Vulnerable Wireless Labs

📶 Core Areas of Wireless Pentesting

Protocol	Targets
Wi-Fi (802.11)	Routers, APs, clients
Bluetooth/BLE	Wearables, smart devices
Zigbee/Z-Wave	Smart home systems
RF (Sub-GHz)	Garage doors, key fobs, remotes
NFC/RFID	Access cards, mobile payments
Cellular	LTE/5G IMSI catchers (advanced)

---

🧨 Vulnerable Wireless Labs & Simulators

1. Wifipumpkin3

• Wireless rogue AP toolkit for MiTM attacks.

• Simulate captive portals, DNS spoofing, phishing Wi-Fi.

• Great for social engineering via Wi-Fi.

• GitHub: https://github.com/P0cL4bs/WiFi-Pumpkin

---

2. Airgeddon

• Full-featured wireless attack framework.

• WPA/WPA2 cracking, Evil Twin APs, DoS, captive portals.

• Works with multiple wireless adapters.

• GitHub: https://github.com/v1s1t0r1sh3r3/airgeddon

---

3. Wifiphisher

• Tool for automated phishing over Wi-Fi.

• Creates fake AP + phishing portals to capture credentials or install malware.

• GitHub: https://github.com/wifiphisher/wifiphisher

---

4. BLE CTF by Attify

• Bluetooth Low Energy (BLE) vulnerable lab.

• Practice GATT enumeration, MITM, fuzzing, unauthenticated access.

• GitHub: https://github.com/attify/ble-ctf

---

5. HackRF Wireless Replay Labs

• Use HackRF + SDR to capture and replay:

  • Key fobs

  • RF remotes

  • Garage openers

• Try practical scenarios using:

  • rfcat, GNU Radio, URH (Universal Radio Hacker)

---

6. Kismet + Pi + FakeAP Lab

• Build a lab with:

  • Raspberry Pi + Alfa AWUS036NHA

  • Kismet or Hostapd + captive portal

• Practice detection, fake APs, rogue device monitoring

---

⚒️ Tools for Wireless Pentesting (Wi-Fi, BLE, RF, Zigbee)

Tool	Protocol	Use Case
aircrack-ng suite	Wi-Fi	Cracking WEP/WPA handshakes
hcxdumptool + hcxpcaptool	Wi-Fi	Capturing PMKID hashes
bettercap	Wi-Fi/BLE	MiTM + BLE sniffing
BLEAH / Gattacker	BLE	Sniffing, fuzzing BLE devices
Zigbee2MQTT	Zigbee	Smart home Zigbee sniffing/fuzzing
rfcat	RF	Sub-GHz capture/replay (Yardstick One)
URH (Universal Radio Hacker)	RF	RF reverse engineering
proxmark3	RFID/NFC	Clone, sniff, or emulate RFID tags
Wireshark	Multi	Protocol-level packet analysis
Hostapd-WPE	Wi-Fi (802.1X)	EAP credential capture for WPA-Enterprise networks

---

🧪 Online Training Platforms with Wireless Content

🔹 TryHackMe – “Wireless Hacking” Room

• Focuses on WPA cracking, Evil Twin APs, MITM attacks.

• Practical and beginner-friendly.

• https://tryhackme.com/room/wirelesshacking

---

🔹 HackTheBox – Hardware/Radio Challenges

• RF, SDR, and BLE challenges occasionally appear.

• Advanced, red-team style scenarios.

• https://hackthebox.com

---

🔹 Attify Academy (Wireless & IoT Security) (Paid)

• Great for:

  • BLE, Zigbee, and Wi-Fi hacking

  • Real hardware scenarios

• https://academy.attify.com

---

🧱 Hardware for Wireless Pentesting Labs

Device	Use Case
Alfa AWUS036NHA	Wi-Fi injection, monitor mode
HackRF One	SDR capture and replay (RF, ISM bands)
Yardstick One	Sub-GHz TX/RX (garage doors, sensors)
Flipper Zero	Multi-protocol hacker gadget (RFID, BLE, IR, 433MHz)
Proxmark3 RDV4	Advanced RFID/NFC manipulation
Ubertooth One	Bluetooth Classic sniffing
CrazyRadio PA	BLE injection and sniffing
Raspberry Pi 4	Portable wireless test device or rogue AP host

---

📚 Wireless Pentesting Learning Path (Structured)

Phase	Focus	Tools
1	Wi-Fi Basics	aircrack-ng, hcxdumptool
2	WPA Enterprise Attacks	Hostapd-WPE, EAP phishing
3	Rogue AP & Phishing	Wifiphisher, WiFiPumpkin3
4	BLE Enumeration & Exploitation	BLEAH, Bettercap
5	Zigbee Exploits	Zigbee2MQTT, packet sniffing
6	RF Signal Capture	HackRF + URH
7	RFID/NFC Cloning	Proxmark3, Flipper Zero

---

📦 Want a Custom Wireless Lab Setup?

I can help you build a local wireless hacking lab, including:

✅ Fake AP + captive portal (via Pi or laptop) ✅ BLE vulnerable server & client (e.g., via BLE-CTF) ✅ SDR replay lab using HackRF or Flipper Zero ✅ Wi-Fi WPA handshake cracking and PMKID attacks ✅ Zigbee smart bulb lab (w/ USB coordinator)

7. Wireless Pentesting CTF (by Sektor7 / S4xLabs)

• Pre-built wireless CTF challenge VMs simulating WEP/WPA/WPA2 networks.

• Includes Evil Twin, captive portals, and client attacks.

• Run via VirtualBox or live USB setup.

---

8. BlueZ + GATT Server (DIY BLE lab)

• Set up a Linux-based Bluetooth Low Energy GATT server to test:

  • Pairing attacks

  • GATT enumeration

  • MITM over BLE

• GitHub BLE test projects: https://github.com/unknownv2/ble-sim

---

9. BLE Challenges at Crackmes.one or HTB

• Occasionally host downloadable BLE firmware or app-based puzzles.

• Practice reverse engineering BLE keys or fuzzing GATT endpoints.

---

10. RFID/NFC Pentest Kits with Real Cloning Labs

• Use Proxmark3 RDV4, Mifare tags, or Flipper Zero to:

  • Clone RFID access cards (e.g., Mifare Classic, HID Prox)

  • Crack sector keys with nested attacks (hf mf commands)

• Free guides: https://github.com/RfidResearchGroup/proxmark3

---

⚔️ Advanced Wireless Pentesting Tools & Tactics

Tool	Protocol	Use Case
EvilAP (ESP8266/ESP32)	Wi-Fi	DIY low-cost fake AP attack
WaveJam	RF	Jam frequencies with HackRF
NRFConnect / NRF52 Dongle	BLE	Direct communication and sniffing for Nordic-based devices
SigDigger	RF	Open-source RF analysis + spectrum viewer
Kismet + GPSD	Wi-Fi/Bluetooth	Wardriving + real-time signal geolocation
GSM Capture (Osmocom)	GSM	Advanced SDR-based 2G capture and replay
WiFiDeauther (ESP8266)	Wi-Fi	Packet injection, scanning, and deauth attacks via ESP-based microcontroller

---

📡 Wireless Frequencies & What You Can Hack

Frequency Band	Protocols	Examples
2.4 GHz	Wi-Fi, BLE, Zigbee	Routers, smart bulbs, fitness trackers
5 GHz	Wi-Fi (AC/AX)	Newer routers, mesh systems
Sub-GHz (315/433/868/915 MHz)	RF remotes, IoT	Garage doors, alarms, sensors
13.56 MHz	NFC/RFID	Key cards, transit passes
< 1 MHz	Low-frequency RFID	HID access cards
800–900 MHz	GSM, LoRa	Cell signals, long-range IoT
1.8–2.2 GHz	LTE	Cellular, IMSI catching (advanced)

---

🧠 Real-World Wireless Attack Scenarios to Simulate

Scenario	What to Practice
WPA2 Enterprise EAP Phishing	Use hostapd-wpe or eaphammer to capture RADIUS creds
Client-Side Evil Twin	Set up fake APs with portals to capture cookies, creds
BLE Spoofing	GATT fuzzing or advertisement spoof (e.g., fake fitness tracker)
RF Replay	Capture + replay signals with HackRF (e.g., garage door openers)
Zigbee Key Extraction	MITM or sniff pairing packets
RFID Badge Clone	Dump and clone hotel or office access cards
IMSI Catcher (2G)	Use Osmocom or srsRAN for GSM tracking (legally controlled!)

---

📚 Wireless Security Certifications (If You’re Going Pro)

Cert	Focus	Recommended For
OSWP (OffSec Wireless Professional)	Wi-Fi hacking	✅ Beginners & pros
CWSP (Certified Wireless Security Professional)	Wi-Fi protocols + policy	✅ For enterprise defenders
Attify IoT Security Expert	BLE + RF + hardware	✅ IoT focus
SANS SEC617 / GWAPT + Wireless Add-On	Infra-level Wi-Fi & BLE	✅ Red teamers
Hack The Box — Radio Challenges	SDR puzzles	✅ CTF pros

---

💡 Lab Setup Ideas by Protocol (Local Practice)

🔹 Wi-Fi Pentest Lab

• Alfa NIC + Kali + aircrack-ng suite

• Fake AP + captive portal via hostapd or airgeddon

• Clients: laptop, phone, IoT devices

🔹 BLE Lab

• NRF52 dongle + Linux

• BLE test app (e.g., BLE Hero)

• BLEAH / Gattacker for attack

🔹 RF Replay Lab

• HackRF One + remote control toy or garage clicker

• Capture in URH → Analyze → Replay signal

• Optional: Jam via HackRF rfcat

🔹 RFID/NFC Clone Lab

• Proxmark3 RDV4 + Mifare cards

• Dump → Crack → Emulate or clone tag

• Flipper Zero as alternative for fast testing

---

🧰 Want a Custom Lab or Walkthrough?

I can help you build a modular wireless hacking lab, such as:

• ✅ Wi-Fi rogue AP with auto-deauth and captive portal

• ✅ BLE attacker/emulator for wearable spoofing

• ✅ RF replay test bed with HackRF or Flipper

• ✅ RFID/NFC clone station for facility security testing