If you’ve ever tried to learn WiFi attacks the traditional way, the workflow looks something like this: order a USB WiFi adapter that supports monitor mode and packet injection, fight with Linux drivers for an evening, set up a test access point you actually own, and then finally start practicing the attack you wanted to learn. WiFi-Forge skips that entire setup tax.

WiFi-Forge banner

WiFi-Forge is an open-source project from Black Hills InfoSec that gives you a safe and legal environment to practice wireless attacks. There’s no hardware to buy, no risk of touching someone else’s network, and no chance of bricking a driver. You boot a virtual lab and start hacking.

Why it exists — the WiFi-learning trap

Three things make traditional WiFi practice painful:

  1. Hardware lottery. Not every USB adapter supports monitor mode plus packet injection cleanly. The reliable ones (Alfa AWUS036, Panda PAU09, etc.) cost $30–60 each and only one works at a time.
  2. Legal grey zone. In most jurisdictions, touching any network you don’t own — even passively listening — is a crime. “Just sniffing” is not a defense.
  3. Reset overhead. Real hardware doesn’t reset with one command. You can’t git checkout your way out of a botched config.

WiFi-Forge collapses all three problems into a single sandbox running on your laptop.

What’s under the hood

WiFi-Forge is built on top of mininet-wifi, an 802.11 network emulator that creates virtual access points, stations, and “airwaves” inside Linux network namespaces. Each AP and client is a real Linux process — you can run iwconfig, airodump-ng, tcpdump, even Reaver and Hashcat against the simulated traffic, and every standard tool behaves exactly as if it were touching real radio waves.

What WiFi-Forge adds on top: pre-built lab topologies, ready-to-run attack scenarios, and a guided structure so you don’t have to design a network from scratch every time you want to practice something.

What you can practice

WiFi-Forge running

The bundled labs cover the common WiFi attack categories:

  • WPA/WPA2 handshake capture — deauth a client, capture the 4-way handshake, crack offline with hashcat or aircrack-ng
  • WPS attacks — PIN brute-force with Reaver, plus Pixie-Dust
  • Evil-twin / Karma — spin up a rogue AP that mimics a target SSID and watch clients auto-connect
  • Deauthentication floods — knock clients off legitimate APs
  • Beacon flooding — spam thousands of fake APs to confuse scanners
  • MAC randomization analysis — see how modern devices try to hide their identity (and where they leak it)
  • PMKID attacks — capture without needing a client to be connected

Each lab boots a specific topology, drops you in a shell, and gives you a small CTF-like objective.

Getting started

git clone https://github.com/blackhillsinfosec/WifiForge
cd WifiForge
sudo ./install.sh
sudo python3 wififorge.py

You’ll need Linux (Ubuntu or Debian works best), Python 3, and root privileges (mininet-wifi uses kernel features). The install script handles the rest of the dependencies — mininet-wifi, aircrack-ng, hashcat, reaver, and so on.

Who it’s for

Wireless lab work

  • OSCP / OSWP students — practice scenarios that mirror exam labs without buying hardware
  • CTF organizers — quickly stand up wireless challenges without provisioning real radios
  • Security trainers — give every student a self-contained lab that resets in seconds
  • Curious developers — finally see what a 4-way handshake actually looks like, with a debugger attached

⚠️ What WiFi-Forge won’t teach you: the physical layer — RF, antenna selection, real-world signal degradation. For that you’ll still eventually want a real card. But for the protocol layer, where 90% of practical attacks live, the simulation is indistinguishable from real traffic.

A note on legality and ethics

This is the kind of project where saying it out loud matters: only use these techniques against networks you own or have explicit written permission to test. WiFi-Forge exists because a simulated lab removes any temptation to “just try it” on the coffee shop next door. The whole point is to learn safely.