file /etc/nzyme/nzyme-tap.conf --log-level trace | grep "Fingerprint debug:" | grep F6:E2:C6:35:3B:B9 | grep YourNetwork