When you are performing penetration tests for your customers, you need to build your personal arsenal. Tools, pieces of hardware and software are collected here and there depending on your engagements to increase your toolbox. To perform Wireless intrusion tests, I’m a big fan of the WiFi Pineapple. I’ve one for years (model MK5). It’s not the very latest but it still does a good job. But, recently, after a discussion with a friend, I bought a new wireless toy: the WiNX!
The device is very small (3.5 x 3 CM) based on an ESP-WROOM32 module. It comes with a single interface: a micro USB port to get some power and provide the serial console. No need to have a TCP/IP stack or a browser to manage it, you can just connect it to any device that has a USB port and a terminal emulator (minicom, putty, screen, …). It could be not very user-friendly to some of you but I really like this! The best solution that I found until now is to use the Arduino IDE and its serial monitor tool. You can type your commands in the dedicated field and get the results in the main window:
The device can be flashed with different versions of the firmware that offer the following core features. You can use the WiNX as:
- a WiFi scanner
- a WiFi sniffer
- a WiFi honeypot
Of course, my preferred mode is the honeypot. If the firmware comes with default example of captive portals, it’s very easy to design your own. The only restrictions are the size of the HTML page (must be less than 150KB) and it must include all the components (CSS, images – Base64 encoded). The form may contain your own fields (ex: add a token, CAPTCHA, CC number, etc) and must just post to the “/”, the web server, to see all the fields logged on the internal storage.
Here is an example of a deceptive page that I made for testing purposes:
To use the device, you just need to plug it into a computer and it boots in a few seconds. Even better, you can use with a power bank and leave it in a discreet place! Cheap, small, easy to manage, I’d definitively recommend adding this gadget to your arsenal!