Dan The IOT Man

Easily test Wireless security with the new WiNX Wi-Fi security platform. Scan & sniff wireless traffic, or use it as a fake Wi-Fi router/ captive portal to capture user credentials.

The WiNX is Hacker Arsenal’s latest hardware device for Ethical Hacking and Penetration Testing. The WiNX (and WiNX Portable) is a programmable device that currently has four modes of operation – Scanner, channel hopping Sniffer, Captive Portal and Custom Captive Portal. In this review article, we will take a look at WiNX’s functions and features.

Overview

The first thing that I noticed about the WiNX board that Hacker Arsenal provided to me for review was the compact size. The device is slightly larger than a quarter.

As mentioned the board needs to be programmed to perform any of its four functions, but it does come pre-programmed as a Scanner. When power is applied to the device, it automatically runs a scan, listing SSID, BSSID, channel, RSSI, HT20/40 and Authentication in use. To see this information, you need to connect to the device using a serial monitor program.

The WiNX acts as a USB to Serial bridge, so when you connect it to a USB port, it is configured as a serial COM port (usually COM3). Once your computer recognizes the device, you can then communicate to it with a serial interface program like Putty, or the Arduino Serial Monitor. You can also interface to it with the provided “helper” programs written in Python.

Installing and Usage

The Hacker Arsenal team has created thorough installing and usage documentation and videos, so I will not cover installing and setting up the device. Installing and using the device is covered in depth for Linux, Mac and Windows systems. My best advice is to read the material and watch the videos. They are very easy to follow and give you everything you need to know on setting up, programming and using the WiNX.

Once the device is connected to a USB port, and the computer recognizes it, you are ready to go. Kali Linux seemed to recognize the device out of the gate, though I did need to install device drivers for my Windows 10 system to see it correctly.

Drivers for all operating systems can be found at:

https://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers

Once the device is recognized the usage is the same across platforms:

• Connect to the device
• Program the desired function
• View the output

The WiNX comes pre-programmed with the Scanner function. We will look at that first, and then briefly discuss the other functions.

Scanner

As soon as power is applied through the USB port (or a USB battery pack) the device automatically begins scanning for Wi-Fi devices.

To see the output of the WiNX, simply connect to it using Putty.

• Set your Connection Type to Serial
• Serial Line to COM3
• And speed to 921600

As seen below:

When you click “Open” you will see the device output:

This is a great tool to see what devices are being used at your company.

The Scanner provides a nice display, but the Sniffer provides us with more information and a PCAP file that can be used in multiple ways.

Sniffer

To change to the Sniffer function, we will need to re-program the WiNX. This again is covered in detail in the documentation and videos, so I will only touch on it briefly.

• Download and extract the Sniffer software from the WiNX website
• Display the README.txt file
• From the README.txt file, copy the python command for your operation system

• Run the Python command to re-write the WiNX Firmware

This command runs very fast.

• Lastly, run the WiNX Sniffer helper command to create the output pcap file

In Kali Linux, the command is “./WiNX-Sniffer-Helper.py -p /dev/ttyUSB0 -f demo.pcap” as seen below:

You can then watch as the WiNX Sniffer hops channels and saves packets to the demo.pcap file:

WiNX automatically changes channels and records packets. Channel hopping happens every few seconds. Packets will only appear on active channels.

The nice thing about the pcap output is that you can pipe this file into any program that accepts pcap input. The WiNX Sniffer video covers how to use it with Wireshark, tshark and even airodump-ng:

The WiNX platform can also be programmed as a fake or custom Wi-Fi Router/Captive portal. We will look at those features next.

Deceptive Captive Portal

The Deceptive Captive Portal emulates a Wi-Fi router & Captive Portal. A Captive Portal is what you see when you use Free Wi-Fi in many places. Once you connect to a Captive Portal, you must provide some sort of credentials to then access the internet. The WiNX board emulates one of these, and once the user enters credentials, saves them to its logs.

The process is similar to before:

• Download the Deceptive Captive Portal software from the WiNX webpage
• Program the Firmware

• Interface to the WiNX to see the output

Once the Captive Portal is programmed, it seems best to use the Arduino IDE Serial Monitor to interface with the device. Again, this is covered in the documentation, so I won’t go into depth here. But simply use the “Serial Monitor” tool from the Arduino IDE, set the Baud Rate to 115200 and connect:

• Set the device SSID with H (# of characters) SSID Name:

• Choose the desired login page to display:

Then type “SEND” to view statistics:

When someone connects to the Wi-Fi network, they see this:

And when they try to login, you get their credentials:

Custom Captive Portal

The Custom Captive Portal works pretty much the exact same way, but you can provide your own custom HTML webpage to be displayed when a user connects. See the WiNX video for full instructions.

https://www.youtube.com/watch?v=T9RBC86MYfY

All HTML must be in a single file. Future versions may allow multiple files for a page. And as before, when it is up and running, WiNX automatically grabs the form input and stores it.

One of the Sample Templates is seen below:

And if they enter credentials they show up in the Serial Monitor:

Raspberry Pi WiNX Sniffer

The beauty of the WiNX is that it is pretty much cross platform. With very little effort I am able to get it working on a Raspberry Pi Zero W running Raspbian Lite. All I needed to do was download the software and with the WiNX programmed in Sniffer mode, just run the Sniffer-Helper program.

NOTE: The WiNX Firmware can be programmed from any platform that you wish. Once the Firmware is programmed, you can use the WiNX on other platforms if you wish.

I programmed the WiNX as a Scanner from my Kali Linux machine, and then plugged it into my Raspberry Pi. I then connected to the Pi Zero through SSH and ran these commands:

• wget http://hackerarsenal.com.s3.amazonaws.com/WiNX-Sniffer.zip
• unzip WiNX-Sniffer.zip
• sudo apt-get install python-serial
• sudo apt-get install tshark
• python ./WiNX-Sniffer-Helper.py -p /dev/ttyUSB0 -f demo.pcap

And it worked like a charm:

I could then use tshark in Raspberry Pi to view the packets.

WiNX Standalone Device

The WiNX Portable allows you to have a portable version of the device. I found that the regular WiNX, can be a Standalone device as well. I programmed the device as a Deceptive Captive Portal and then plugged it directly into one of my Raspberry Pi Battery Packs.

It worked perfectly:

It recorded any credentials entered into the WiNX logs, which I could then read when I plugged the device back into my Kali Linux system.

Conclusion

I really enjoyed working with the WiNX. I love the flexibility of the device, in that you can connect to it through several different operating systems. With the custom portal, you can do some interesting things with it, including pushing a user to a full version of Kali running BeEF or some other program. Or you could just hang it off a battery pack and leave it at a facility where you are running a security test and collect it later for the logs.

I do wish that the device came with a small low-profile case. If you are use it on a pentest, an open board seen lying around might cause some suspicion. I also noticed that it seemed to work best with the Arduino Serial Monitor. It may have just been a settings issue, but I did have trouble sending data to the captive portal using Putty.

I am interested to see what else can be done with the WiNX. Hacker Arsenal does seem pretty open for feedback from the community. I am curious what other interesting uses might be programmed into future versions of the device.

Overall, I am very happy with the WiNX and it will definitely be added to my toolbox of Wi-Fi hardware devices. Check it out for yourself and see if it will work for your security needs. Hacker Arsenal was generous enough to provide my readers with a 10% discount. Just enter the code “10-DantheMan” when purchasing the device at HackerArsenal.com.