- Domains: Wi-Fi (2.4/5/6 GHz), BLE, RFID/NFC, Sub-GHz ISM, IR, SDR (1 MHz–6 GHz)
- Isolation: Faraday box + 10/20/30 dB inline attenuators; dedicated SSIDs & clients
- Hosts: Analysis laptop + Raspberry Pi node (Kismet / pcaps / metrics)
- Ops: systemd services, logrotate, nightly exports to NAS, tamper-proof time (NTP)
- Last updated: 2025-08-29
My Lab
Advanced, isolated RF & hardware lab for research and blue-team validation. Everything below runs on my own equipment or within explicit written authorization, with RF containment and careful logging. See Ethics.
Topology
Two VLANs: VLAN 10 for control/capture, VLAN 20 for the RF test zone. A trunked switch separates traffic; RF is contained with pads/box.
Bill of Materials
- Wi-Fi: WiFi Pineapple Pager (tri-band), Wi-Fi 6E test AP, 2× USB adapters (one monitor/injection-capable + one 6E-capable), omni + directional antennas, 10/20/30 dB attenuators
- SDR: HackRF One + PortaPack H4M, wideband antennas, SMA pigtails, band-pass filters, dummy loads
- BLE/RFID/NFC: Flipper Zero (+ IR), Proxmark3 RDV, HF/LF tag kit, BLE beacons
- Sub-GHz: rtl_433 stack, URH, assortment of ISM remotes/sensors (lab-only)
- IR: IR receiver/emitter pair; remote collection
- HW Hacking: Logic analyzer (Saleae/FX2), CH341A + SOIC clip, ST-Link/J-Link, Bus Pirate, JTAGulator
- Infra: Raspberry Pi 4/5 (Kismet/tcpdump/exporters), managed switch (802.1Q), NAS, NTP time source, ESD mat
VLAN & IP Plan
# VLANs
vlans:
  - id: 10
    name: "control"
    subnet: "10.10.10.0/24"
    dhcp: "10.10.10.100-200"
  - id: 20
    name: "rf-lab"
    subnet: "10.10.20.0/24"
    dhcp: "10.10.20.100-200"

# Host addressing
hosts:
  pi: 10.10.10.20
  laptop: dhcp
  pineapple: 10.10.20.10
  ap: 10.10.20.11
  nas: 10.10.10.30
  ntp: 10.10.10.40
Radio Profiles
# Wi-Fi lab SSIDs
wifi:
  ssids:
    - name: "Lab-24"
      band: "2.4 GHz"
      channel: 6
      width: 20
      auth: "WPA2-PSK"
      pmf: "optional"
    - name: "Lab-5G"
      band: "5 GHz"
      channel: 44
      width: 40
      auth: "WPA2-PSK"
      pmf: "required"
    - name: "Lab-6E"
      band: "6 GHz"
      channel: 37
      width: 80
      auth: "WPA3-SAE"
      pmf: "required"

# BLE beacons
ble:
  beacons:
    - type: "iBeacon"
      uuid: "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
      major: 100
      minor: 1
      interval_ms: 500
      tx_power_dBm: -12
    - type: "Eddystone-URL"
      url: "https://hackerplayground.com"
      interval_ms: 700
      tx_power_dBm: -16

# Lab RFID/NFC tags
rfid:
  hf:
    - type: "NTAG213"  # lab tag
      uid: "04:11:22:33:44:55:66"
  lf:
    - type: "T5577"  # configurable test tag

# Sub-GHz samples
subghz:
  sensors:
    - type: "433 MHz weather"
      capture: "Sun 10:00-10:15"
      note: "rtl_433 decode validation"

# IR samples
ir:
  remotes:
    - protocol: "NEC"
      device: "Lab-TV"
      keys: ["POWER","VOL+","VOL-"]
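A consistency check for the VLAN/IP plan and the Wi-Fi profiles above, added here as an example (it is not part of the original lab page). The plan is transcribed into Python dicts so it runs without a YAML parser; the channel tables and the rule that 6 GHz SSIDs must be WPA3-SAE with PMF required are this example's own checks, and the `validate`, `check_hosts`, `check_ssids` and `dhcp_range` names are assumptions.

```python
"""Sanity checks for the lab VLAN/IP plan and radio profiles.

Added example, not part of the original lab page. The plan below mirrors the
page's YAML; the rules are assumptions about what a sane lab plan looks like.
"""
import ipaddress

# Lab plan transcribed from the page's YAML.
VLANS = [
    {"id": 10, "name": "control", "subnet": "10.10.10.0/24", "dhcp": "10.10.10.100-200"},
    {"id": 20, "name": "rf-lab", "subnet": "10.10.20.0/24", "dhcp": "10.10.20.100-200"},
]
HOSTS = {
    "pi": "10.10.10.20", "laptop": "dhcp", "pineapple": "10.10.20.10",
    "ap": "10.10.20.11", "nas": "10.10.10.30", "ntp": "10.10.10.40",
}
SSIDS = [
    {"name": "Lab-24", "band": "2.4 GHz", "channel": 6, "width": 20, "auth": "WPA2-PSK", "pmf": "optional"},
    {"name": "Lab-5G", "band": "5 GHz", "channel": 44, "width": 40, "auth": "WPA2-PSK", "pmf": "required"},
    {"name": "Lab-6E", "band": "6 GHz", "channel": 37, "width": 80, "auth": "WPA3-SAE", "pmf": "required"},
]

# Valid 20 MHz primary channel numbers per band. Assumption: the full set is
# allowed; narrow this to your regulatory domain's table if it is not.
CHANNELS = {
    "2.4 GHz": set(range(1, 15)),
    "5 GHz": set(range(36, 178, 4)),
    "6 GHz": set(range(1, 234, 4)),
}


def dhcp_range(spec):
    """Expand '10.10.10.100-200' into (first, last) IPv4Address objects."""
    base, last_octet = spec.rsplit("-", 1)
    first = ipaddress.ip_address(base)
    last = ipaddress.ip_address(base.rsplit(".", 1)[0] + "." + last_octet)
    return first, last


def check_hosts(vlans, hosts):
    """Each static host must sit in a declared subnet and outside that VLAN's DHCP pool."""
    problems = []
    nets = [(ipaddress.ip_network(v["subnet"]), dhcp_range(v["dhcp"]), v["name"]) for v in vlans]
    for name, addr in hosts.items():
        if addr == "dhcp":
            continue
        ip = ipaddress.ip_address(addr)
        home = [n for n in nets if ip in n[0]]
        if not home:
            problems.append(f"{name}: {addr} is in no declared VLAN subnet")
            continue
        _net, (lo, hi), vname = home[0]
        if lo <= ip <= hi:
            problems.append(f"{name}: static {addr} collides with {vname} DHCP pool")
    return problems


def check_ssids(ssids):
    """Channel must exist on the band; 6 GHz needs WPA3-SAE and WPA3 needs PMF required."""
    problems = []
    for s in ssids:
        if s["channel"] not in CHANNELS.get(s["band"], set()):
            problems.append(f"{s['name']}: channel {s['channel']} not valid on {s['band']}")
        if s["band"] == "6 GHz" and (s["auth"] != "WPA3-SAE" or s["pmf"] != "required"):
            problems.append(f"{s['name']}: 6 GHz mandates WPA3-SAE with PMF required")
        if s["auth"].startswith("WPA3") and s["pmf"] != "required":
            problems.append(f"{s['name']}: WPA3 requires PMF required")
    return problems


def validate(vlans=VLANS, hosts=HOSTS, ssids=SSIDS):
    """Return the list of problems; empty means the plan is consistent."""
    return check_hosts(vlans, hosts) + check_ssids(ssids)


if __name__ == "__main__":
    for line in validate() or ["plan OK"]:
        print(line)
```

Run it after every edit to the plan; a static address landing inside a DHCP pool or a 6 GHz SSID left on WPA2 is exactly the kind of slip that shows up later as a confusing association failure.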
Services & Automation
Passive-first. All active testing happens only against my lab SSIDs/devices, inside containment, with a ticket & timebox.
systemd: Kismet (Pi)
[Unit]
Description=Kismet server (passive recon)
After=network-online.target
Wants=network-online.target
[Service]
User=kismet
Group=kismet
ExecStart=/usr/bin/kismet -c wlanmon0 --no-ssl --log-prefix /srv/pcap/kismet/kismet
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemd: Rolling PCAP (tcpdump)
[Unit]
Description=Rolling PCAP capture (lab channels)
After=network-online.target
[Service]
User=pcap
Group=pcap
# A non-root capture user needs raw-socket rights on the monitor interface
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
# systemd expands %X specifiers in unit files, so tcpdump's strftime pattern
# must be written with %%; 900 s files x 96 kept = a 24 h rolling window
ExecStart=/usr/sbin/tcpdump -i wlanmon0 -s 0 -w /srv/pcap/wifi/%%Y-%%m-%%dT%%H:%%M:%%S_wlanmon0.pcap -G 900 -W 96
Restart=always
[Install]
WantedBy=multi-user.target
logrotate for PCAPs (daily)
# logrotate expands patterns with glob(3), where "**" is just "*" and does not
# recurse, so match the capture subdirectories (wifi/, kismet/) one level down
/srv/pcap/*/*.pcap {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress
    dateext
    dateformat -%Y%m%d
    sharedscripts
    postrotate
        # rotated files are named <capture>.pcap-YYYYMMDD.gz, so "*.pcap.gz" would never match
        /usr/bin/find /srv/pcap -type f -name "*.gz" -mtime +30 -delete
    endscript
}
Nightly export (cron)
# m h dom mon dow command
# --delete mirrors the 30-day local purge onto the NAS; drop it if the NAS is meant to hold a longer archive
15 2 * * * rsync -a --delete /srv/pcap/ nas:/archives/pcap/
20 2 * * * /usr/local/bin/kismet-export --devices-csv /srv/exports/devices_$(date +\%F).csv
Note: Adjust interfaces, paths, users, and retention to your environment. Keep captures strictly within your lab band/channel plan.
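Something to run over two consecutive nightly device exports, added here as an example (not part of the original page or of the `kismet-export` script). The column layout (`devmac,type,ssid,first_seen,last_seen`), the two sample exports and the lab inventory are constructed for this example; churn is defined as (added + gone) divided by the previous night's count, which is one way to produce the kind of churn figure noted under Notes & Findings.

```python
"""Device-inventory churn and out-of-scope device check over nightly CSV exports.

Added example, not part of the original lab page. Column names, sample rows
and the lab inventory are constructed; adapt them to your export format.
"""
import csv
import io

# Constructed sample exports: previous night and tonight.
PREV_CSV = """devmac,type,ssid,first_seen,last_seen
02:00:00:00:00:01,Wi-Fi AP,Lab-24,2025-08-01T10:00:00,2025-08-28T23:50:00
02:00:00:00:00:02,Wi-Fi AP,Lab-5G,2025-08-01T10:00:00,2025-08-28T23:50:00
02:00:00:00:00:10,Wi-Fi Client,Lab-24,2025-08-10T12:00:00,2025-08-28T22:10:00
02:00:00:00:00:11,Wi-Fi Client,Lab-5G,2025-08-12T09:00:00,2025-08-28T18:00:00
02:00:00:00:00:20,BLE,,2025-08-20T14:00:00,2025-08-28T23:00:00
"""
CURR_CSV = """devmac,type,ssid,first_seen,last_seen
02:00:00:00:00:01,Wi-Fi AP,Lab-24,2025-08-01T10:00:00,2025-08-29T23:50:00
02:00:00:00:00:02,Wi-Fi AP,Lab-5G,2025-08-01T10:00:00,2025-08-29T23:50:00
02:00:00:00:00:10,Wi-Fi Client,Lab-24,2025-08-10T12:00:00,2025-08-29T22:10:00
02:00:00:00:00:20,BLE,,2025-08-20T14:00:00,2025-08-29T23:00:00
02:00:00:00:00:30,Wi-Fi Client,Lab-6E,2025-08-29T20:00:00,2025-08-29T21:30:00
"""

# Assumed lab inventory: every radio that is supposed to exist inside containment.
LAB_MACS = {
    "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:10",
    "02:00:00:00:00:11", "02:00:00:00:00:20",
}
LAB_SSIDS = {"Lab-24", "Lab-5G", "Lab-6E"}


def load_devices(text):
    """Parse one export into {mac: row}; MACs are normalised to lower case."""
    return {row["devmac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def churn(prev, curr):
    """Added/gone MACs between two nights and churn as a percentage of the previous count."""
    added = sorted(set(curr) - set(prev))
    gone = sorted(set(prev) - set(curr))
    pct = 100.0 * (len(added) + len(gone)) / len(prev) if prev else 0.0
    return {"added": added, "gone": gone, "churn_pct": round(pct, 1)}


def unexpected(curr, lab_macs=LAB_MACS, lab_ssids=LAB_SSIDS):
    """Devices outside the inventory, or APs advertising a non-lab SSID:
    either one means something was seen that containment should have excluded."""
    findings = []
    for mac, row in curr.items():
        if mac not in lab_macs:
            findings.append(f"{mac}: not in lab inventory ({row['type']}, ssid={row['ssid'] or '-'})")
        if row["type"] == "Wi-Fi AP" and row["ssid"] not in lab_ssids:
            findings.append(f"{mac}: AP advertising non-lab SSID {row['ssid']!r}")
    return findings


if __name__ == "__main__":
    prev, curr = load_devices(PREV_CSV), load_devices(CURR_CSV)
    print(churn(prev, curr))
    for line in unexpected(curr) or ["no unexpected devices"]:
        print(line)
```

Point it at `/srv/exports/devices_<date>.csv` pairs from the nightly cron job; a churn spike or any `unexpected` line is worth a look before the capture is archived as a "keeper".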
Runbooks
Wi-Fi: Recon → Capture (lab)
- Set lab SSIDs/bands per profiles; keep Tx power minimal; attach inline attenuator if close-range.
- Start Kismet (passive) + rolling PCAP on the lab channel.
- Reconnect your test client to validate association/roaming logs. Save PCAP + metadata.
BLE: Beaconing → GATT
- Survey advertisements; broadcast lab beacons inside containment at low power.
- Map GATT on a lab device with a standard client (reads/writes/notify) and record permissions.
RFID/NFC: Catalog → Emulate (lab)
- Inventory lab tags/readers; record ATR/UIDs where applicable.
- Use Proxmark client commands to analyze tags; emulate only against your own readers.
Sub-GHz: Identify → Decode
- rtl_433 to identify known sensors; log frames and timestamps.
- Unknown signals: capture I/Q with HackRF for offline analysis (URH/GNU Radio).
Ethics: No tests on third-party networks/devices. Keep records of time, power, channels, and gear for reproducibility.
Safety, Measurement & Data Handling
- Containment: Prefer 20–40 dB attenuation or Faraday enclosure; keep antennas inside the RF zone.
- EIRP hygiene: Track antenna gain + cable loss; keep effective power well below legal limits.
- Time: NTP (optionally GPS) across Pi, laptop, Pineapple/AP to correlate logs.
- Retention: Compress & rotate PCAPs; archive “keepers” with metadata (date, band, channel, test ID).
- Red lines: No interference outside lab SSIDs/zones. No third-party tags/readers. Always documented scope.
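The EIRP bookkeeping from the containment and hygiene bullets, carried through as an added example (not code from the original page). The radio entries, loss figures and the 0 dBm per-radio ceiling are constructed lab-policy values and not a statement of any legal limit; the 10/20/30 dB pad ladder is the one in the BOM, and `eirp_dbm`, `pick_pad` and `budget` are names assumed for this example.

```python
"""EIRP budget per lab radio and smallest inline pad that meets the lab ceiling.

Added example, not part of the original lab page. EIRP = Tx power + antenna
gain - cable loss - inline pad. The ceiling and radio entries are constructed.
"""

PADS_DB = (0, 10, 20, 30)   # single inline attenuators on hand (0 = none)
CEILING_DBM = 0.0           # assumed lab policy: max EIRP inside the RF zone


def eirp_dbm(tx_dbm, antenna_gain_dbi, cable_loss_db=0.0, pad_db=0):
    """Effective isotropic radiated power in dBm."""
    return tx_dbm + antenna_gain_dbi - cable_loss_db - pad_db


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def pick_pad(tx_dbm, antenna_gain_dbi, cable_loss_db=0.0, ceiling_dbm=CEILING_DBM, pads=PADS_DB):
    """Smallest single pad that brings EIRP to or under the ceiling; None if none does."""
    for pad in sorted(pads):
        if eirp_dbm(tx_dbm, antenna_gain_dbi, cable_loss_db, pad) <= ceiling_dbm:
            return pad
    return None


def budget(radios, ceiling_dbm=CEILING_DBM):
    """Per-radio table: chosen pad, resulting EIRP and margin below the ceiling.
    A pad of None means no single pad is enough (use the Faraday box or lower Tx),
    and the row then reports the unpadded EIRP with a negative margin."""
    rows = []
    for r in radios:
        pad = pick_pad(r["tx_dbm"], r["gain_dbi"], r["cable_loss_db"], ceiling_dbm)
        e = eirp_dbm(r["tx_dbm"], r["gain_dbi"], r["cable_loss_db"], pad or 0)
        rows.append({
            "name": r["name"], "pad_db": pad,
            "eirp_dbm": round(e, 1), "eirp_mw": round(dbm_to_mw(e), 3),
            "margin_db": round(ceiling_dbm - e, 1),
        })
    return rows


# Constructed radio entries (values are illustrative, not measured figures).
RADIOS = [
    {"name": "Lab-24 AP, omni", "tx_dbm": 15, "gain_dbi": 5, "cable_loss_db": 1.0},
    {"name": "iBeacon (-12 dBm profile)", "tx_dbm": -12, "gain_dbi": 0, "cable_loss_db": 0.0},
    {"name": "5 GHz directional", "tx_dbm": 20, "gain_dbi": 14, "cable_loss_db": 1.5},
]

if __name__ == "__main__":
    for row in budget(RADIOS):
        print(row)
```

The directional entry is the edge case worth keeping in the table: at 32.5 dBm unpadded, even the 30 dB pad leaves it above a 0 dBm ceiling, so the answer is the enclosure or a lower Tx setting, not another pad. Pads in series can be modelled by adding their sums to `PADS_DB`.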
Notes & Findings
- 2025-08-29: RBAC on Pi prevents accidental root captures; Kismet device CSV exported nightly with ~1–2% churn.
- 2025-08-20: 6 GHz clients hid SSIDs until correct country code was enforced; AP + client locale must match.
- 2025-08-10: BLE pairing UX varies by OS; screenshots logged under /srv/logs/ble-ux/.
Change Log
- 2025-08-29: Added systemd services, logrotate, nightly exports; refreshed topology diagram.
- 2025-08-20: Introduced Faraday box + 20 dB inline pad for BLE beacons.
- 2025-08-01: Initial lab publish.
TODO
- Chart device inventory trends (daily CSV → small dashboard).
- Add throughput/latency baselines per band/channel width for lab clients.
- Document Proxmark test tag workflows (lab tags only).
Photo Gallery
Place photos in /assets/img/ and reference below.