I have a Raspberry Pi 5 with an Alfa Wi-Fi USB adapter and a Flipper Zero connected, running the default Raspberry Pi OS. Let's configure this for maximum security-testing use cases so it's a portable network and IoT penetration-testing workhorse.
- Wi-Fi environment survey – Passively inventory all nearby APs/clients (channels, bands, signal strength) to understand the RF landscape before testing.
- Signal coverage mapping – Walk around with the Pi to build a heatmap of Wi-Fi coverage and identify dead zones or overly “loud” APs.
- Encryption posture review – Catalog which SSIDs use WPA2, WPA3, open, etc. to find legacy or misconfigured networks that need upgrading.
- Default SSID / config detection – Spot APs still using vendor-default SSIDs or settings that might indicate weak overall security.
- Open & guest network assessment – Identify open/guest SSIDs and test login flows, captive portals, and isolation (without harvesting real creds).
- Hidden SSID enumeration (defensive) – Discover hidden SSIDs so you can document them and ensure they’re actually needed and secured.
- Client isolation verification – Join guest networks with different devices and confirm they can’t talk to each other (no lateral movement).
- Dual-band / band-steering validation – Confirm devices are correctly being pushed to 5/6 GHz and that 2.4 GHz is limited where needed.
- Ad-hoc / Wi-Fi Direct discovery – Find peer-to-peer networks (e.g., printers, cameras, laptops) that bypass your main Wi-Fi controls.
- DHCP & IP space enumeration – Map subnets and DHCP scopes on each SSID to find shadow networks or overlapping address spaces.
- Association/auth flood resilience testing – Safely simulate high volumes of connection attempts to see how your controllers and monitoring react.
- Deauth/roaming resilience checks – Study how clients and infrastructure behave when connections drop or roam frequently (no need to abuse this).
- SSID/VLAN mapping validation – Confirm each SSID lands on the correct VLAN and that VLAN ACLs align with your security model.
- East–west segmentation checks – From Wi-Fi, validate which subnets and services are reachable vs. blocked, and tune segmentation policies.
- Egress policy testing from Wi-Fi – Verify firewall egress rules from wireless networks: which ports/protocols can actually leave.
- Rate limiting & IDS/IPS tuning – Generate controlled suspicious patterns (e.g., port scans, weird DNS) to test detection and alert quality.
- Passive packet capture of authorized networks – Capture traffic (especially management/control frames) for troubleshooting and config review.
- Cleartext protocol discovery – Identify HTTP, FTP, Telnet, and other insecure protocols still in use by clients or IoT gear.
- IoT device behavior profiling – Observe which cloud endpoints IoT devices call, how often, and over what protocols.
- DNS traffic analysis – Look for suspicious domains, DNS tunneling patterns, or devices using hardcoded external resolvers.
- mDNS/SSDP/UPnP inventory – See which devices loudly advertise themselves and whether they leak model, firmware, or serial info.
- Broadcast & multicast chatter analysis – Identify overly chatty devices that harm performance or leak unnecessary information.
- QoS & bandwidth usage insights – Measure which devices/flows hog wireless bandwidth and whether QoS is working as intended.
- BLE device discovery & inventory – Use Pi + Flipper to scan BLE beacons and advertisements from wearables, trackers, smart home gear, etc.
- BLE metadata privacy review – Inspect BLE advertising data for device names, IDs, or other PII leaking in the clear.
- Pairing policy assessment – Test how easy it is to pair to speakers, locks, and peripherals and whether they enforce confirmation or PINs.
- Rogue beacon/tracker detection – Watch for unknown BLE beacons (e.g., trackers) that shouldn’t be in your environment.
- BLE range & signal profiling – Measure effective BLE range for sensitive devices (door locks, badges) and adjust placement/security.
- Sub-GHz device inventory – Identify 300–900 MHz devices such as remote switches, gates, sensors, and alarms in your own lab/property.
- Fixed vs. rolling-code evaluation (defensive) – Test which of your remotes still use weak fixed codes vs. more robust rolling schemes.
- Garage door & gate system review – Verify whether your own access systems rely on outdated RF protocols that need upgrading.
- IR remote mapping – Capture IR codes for TVs, projectors, AC units in your lab to understand what’s controllable and centralize control.
- NFC tag inventory – Scan NFC tags/cards for plain-text secrets, default keys, or weak access control settings.
- Badge/credential robustness checks (authorized only) – Evaluate test badges/cards to see how easily they could be cloned or emulated.
- Smart lock radio surface review – Map the wireless interfaces (BLE, Wi-Fi, NFC) exposed by smart locks and confirm their auth flows.
- Internal web app reconnaissance – From Wi-Fi, enumerate internal web portals, management interfaces, and dashboards.
- Lightweight web vulnerability scanning – Run authorized scanners against internal sites to discover outdated software or obvious misconfigs.
- IoT admin interface review – Connect to printers, cameras, NAS boxes, etc., and review their web admin panels for default creds/settings.
- API endpoint mapping – Identify REST/JSON endpoints used by IoT or internal apps and build a map for later in-depth pentesting.
- TLS/certificate hygiene checks – Scan for self-signed or expired certs, weak ciphers, and inconsistent hostname validation.
- Mobile app traffic inspection (lab only) – Put the Pi in the path (e.g., as Wi-Fi AP + proxy) to inspect how your own apps talk to backends.
- “One-button” wireless audit script – Automate your standard recon/telemetry tasks into a single command that generates one detailed but easy-to-read, human-readable report covering every wireless protocol the kit can see: Wi-Fi, Bluetooth/BLE, and all other protocols possible.
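The Wi-Fi survey, encryption-posture, default-SSID and hidden-SSID items above, folded into the report step a one-button audit script needs, as an added example that is not part of the original list: it parses a constructed `iw dev wlan0 scan` capture (the wlan0 interface name and the vendor-prefix list are assumptions) and flags legacy encryption, hidden SSIDs and vendor-default SSIDs per BSS.

```python
import re
# Constructed sample of `iw dev wlan0 scan` output (not a real capture); wlan0 is assumed.
SAMPLE_SCAN = "\n".join([
    "BSS aa:bb:cc:00:00:01(on wlan0)\n\tfreq: 2437\n\tcapability: ESS (0x0401)\n\tSSID: NETGEAR58",
    "BSS aa:bb:cc:00:00:02(on wlan0)\n\tfreq: 5180\n\tcapability: ESS Privacy (0x0411)"
    "\n\tSSID: corp-secure\n\tRSN:\t * Authentication suites: SAE",
    "BSS aa:bb:cc:00:00:03(on wlan0)\n\tfreq: 5220\n\tcapability: ESS Privacy (0x0411)"
    "\n\tSSID: \n\tRSN:\t * Authentication suites: PSK",
])
DEFAULT_SSID_RE = re.compile(r"^(NETGEAR\d*|TP-?LINK_|Linksys|dlink|ASUS)", re.I)  # illustrative prefixes

def grab(block, pat):  # first regex group from one BSS block (these fields are always printed by iw)
    return re.search(pat, block, re.M).group(1).strip()

def parse_iw_scan(text):
    """One dict per BSS: bssid, ssid, band, privacy capability bit, RSN/WPA blocks and suites."""
    aps = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        aps.append({
            "bssid": block.split("(", 1)[0].strip(),
            "ssid": grab(block, r"^\s*SSID:(.*)$"),
            "band": "5GHz" if int(grab(block, r"freq: (\d+)")) > 4000 else "2.4GHz",
            "privacy": "Privacy" in grab(block, r"capability: (.*)"),
            "akm": " ".join(re.findall(r"Authentication suites: (.*)", block)),
            "rsn": bool(re.search(r"^\s*RSN:", block, re.M)),
            "wpa": bool(re.search(r"^\s*WPA:", block, re.M)),
        })
    return aps

def posture(ap):
    """Encryption posture as the survey catalogs it: WPA3 (SAE present), WPA2, WPA1, WEP or OPEN."""
    if "SAE" in ap["akm"]:
        return "WPA3"
    if ap["rsn"]:
        return "WPA2-mixed" if ap["wpa"] else "WPA2"  # mixed: WPA1 still accepted alongside
    if ap["wpa"]:
        return "WPA1"
    return "WEP" if ap["privacy"] else "OPEN"

def audit(text):
    """Yield report rows (bssid, ssid, band, posture, flags); flags are the findings to call out."""
    for ap in parse_iw_scan(text):
        mode, flags = posture(ap), []
        if mode not in ("WPA2", "WPA3"):
            flags.append("legacy encryption")
        if not ap["ssid"]:
            flags.append("hidden SSID: confirm it is needed")
        elif DEFAULT_SSID_RE.match(ap["ssid"]):
            flags.append("vendor-default SSID")
        yield (ap["bssid"], ap["ssid"] or "<hidden>", ap["band"], mode, flags)
```

On the Pi, `subprocess.run(["iw", "dev", "wlan0", "scan"], capture_output=True, text=True).stdout` (run as root) would replace the constructed sample, and the rows feed whatever report format the one-button script writes.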