M5StickC PLUS2 and NEMO

Building a Rogue AP Demo for Security Training

Posted by Daniel Farid on September 08, 2024 · 4 mins read

I recently put together a little hacking demo using an M5StickC PLUS2 with Nemo firmware, and it turned out to be one of the most effective teaching tools I've used for network security training. Nothing drives a point home quite like watching people hand over their credentials to a device that fits in your pocket.

The Hardware

The M5StickC PLUS2 is a compact ESP32-based development kit - basically a tiny computer you can program to do all sorts of interesting things. For this project, I loaded it with Nemo firmware using the instructions from Noah Axon's GitHub repo at github.com/n0xa/m5stick-nemo. The M5Burner tool made pushing the firmware straightforward - no real issues there.

Nemo turns this little device into a pocket-sized WiFi attack tool. Among other things, it can broadcast fake access points and serve a captive-portal login page that records whatever credentials are typed into it, which makes it a convenient way to demonstrate how cheaply an attacker can stand up malicious network infrastructure.

The Demo

I got authorization from the location manager to run this during a network security training session for law enforcement professionals. Important caveat: always get proper authorization from whoever owns the venue and the network before doing anything like this, and constrain the demo so that only your intended audience can reach it.

The setup was simple. I configured the M5StickC to spoof a local public SSID - that is, to broadcast a WiFi network with exactly the same name as the legitimate one everyone expected to connect to. A network name is just a string any radio can advertise, so nothing on a phone or laptop distinguished the two. When people connected to my fake network, they were redirected to a captive-portal login page that looked like the real thing.

Then I told the class there was an "issue with the WiFi" and they'd need to re-authenticate.

You can probably guess what happened next. A significant portion of the class entered their credentials into my fake portal without a second thought. Their usernames and passwords were captured instantly.

The Point

The looks on people's faces when I showed them what I'd collected were priceless. Nothing I could have said in a PowerPoint slide would have driven the lesson home as effectively as actually watching it happen to them.

This kind of attack isn't sophisticated. The hardware costs maybe $30, the firmware is free and open source, and the whole thing took me an afternoon to set up. If I can do it, so can anyone with basic technical skills and malicious intent.

Key Takeaways

For the folks in that training - and anyone reading this:

  • Verify networks before connecting. A WiFi name (SSID) is just a label that any radio can broadcast, so a familiar-looking network is not proof of who runs it. When in doubt, ask whoever manages the network which one to use, and prefer an encrypted network over an open one carrying the same name.
  • Be suspicious of unexpected login prompts. If a network you have been using suddenly asks you to re-authenticate, especially through a web page, treat it as a red flag rather than a nuisance.
  • Use a VPN. An encrypted tunnel protects your traffic on a hostile network, with one caveat this demo illustrates: the tunnel only comes up after you are connected, and credentials typed into a captive portal before that go straight to whoever runs the portal.
  • Enable MFA everywhere. Even if someone captures your password, a second factor stops them from simply reusing it. Prefer phishing-resistant methods such as FIDO2 security keys, since a lookalike page can also relay one-time codes in real time.
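The demo works because a client sees only the network name, never who is broadcasting it. The script below is an added example, not code from this post or from the Nemo project: it takes a list of scan results and flags access points that claim a known SSID from a BSSID the owner has not published, offer it as an open network while the real one is encrypted, or are the lone vendor prefix among the radios sharing that name. The scan list, the SSIDs, the BSSIDs and the trusted-BSSID allow-list are all constructed for the example; on a real machine the list would come from parsing the output of a scanner such as `nmcli dev wifi` or `iw dev <if> scan`.

```python
"""Flag likely evil-twin access points in a Wi-Fi scan (added example)."""
from collections import defaultdict

# Constructed sample scan (not real data). The fields mimic what a scanner such
# as `nmcli dev wifi` or `iw dev <if> scan` reports. The third entry plays the
# rogue AP: same SSID, open instead of WPA2, a vendor prefix unlike the real
# radios, and the strongest signal because it is sitting in the room.
SAMPLE_SCAN = [
    {"ssid": "Library-Public", "bssid": "3C:37:86:11:22:33", "security": "WPA2", "channel": 6,  "signal": -52},
    {"ssid": "Library-Public", "bssid": "3C:37:86:11:22:34", "security": "WPA2", "channel": 11, "signal": -60},
    {"ssid": "Library-Public", "bssid": "24:6F:28:AA:BB:CC", "security": "",     "channel": 6,  "signal": -35},
    {"ssid": "Staff-Net",      "bssid": "3C:37:86:44:55:66", "security": "WPA2", "channel": 36, "signal": -58},
]

# Hypothetical allow-list: the BSSIDs a network owner publishes for each SSID.
KNOWN_BSSIDS = {
    "Library-Public": {"3C:37:86:11:22:33", "3C:37:86:11:22:34"},
}


def oui(bssid):
    """First three octets of a MAC address, i.e. the vendor prefix."""
    return bssid.upper()[:8]


def find_suspects(scan, known=None):
    """Return one finding per access point that looks like an evil twin.

    Three independent signals are checked; any one is enough to report the
    AP, and every matching reason is listed so the reader can weigh them.
    """
    known = known or {}
    by_ssid = defaultdict(list)
    for ap in scan:
        if ap["ssid"]:                      # skip hidden networks
            by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        securities = {ap["security"] for ap in aps}
        oui_counts = defaultdict(int)
        for ap in aps:
            oui_counts[oui(ap["bssid"])] += 1
        allowed = {b.upper() for b in known.get(ssid, ())}

        for ap in aps:
            reasons = []
            if allowed and ap["bssid"].upper() not in allowed:
                reasons.append("BSSID not on the owner's published list")
            if len(securities) > 1 and ap["security"] == "":
                reasons.append("open network while the same SSID is also offered with encryption")
            if len(oui_counts) > 1 and oui_counts[oui(ap["bssid"])] == 1:
                reasons.append("lone vendor prefix among radios sharing this SSID")
            if reasons:
                findings.append({"ssid": ssid, "bssid": ap["bssid"],
                                 "signal": ap["signal"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_SCAN, KNOWN_BSSIDS):
        print(f"{f['ssid']} via {f['bssid']} ({f['signal']} dBm): " + "; ".join(f["reasons"]))
```

None of these checks is proof on its own: a venue can legitimately mix vendors or run an open guest network beside an encrypted one. Treat a finding as a reason to ask the network owner before connecting, which is exactly the habit the first takeaway asks for.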

Looking Forward

This project reinforced why hands-on demonstrations are so valuable for security training. People remember experiences way better than lectures. I'm planning to expand my collection of demo tools - there's a lot of educational value in showing people exactly how attacks work rather than just telling them about it.

The M5StickC PLUS2 with Nemo is a solid addition to any security trainer's toolkit. Small enough to be inconspicuous, powerful enough to make a point.
