Overview
Duration: 5 days (Weeks 12-13, approximately 10 hours of structured work)
Format: Individual engagement with shared infrastructure
Deliverable: Technical report + live demonstration (10 minutes) + all lab artifacts
The capstone is a constrained wireless security engagement. Students attack a purpose-built lab wireless environment, build a working RF communication channel from scratch using GNU Radio, and analyze a rolling-code system. They then write a professional findings report in the format expected from a wireless security consultant.
This is not a CTF. Students are evaluated on methodology, discipline, and communication quality, not just whether they cracked the passphrase.
Rules of Engagement
Authorized targets:
- VCA-WIR101-CAPSTONE-AP — WPA2-PSK 802.11ac access point (instructor-configured, isolated LAN)
- VCA-WIR101-CAPSTONE-AP-WPA3 — WPA3-SAE 802.11ax access point (same isolated LAN, second SSID)
- VCA-WIR101-CAPSTONE-SDR-TGT — GNU Radio signal source broadcasting on 433.2 MHz (inside Faraday cage)
- Instructor rolling-code demo device (inside Faraday cage, instructor-operated)
Explicitly out of scope:
- Any production Wi-Fi network (campus, residential, commercial)
- Any consumer RF device (garage door openers, key fobs, tire pressure monitors, vehicle immobilizers)
- The 2.4 GHz or 5 GHz spectrum outside the lab's isolated wireless network
- Any system not listed in the authorized target list above
Students must sign the capstone authorization form before Day 1. Any out-of-scope activity results in an immediate 0 and referral to the ethics incident protocol.
Timeline
Day 1 — Reconnaissance and Wi-Fi Capture
Morning: Passive wireless reconnaissance
- Survey the lab spectrum using airodump-ng (both 2.4 and 5 GHz bands)
- Document all detected SSIDs, BSSIDs, channel assignments, encryption types, and signal strengths
- Identify the authorized capstone targets within the survey
Afternoon: Active 802.11 attack preparation
- Perform a PMKID capture attempt against VCA-WIR101-CAPSTONE-AP
- Perform a 4-way handshake capture (with deauthentication) against the same AP
- Record both captures in PCAP format; extract hashes with hcxpcapngtool
Deliverable (end of Day 1): Reconnaissance report (1-2 pages): targets discovered, encryption types, initial attack surface assessment.
Day 2 — Credential Recovery + WPA3 Analysis
Morning: Offline dictionary attack
- Run hashcat against both the PMKID hash and the 4-way handshake hash (-m 22000)
- Document attack configuration, wordlist selection rationale, estimated keyspace
- Record whether the passphrase was recovered; document the passphrase strength assessment
Afternoon: WPA3-SAE analysis
- Attempt association and traffic capture against VCA-WIR101-CAPSTONE-AP-WPA3
- Document what is and is not visible in the capture versus the WPA2 capture
- Write a comparative analysis: WPA2-PSK vs WPA3-SAE attack surface differences, citing Dragonblood CVEs where relevant
Deliverable (end of Day 2): Hash recovery report + WPA2/WPA3 comparison memo.
Day 3 — SDR Track: Sub-GHz Reception and PSK Channel Build
Morning: Sub-GHz signal reception
- Tune the RTL-SDR to 433.2 MHz; record a 30-second IQ capture of VCA-WIR101-CAPSTONE-SDR-TGT
- Load the capture in Python; demodulate the ASK/FSK signal; decode the bitstream
- Identify the transmission pattern (periodic beacon, on-demand trigger, etc.)
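The morning demodulation step, as an added worked example rather than the course's own analysis script: an ASK/OOK signal is envelope-detected (so a carrier offset from the tuned centre drops out), hard-sliced against a midpoint threshold, and the bit period is recovered from the shortest run before the stream is collapsed to bits. The IQ data is constructed in the block (not a lab recording), and the sample rate, symbol rate and function names are assumptions.

```python
import cmath
import math
import random

FS = 250_000           # sample rate in Hz (assumed; whatever the RTL-SDR capture used)
BAUD = 2_500           # symbol rate of the constructed signal (assumed)
SPS = FS // BAUD       # 100 samples per symbol


def make_ook_iq(bitstring, offset_hz=1_000.0, noise=0.05, seed=7):
    """Constructed IQ capture, not a lab recording: OOK keying of `bitstring` on a carrier
    sitting `offset_hz` away from the tuned centre, plus complex Gaussian noise."""
    rng = random.Random(seed)
    keyed = [b == "1" for b in bitstring for _ in range(SPS)]
    return [(1.0 if k else 0.0) * cmath.exp(2j * math.pi * offset_hz * n / FS)
            + complex(rng.gauss(0, noise), rng.gauss(0, noise))
            for n, k in enumerate(keyed)]


def envelope(iq):
    """Non-coherent detection: magnitude of each sample, so the carrier offset drops out."""
    return [abs(s) for s in iq]


def hard_slice(env):
    """Threshold at the midpoint between the quiet and keyed levels."""
    thr = (min(env) + max(env)) / 2
    return [1 if e > thr else 0 for e in env]


def run_lengths(values):
    """Collapse a sample stream into [value, length] runs."""
    runs = []
    for v in values:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return runs


def decode_ook(iq):
    """Envelope -> slice -> run lengths -> bits. The bit period is taken as the shortest run,
    which assumes at least one isolated 1 or 0 in the capture (a 1010 preamble guarantees it)."""
    runs = run_lengths(hard_slice(envelope(iq)))
    sps = min(length for _, length in runs)
    return "".join(str(v) * round(length / sps) for v, length in runs)
```

For a real capture, replace `make_ook_iq` with the IQ samples loaded from the recording file and check that the shortest run is a plausible symbol period before trusting the decode.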
Afternoon: PSK communication channel
Build a BPSK 3-way handshake in GNU Radio:
- SYN frame: TX sends 0x01 as BPSK-modulated signal on 433.92 MHz (inside Faraday cage)
- SYN-ACK frame: RX (second SDR or loopback) demodulates, extracts 0x01, responds with 0x03
- ACK frame: Original TX demodulates 0x03, responds with 0x02
The handshake is complete when both sides log the exchange. Students must show the GNU Radio flowgraph, the frequency-domain plot of the transmitted signal, and the decoded frame log.
Virtual path alternative: Use GNU Radio in loopback mode (no live TX): flowgraph chains BPSK Mod → Channel Model (noise) → BPSK Demod in a single file. Deliver flowgraph + screenshot of successful decode.
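The loopback path above, as an added example that is not the course's flowgraph: a numpy-free Python stand-in for BPSK Mod → Channel Model → BPSK Demod that runs the SYN (0x01) / SYN-ACK (0x03) / ACK (0x02) exchange and produces the decoded frame log. It assumes ideal coherent reception (no carrier or timing recovery, which the real flowgraph must handle); the 0xAA sync byte, samples-per-symbol value and function names are assumptions.

```python
import math
import random

SPS = 8                               # samples per symbol (assumed)
PREAMBLE = 0xAA                       # constructed sync byte prepended to every frame (assumed)
SYN, SYN_ACK, ACK = 0x01, 0x03, 0x02  # frame payloads from the capstone spec


def bits(byte):
    """MSB-first bit list of one byte."""
    return [(byte >> i) & 1 for i in range(7, -1, -1)]


def bpsk_mod(payload):
    """Frame = preamble + payload; bit 1 -> +1.0, bit 0 -> -1.0, each held for SPS samples."""
    return [1.0 if b else -1.0 for b in bits(PREAMBLE) + bits(payload) for _ in range(SPS)]


def channel(samples, snr_db, rng):
    """AWGN stand-in for the Channel Model block; snr_db is the post-integration decision SNR."""
    sigma = math.sqrt(SPS / 10 ** (snr_db / 10))
    return [s + rng.gauss(0, sigma) for s in samples]


def bpsk_demod(samples):
    """Integrate-and-dump per symbol, slice on sign, check the preamble; None on a bad frame."""
    syms = [sum(samples[i:i + SPS]) for i in range(0, len(samples), SPS)]
    decoded = [1 if s > 0 else 0 for s in syms]
    if len(decoded) != 16 or decoded[:8] != bits(PREAMBLE):
        return None
    return int("".join(map(str, decoded[8:])), 2)


def handshake(snr_db=15.0, seed=1):
    """Run SYN / SYN-ACK / ACK through the simulated channel; return (completed, frame log)."""
    rng = random.Random(seed)
    log = []

    def transmit(sender, payload):
        rx = bpsk_demod(channel(bpsk_mod(payload), snr_db, rng))
        rx_txt = "nothing" if rx is None else f"0x{rx:02X}"
        log.append(f"{sender} sent 0x{payload:02X}, peer decoded {rx_txt}")
        return rx

    if transmit("TX", SYN) != SYN:            # step 1: TX opens with SYN
        return False, log
    if transmit("RX", SYN_ACK) != SYN_ACK:    # step 2: RX answers with SYN-ACK
        return False, log
    if transmit("TX", ACK) != ACK:            # step 3: TX completes with ACK
        return False, log
    log.append("handshake complete")
    return True, log
```

Lowering `snr_db` until `handshake` starts failing is a quick way to see the margin the GNU Radio channel-model noise voltage is eating into.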
Deliverable (end of Day 3): Sub-GHz demodulation analysis + GNU Radio flowgraph + 3-way handshake decode log.
Day 4 — Rolling-Code Analysis
Morning: Rolling-code observation
- Using the RTL-SDR and URH (Universal Radio Hacker), record 5 consecutive transmissions from the instructor rolling-code demo device
- Analyze the capture: identify the fixed preamble, the rolling counter, and the fixed device identifier
- Plot the counter values; confirm each transmission increments the counter
Afternoon: Rolljam concept demonstration
Instructor demonstrates the Rolljam attack against the demo device:
- Jammer-receiver captures Code 1 while transmitting a jamming signal (Code 1 not accepted by receiver)
- Jammer-receiver forwards Code 1 while capturing Code 2 (Code 1 accepted; attacker retains Code 2)
- Code 2 is replayed later to open the "door"
Students document the attack mechanism in their report, explaining:
- Why simple replay of Code 1 fails after Code 2 has been accepted
- Why the seed-based PRNG allows an attacker who knows the seed to predict all future codes
- What the defense is (rolling-code window exhaustion detection, challenge-response protocols)
Students do NOT perform the Rolljam themselves; they observe the demonstration, capture the spectrum evidence, and write the analysis.
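The Day 4 morning analysis (locating fixed and rolling fields by diffing consecutive captures, then charting the counter) and the defense question in the Rolljam writeup, as one added example that is not the course's own tooling: the five captures are constructed bitstreams, and the frame layout, the 16-press acceptance window and all names are assumptions. The receiver class shows why a stale code is rejected once a later one has been accepted, and why a window alone cannot tell a delayed legitimate code from a held one, which is the gap challenge-response closes.

```python
# Constructed captures (NOT from the lab demo device). Assumed frame layout, bit offsets:
#   [0:16] fixed preamble | [16:40] fixed 24-bit device ID | [40:56] 16-bit rolling counter
PREAMBLE, DEVICE_ID, COUNTER = (0, 16), (16, 40), (40, 56)
CAPTURES = [
    "1010101010101010" + "110010110111001010010011" + format(c, "016b")
    for c in (0x1F40, 0x1F41, 0x1F42, 0x1F43, 0x1F44)
]


def varying_bit_spans(frames):
    """Diff captures bit-by-bit; return [start, end) spans of positions that change between them.
    Only the low counter bits move across five presses, so the field is wider than the span."""
    varies = [len({f[i] for f in frames}) > 1 for i in range(len(frames[0]))] + [False]
    spans, start = [], None
    for i, v in enumerate(varies):
        if v and start is None:
            start = i
        elif not v and start is not None:
            spans.append((start, i))
            start = None
    return spans


def parse(frame):
    """Split one frame into its fields under the assumed layout."""
    return {"preamble": frame[slice(*PREAMBLE)],
            "device_id": frame[slice(*DEVICE_ID)],
            "counter": int(frame[slice(*COUNTER)], 2)}


def counter_progression(frames):
    """Counter values in capture order, plus whether every transmission increments by exactly one."""
    values = [parse(f)["counter"] for f in frames]
    return values, all(b - a == 1 for a, b in zip(values, values[1:]))


class RollingCodeReceiver:
    """Receiver-side check: a code is valid only if its counter is ahead of the last accepted one
    by at most `window` (lost presses); anything at or below the last counter is a replay."""

    def __init__(self, device_id, last_counter, window=16):
        self.device_id, self.last, self.window = device_id, last_counter, window

    def validate(self, frame):
        f = parse(frame)
        if f["device_id"] != self.device_id:
            return "wrong-device"
        if f["counter"] <= self.last:
            return "replay"
        if f["counter"] > self.last + self.window:
            return "out-of-window"   # resync needed; a burst of these is worth logging
        self.last = f["counter"]
        return "accepted"
```

Feeding `counter_progression` the values decoded by URH from the real captures gives the numbers for the counter chart; the receiver class is only a model of the defense, not the demo device's firmware.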
Deliverable (end of Day 4): Rolling-code analysis (5 captures, counter progression chart) + Rolljam mechanism writeup.
Day 5 — Report Finalization + Demonstration
Morning: Report assembly and editing
- Consolidate all daily deliverables into the Final Findings Report (see format below)
- Peer-review swap: exchange draft reports with one other student; provide written feedback
- Incorporate feedback; finalize
Afternoon: Live demonstration (10 minutes per student)
- 5 minutes: walk instructor through the GNU Radio PSK flowgraph live (or recorded playback for virtual students)
- 5 minutes: present one finding from the wireless reconnaissance and explain the remediation
Final Findings Report Format
The report must follow this structure. Length target: 8-12 pages excluding appendices.
Cover Page
- Engagement title, date range, student name, course identifier, authorized targets list
Executive Summary (1 page)
- 3-5 bullet points summarizing the most critical findings
- Overall risk rating (Critical / High / Medium / Low)
- One paragraph explaining the business impact if this were a production environment
Scope and Rules of Engagement (0.5 page)
- Authorized targets and boundaries
- Statement of authorization
Methodology (0.5 page)
- Phases of the engagement (recon, capture, crack, analysis)
- Tools used (with versions)
Findings (3-5 pages)
Each finding follows this template:
Finding N: [Title]
Severity: Critical / High / Medium / Low / Informational
CVSS v3.1 Score: [score if applicable]
Affected Asset: [SSID / target identifier]
Description: What was found and how
Evidence: [Screenshot, capture file reference, hash, decoded bitstream]
Remediation: Specific, actionable fix — not "use strong passwords"
Verification: How to confirm the fix works
SDR Track Analysis (1-2 pages)
- Sub-GHz signal demodulation results
- PSK 3-way handshake documentation
- Rolling-code mechanism analysis
Remediation Summary Table
| Finding | Severity | Remediation | Effort |
|---|---|---|---|
| ... | ... | ... | Low / Med / High |
Appendices
- A: Tool output (hashcat run, airodump-ng CSV, hcxpcapngtool output)
- B: GNU Radio flowgraph screenshot
- C: IQ capture metadata (SigMF or manual: center freq, sample rate, capture duration)
- D: Rolling-code counter progression data
Grading Rubric
Binary Gates (pass/fail; must pass all to receive a grade)
- Authorization form signed before Day 1
- All captures from authorized targets only (verified by BSSID/frequency logs)
- All transmissions inside Faraday cage or virtual-path (no live TX outside cage)
- GNU Radio flowgraph or virtual-path equivalent submitted
- Findings report submitted
Failure of any binary gate results in a 0 for the capstone.
Scoring (100 points)
Technical Execution (40 points)
| Item | Points | Notes |
|---|---|---|
| PMKID or 4-way handshake successfully captured | 8 | Capture file submitted; correct format |
| Dictionary attack configured and documented | 5 | hashcat command, wordlist rationale, result |
| WPA3-SAE capture with comparative analysis | 7 | Must cite specific frame-level differences |
| Sub-GHz IQ demodulation and bitstream decode | 8 | Python analysis; correct bitstream or documented failure with root cause |
| PSK 3-way handshake (flowgraph + decode log) | 7 | GNU Radio flowgraph functional; SYN/SYN-ACK/ACK sequence visible |
| Rolling-code analysis with counter progression | 5 | 5 captures; counter chart; mechanism explanation |
Report Craft (30 points)
| Item | Points | Notes |
|---|---|---|
| Executive summary communicates risk to a non-technical reader | 6 | No jargon without definition; clear impact statement |
| Findings use the required template format | 6 | All fields populated; no placeholder text |
| Remediations are specific and actionable | 8 | "Rotate to WPA3-SAE" beats "upgrade security" |
| CVSS scoring applied correctly (at least 2 findings) | 5 | Score matches vector string; vector string submitted |
| Writing quality (no LLM boilerplate, clarity, precision) | 5 | Instructor discretion |
Engagement Discipline (30 points)
| Item | Points | Notes |
|---|---|---|
| Scope adherence (all captures within authorized targets) | 15 | Verified by BSSID + frequency audit of submitted captures |
| Faraday compliance (all TX inside cage or virtual path) | 10 | Instructor observation log |
| Methodology documented before execution | 5 | Day 1 recon report submitted on time |
Score Thresholds
| Score | Grade | Notes |
|---|---|---|
| 90-100 | A | Meets or exceeds industry-consultant quality |
| 80-89 | B | Competent; minor gaps in report craft or coverage |
| 70-79 | C | Functional execution; report needs significant revision |
| 60-69 | D | Major gaps in either technical or report section |
| Below 60 | F | Does not meet pilot-ready bar |
What "Pilot-Ready Bar" Means
A student at the 80-point threshold can:
- Conduct a constrained wireless engagement against a known-vulnerable AP with appropriate authorization
- Produce a findings report that a program manager or client could act on
- Explain the difference between WPA2-PSK and WPA3-SAE attack surfaces without looking it up
- Build a working BPSK communication channel in GNU Radio from a flowgraph template
- Read a sub-GHz IQ capture and identify signal structure
A student at the 90-point threshold can additionally:
- Select and justify tool choices without a recipe
- Score findings accurately with CVSS v3.1
- Identify the rolling-code mechanism from first principles and propose a credible defense
- Teach the PSK 3-way handshake to a peer without notes