VCA-WIR-101 — Wireless Penetration Testing
Wireless is everywhere and it is mostly invisible. A building’s attack surface includes every frame in the air around it: Wi-Fi, Bluetooth, Zigbee, LoRa, sub-GHz ISM, cellular, and the quieter protocols riding on top. The course is explicitly not “how to crack your neighbor’s Wi-Fi.” It is how a licensed wireless pen tester, invited onto a client’s premises, characterizes and tests the wireless security posture of that client’s environment.
Course Overview
The course focuses primarily on 802.11 (Wi-Fi) because that is where most authorized wireless-security work happens in small-business and enterprise engagements, but it introduces Bluetooth/BLE and sub-GHz surfaces well enough that graduates can investigate a novel wireless protocol when they encounter one.
Learning Outcomes
- Operate an RF-capable workstation — wireless NIC in monitor mode, antenna gain/polarization, directional antennas for site assessment.
- Passively observe 802.11 networks: capture and interpret management frames, associate/disassociate events, probe requests, handshakes.
- Identify the security posture of observed networks — open / WEP / WPA-PSK / WPA2-PSK / WPA3 / Enterprise (802.1X).
- Conduct authorized WPA/WPA2 handshake captures and offline password-cracking attempts using aircrack-ng, hashcat, and structured dictionaries.
- Identify and test rogue-access-point and evil-twin detection mechanisms.
- Survey Bluetooth and BLE advertising and paired-device behavior using gatttool, btmon, and an nRF52-class SDR.
- Survey sub-GHz (315/433/868/915 MHz) emissions using an SDR (RTL-SDR or HackRF), identifying protocols by waveform family.
- Produce a client-style wireless engagement report — site map, observed networks, findings, remediation.
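The security-posture identification outcome above (open / WEP / WPA-PSK / WPA2-PSK / WPA3 / 802.1X) comes down to reading the Privacy capability bit and the RSN (tag 48) or vendor WPA (tag 221) information elements in a captured beacon. The classifier below is an added example, not course material; the beacon fragments are constructed inline and the suite-type numbers are the standard 802.11 AKM values.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selector OUI (RSN / WPA2 / WPA3)
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the legacy WPA vendor IE
PRIVACY_BIT = 0x0010        # capability-info bit 4: WEP/encryption required

def parse_ies(body):
    """Split a beacon's tagged-parameter area into {tag: [payload, ...]}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies.setdefault(tag, []).append(body[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies

def akm_suites(ie, oui):
    """Walk an RSN- or WPA-style IE body and return its AKM suite type numbers."""
    pos = 2 + 4                                   # version + group cipher suite
    n = struct.unpack_from("<H", ie, pos)[0]; pos += 2 + 4 * n   # pairwise suites
    n = struct.unpack_from("<H", ie, pos)[0]; pos += 2           # AKM count
    return [ie[pos + 4 * k + 3] for k in range(n) if ie[pos + 4 * k:pos + 4 * k + 3] == oui]

def classify(capability, body):
    """Return (ssid, security mode) for one beacon's capability field and IEs."""
    ies = parse_ies(body)
    ssid = ies.get(0, [b""])[0].decode(errors="replace")
    rsn = ies.get(48)
    wpa = [v[4:] for v in ies.get(221, []) if v[:4] == WPA_OUI + b"\x01"]
    if rsn:                                       # RSN IE wins in WPA/WPA2 transition mode
        akms = akm_suites(rsn[0], RSN_OUI)
        if any(a in (8, 9) for a in akms):   mode = "WPA3-SAE"        # SAE / FT-SAE
        elif any(a in (1, 3, 5) for a in akms): mode = "WPA2-Enterprise (802.1X)"
        elif any(a in (2, 4, 6) for a in akms): mode = "WPA2-PSK"
        else:                                mode = "RSN (unknown AKM)"
    elif wpa:
        mode = "WPA-Enterprise (802.1X)" if 1 in akm_suites(wpa[0], WPA_OUI) else "WPA-PSK"
    elif capability & PRIVACY_BIT:
        mode = "WEP"
    else:
        mode = "Open"
    return ssid, mode

def rsn_ie(akm):
    """Build a minimal RSN IE: CCMP group/pairwise cipher, one AKM (constructed)."""
    b = b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + bytes([akm])
    return bytes([48, len(b)]) + b

SAMPLES = {  # constructed beacon fragments: (capability-info field, tagged parameters)
    "open": (0x0001, b"\x00\x05Guest"),
    "wep":  (0x0011, b"\x00\x06Legacy"),
    "wpa2": (0x0011, b"\x00\x04Corp" + rsn_ie(2)),
    "wpa3": (0x0011, b"\x00\x04Corp" + rsn_ie(8)),
    "eap":  (0x0011, b"\x00\x04Corp" + rsn_ie(1)),
    "wpa1": (0x0011, b"\x00\x03Old" + bytes([221, 22]) + WPA_OUI + b"\x01\x01\x00"
             + WPA_OUI + b"\x02\x01\x00" + WPA_OUI + b"\x02\x01\x00" + WPA_OUI + b"\x02"),
}

def survey():
    """Classify every constructed sample, as the Week 4 lab does for live captures."""
    return {name: classify(*frame) for name, frame in SAMPLES.items()}
```

In a real survey the capability field and tagged parameters come from each beacon's frame body (Kismet or a Wireshark export); the classifier itself does not change.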
Weekly Schedule
| Week | Topic | Laboratory |
|---|---|---|
| 1 | RF fundamentals — frequency, modulation, antennas, regulatory (FCC Part 15, 97, 95) | Build a rubber-ducky antenna; characterize with an SDR |
| 2 | 802.11 architecture — frame types, addressing, management-plane | Capture and annotate a full 802.11 association sequence |
| 3 | Wireless reconnaissance — site survey, Kismet, Wireshark 802.11 dissectors | Full site survey of a Virtus lab space |
| 4 | 802.11 security protocols — WEP, WPA-PSK, WPA2, WPA3-SAE, 802.1X | Identify security mode of every network observed in Week 3 |
| 5 | WPA/WPA2 handshake capture and offline cracking — preconditions, hashcat, wordlist engineering | Crack an instructor-provided handshake |
| 6 | Midterm practical — scoped wireless assessment of a lab network | Proctored exam |
| 7 | Rogue APs, evil twins, karma attacks — detection and test methodology | Build a karma detector; test against instructor-run rogue AP |
| 8 | Bluetooth and BLE — pairing modes, services, GATT, advertising | Enumerate and characterize lab BLE devices |
| 9 | Sub-GHz surveys — RTL-SDR receive, HackRF TX; protocol recognition | Capture, classify, document three sub-GHz protocols |
| 10 | Engagement topics — RF coverage maps, interference testing, spectrum hygiene | Client-style RF survey with mapped results |
| 11 | Report writing and client communication | Finalize and present engagement report |
Capstone — Simulated Wireless Engagement
A five-day simulated wireless engagement against a Virtus-owned lab space. Deliverables:
- Wireless engagement report — site map, network inventory, per-network findings, Bluetooth findings, sub-GHz findings, remediation.
- Executive briefing — 15-minute presentation to faculty in client-technical-lead role, plus Q&A.
Required Hardware
| Item | Purpose | Cost |
|---|---|---|
| Alfa AWUS036ACH USB Wi-Fi NIC (monitor-mode, 802.11ac) | 802.11 capture and injection | ~$50 |
| RTL-SDR Blog V4 | Sub-GHz receive | ~$40 |
| nRF52840 dongle (Nordic) | Bluetooth / BLE investigation | ~$15 |
| Directional Wi-Fi antenna (2.4/5 GHz panel or yagi) | Site survey | ~$35 |
Per-student kit cost beyond the baseline RE-101 workstation: roughly $140. HackRF One is program-supplied for Week 9.
Legal and Ethical Framework
Wireless work has sharper legal edges than IP-network pen testing because RF emissions propagate past property boundaries by default. The course explicitly addresses FCC regulation, CFAA and state equivalents, engagement boundaries, and directional-survey ethics. Students sign the AUP, maintain per-session authorization logs, and perform all transmit activity on lab-owned, RF-shielded equipment where practical.
Certification Alignment
Related certifications: OffSec OSWP, SANS GAWN
Primary: OffSec OSWP (PEN-210) — VCA-WIR-101 covers more than OSWP requires (BLE, sub-GHz, site-survey methodology, report register). Students who complete VCA-WIR-101 are prepared to sit OSWP.
Honestly stated: OSWP is not as widely recognized by employers as OSCP or CompTIA PenTest+, and its material skews historical (WEP-era). Virtus teaches WPA/WPA2 as primary content because that is what exists in the field.
Interested in VCA-WIR-101?
Email academy@virtuscybersecurity.com with your register and why.