Important: All labs must be conducted in isolated, controlled environments. Never run these exercises on production networks or without explicit authorization. Use dedicated lab routers and networks separate from school infrastructure. All activities are observational — students use Z.R.A.K. to detect and document, never to attack.

Lab Overview

Each lab includes equipment lists, setup instructions, student exercises, and expected outcomes or discussion points.

Objective: Students learn to detect rogue access points (evil twins) that impersonate legitimate WiFi networks.

Book Connection: Z.R.A.K.: Signal — fake hotspot detection

Equipment Required

  • 1x dedicated WiFi router (the "legitimate" AP) — any consumer router
  • 1x second WiFi router or portable hotspot (the "evil twin")
  • Android devices with Z.R.A.K. installed (1 per student or group)
  • Isolated network — not connected to school infrastructure

Setup Instructions

  1. Configure the legitimate router with SSID CafeWiFi-Lab, WPA2 security, a known password, and channel 6
  2. Connect the legitimate router to nothing (no internet uplink) — this is a closed lab network
  3. Configure the evil twin router with the same SSID CafeWiFi-Lab but weaker security (WPA, or open if the router no longer offers a WPA-only option), set it on channel 1, and leave its default MAC address (a second router already has a different BSSID, which is all the lab needs)
  4. Place routers at different locations in the classroom
  5. Power on the legitimate router first. Wait 2 minutes. Then power on the evil twin

Student Exercise

  1. Open Z.R.A.K. in RECON mode, go to the WiFi tab
  2. Observe the list of nearby networks. Note that CafeWiFi-Lab appears twice
  3. Switch to Advanced Mode. Compare the two entries: different BSSIDs (MAC addresses), different channels, different security types
  4. Open the Events tab — Z.R.A.K.'s evil twin detector should flag the duplicate SSID whose entries disagree on security type
  5. Use the signal strength readings to estimate which AP is closer. Stronger is not the same as legitimate: a rogue AP placed next to its victims is often the louder one
  6. Document findings: Which one is the rogue? What gave it away?

Expected Outcomes

  • Students identify that two APs share the same SSID but differ in BSSID, channel, and security
  • Students understand that an evil twin can look identical by name but differs in technical details
  • Z.R.A.K. automatically flags the security mismatch as a potential evil twin
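The detection logic the exercise walks through, as an added example that is not Z.R.A.K. code and makes no claim about how Z.R.A.K. implements its detector. The scan records are constructed in the shape of Android's ScanResult fields (SSID, BSSID, capabilities string, frequency in MHz, RSSI in dBm); the BSSIDs are placeholders. It also covers the case the Discussion Points raise: an enterprise SSID served by several APs with identical security is normal and must not be flagged.

```python
"""Evil twin detection over Android-style WiFi scan results (added example)."""
from collections import defaultdict

# Constructed scan: the legitimate lab AP (WPA2, channel 6), the evil twin
# (WPA, channel 1), and an unrelated SSID served by two APs with identical
# security, which a detector must NOT flag.
SCAN = [
    {"ssid": "CafeWiFi-Lab", "bssid": "02:00:00:00:00:01",
     "caps": "[WPA2-PSK-CCMP][RSN-PSK-CCMP][ESS]", "freq": 2437, "rssi": -48},
    {"ssid": "CafeWiFi-Lab", "bssid": "02:00:00:00:00:02",
     "caps": "[WPA-PSK-TKIP][ESS]", "freq": 2412, "rssi": -61},
    {"ssid": "Campus-Staff", "bssid": "02:00:00:00:01:01",
     "caps": "[WPA2-EAP-CCMP][RSN-EAP-CCMP][ESS]", "freq": 5180, "rssi": -70},
    {"ssid": "Campus-Staff", "bssid": "02:00:00:00:01:02",
     "caps": "[WPA2-EAP-CCMP][RSN-EAP-CCMP][ESS]", "freq": 5240, "rssi": -75},
]

RANK = ["OPEN", "WEP", "WPA", "OWE", "WPA2", "WPA3"]   # weakest first

def security_class(caps: str) -> str:
    """Collapse an Android capabilities string to a coarse security class.
    A mixed WPA/WPA2 AP advertises both and counts as WPA2."""
    if "SAE" in caps:
        return "WPA3"
    if "OWE" in caps:
        return "OWE"
    if "RSN" in caps or "WPA2" in caps:
        return "WPA2"
    if "WPA" in caps:
        return "WPA"
    if "WEP" in caps:
        return "WEP"
    return "OPEN"

def channel(freq_mhz: int) -> int:
    """Map a 2.4 GHz or 5 GHz centre frequency to its 802.11 channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    return (freq_mhz - 5000) // 5

def find_evil_twins(scan):
    """One finding per SSID seen from more than one BSSID.

    Several BSSIDs per SSID is normal (roaming WLANs, dual-band APs), so the
    HIGH trigger is a security-class mismatch; consistent duplicates are INFO.
    """
    by_ssid = defaultdict(list)
    for r in scan:
        by_ssid[r["ssid"]].append(r)
    findings = []
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        classes = {security_class(a["caps"]) for a in aps}
        if len(classes) > 1:
            # Heuristic: the AP with the weakest security is the likely rogue.
            suspect = min(aps, key=lambda a: RANK.index(security_class(a["caps"])))
            findings.append({
                "ssid": ssid, "severity": "HIGH",
                "reason": "security mismatch " + "/".join(sorted(classes)),
                "suspect_bssid": suspect["bssid"],
                "suspect_channel": channel(suspect["freq"]),
            })
        else:
            findings.append({"ssid": ssid, "severity": "INFO",
                             "reason": f"{len(aps)} BSSIDs, consistent security"})
    return findings

if __name__ == "__main__":
    for f in find_evil_twins(SCAN):
        print(f)
```

Running it reports CafeWiFi-Lab as HIGH with the channel-1 WPA BSSID as the suspect and Campus-Staff as INFO only. Note what the heuristic cannot do: an attacker who clones the SSID, the security type and the channel defeats it, which is the first Discussion Point.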

Discussion Points

  • How would a real attacker make the evil twin harder to detect?
  • Why does signal strength matter in identifying rogue APs?
  • What should you do if you find an evil twin in a real cafe?

Objective: Students learn the concept of a network baseline and how to detect drift — new, missing, or changed devices that may indicate a security event.

Book Connection: Z.R.A.K.: Baseline — distinguishing normal from abnormal

Equipment Required

  • 1x WiFi router (the lab network)
  • 3-5 devices to connect as "known" devices (laptops, phones, tablets)
  • 1-2 "rogue" devices to introduce later
  • Android devices with Z.R.A.K. installed

Setup Instructions

  1. Set up the lab router with SSID LabNet-Baseline and WPA2 security
  2. Connect the 3-5 "known" devices to the network
  3. Keep the "rogue" devices powered off or disconnected

Student Exercise — Phase 1: Capture Baseline

  1. Connect to LabNet-Baseline with Z.R.A.K.
  2. Enable SOC mode and let it run for 5 minutes to establish a baseline
  3. Go to the Inventory tab and review the captured baseline. Note the number of devices, their MAC addresses, and signal strengths
  4. Document the "known good" state

Student Exercise — Phase 2: Detect Drift

  1. The teacher connects 1-2 "rogue" devices to the network
  2. Students observe the SOC Inventory tab for drift detection
  3. Check for new devices appearing in the scan that weren't in the baseline
  4. Review the Jaccard similarity index, the ratio of devices present in both scans to devices present in either scan. 1.0 means the current inventory matches the baseline exactly, so new or missing devices pull it below 1.0
  5. Check Events/Operations for any generated incidents
  6. Document: What changed? How did Z.R.A.K. detect it?
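The drift computation behind Phase 2, as an added example. This is not Z.R.A.K. code and Z.R.A.K.'s exact index is not documented here; the inventories are constructed with placeholder MACs. The similarity is taken over MAC addresses only, so a DHCP renewal does not count as drift, and new and missing devices are listed separately so an intruder can be told apart from a laptop that went to sleep.

```python
"""Baseline drift via Jaccard similarity over device sets (added example)."""

def jaccard(a: set, b: set) -> float:
    """|A ∩ B| / |A ∪ B|: 1.0 for identical sets, 0.0 for disjoint ones.
    Two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def drift_report(baseline: dict, current: dict, threshold: float = 0.8) -> dict:
    """baseline/current map MAC -> IP. Similarity is over MACs; IP changes are
    reported but do not lower the index."""
    base, cur = set(baseline), set(current)
    sim = jaccard(base, cur)
    return {
        "similarity": round(sim, 3),
        "new": sorted(cur - base),
        "missing": sorted(base - cur),
        "ip_changed": sorted(m for m in base & cur if baseline[m] != current[m]),
        "alert": sim < threshold,   # threshold is an assumed tuning value
    }

# Constructed inventories: four known devices in the baseline; then two rogues
# join, one known device drops off, and one phone renews its DHCP lease.
BASELINE = {
    "02:00:00:00:00:01": "192.168.10.21",
    "02:00:00:00:00:02": "192.168.10.22",
    "02:00:00:00:00:03": "192.168.10.23",
    "02:00:00:00:00:04": "192.168.10.24",
}
CURRENT = {
    "02:00:00:00:00:01": "192.168.10.21",
    "02:00:00:00:00:02": "192.168.10.35",   # DHCP renewal, not drift
    "02:00:00:00:00:03": "192.168.10.23",
    "02:00:00:00:00:a1": "192.168.10.40",   # rogue 1
    "02:00:00:00:00:a2": "192.168.10.41",   # rogue 2
}

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```

Here three MACs are shared out of six seen in total, so the index falls to 0.5. One source of legitimate drift worth raising in the discussion: Android 10+ and iOS 14+ randomize the client MAC per network, so a phone that forgets and rejoins the SSID can appear as a brand-new device.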

Discussion Points

  • Why is establishing a baseline important for security?
  • What kind of real-world events cause legitimate drift vs. suspicious drift?
  • How does the Jaccard similarity index work?

Objective: Students learn how ARP tables work and why gateway MAC changes can indicate man-in-the-middle attacks.

Equipment Required

  • 1x WiFi router (lab network)
  • Multiple devices connected to the network
  • Android devices with Z.R.A.K. (rooted Pixel recommended: since Android 10, unprivileged apps cannot read /proc/net/arp, so full ARP visibility needs root)
  • A second router or device that can act as a "rogue gateway" (same subnet, different MAC)

Setup Instructions

  1. Configure the lab router on subnet 192.168.10.0/24 with gateway 192.168.10.1
  2. Connect several devices to establish an ARP table
  3. Prepare a second router or device configured with the same gateway IP but a different MAC address (powered off initially)

Student Exercise

  1. Open Z.R.A.K. in RECON mode, use the Overview tab to see the current gateway information
  2. Use the Tools tab to run the Subnet Mapper tool — document all devices and their MAC addresses
  3. Note the current gateway MAC address
  4. Teacher powers on the "rogue gateway". Two devices now claim 192.168.10.1, and clients that re-resolve the gateway learn the rogue's MAC, which simulates a gateway MAC change
  5. Observe Z.R.A.K.'s Events tab for the gateway MAC change alert
  6. In SOC mode, check the Environment feed for the "Gateway MAC changed" notification

Expected Outcomes

  • Students understand that the gateway MAC address should remain constant on a stable network
  • A MAC change triggers an automatic alert in Z.R.A.K.
  • Students learn that this is one of the primary indicators of ARP spoofing or man-in-the-middle attacks (legitimate causes exist too, see the discussion below)
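The check behind the "Gateway MAC changed" alert, as an added example (not Z.R.A.K. code). The two snapshots are constructed in the column layout of /proc/net/arp on Linux and Android, with placeholder MACs. Beyond a plain before/after comparison, it looks for the fingerprint that distinguishes spoofing from a router swap: the gateway's new MAC was already bound to another IP on the LAN in the earlier snapshot, meaning an existing host has started answering for the gateway's address.

```python
"""Gateway MAC change detection from /proc/net/arp snapshots (added example)."""

def parse_arp(text: str) -> dict:
    """Return {ip: mac} for complete entries, skipping the header line and
    incomplete entries (flags 0x0 / HW address 00:00:00:00:00:00)."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, flags, mac = parts[0], parts[2], parts[3]
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac.lower()
    return table

def check_gateway(prev: dict, cur: dict, gateway_ip: str):
    """None when the gateway MAC is unchanged, otherwise an event dict.
    Severity is HIGH when the new MAC belonged to another LAN host before
    (classic ARP spoofing), MEDIUM when it is simply new (possible router
    replacement or failover)."""
    old, new = prev.get(gateway_ip), cur.get(gateway_ip)
    if old is None or new is None or old == new:
        return None
    other_ips = [ip for ip, mac in prev.items() if mac == new and ip != gateway_ip]
    return {
        "event": "GATEWAY_MAC_CHANGED",
        "gateway": gateway_ip, "old_mac": old, "new_mac": new,
        "severity": "HIGH" if other_ips else "MEDIUM",
        "note": (f"new MAC previously seen on {other_ips}" if other_ips
                 else "new MAC not previously seen; could be a router replacement"),
    }

# Constructed snapshots in /proc/net/arp layout; 02:... MACs are placeholders.
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.1     0x1         0x2         02:00:00:00:00:01     *        wlan0
192.168.10.21    0x1         0x2         02:00:00:00:00:21     *        wlan0
192.168.10.99    0x1         0x2         02:00:00:00:00:99     *        wlan0
192.168.10.50    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.1     0x1         0x2         02:00:00:00:00:99     *        wlan0
192.168.10.21    0x1         0x2         02:00:00:00:00:21     *        wlan0
192.168.10.99    0x1         0x2         02:00:00:00:00:99     *        wlan0
"""

if __name__ == "__main__":
    print(check_gateway(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER), "192.168.10.1"))
```

In the constructed data the host at 192.168.10.99 takes over the gateway's MAC binding, so the event is HIGH. A real rogue gateway that has never been seen before (as in this lab's setup, where the second router is powered on fresh) produces the MEDIUM variant.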

Discussion Points

  • What is ARP and why does it lack authentication?
  • How could an attacker use ARP spoofing to intercept traffic?
  • What are legitimate reasons a gateway MAC might change?

Objective: Students learn about the Bluetooth devices broadcasting around them and how to detect potential tracker devices.

Book Connection: Z.R.A.K.: Pattern — device tracking and rogue device identification

Equipment Required

  • Android devices with Z.R.A.K. installed
  • Various Bluetooth devices for students to discover (headphones, speakers, fitness trackers, keyboards)
  • Optional: a BLE beacon or tag (to demonstrate tracker-like behavior)

Setup Instructions

  1. Scatter Bluetooth devices around the classroom — some visible (discoverable), some in use
  2. If available, place a BLE beacon in a hidden location
  3. Ensure Z.R.A.K. has Bluetooth permissions on all student devices

Student Exercise

  1. Open Z.R.A.K. RECON mode, Bluetooth tab
  2. Scan and catalog all discovered Bluetooth devices
  3. Switch to Advanced Mode to see MAC addresses, device classes, manufacturer IDs, and risk scores
  4. Identify which devices use random (rotating) MAC addresses vs. static MACs
  5. Walk around the room. A stationary device's RSSI rises and falls as your distance to it changes; a device whose RSSI stays nearly constant while you move is moving with you, which is tracker-like behavior
  6. If a BLE beacon is hidden: can students locate it using signal strength as a guide?
  7. Document all findings with device types, estimated distances, and risk assessments
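The three analyses in steps 3 to 5, as an added example (not Z.R.A.K. code; how Z.R.A.K. computes its risk score is not documented here). The address rules follow the Bluetooth Core Specification (Vol 6, Part B, 1.3): the advertising header's TxAdd bit says whether the address is public or random, and for random addresses the two most significant bits of the first byte give the sub-type. The example assumes the scanner exposes that flag, which Android only does in recent API levels. The RSSI samples are constructed; the -59 dBm reference at 1 m and the path-loss exponent are assumptions.

```python
"""BLE address classification, distance estimate and RSSI stability (added example)."""
import statistics

def ble_address_type(addr: str, random_flag: bool) -> str:
    """random_flag is the TxAdd bit from the advertising PDU (assumed available)."""
    if not random_flag:
        return "public"                      # IEEE-assigned, stable, OUI lookup works
    top = int(addr.split(":")[0], 16) >> 6   # two most significant bits
    return {0b11: "static-random",           # fixed until power cycle
            0b01: "resolvable-private",      # rotates (typically ~15 min): phones, trackers
            0b00: "non-resolvable-private"}.get(top, "reserved")

def estimate_distance_m(rssi: int, tx_power: int = -59, n: float = 2.0) -> float:
    """Log-distance path-loss model. tx_power is the RSSI expected at 1 m (use the
    TX Power AD field if the device advertises it; -59 dBm is an assumed default).
    n=2 is free space; indoors n is 2.5 to 4, so treat the result as rough."""
    return round(10 ** ((tx_power - rssi) / (10 * n)), 1)

def rssi_stability(samples, max_stdev: float = 3.0) -> dict:
    """Samples taken while the observer walks. Near-constant RSSI means the
    device moves with the observer; a stationary device's RSSI swings."""
    sd = statistics.pstdev(samples)
    return {"stdev": round(sd, 2), "tracker_like": sd <= max_stdev}

# Constructed walk: five readings per device from different spots in the room.
SAMPLES = {
    "tag-in-bag":   {"addr": "5a:e3:10:00:00:01", "random": True,
                     "rssi": [-62, -61, -63, -62, -61]},
    "speaker-desk": {"addr": "02:1a:7d:00:00:02", "random": False,
                     "rssi": [-50, -58, -71, -80, -66]},
}

def assess(samples=SAMPLES) -> dict:
    out = {}
    for name, d in samples.items():
        out[name] = {
            "type": ble_address_type(d["addr"], d["random"]),
            "nearest_m": estimate_distance_m(max(d["rssi"])),
            **rssi_stability(d["rssi"]),
        }
    return out

if __name__ == "__main__":
    for name, result in assess().items():
        print(name, result)
```

The tag uses a resolvable private address (first byte 0x5a, top bits 01) and holds within about 1 dB while the observer moves, so it is flagged tracker-like; the desk speaker swings by 30 dB and is not. Because a resolvable private address rotates, a tracker cannot be followed by MAC alone across rotations, which is exactly why the RSSI pattern matters.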

Discussion Points

  • How many Bluetooth devices are broadcasting around us at any given time?
  • What is the difference between BLE and Bluetooth Classic?
  • Why do some devices rotate their MAC addresses?
  • How could someone use a BLE tracker maliciously?

Objective: Students learn to enumerate all devices on a local network and build a complete inventory with OS fingerprinting and service discovery.

Book Connection: Z.R.A.K.: Source — infrastructure audit, unknown device discovery

Equipment Required

  • 1x WiFi router (isolated lab network; an internet uplink is optional and only needed if you combine this with the DNS exercises)
  • 5-10 devices of various types connected to the network (laptops, phones, Raspberry Pi, smart speakers, IoT devices)
  • Android devices with Z.R.A.K. installed

Setup Instructions

  1. Configure router with SSID LabNet-Discovery
  2. Connect a variety of devices — the more diverse, the better
  3. If possible, run a simple web server on one device (e.g., Python http.server) and an SSH server on another

Student Exercise

  1. Connect to LabNet-Discovery with Z.R.A.K.
  2. Use the Overview tab to see the network summary
  3. Open the Tools tab and run:
    • Subnet Mapper — discover all IPs and MACs on the network
    • Port Scanner — scan discovered devices for open ports
    • Service Discovery — find services via mDNS and SSDP
  4. Switch to Advanced Mode to see OS fingerprints (TTL-based, so only a coarse guess), vendor identification (from the MAC OUI; randomized MACs show no vendor), and service banners
  5. Build a complete network inventory: IP, MAC, vendor, OS guess, open ports, running services
  6. Identify any "unknown" devices that shouldn't be on the network
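The two Advanced Mode lookups in step 4, as an added example (not Z.R.A.K. code). The OUI table is a three-entry excerpt with prefixes as listed in the IEEE registry at the time of writing; for real use load the full IEEE MA-L file and re-check the entries. The host list is constructed. The example also handles the case the lab will hit with modern phones: a MAC with the locally-administered bit set is randomized, and no OUI lookup applies.

```python
"""Vendor from MAC OUI and OS guess from TTL (added example)."""

OUI = {                        # first 3 bytes -> vendor (excerpt, verify before use)
    "B8:27:EB": "Raspberry Pi Foundation",
    "DC:A6:32": "Raspberry Pi Trading",
    "00:50:56": "VMware",
}

# Default initial TTLs of common stacks. Each router hop decrements by one,
# so an observed value is rounded UP to the nearest default.
INITIAL_TTL = {64: "Linux/Android/macOS/iOS", 128: "Windows", 255: "Network gear/Solaris"}

def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vendor(mac: str) -> str:
    m = normalize_mac(mac)
    if int(m[:2], 16) & 0x02:
        # Locally administered bit: per-network MAC randomization (Android 10+,
        # iOS 14+), VMs or containers. The OUI carries no vendor meaning.
        return "randomized/locally-administered"
    return OUI.get(m[:8], "unknown")

def os_guess(observed_ttl: int, hops: int = 0) -> str:
    """Add back known hops (e.g. from traceroute), then round up to a default.
    A weak signal: the initial TTL is one sysctl away from being changed."""
    ttl = observed_ttl + hops
    for initial in sorted(INITIAL_TTL):
        if ttl <= initial:
            return INITIAL_TTL[initial]
    return "unknown"

def inventory(hosts):
    """hosts: dicts with ip, mac and the TTL seen in the host's replies."""
    return [{"ip": h["ip"], "mac": normalize_mac(h["mac"]),
             "vendor": vendor(h["mac"]), "os": os_guess(h["ttl"])} for h in hosts]

# Constructed lab hosts: a Raspberry Pi, a VMware guest, and a phone with a
# randomized MAC (TTL 63 because one hop was crossed).
HOSTS = [
    {"ip": "192.168.10.10", "mac": "b8-27-eb-12-34-56", "ttl": 64},
    {"ip": "192.168.10.11", "mac": "00:50:56:ab:cd:ef", "ttl": 128},
    {"ip": "192.168.10.12", "mac": "da:a1:19:00:00:01", "ttl": 63},
]

if __name__ == "__main__":
    for row in inventory(HOSTS):
        print(row)
```

For the last host the OUI lookup is correctly refused rather than returning a wrong vendor, and the TTL of 63 still rounds to the 64 family. Combine these with the open ports and mDNS/SSDP names from step 3 before deciding a device is "unknown".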

Discussion Points

  • How can MAC addresses reveal the device manufacturer?
  • Why is a network inventory important for security?
  • What risks do open ports and running services introduce?
  • How would you handle finding an unknown device on a corporate network?

Objective: Students learn how DNS resolution works, how it can be spoofed, and how TLS certificates establish trust.

Equipment Required

  • 1x WiFi router with internet connectivity
  • Optional: a device running a local DNS server (e.g., dnsmasq on a Raspberry Pi) to demonstrate DNS manipulation
  • Android devices with Z.R.A.K. installed

Setup Instructions

  1. Configure the lab router with SSID LabNet-DNS
  2. For the DNS spoofing demonstration: configure dnsmasq on a Raspberry Pi to resolve a test domain to a different IP. Set the router's DHCP to distribute this Pi as the DNS server
  3. Alternatively, configure the router's DNS settings to point to the Pi
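A dnsmasq configuration for step 2, as an added example (not part of the original lab material). It assumes the Pi's WiFi interface is wlan0 and that the lab web server sits at 192.168.10.50; the spoofed name uses www.example.com, a domain reserved by IANA for exactly this kind of documentation and testing, so the trusted resolvers return a genuine answer that differs from the Pi's.

```conf
# /etc/dnsmasq.conf on the lab Raspberry Pi (added example; paths and addresses assumed)
interface=wlan0
no-resolv                                   # ignore /etc/resolv.conf, use only the server= below
server=1.1.1.1                              # upstream for every name not overridden
address=/www.example.com/192.168.10.50      # the spoof: one test name pointed at the lab web server
log-queries                                 # lets students see exactly what each client asked
```

Restart dnsmasq after editing and confirm with the router's DHCP settings that clients receive the Pi as their DNS server; the DNS Probe comparison in Part A only shows a discrepancy for the one overridden name.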

Student Exercise — Part A: DNS Analysis

  1. Connect to the lab network. Open Z.R.A.K. Tools and run the DNS Probe
  2. Z.R.A.K. compares the system-configured DNS against trusted resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8)
  3. If the lab DNS is manipulated: observe the discrepancy Z.R.A.K. detects between the local DNS response and the trusted resolver response. Not every difference is an attack: CDNs and geo-DNS return different public addresses to different resolvers, whereas a public name resolving to a 192.168.x.x address is a clear sign of tampering
  4. Document which domains resolve differently and what the tampered response points to
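How to grade a resolver discrepancy rather than treating every mismatch as spoofing, as an added example (not Z.R.A.K. code; its DNS Probe verdicts are not documented here). The observations are constructed: the "trusted" answers use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, not real addresses. RFC 1918 membership is checked explicitly because Python's ipaddress module also treats those documentation ranges as non-public, which would mislabel the constructed public answers.

```python
"""Classify local-vs-trusted DNS discrepancies (added example)."""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip, lan) -> bool:
    """RFC 1918, loopback, or the lab's own subnet."""
    return ip in lan or any(ip in net for net in PRIVATE)

def classify(domain: str, local_answers, trusted_answers,
             lan_subnet: str = "192.168.10.0/24") -> dict:
    local = {ipaddress.ip_address(a) for a in local_answers}
    trusted = {ipaddress.ip_address(a) for a in trusted_answers}
    lan = ipaddress.ip_network(lan_subnet)
    if local & trusted:
        verdict, sev = "consistent", "NONE"
    elif any(is_internal(ip, lan) for ip in local):
        # A public name pointing into the LAN: the dnsmasq/hosts-file spoof.
        verdict, sev = "spoofed-to-private", "HIGH"
    elif not local:
        verdict, sev = "nxdomain-or-blocked", "MEDIUM"   # filtering, not redirection
    else:
        verdict, sev = "disjoint-public", "LOW"          # typical of CDN / geo-DNS
    return {"domain": domain, "verdict": verdict, "severity": sev,
            "local": sorted(map(str, local)), "trusted": sorted(map(str, trusted))}

# Constructed observations: (name, answers from the network's resolver,
# union of answers from 1.1.1.1 and 8.8.8.8).
OBSERVATIONS = [
    ("www.example.com",      {"192.168.10.50"}, {"203.0.113.10"}),
    ("cdn.example.test",     {"198.51.100.7"},  {"203.0.113.20", "203.0.113.21"}),
    ("docs.example.test",    {"203.0.113.30"},  {"203.0.113.30"}),
    ("blocked.example.test", set(),             {"203.0.113.40"}),
]

def run(observations=OBSERVATIONS):
    return [classify(d, local, trusted) for d, local, trusted in observations]

if __name__ == "__main__":
    for r in run():
        print(r["severity"], r["domain"], r["verdict"], r["local"], r["trusted"])
```

Only the first name, the one the lab's dnsmasq overrides, comes back HIGH; the CDN-style disagreement is LOW and the blocked name MEDIUM, which is the distinction students should reproduce in their write-up for step 4.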

Student Exercise — Part B: TLS Validation

  1. Use Z.R.A.K.'s TLS Certificate Validator tool on discovered services
  2. Check for: certificate expiry dates, self-signed certificates, hostname mismatches (checked against the Subject Alternative Name; browsers no longer accept a match on the CN alone), weak key sizes (e.g., RSA below 2048 bits)
  3. If a local web server is running with a self-signed cert, Z.R.A.K. will flag it
  4. Document all TLS findings

Discussion Points

  • What happens when you visit a website if DNS has been spoofed?
  • How does HTTPS/TLS protect against DNS-level attacks?
  • Why should you be cautious about accepting certificate warnings?
  • What is the difference between a self-signed certificate and one issued by a trusted CA?

Objective: Students practice a full incident response workflow — from detection through documentation to structured reporting.

Book Connection: Z.R.A.K.: Trace — incident correlation, cross-case patterns

Equipment Required

  • Lab network with the evil twin and/or rogue gateway from previous labs
  • Android devices with Z.R.A.K. installed

Setup Instructions

  1. Set up the lab network with known-good devices
  2. The teacher will introduce multiple "attacks" during the exercise:
    • Evil twin AP (from Lab 1)
    • Gateway MAC change (from Lab 3)
    • New unknown devices joining the network
  3. Students do not know in advance when or what attacks will occur

Student Exercise

  1. Enable SOC mode and let it establish a baseline
  2. Monitor all SOC tabs: Environment, Command, Inventory, Live Map, Operations
  3. When events are detected:
    • Note the time, event type, and severity
    • Switch to RECON mode to investigate specific details
    • Return to SOC mode to continue monitoring for additional events
  4. After the exercise period, generate an incident report using Z.R.A.K.'s export function
  5. Export in at least two formats (Markdown + JSON or CSV)
  6. Write a summary: What happened? When? What evidence supports your conclusions?

Expected Outcomes

  • Students practice the observe-document-report workflow
  • Students understand incident severity levels and confidence scoring
  • Students produce structured, evidence-based reports
  • Students experience that real security monitoring requires patience and attention

Objective: Students learn about WiFi frequency bands, channel allocation, and how congestion affects network performance and security.

Equipment Required

  • 2-3 WiFi routers set to different channels
  • Android devices with Z.R.A.K. installed

Setup Instructions

  1. Configure Router A: channel 1 (2.4 GHz), SSID Lab-Chan1
  2. Configure Router B: channel 6 (2.4 GHz), SSID Lab-Chan6
  3. Configure Router C: channel 11 (2.4 GHz), SSID Lab-Chan11
  4. If available, also set up a 5 GHz network to show band differences

Student Exercise

  1. Open Z.R.A.K. WiFi tab and observe all visible networks
  2. Switch to Advanced Mode to see channel numbers, frequencies, and signal strengths
  3. Use the Analyzer to view WiFi channel congestion visualization
  4. Map which channels are most crowded (include networks from outside the lab)
  5. Walk around the room and observe how signal strength changes with distance
  6. Document: Which channels overlap? Which are congested? What channel would you recommend for a new network?

Discussion Points

  • Why do only channels 1, 6, and 11 not overlap in 2.4 GHz?
  • What are the advantages and disadvantages of 5 GHz vs 2.4 GHz?
  • How does channel congestion affect network security (not just performance)?
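The channel arithmetic behind the exercise and the first Discussion Point, as an added example (not Z.R.A.K. code). Channels 1 to 13 are centred at 2407 + 5*ch MHz and channel 14 (Japan only) at 2484 MHz. The classic 1/6/11 answer follows from the 22 MHz spectral mask of 802.11b DSSS: centres must be at least 22 MHz apart, so at least five channels. With 20 MHz OFDM (802.11g/n) a 1/5/9/13 plan fits the European 13-channel band, which is why the two answers both appear in the field; the example shows both. The neighbour scan is constructed.

```python
"""2.4 GHz channel geometry: centre frequency, overlap, congestion (added example)."""

WIDTH_MHZ = 22   # 802.11b DSSS mask; pass 20 for 802.11g/n OFDM

def centre_mhz(ch: int) -> int:
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not a 2.4 GHz channel: {ch}")

def overlaps(a: int, b: int, width: int = WIDTH_MHZ) -> bool:
    """True when the two channels share spectrum, i.e. centres closer than one width."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width

def non_overlapping_set(channels=range(1, 14), width: int = WIDTH_MHZ):
    """Greedy pick of mutually non-overlapping channels from the lowest up."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen

def congestion(scan, width: int = WIDTH_MHZ) -> dict:
    """scan: list of (ssid, channel). Counts every network whose signal touches
    a channel, not only those centred on it; a network on channel 3 loads
    channels 1 through 7, which is why 'nobody is on 3' does not make 3 free."""
    load = {ch: 0 for ch in range(1, 14)}
    for _ssid, ch in scan:
        for c in load:
            if overlaps(ch, c, width):
                load[c] += 1
    return load

def recommend(scan) -> int:
    """Least-loaded of the standard non-overlapping channels (ties go low)."""
    load = congestion(scan)
    return min((1, 6, 11), key=lambda c: (load[c], c))

# Constructed scan: the three lab routers plus networks from outside the lab.
NEIGHBOUR_SCAN = [
    ("Lab-Chan1", 1), ("Lab-Chan6", 6), ("Lab-Chan11", 11),
    ("Neighbour-A", 1), ("Neighbour-B", 3), ("Neighbour-C", 9),
]

if __name__ == "__main__":
    print("non-overlapping (22 MHz):", non_overlapping_set())
    print("non-overlapping (20 MHz):", non_overlapping_set(width=20))
    print("load:", congestion(NEIGHBOUR_SCAN))
    print("recommend:", recommend(NEIGHBOUR_SCAN))
```

In the constructed scan the off-plan network on channel 3 raises the load on both 1 and 6, so channel 11 is recommended even though the lab's own router already sits there.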

Objective: Students survey a physical area to map all wireless networks and devices, understanding the density and security of the wireless landscape.

Equipment Required

  • Android devices with Z.R.A.K. installed (with GPS enabled; Android also requires the location permission for WiFi and Bluetooth scan results, so grant it on every device)
  • A defined walking route (school hallway, campus perimeter, or outdoor area)

Student Exercise

  1. Open Z.R.A.K. and ensure GPS is active
  2. Walk the defined route at a steady pace
  3. Z.R.A.K. automatically geo-tags all discovered WiFi and Bluetooth devices
  4. After the walk, review the Map tab to see all discovered devices plotted geographically
  5. Analyze:
    • How many unique WiFi networks were found?
    • How many use open (no password) security?
    • Where are the highest density areas?
    • Any networks still using WEP or WPA (not WPA2/WPA3)?
  6. Use the Analyzer to generate a security posture summary

Discussion Points

  • How many wireless networks surround us that we never notice?
  • What percentage of discovered networks had strong security?
  • What risks do open or weakly-secured networks present?
  • How could this data be used responsibly by a school IT department?

Objective: Students experience the role of a Security Operations Center analyst, monitoring a network over an extended period and responding to events as they occur.

Equipment Required

  • Lab network setup from previous labs
  • Android devices with Z.R.A.K. installed
  • Teacher-controlled devices for introducing simulated events

Setup Instructions

  1. Set up the lab network with baseline devices
  2. Students enable SOC mode at the start of a class period
  3. Over 30-45 minutes, the teacher introduces various events at random intervals:
    • New device joins the network
    • Evil twin AP appears
    • Device disappears from the network
    • Gateway MAC changes briefly
    • Multiple new Bluetooth devices appear

Student Exercise

  1. Monitor the SOC Environment tab for situational awareness
  2. Watch the Command tab metrics for anomalies
  3. Check the Inventory tab for baseline drift
  4. Review the Operations tab for correlated incidents
  5. For each detected event: log the time, describe what was detected, assess severity, and note the evidence
  6. At the end, export a full incident report and compare findings with other students

Discussion Points

  • What is the difference between a security event and an incident?
  • How does event correlation reduce false positives?
  • What makes a good SOC analyst? (Patience, attention to detail, systematic documentation)
  • How do confidence levels and severity scoring help prioritize response?
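How event correlation turns a stream of events into a short list of incidents, serving both the incident-response lab and this SOC simulation, as an added example. It is not Z.R.A.K. code; Z.R.A.K.'s severity levels, confidence scoring and correlation window are not documented here, so the labels, the 300 s window and the confidence values are assumptions. The event log is constructed. An event is a single observation; an incident is a group of related events judged worth a response, and the confidence drop for a lone low-severity event is what lets a SOC ignore one new device while escalating a new device that appears alongside an evil twin and a gateway MAC change.

```python
"""Event-to-incident correlation with severity and confidence (added example)."""

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Event types that, seen together, point at one actor rather than noise.
RELATED = {
    frozenset({"EVIL_TWIN", "GATEWAY_MAC_CHANGED"}),
    frozenset({"NEW_DEVICE", "GATEWAY_MAC_CHANGED"}),
}

def correlate(events, window_s: int = 300):
    """Events within window_s of an incident's last event join that incident.
    Incident severity is the maximum of its events; confidence is 0.9 when a
    RELATED pair is present, 0.2 for a lone LOW event, 0.5 otherwise."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if incidents and ev["t"] - incidents[-1]["last"] <= window_s:
            inc = incidents[-1]
        else:
            inc = {"first": ev["t"], "last": ev["t"], "events": []}
            incidents.append(inc)
        inc["events"].append(ev)
        inc["last"] = ev["t"]
    for inc in incidents:
        types = {e["type"] for e in inc["events"]}
        inc["types"] = sorted(types)
        inc["severity"] = max((e["severity"] for e in inc["events"]), key=SEVERITY.get)
        if any(pair <= types for pair in RELATED):
            inc["confidence"] = 0.9
        elif len(inc["events"]) == 1 and inc["severity"] == "LOW":
            inc["confidence"] = 0.2      # probable false positive, do not page anyone
        else:
            inc["confidence"] = 0.5
    return incidents

# Constructed SOC event log; t is seconds since the exercise began.
EVENTS = [
    {"t": 120,  "type": "NEW_DEVICE",          "severity": "LOW"},
    {"t": 900,  "type": "EVIL_TWIN",           "severity": "HIGH"},
    {"t": 1020, "type": "GATEWAY_MAC_CHANGED", "severity": "MEDIUM"},
    {"t": 1100, "type": "NEW_DEVICE",          "severity": "LOW"},
    {"t": 2400, "type": "NEW_BLUETOOTH",       "severity": "LOW"},
]

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["first"], inc["last"], inc["severity"], inc["confidence"], inc["types"])
```

Five events collapse into three incidents: two low-confidence singletons and one HIGH incident spanning 900 to 1100 s that combines all three attack indicators. The exported report should list the incidents, not the raw events, with the events as supporting evidence.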

General Lab Tips for Teachers

  • Isolation is critical — always use a dedicated lab network completely separate from school infrastructure
  • Start with Basic Mode — let students get comfortable before switching to Advanced
  • Pair students — one operating the device, one documenting findings
  • Discuss before doing — explain the concepts before students see them in action
  • Emphasize ethics throughout — every lab should reinforce: observe, document, report — never exploit
  • Use book chapters as pre-reading — assign the relevant Z.R.A.K. book chapter before each lab
  • Budget time for discussion — the conversation after each lab is as valuable as the exercise itself
  • Export everything — have students export reports as evidence of their work