Turning a cheap ESP32 board into a Hacker Arsenal’s WiNX Portable clone.
All of us have heard about or used Hacker Gadgets like the WiFi Pineapple, PoisonTap, Rubber Ducky, Minipwner, Pwn Plug, ESPdeauther, etc. These small devices are great to use for penetration testing engagements, security awareness demos, social engineering tasks or just explaining security implications in a fun way to non-security professionals! but what does it take to build one? In this article, we will teach you how to build one of these devices: a $59 WiNX Portable Clone for less than $15 from scratch.
The WiNX Portable is the lasted addition to the pentester or hacker toolbox. The creation of famous hacker Vivek Ramachandran and is sold in his Hacker Arsenal store at $59 before it was sold-out. The WiNX and WiNX Portable are multi-purpose Wi-Fi attack-defense platform which can be used for several scenarios based on the firmware on the device (WiFi Honeypot, Captive Portal, WiFi Sniffer, Wifi Scanner and more).
One of the first things I noticed while reading through their shop was that the hardware was identical to the $15 WeMos WiFi + Bluetooth Battery ESP32 Development Tool I have lying around. The ESP32 is a WiFi capable Arduino compatible CPU, like the ESP8266, but runs a dual core that also supports Bluetooth and more GPIO. The WeMos Development board includes a dual power option: 18650 lithium battery or from MicroUSB power/charging port.
Taking a look at the download section in hacker arsenal, I see that firmware files are available and include instructions for using the ESP32 python serial port flasher.
- Honeypots, Captive Portals, and Deception
- Wi-Fi Sniffer
- Custom Captive Portals
The Wemos module contains a CP2102 serial adapter that is automatically recognized. So why not give it a try?
python esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_freq 80m --flash_mode dio --flash_size 4MB 0x1000 bootloader.bin 0x8000 WiNX-Deception.ino.partitions.bin 0xe000 boot_WiNX-Deception.bin 0x10000 WiNX-Deception.ino.bin
It works! Updating the firmware is as simple as uploading the WiNX firmware files using the above commands. Once you do it is as simple as logging in via serial terminal and setting it up WiNX. After loading the deception firmware and power cycle I can see a new wifi SSID “Internet” where whatever the page that I visit invites to enter my user and password.
Although the scanner and sniffer firmwares also are interesting, they require a always-connected PC. Where our WiNX clone really shines is as a captive offensive portal. It allows to display several predefined login pages or to load our own custom html. The credentials are internally recorded and can then be extracted via serial port. The settings and data are persistent and retained across reboots. This allows the device to run on 18650 battery or USB powerbank for days while collecting data. With such a small price and battery life multiple of these devices can be dropped into the target area waiting for a victim.
In addition, our board can be used as an standard ESP32 development kit, taking advantage of its WiFi and BLE capabilities for example to create an ibeacon emulator.