
# Vulnerable Wireless Labs

### 📶 Core Areas of Wireless Pentesting

| Protocol           | Targets                         |
| ------------------ | ------------------------------- |
| **Wi-Fi (802.11)** | Routers, APs, clients           |
| **Bluetooth/BLE**  | Wearables, smart devices        |
| **Zigbee/Z-Wave**  | Smart home systems              |
| **RF (Sub-GHz)**   | Garage doors, key fobs, remotes |
| **NFC/RFID**       | Access cards, mobile payments   |
| **Cellular**       | LTE/5G IMSI catchers (advanced) |

***

### 🧨 Vulnerable Wireless Labs & Simulators

#### 1. **Wifipumpkin3**

* **Wireless rogue AP toolkit** for MiTM attacks.
* Simulate captive portals, DNS spoofing, phishing Wi-Fi.
* Great for social engineering via Wi-Fi.
* GitHub: <https://github.com/P0cL4bs/WiFi-Pumpkin>

***

#### 2. **Airgeddon**

* Full-featured **wireless attack framework**.
* WPA/WPA2 cracking, Evil Twin APs, DoS, captive portals.
* Works with multiple wireless adapters.
* GitHub: <https://github.com/v1s1t0r1sh3r3/airgeddon>

***

#### 3. **Wifiphisher**

* Tool for **automated phishing over Wi-Fi**.
* Creates fake AP + phishing portals to capture credentials or install malware.
* GitHub: <https://github.com/wifiphisher/wifiphisher>

***

#### 4. **BLE CTF by Attify**

* **Bluetooth Low Energy (BLE)** vulnerable lab.
* Practice GATT enumeration, MITM, fuzzing, unauthenticated access.
* GitHub: <https://github.com/attify/ble-ctf>

***

#### 5. **HackRF Wireless Replay Labs**

* Use **HackRF + SDR** to capture and replay:
  * Key fobs
  * RF remotes
  * Garage openers
* Try practical scenarios using:
  * `rfcat`, `GNU Radio`, `URH (Universal Radio Hacker)`

***

#### 6. **Kismet + Pi + FakeAP Lab**

* Build a lab with:
  * Raspberry Pi + Alfa AWUS036NHA
  * Kismet or Hostapd + captive portal
* Practice detection, fake APs, rogue device monitoring

***

### ⚒️ Tools for Wireless Pentesting (Wi-Fi, BLE, RF, Zigbee)

| Tool                             | Protocol       | Use Case                                           |
| -------------------------------- | -------------- | -------------------------------------------------- |
| **aircrack-ng suite**            | Wi-Fi          | Cracking WEP/WPA handshakes                        |
| **hcxdumptool + hcxpcaptool**    | Wi-Fi          | Capturing PMKID hashes                             |
| **bettercap**                    | Wi-Fi/BLE      | MiTM + BLE sniffing                                |
| **BLEAH / Gattacker**            | BLE            | Sniffing, fuzzing BLE devices                      |
| **Zigbee2MQTT**                  | Zigbee         | Smart home Zigbee sniffing/fuzzing                 |
| **rfcat**                        | RF             | Sub-GHz capture/replay (Yardstick One)             |
| **URH (Universal Radio Hacker)** | RF             | RF reverse engineering                             |
| **proxmark3**                    | RFID/NFC       | Clone, sniff, or emulate RFID tags                 |
| **Wireshark**                    | Multi          | Protocol-level packet analysis                     |
| **Hostapd-WPE**                  | Wi-Fi (802.1X) | EAP credential capture for WPA-Enterprise networks |

***

### 🧪 Online Training Platforms with Wireless Content

#### 🔹 **TryHackMe – “Wireless Hacking” Room**

* Focuses on WPA cracking, Evil Twin APs, MITM attacks.
* Practical and beginner-friendly.
* <https://tryhackme.com/room/wirelesshacking>

***

#### 🔹 **HackTheBox – Hardware/Radio Challenges**

* RF, SDR, and BLE challenges occasionally appear.
* Advanced, red-team style scenarios.
* [https://hackthebox.com](https://hackthebox.com/)

***

#### 🔹 **Attify Academy (Wireless & IoT Security)** *(Paid)*

* Great for:
  * BLE, Zigbee, and Wi-Fi hacking
  * Real hardware scenarios
* [https://academy.attify.com](https://academy.attify.com/)

***

### 🧱 Hardware for Wireless Pentesting Labs

| Device              | Use Case                                             |
| ------------------- | ---------------------------------------------------- |
| **Alfa AWUS036NHA** | Wi-Fi injection, monitor mode                        |
| **HackRF One**      | SDR capture and replay (RF, ISM bands)               |
| **Yardstick One**   | Sub-GHz TX/RX (garage doors, sensors)                |
| **Flipper Zero**    | Multi-protocol hacker gadget (RFID, BLE, IR, 433MHz) |
| **Proxmark3 RDV4**  | Advanced RFID/NFC manipulation                       |
| **Ubertooth One**   | Bluetooth Classic sniffing                           |
| **CrazyRadio PA**   | BLE injection and sniffing                           |
| **Raspberry Pi 4**  | Portable wireless test device or rogue AP host       |

***

### 📚 Wireless Pentesting Learning Path (Structured)

| Phase | Focus                          | Tools                        |
| ----- | ------------------------------ | ---------------------------- |
| 1     | Wi-Fi Basics                   | aircrack-ng, hcxdumptool     |
| 2     | WPA Enterprise Attacks         | Hostapd-WPE, EAP phishing    |
| 3     | Rogue AP & Phishing            | Wifiphisher, WiFiPumpkin3    |
| 4     | BLE Enumeration & Exploitation | BLEAH, Bettercap             |
| 5     | Zigbee Exploits                | Zigbee2MQTT, packet sniffing |
| 6     | RF Signal Capture              | HackRF + URH                 |
| 7     | RFID/NFC Cloning               | Proxmark3, Flipper Zero      |

***

### 📦 Want a Custom Wireless Lab Setup?

I can help you build a **local wireless hacking lab**, including:

✅ Fake AP + captive portal (via Pi or laptop)\
✅ BLE vulnerable server & client (e.g., via BLE-CTF)\
✅ SDR replay lab using HackRF or Flipper Zero\
✅ Wi-Fi WPA handshake cracking and PMKID attacks\
✅ Zigbee smart bulb lab (w/ USB coordinator)

#### 7. **Wireless Pentesting CTF (by Sektor7 / S4xLabs)**

* **Pre-built wireless CTF challenge VMs** simulating WEP/WPA/WPA2 networks.
* Includes Evil Twin, captive portals, and client attacks.
* Run via VirtualBox or live USB setup.

***

#### 8. **BlueZ + GATT Server (DIY BLE lab)**

* Set up a Linux-based Bluetooth Low Energy GATT server to test:
  * Pairing attacks
  * GATT enumeration
  * MITM over BLE
* GitHub BLE test projects: <https://github.com/unknownv2/ble-sim>

***

#### 9. **BLE Challenges at Crackmes.one or HTB**

* Occasionally host downloadable **BLE firmware or app-based puzzles**.
* Practice reverse engineering BLE keys or fuzzing GATT endpoints.

***

#### 10. **RFID/NFC Pentest Kits with Real Cloning Labs**

* Use **Proxmark3 RDV4**, Mifare tags, or Flipper Zero to:
  * Clone RFID access cards (e.g., Mifare Classic, HID Prox)
  * Crack sector keys with nested attacks (`hf mf` commands)
* Free guides: <https://github.com/RfidResearchGroup/proxmark3>

***

### ⚔️ **Advanced Wireless Pentesting Tools & Tactics**

| Tool                          | Protocol        | Use Case                                                                     |
| ----------------------------- | --------------- | ---------------------------------------------------------------------------- |
| **EvilAP (ESP8266/ESP32)**    | Wi-Fi           | DIY low-cost fake AP attack                                                  |
| **WaveJam**                   | RF              | Jam frequencies with HackRF                                                  |
| **NRFConnect / NRF52 Dongle** | BLE             | Direct communication and sniffing for Nordic-based devices                   |
| **SigDigger**                 | RF              | Open-source RF analysis + spectrum viewer                                    |
| **Kismet + GPSD**             | Wi-Fi/Bluetooth | Wardriving + real-time signal geolocation                                    |
| **GSM Capture (Osmocom)**     | GSM             | Advanced SDR-based 2G capture and replay                                     |
| **WiFiDeauther (ESP8266)**    | Wi-Fi           | Packet injection, scanning, and deauth attacks via ESP-based microcontroller |

***

### 📡 **Wireless Frequencies & What You Can Hack**

| Frequency Band                | Protocols          | Examples                               |
| ----------------------------- | ------------------ | -------------------------------------- |
| 2.4 GHz                       | Wi-Fi, BLE, Zigbee | Routers, smart bulbs, fitness trackers |
| 5 GHz                         | Wi-Fi (AC/AX)      | Newer routers, mesh systems            |
| Sub-GHz (315/433/868/915 MHz) | RF remotes, IoT    | Garage doors, alarms, sensors          |
| 13.56 MHz                     | NFC/RFID           | Key cards, transit passes              |
| < 1 MHz                       | Low-frequency RFID | HID access cards                       |
| 800–900 MHz                   | GSM, LoRa          | Cell signals, long-range IoT           |
| 1.8–2.2 GHz                   | LTE                | Cellular, IMSI catching (advanced)     |

***

### 🧠 **Real-World Wireless Attack Scenarios to Simulate**

| Scenario                         | What to Practice                                                 |
| -------------------------------- | ---------------------------------------------------------------- |
| **WPA2 Enterprise EAP Phishing** | Use `hostapd-wpe` or `eaphammer` to capture RADIUS creds         |
| **Client-Side Evil Twin**        | Set up fake APs with portals to capture cookies, creds           |
| **BLE Spoofing**                 | GATT fuzzing or advertisement spoof (e.g., fake fitness tracker) |
| **RF Replay**                    | Capture + replay signals with HackRF (e.g., garage door openers) |
| **Zigbee Key Extraction**        | MITM or sniff pairing packets                                    |
| **RFID Badge Clone**             | Dump and clone hotel or office access cards                      |
| **IMSI Catcher (2G)**            | Use Osmocom or srsRAN for GSM tracking (legally controlled!)     |

***

### 📚 Wireless Security Certifications (If You’re Going Pro)

| Cert                                                | Focus                    | Recommended For            |
| --------------------------------------------------- | ------------------------ | -------------------------- |
| **OSWP (OffSec Wireless Professional)**             | Wi-Fi hacking            | ✅ Beginners & pros         |
| **CWSP (Certified Wireless Security Professional)** | Wi-Fi protocols + policy | ✅ For enterprise defenders |
| **Attify IoT Security Expert**                      | BLE + RF + hardware      | ✅ IoT focus                |
| **SANS SEC617 / GWAPT + Wireless Add-On**           | Infra-level Wi-Fi & BLE  | ✅ Red teamers              |
| **Hack The Box — Radio Challenges**                 | SDR puzzles              | ✅ CTF pros                 |

***

### 💡 Lab Setup Ideas by Protocol (Local Practice)

#### 🔹 **Wi-Fi Pentest Lab**

* Alfa NIC + Kali + aircrack-ng suite
* Fake AP + captive portal via `hostapd` or `airgeddon`
* Clients: laptop, phone, IoT devices

#### 🔹 **BLE Lab**

* NRF52 dongle + Linux
* BLE test app (e.g., BLE Hero)
* BLEAH / Gattacker for attack

#### 🔹 **RF Replay Lab**

* HackRF One + remote control toy or garage clicker
* Capture in URH → Analyze → Replay signal
* Optional: Jam via HackRF `rfcat`

#### 🔹 **RFID/NFC Clone Lab**

* Proxmark3 RDV4 + Mifare cards
* Dump → Crack → Emulate or clone tag
* Flipper Zero as alternative for fast testing

***

### 🧰 Want a Custom Lab or Walkthrough?

I can help you build a **modular wireless hacking lab**, such as:

* ✅ Wi-Fi rogue AP with auto-deauth and captive portal
* ✅ BLE attacker/emulator for wearable spoofing
* ✅ RF replay test bed with HackRF or Flipper
* ✅ RFID/NFC clone station for facility security testing

