How-To Geek

MiniPwner Is a Cheap Penetration Tester and Portable Wi-Fi Node

MiniPwner is an inexpensive and portable device designed to allow the user to quickly gain access to a wired network for penetration testing or do a little war-walking to discover open Wi-Fi networks.

It’s a rather clever little DIY project that cobbles together a portable Wi-Fi router, a USB flash drive, a micro-USB backup battery intended for cellphone use, and a software configuration package. Once you’ve got it all hooked together, what can you do with it? From the MiniPwner guide:

Pen Testing Drop Box: In this mode, the MiniPwner used to establish rogue access to a target network during a penetration test. The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port. (common locations include conference rooms, unoccupied workstations, the back of IP Telephones, etc.)

Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via Wifi.

The MiniPwner can run some software directly from the box, such as nmap to map the target network or the samba client to connect to windows shares. Other tools, such as Metasploit or Nessus can be run through the box using a VPN tunnel.

Wireless war-walking: The battery-powered MiniPwner is small enough to fit in your jeans pocket and can run for hours. In wireless war-walking mode you start kismet or aircrack-ng on the MiniPwner and record details about all of the wireless networks detected by the device.

Captive Wifi Portal or Rogue Access Point: Use the Karma application to discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targetted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.

Hit up the link below for instructions on how to build your own as well as a full list of all the software included in the bundle.

MiniPwner [via Hack A Day]

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking opening cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 01/13/12

Comments (14)

  1. Anonymous

    I realize that making and even using stuff like this isn’t exactly breaking the law or anything. But can anyone tell me any legitimate honorable use for this other than to test your own network or troubleshoot a client’s network (things that only a few readers might actually be involved in)? What other possible legitimate use is there? What other honorable reasons can there be?

    Quite frankly, I fail to see any real need that most people would have. I don’t see any practical use other than to sneak around places that could get you into trouble if/when caught. But mostly I see it as a way to try and leach off someone else’s Internet connection, possibly spy on them, or even do malicious things like plant viruses or steal/alter information. And without due process of law which includes a legal concept called “consent”, most of those things are illegal!

    In fact, there are heavy penalties and fines for breaking into other people’s systems. Even if your reason to break in is to check a quick email it’s still theft! Without “consent” or a legal warrant it’s often prosecuted (when caught, of course) under existing laws such as wire-tap, cable theft or even as outright espionage with terrorist intent! Sounds silly, right? But have you noticed the current political landscape lately? Even an innocent email message over someone else’s connection could land you in prison – possibly at a certain U.S. base in Cuba! So I ask: why do it?

  2. 99er

    A lot of it is to educate, educate oneself and others.

    Of course your going to have some bad apples in the tree, trust me if the good ones didn’t invent these devices you would almost be certain the bad ones would.

  3. Dennis Leefarr

    Completely unnecessary project,with the risks far outweighing the benefits. Should be removed from the site

  4. quagmire

    Jason, I’m sorry man, I usually defend your articles when someone calls them ludicrous or a waste of time, but this one … if one removes the word ‘tester’ from your article it becomes an open invitation and encouragement to STEAL personal information and ATTACK system networks. Such a device has really one purpose only. As for ‘discovering open wi-fi networks’, any wi-fi enabled device does this with its native software/hardware.
    I think I speak for many HTG readers and give you THREE thumbs down on this one lad. I am very disappointed in your ethical abuse of journalistic ‘license’. And no, it’s NOT about free speech if one openly promotes illegalities and devices that can ‘capture credentials or exploit client-side vulnerabilities on the host’ … in other words, YOUR BANK Jason!

  5. GrrrrrrDrrrArgggggg

    To everyone that has said that this device and article has no legal uses and upsides, I beg to differ and hear me out. Those of us in net security have to be up on these things. Falling even one step behind means a client just got ripped off and is looking to terminate their contract with you. I myself use homebrew stuff like this for the soul purpose of showing clients just how sneaky and frightening some of this stuff is (I use a android smartphone with a host of utilities most of the time, but I have also made other things) I try not to use them as scare tactics, unfortunately that is how they come across sometimes, but I try to use them as examples that this stuff exists and they need to be prepared for it. (as well as anyone can be)

  6. 99er

    quagmire, you should look more into the device and the theory and practice behind it before making assumptions and criticizing

    You know what assumptions make, right? Considering your speaking on behalf of “many” HTG readers then I suppose the same applies.

    Speak for yourself.

  7. quack

    I found this article to be very educating. I plan to build one myself for demonstration purposes at work. BTW I believe I speak for many MORE HTG readers then does quagmire.

  8. Alex Thorp

    This article receives my stamp of approval despite what the naysayers might think.
    1. This article raises awareness of what is out there and possible.
    2. I read comments about the legality of something like this. There are many legal uses both for pen-testing, and as a Portable Wi-Fi Node. These little devices can be configured to fit many rolls. a portable NAS? There have been many times where I go places and need to share a config file or some other file with a group. Running a device like this with a little usb drive that contains the files makes it super easy. That is just once example.
    3. I completely agree with: GrrrrrrDrrrArgggggg
    4. I wasn’t actually going to comment, because I don’t have much to say about the device that the article is about, but quagmire does NOT speak for me.
    5. if you made it here you should get a cookie, but sadly I have no way to distribute a cookie to you, so instead Thanks for reading my other points. :)

  9. Doh

    Not only did I learn about this neat little trinket, I also learned multiple ways a person might try to gain access to my networks. Now I can take measures to counteract such an attack.

  10. Doh

    So to all you yahoos and bumpkins that say this article should be removed, here’s your sign! And you just go on being ignorant, because information is power, and without the power to defend yourself, you will lose.

    And that just means more business for me!

  11. Doh

    I’m a s.p.e.c.i.a.l.i.s.t and already knew of this type of device, I e.x.a.g.g.e.r.a.t.e for effect.

    I just use iFile.

  12. Doh

    How is that word a spammy word?!?!

    Non sequitur! You’re facts are uncoordinated…

  13. Alex Thorp

    There are some things that I don’t want going out over the internet. iFile seems to be for the iphone only?
    I know there are file server programs available for Android, and some work great, I was just suggesting a possible legitimate use. :)

  14. Joshua Carlin

    There are two ways to look at this:

    1) Pretend it doesn’t exist, it’s something to do with that scary hacking thing.

    2) Read the article and learn how to protect yourself against these devices and the threats that they pose.

    Security testers will use these when they are hired by companies and organisations to test for vulnerabilities. If only malicious users know about these, they cannot be stopped.

More Articles You Might Like

Enter Your Email Here to Get Access for Free:

Go check your email!