← All sample lessons

Shared lesson

Public Wi-Fi Threat & Defense Lab: Sniffing, Evil Twins, and Layered Controls

63 min · 1.3

Objective

Students will analyze public-network attack scenarios (MITM, rogue AP, evil twin) using packet-capture evidence and device settings, and will select and justify layered defenses (HTTPS, VPN, disabled auto-connect) that mitigate each specific threat — exercising AP Skill Categories 1 (Analyze Risk), 2 (Mitigate Risk), and 3 (Detect Attacks).

Hook

5 min

Open with the 2017 DEF CON 'Wall of Sheep' demonstration and the widely reported case of attackers at airports and coffee shops harvesting credentials from open Wi-Fi. Tell students: 'You are sitting in a Chicago O'Hare terminal. Your phone silently reconnects to Boingo_Free_WiFi. Within 90 seconds an attacker two gates away has your Instagram session cookie. Today's investigative question: which specific defense would have stopped that — and which would NOT have?' Push students to commit to a hypothesis out loud before the lab. Tie to AP Skill 1 (Analyze Risk): they will quantify likelihood and impact.

Direct instruction

  1. 8m

    Pre-lab briefing: the public-Wi-Fi threat model and the layered-defense stack

    Content

    On a public network the attacker's position is on-path — either sharing the same broadcast domain (open network, packet sniffing), poisoning ARP to become the default gateway (classic MITM), or standing up a rogue access point with a spoofed SSID (evil twin). The threat is not 'hackers are scary'; it is that layer-2 trust is essentially zero on any network you don't control. Defenses work in layers, and each layer covers a different failure. Disabling automatic connection prevents the device from silently associating with an evil twin — it defeats the delivery of the attack. HTTPS provides end-to-end TLS between browser and server, so even a sniffer or MITM on the LAN sees only the SNI hostname and ciphertext payload — it protects confidentiality and integrity of the application data. A VPN wraps ALL traffic (DNS, non-HTTPS apps, background telemetry) in an encrypted tunnel to a trusted gateway — it protects transport for everything, not just web. Critically, layered controls are not redundant: a compromised VPN endpoint still leaves HTTPS intact; an HTTPS-only site still leaks metadata that a VPN would hide; and neither defends the endpoint itself (malware, a phished password, a logged-in account). The worked example: on open Wi-Fi, a user loads http://example-news.com over HTTP — a sniffer sees the URL, cookies, and body. Same user loads https://example-news.com — sniffer sees the destination IP and 'example-news.com' in the TLS SNI, but not the path, cookies, or content. Same user over a VPN to https://example-news.com — the local sniffer sees only encrypted packets to the VPN gateway IP; SNI is hidden inside the tunnel.

    Delivery

    Move fast — this is a briefing, not a lecture. Emphasize the layered-defense stack visual: auto-connect off (delivery), HTTPS (application), VPN (transport), endpoint hygiene (host). Ask cold: 'If a VPN encrypts everything, why bother with HTTPS?' Expected answer: VPN only protects up to the VPN provider; from there to the server it's plaintext again unless HTTPS. Pre-empt the misconception directly: 'A password on the Wi-Fi does NOT mean your traffic is private from other users on that Wi-Fi — they have the same key.' Also pre-empt: 'The SSID is just a name. An attacker's AP can broadcast 'Starbucks WiFi' too — your phone can't tell.' Tell students the lab will make them prove each of these with packet evidence.

  2. 3m

    Lab procedure and safety walkthrough

    Content

    The lab has three stations that each student completes in order at their own workstation. Station A: analyze a provided packet capture (screenshots embedded in the handout) of HTTP vs HTTPS vs VPN-tunneled traffic and record exactly what an attacker can see at each layer. Station B: evaluate four public-network scenarios, identify the primary threat, and prescribe the minimum layered defense. Station C: on the classroom laptop, open Wi-Fi settings, document current auto-connect and 'known networks' state, and change settings to reduce evil-twin exposure — screenshot before and after. Each station has a data-recording block in the handout that must be filled in; the post-lab analysis in the last 7 minutes uses that data.

    Delivery

    Hand out the lab packet. Point at the three stations on the handout. Emphasize: do NOT attempt any packet capture on the school network or any network you do not own — Station A uses provided captures only. Set a 13-minute soft timer per station. Circulate and check that students are writing evidence, not opinions.

Activities

  1. 40m

    Public Wi-Fi Threat & Defense Lab (3 stations)Lab

    Targets AP Skill 1 (Analyze Risk), Skill 2 (Mitigate Risk), and Skill 3 (Detect Attacks). Students work individually, 13 minutes per station. Teacher circulates and checks the data-recording blocks are being filled with evidence. Full student handout follows — copy verbatim to a handout, or project the packet. Student handout: Public Wi-Fi Threat & Defense Lab Name: __________ Period: ____ Station A — Packet evidence: what can the attacker actually see? (13 min) You are given three simulated Wireshark captures taken from a laptop on an OPEN coffee-shop Wi-Fi. For each, a fellow patron is running a passive sniffer on the same SSID. - Capture A1 — user visits http://newsdaily.example over HTTP. - Sniffer sees, in cleartext: - GET /login HTTP/1.1 - Host: newsdaily.example - Cookie: session=8f2a91b4c7... - POST body: username=jsmith&password=Wildcats2025 - Capture A2 — user visits https://newsdaily.example over HTTPS (no VPN). - Sniffer sees: - TCP handshake to 93.184.216.34:443 - TLS ClientHello, SNI: newsdaily.example - Everything after: Application Data (encrypted bytes) - Capture A3 — user connects to VPN, then visits https://newsdaily.example. - Sniffer sees: - UDP 1194 traffic to 45.79.12.88 (VPN gateway) - All payloads: encrypted - No SNI, no destination hostname visible on the local link For each capture, complete the table on your handout: 1. What can the local attacker read? (URL, cookies, credentials, hostname, IP, nothing) 2. What defense is in effect at each layer? (Wi-Fi / Transport / Application) 3. If the attacker upgrades from passive sniff to active MITM with a forged TLS cert that the browser rejects, what changes for each capture? You must cite specific evidence from the capture (a field name or line) to support each answer. Targets Skill 3 (Detect Attacks) and Skill 1 (Analyze Risk). Station B — Scenario risk assessment and defense prescription (13 min) For each scenario: (a) name the PRIMARY threat using vocabulary from today, (b) rate likelihood (L/M/H) and impact (L/M/H) with one-sentence justification, (c) prescribe the MINIMUM layered defense that reduces the risk to acceptable, (d) name one defense that sounds helpful but would NOT address this specific threat and explain why. - Scenario 1: At an airport, your phone auto-connects to 'Boingo_Free_WiFi'. There are actually two APs broadcasting that SSID; the one with the stronger signal is a Raspberry Pi in a backpack. - Scenario 2: A hotel Wi-Fi requires a room-number login through a captive portal. All guests share the same WPA2 passphrase printed on the key card. - Scenario 3: You use a reputable VPN on open café Wi-Fi and log into your bank at http://mybank.example (the bank does not redirect to HTTPS). - Scenario 4: A conference network is WPA3-Enterprise with individual credentials, but you notice your laptop still has 'CONF_GUEST' saved as an open auto-connect profile from last year. Targets Skill 1 (Analyze Risk) and Skill 2 (Mitigate Risk). Station C — Endpoint configuration: harden your device (13 min) On your classroom laptop: 1. Open Wi-Fi settings → Manage known networks (Windows) or System Settings → Wi-Fi → Details (macOS) or equivalent. 2. Record the current state in the Station C table: - Number of saved networks: ____ - Number set to 'Connect automatically': ____ - Any saved OPEN (unsecured) networks? List SSIDs: ____ 3. Perform and document THREE hardening changes (screenshot or write exact setting name + new value): - a. Disable 'Connect automatically' on any open/public SSID. - b. 'Forget' any saved open network you do not use daily. - c. Turn on 'Random hardware addresses' (Windows) or 'Private Wi-Fi address' (macOS/iOS) for at least one network. 4. Write a two-sentence justification: which specific threat from today does each change mitigate, and what does it NOT protect against? This station targets Skill 2 (Mitigate Risk) directly — you are implementing a control, not describing one.

    Materials

    • Student laptop with browser and Wi-Fi settings access
    • Printed lab handout (below) — one per student
    • Optional: Wireshark installed for enrichment (not required; captures are provided as screenshots in handout)
    • Pen for annotation
    Example outputs
    • Station A1 sample: 'Attacker reads full login POST body — evidence: line shows username=jsmith&password=Wildcats2025 in cleartext. Only Wi-Fi-layer defense possible (WPA3), no transport or application encryption. Active MITM adds nothing — attacker already has everything.'
    • Station A3 sample: 'Attacker sees only encrypted UDP 1194 to 45.79.12.88. Cannot determine destination hostname or content. Defense: VPN provides transport encryption; HTTPS provides application encryption inside the tunnel. If VPN provider is compromised, HTTPS still protects the login.'
    • Station B Scenario 1 sample: 'Primary threat: evil twin (rogue AP spoofing SSID). Likelihood H (auto-connect + common SSID), Impact H (full traffic interception). Minimum defense: disable auto-connect on open SSIDs AND use VPN if connection is needed. Would NOT help: a stronger Wi-Fi password — the SSID is open and there is no password to strengthen.'
    • Station B Scenario 3 sample: 'Primary threat: plaintext credentials to bank over HTTP; VPN does not save you here because traffic is decrypted at the VPN exit and travels plaintext to the bank. Defense: refuse to log in over HTTP; require HTTPS end-to-end. VPN alone is insufficient.'
    • Station C sample: 'Removed 4 auto-connect flags on open SSIDs (evil-twin delivery blocked); forgot 'HOTEL_GUEST' (prevents silent re-association); enabled random MAC (reduces cross-network tracking). Does NOT protect: a logged-in account, phished credentials, or malware already on the device.'
    No-equipment fallback

    If laptops are unavailable, Station C becomes a paper task: students annotate a printed screenshot of a Windows 'Manage known networks' panel showing 6 saved SSIDs (three open, four with auto-connect on, one named 'Airport_Free_WiFi') and mark each change with a justification.

Formative assessment

7 min
  1. Post-lab analysis (AP-style free response, ~4 sentences). A user on open airport Wi-Fi enables a reputable VPN and then signs into their email at https://mail.example. Referencing your Station A evidence, explain (a) what a local packet sniffer can and cannot observe, and (b) two distinct residual risks that neither the VPN nor HTTPS mitigates. Targets Skill 1 (Analyze Risk).

    short answer(a) The sniffer sees only encrypted packets addressed to the VPN gateway's IP; the SNI, destination hostname, URL path, cookies, and payload are all inside the tunnel and hidden. (b) Residual risks include: (1) endpoint compromise — malware or a keylogger on the device captures credentials before encryption; (2) account-level compromise — a phished or reused password lets the attacker log in from anywhere, no MITM required; (3) the VPN provider itself sees decrypted traffic destinations; (4) a saved auto-connect profile could later associate with an evil twin. Any two are acceptable if clearly distinct from transport encryption.
  2. Scenario item (AP-style, multi-select reasoning). A hotel offers Wi-Fi where every guest uses the same WPA2 passphrase printed on the room key. Which statements are TRUE? Select all that apply. A) Traffic is safe from other guests because the Wi-Fi is password-protected. B) Another guest with the same passphrase can potentially decrypt your traffic or run a MITM. C) HTTPS still protects your web sessions from other guests. D) A VPN would encrypt your traffic between your device and the VPN gateway, past the hotel network. E) The shared passphrase authenticates the access point to you, so an evil twin is impossible. Targets Skills 1 and 2.

    multiple choiceB, C, D. A is false (shared passphrase = shared trust; other authenticated guests can sniff/MITM). E is false (WPA2-PSK does not prevent a rogue AP with the same SSID and passphrase, and it does not authenticate the AP to the client in a way the user can verify).
  3. Detection task (Skill 3). During a coffee-shop visit your laptop shows TWO networks named 'CoffeeShop_WiFi' — one with a strong signal and one weaker. Your laptop associated automatically with the stronger one. List two specific pieces of evidence you would collect to determine whether the stronger AP is an evil twin, and state what each piece of evidence would show if the AP were malicious.

    short answerAcceptable evidence includes: (1) BSSID (MAC address) of the AP — a legitimate shop AP's BSSID should match posted signage or previous visits; a new/unknown BSSID broadcasting the same SSID is suspicious. (2) Certificate warnings when visiting a known HTTPS site — an evil twin doing TLS interception would trigger cert errors. (3) Gateway IP / DNS server assigned by DHCP — unusual values suggest a rogue AP. (4) Captive portal appearance/URL differs from expected. (5) Signal strength anomalies (a portable Pi-based AP often has an inconsistent signal profile). Student must give TWO and connect each to what a malicious AP would show.

Vocabulary

open network
A Wi-Fi network with no link-layer encryption (no WPA2/WPA3); frames travel in cleartext over the air and any nearby device can capture them.
man-in-the-middle (MITM)
An attack where the adversary silently relays and can alter traffic between two parties who believe they are talking directly, e.g., via ARP spoofing on a shared LAN.
evil twin
A rogue access point that broadcasts the same SSID as a legitimate hotspot (e.g., 'Airport_Free_WiFi') to trick devices and users into associating with it.
rogue access point
Any unauthorized AP attached to or impersonating a trusted network; an evil twin is one specific type.
packet sniffing
Passive capture of network frames using tools like Wireshark or tcpdump; on an open network this exposes any unencrypted payload.
VPN
A virtual private network encrypts all traffic between the client and a VPN gateway, hiding payloads and destinations from the local network and any on-path attacker up to the gateway.
HTTPS
HTTP over TLS; provides encryption in transit, server authentication via certificates, and integrity between browser and web server — end-to-end, independent of the Wi-Fi layer.
SSID
Service Set Identifier — the human-readable Wi-Fi network name; it is not authenticated and can be spoofed by any AP.
captive portal
The HTTP(S) login/agreement page a public network forces new clients through; often runs before any encryption is negotiated and can be spoofed.
automatic connection
A device setting that re-associates to any SSID matching a previously saved profile — the vector that lets evil twins snare devices without user action.

Common misconceptions

  • 'The Wi-Fi has a password, so my traffic is private.' Wrong — WPA2-PSK with a shared passphrase means every authenticated user holds the same key; other guests can capture and, with the 4-way handshake, decrypt your traffic. Only per-user credentials (WPA2/3-Enterprise) or application-layer encryption (HTTPS, VPN) protect you from co-guests.
  • 'A VPN makes me anonymous and safe.' Wrong — a VPN protects traffic in transit to the VPN gateway. It does not protect the endpoint (malware, keyloggers), the account you log into (phished/reused password), or traffic past the VPN exit if the destination is HTTP. The VPN provider itself sees your destinations.
  • 'If the SSID is the real name, it's the real network.' Wrong — SSIDs are unauthenticated broadcast strings. Any AP can broadcast 'Starbucks WiFi' or 'Airport_Free_WiFi'; an evil twin often copies the exact SSID and offers stronger signal so devices prefer it.
  • 'HTTPS is redundant when I'm on a VPN.' Wrong — VPN and HTTPS defend different segments. VPN hides traffic from the local network up to the VPN provider; HTTPS protects end-to-end from browser to server. If either the VPN provider or an upstream hop is compromised, the other layer still holds. Layered controls are not duplicates.

Materials checklist

  • Printed lab handout (one per student) with the three-station procedure, embedded packet-capture text, and data-recording tables
  • Student laptops with Wi-Fi settings access
  • Projector for slide deck
  • Optional: Wireshark installed on lab machines for enrichment
  • Timer visible to class (13-minute station rotations)