Vulnerable Wireless Labs
📶 Core Areas of Wireless Pentesting
Area | Typical targets
Wi-Fi (802.11) | Routers, APs, clients
Bluetooth/BLE | Wearables, smart devices
Zigbee/Z-Wave | Smart home systems
RF (Sub-GHz) | Garage doors, key fobs, remotes
NFC/RFID | Access cards, mobile payments
Cellular | LTE/5G IMSI catchers (advanced)
🧨 Vulnerable Wireless Labs & Simulators
1. Wifipumpkin3
Wireless rogue AP toolkit for MITM attacks.
Simulate captive portals, DNS spoofing, phishing Wi-Fi.
Great for social engineering via Wi-Fi.
2. Airgeddon
Full-featured wireless attack framework.
WPA/WPA2 cracking, Evil Twin APs, DoS, captive portals.
Works with multiple wireless adapters.
3. Wifiphisher
Tool for automated phishing over Wi-Fi.
Creates fake AP + phishing portals to capture credentials or install malware.
4. BLE CTF by Attify
Bluetooth Low Energy (BLE) vulnerable lab.
Practice GATT enumeration, MITM, fuzzing, unauthenticated access.
5. HackRF Wireless Replay Labs
Use HackRF + SDR to capture and replay:
Key fobs
RF remotes
Garage openers
Try practical scenarios using:
rfcat
GNU Radio
URH (Universal Radio Hacker)
6. Kismet + Pi + FakeAP Lab
Build a lab with:
Raspberry Pi + Alfa AWUS036NHA
Kismet or Hostapd + captive portal
Practice detection, fake APs, rogue device monitoring
⚒️ Tools for Wireless Pentesting (Wi-Fi, BLE, RF, Zigbee)
Tool | Protocol | Purpose
aircrack-ng suite | Wi-Fi | Cracking WEP/WPA handshakes
hcxdumptool + hcxpcaptool | Wi-Fi | Capturing PMKID hashes
bettercap | Wi-Fi/BLE | MITM + BLE sniffing
BLEAH / Gattacker | BLE | Sniffing, fuzzing BLE devices
Zigbee2MQTT | Zigbee | Smart home Zigbee sniffing/fuzzing
rfcat | RF | Sub-GHz capture/replay (Yardstick One)
URH (Universal Radio Hacker) | RF | RF reverse engineering
proxmark3 | RFID/NFC | Clone, sniff, or emulate RFID tags
Wireshark | Multi | Protocol-level packet analysis
Hostapd-WPE | Wi-Fi (802.1X) | EAP credential capture for WPA-Enterprise networks
🧪 Online Training Platforms with Wireless Content
🔹 TryHackMe – “Wireless Hacking” Room
Focuses on WPA cracking, Evil Twin APs, MITM attacks.
Practical and beginner-friendly.
🔹 HackTheBox – Hardware/Radio Challenges
RF, SDR, and BLE challenges occasionally appear.
Advanced, red-team style scenarios.
🔹 Attify Academy (Wireless & IoT Security) (Paid)
Great for:
BLE, Zigbee, and Wi-Fi hacking
Real hardware scenarios
🧱 Hardware for Wireless Pentesting Labs
Hardware | Use
Alfa AWUS036NHA | Wi-Fi injection, monitor mode
HackRF One | SDR capture and replay (RF, ISM bands)
Yardstick One | Sub-GHz TX/RX (garage doors, sensors)
Flipper Zero | Multi-protocol hacker gadget (RFID, BLE, IR, 433MHz)
Proxmark3 RDV4 | Advanced RFID/NFC manipulation
Ubertooth One | Bluetooth Classic sniffing
CrazyRadio PA | BLE injection and sniffing
Raspberry Pi 4 | Portable wireless test device or rogue AP host
📚 Wireless Pentesting Learning Path (Structured)
Step | Topic | Tools
1 | Wi-Fi Basics | aircrack-ng, hcxdumptool
2 | WPA Enterprise Attacks | Hostapd-WPE, EAP phishing
3 | Rogue AP & Phishing | Wifiphisher, WiFiPumpkin3
4 | BLE Enumeration & Exploitation | BLEAH, Bettercap
5 | Zigbee Exploits | Zigbee2MQTT, packet sniffing
6 | RF Signal Capture | HackRF + URH
7 | RFID/NFC Cloning | Proxmark3, Flipper Zero
📦 Want a Custom Wireless Lab Setup?
I can help you build a local wireless hacking lab, including:
✅ Fake AP + captive portal (via Pi or laptop)
✅ BLE vulnerable server & client (e.g., via BLE-CTF)
✅ SDR replay lab using HackRF or Flipper Zero
✅ Wi-Fi WPA handshake cracking and PMKID attacks
✅ Zigbee smart bulb lab (w/ USB coordinator)
7. Wireless Pentesting CTF (by Sektor7 / S4xLabs)
Pre-built wireless CTF challenge VMs simulating WEP/WPA/WPA2 networks.
Includes Evil Twin, captive portals, and client attacks.
Run via VirtualBox or live USB setup.
8. BlueZ + GATT Server (DIY BLE lab)
Set up a Linux-based Bluetooth Low Energy GATT server to test:
Pairing attacks
GATT enumeration
MITM over BLE
GitHub BLE test projects: https://github.com/unknownv2/ble-sim
9. BLE Challenges at Crackmes.one or HTB
Occasionally host downloadable BLE firmware or app-based puzzles.
Practice reverse engineering BLE keys or fuzzing GATT endpoints.
10. RFID/NFC Pentest Kits with Real Cloning Labs
Use Proxmark3 RDV4, Mifare tags, or Flipper Zero to:
Clone RFID access cards (e.g., Mifare Classic, HID Prox)
Crack sector keys with nested attacks (hf mf commands)
Free guides: https://github.com/RfidResearchGroup/proxmark3
⚔️ Advanced Wireless Pentesting Tools & Tactics
Tool | Protocol | Purpose
EvilAP (ESP8266/ESP32) | Wi-Fi | DIY low-cost fake AP attack
WaveJam | RF | Jam frequencies with HackRF
NRFConnect / NRF52 Dongle | BLE | Direct communication and sniffing for Nordic-based devices
SigDigger | RF | Open-source RF analysis + spectrum viewer
Kismet + GPSD | Wi-Fi/Bluetooth | Wardriving + real-time signal geolocation
GSM Capture (Osmocom) | GSM | Advanced SDR-based 2G capture and replay
WiFiDeauther (ESP8266) | Wi-Fi | Packet injection, scanning, and deauth attacks via ESP-based microcontroller
📡 Wireless Frequencies & What You Can Hack
Frequency | Protocols | Typical devices
2.4 GHz | Wi-Fi, BLE, Zigbee | Routers, smart bulbs, fitness trackers
5 GHz | Wi-Fi (AC/AX) | Newer routers, mesh systems
Sub-GHz (315/433/868/915 MHz) | RF remotes, IoT | Garage doors, alarms, sensors
13.56 MHz | NFC/RFID | Key cards, transit passes
< 1 MHz | Low-frequency RFID | HID access cards
800–900 MHz | GSM, LoRa | Cell signals, long-range IoT
1.8–2.2 GHz | LTE | Cellular, IMSI catching (advanced)
🧠 Real-World Wireless Attack Scenarios to Simulate
Scenario | Method
WPA2 Enterprise EAP Phishing | Use hostapd-wpe or eaphammer to capture RADIUS creds
Client-Side Evil Twin | Set up fake APs with portals to capture cookies, creds
BLE Spoofing | GATT fuzzing or advertisement spoof (e.g., fake fitness tracker)
RF Replay | Capture + replay signals with HackRF (e.g., garage door openers)
Zigbee Key Extraction | MITM or sniff pairing packets
RFID Badge Clone | Dump and clone hotel or office access cards
IMSI Catcher (2G) | Use Osmocom or srsRAN for GSM tracking (legally controlled!)
📚 Wireless Security Certifications (If You’re Going Pro)
Certification | Focus | Audience
OSWP (OffSec Wireless Professional) | Wi-Fi hacking | ✅ Beginners & pros
CWSP (Certified Wireless Security Professional) | Wi-Fi protocols + policy | ✅ For enterprise defenders
Attify IoT Security Expert | BLE + RF + hardware | ✅ IoT focus
SANS SEC617 / GWAPT + Wireless Add-On | Infra-level Wi-Fi & BLE | ✅ Red teamers
Hack The Box — Radio Challenges | SDR puzzles | ✅ CTF pros
💡 Lab Setup Ideas by Protocol (Local Practice)
🔹 Wi-Fi Pentest Lab
Alfa NIC + Kali + aircrack-ng suite
Fake AP + captive portal via hostapd or airgeddon
Clients: laptop, phone, IoT devices
🔹 BLE Lab
NRF52 dongle + Linux
BLE test app (e.g., BLE Hero)
BLEAH / Gattacker for attack
🔹 RF Replay Lab
HackRF One + remote control toy or garage clicker
Capture in URH → Analyze → Replay signal
Optional: jam via HackRF or rfcat
🔹 RFID/NFC Clone Lab
Proxmark3 RDV4 + Mifare cards
Dump → Crack → Emulate or clone tag
Flipper Zero as alternative for fast testing
🧰 Want a Custom Lab or Walkthrough?
I can help you build a modular wireless hacking lab, such as:
✅ Wi-Fi rogue AP with auto-deauth and captive portal
✅ BLE attacker/emulator for wearable spoofing
✅ RF replay test bed with HackRF or Flipper
✅ RFID/NFC clone station for facility security testing