GitHub - ABGEO/mezz: A self-contained wifi sandbox for inspecting your own IoT devices · GitHub
Mezz
Mezz is a self-contained wifi sandbox for inspecting your own IoT devices. The name comes from mezzanine, the half-floor between two main floors of a building. This network sits in the same place: between your devices and the rest of your home network.
Caution: Mezz is provided for educational purposes and authorized penetration testing only. Use it on networks and devices you own, or on which you have explicit written permission to test. The author accepts no responsibility for any misuse or for damage caused by use of this software.
What it does
Turns a Linux host with two NICs (one wifi, one wired uplink) into a small isolated network:
a wifi access point on its own subnet
DHCP and DNS for any client that connects (wifi or wired)
NAT out through your wired uplink
a local domain, so clients resolve as kitchen-pi.lan etc.
per-query DNS logging, so you can see exactly what your fridge is talking to
It's defensive only: made for inspecting devices you own, not for impersonating someone else's network.
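As an added example (not part of the Mezz repository), the per-query DNS logging above can be reduced to a per-client summary and checked against the domains you expect a device to use. It assumes dnsmasq's standard `log-queries` line format; the function names, addresses and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines; every address and name here is made up.
sample_log() {
    cat <<'EOF'
lan-1  | dnsmasq[1]: query[A] time.example.net from 10.99.0.23
lan-1  | dnsmasq[1]: forwarded time.example.net to 1.1.1.1
lan-1  | dnsmasq[1]: reply time.example.net is 192.0.2.10
lan-1  | dnsmasq[1]: query[AAAA] Telemetry.vendor.example from 10.99.0.23
lan-1  | dnsmasq[1]: query[A] telemetry.vendor.example from 10.99.0.23
Jan  5 10:00:01 dnsmasq[1]: query[type=65] cdn.example.org from 10.99.0.40
lan-1  | dnsmasq-dhcp[1]: DHCPACK(wlan0) 10.99.0.40 02:00:00:00:00:40 kitchen-pi
EOF
}

# Read log text on stdin; print "<client> <count> <name>", busiest names first per client.
dns_summary() {
    awk '
    {
        # The line prefix varies (syslog timestamp, compose tag), so find the
        # "query[TYPE]" token instead of trusting fixed column numbers.
        for (i = 1; i <= NF - 3; i++) {
            if ($i ~ /^query\[[A-Za-z0-9=]+\]$/ && $(i + 2) == "from") {
                seen[$(i + 3) " " tolower($(i + 1))]++
                break
            }
        }
    }
    END { for (k in seen) { split(k, p, " "); print p[1], seen[k], p[2] } }
    ' | LC_ALL=C sort -k1,1 -k2,2nr -k3,3
}

# Print summary rows whose name is neither an allowed domain nor a subdomain of one.
# Matching is done on a label boundary, so "notvendor.example" does not pass as "vendor.example".
dns_unexpected() {
    dns_summary | awk -v allow="$*" '
    BEGIN { n = split(allow, sfx, " ") }
    {
        for (j = 1; j <= n; j++) {
            s = tolower(sfx[j])
            if ($3 == s) next
            if (length($3) > length(s) && substr($3, length($3) - length(s)) == "." s) next
        }
        print
    }'
}

sample_log | dns_unexpected example.net vendor.example
```

On a running host the input would come from the lan service instead of `sample_log`, for example `docker compose logs --no-log-prefix lan | dns_summary`, assuming the container's query log goes to its standard output.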
Prerequisites
a Linux host (kernel with iptables, bridge, and nl80211; any modern distro is fine)
Docker Engine 20.10+ with the Compose v2 plugin
a wifi NIC that supports AP mode. Verify with iw list | grep -A 10 "Supported interface modes" and look for * AP. If your radio doesn't list AP mode, it can't be Mezz's access point. Realtek USB sticks are the most common offenders; see docs/realtek.md.
a wired uplink (WAN_IFACE) for NAT
(optional) a second wired NIC if you want to plug RJ45 IoT devices into the same LAN as the wifi clients
root on the host. net-init runs privileged because writing /proc/sys/net/ipv4/ip_forward needs read-write access to /proc/sys
If NetworkManager or wpa_supplicant is currently using the wifi NIC for a normal client connection, release it first or hostapd will fail to start. The exact incantations are in docs/interfaces.md.
Quick start
Grab the compose file and a starter .env from this repo, then bring it up:
mkdir mezz && cd mezz
curl -O https://raw.githubusercontent.com/ABGEO/mezz/main/docker-compose.yaml
curl -o .env https://raw.githubusercontent.com/ABGEO/mezz/main/.env.example
# Edit .env. At minimum set WAN_IFACE / WIFI_IFACE to match your host.
# See docs/interfaces.md for how to find the right values.
$EDITOR .env
docker compose up -d
To revert host network state:
docker compose run --rm net-init teardown
If something doesn't come up, start with docs/troubleshooting.md. Most issues are environmental (a daemon holding the wifi NIC, a misnamed interface, or an adapter that doesn't do AP mode).
Extending dnsmasq
Drop *.conf files into a local directory and mount it over /etc/dnsmasq.d in the lan service (see the commented volumes: block in docker-compose.yaml). Useful for static DHCP leases, custom upstream rules, etc.
Optional services
Mezz ships extra containers behind Docker Compose profiles. Pick what you want with COMPOSE_PROFILES in .env (comma-separated, e.g. mitm or mitm,tcpdump). The base set (net-init, ap, lan) always runs.

| Profile | What it adds |
| --- | --- |
| mitm | mitmproxy in transparent mode for LAN HTTP/HTTPS interception |
mitm
Set both in .env:
COMPOSE_PROFILES=mitm
MITM_ENABLED=true
COMPOSE_PROFILES=mitm brings up the mitmproxy container; MITM_ENABLED=true tells net-init to add the iptables redirect (LAN tcp/{80,443} -> mitmproxy). Without the env flag the container runs but no traffic reaches it. Web UI is on http://:${MITM_WEB_PORT} (default 8081); set MITM_WEB_PASSWORD to...