incident-response-trainer
Mock scenarios · Rule-based grading
Attempt report

Evil twin SSID 'ACME-Corp' near the cafe — auto-connect captured employee credentials

Track · Cyber × Network Fusion · Rogue Wireless AP · Difficulty · Easy

Attempt 1 of 1 · cmoy2p707000113ysghyxhqq1

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Not enough data yet · Cyber × Network Fusion

You have 1 of 3 attempts at Easy. Complete 2 more to unlock a recommendation. (Track: Cyber × Network Fusion)

Track · Cyber × Network Fusion
Easy

Sample size: 1

Submission · what was sent and how you responded
Rogue Wireless AP · Difficulty · easy · High asset
[P2] Evil twin AP near building 4 cafe — captive portal captured 4 user logins
From
Wireless / Security <wireless-team@acme-corp.com>
To
soc@acme-corp.com
Date
2026-04-22 12:55 UTC
Wireless IDS flagged a non-corporate AP broadcasting SSID "ACME-Corp" with the same WPA2-Enterprise hint string we use, located just outside Building 4 (cafe area). The rogue AP appears to be running a captive portal that mimics our SSO page. Four employee laptops auto-connected to the rogue while passing through the cafe today (we saw their MACs in the rogue's beacon-response). Helpdesk has had two reports of "weird login screen on the corporate Wi-Fi". Please investigate, contain, and harden. The rogue is still active. — Wireless / Security
Evidence
Wireless IDS + four affected user sign-in logs
# Wireless IDS detection
12:31:14 IDS-WI-04 detected non-corp AP bssid=aa:bb:cc:11:22:33 ssid="ACME-Corp" channel=6 RSSI=-58dBm
                   location: outside Bldg 4 cafe (estimated)
                   client probe responses observed: bcd1.7f00.aa01, bcd1.7f00.aa02,
                                                    bcd1.7f00.bb12, bcd1.7f00.bb45
                   captive-portal redirect to https://acme-corp-wifi[.]net/auth

# Entra sign-in for one impacted user (alice)
12:34:20 SUCCESS user=alice@acme-corp.com IP=198.51.100.77  UA="curl/8.4"
                  (note: alice's normal IP space is 10.x corporate)

# Wi-Fi controller
WLC#show client mac bcd1.7f00.aa01
  AP: rogue (not in our managed list)
  Connection started: 12:30:48

# 802.1X / WPA2-Enterprise config audit
ssid "ACME-Corp"  PEAP-MSCHAPv2  no certificate validation enforced on clients
Affected asset
Name
Corporate SSID 'ACME-Corp' + 4 employee accounts
Type
Wireless trust boundary + credentials likely captured
Owner
Wireless / Security
Level
High
Your submitted response
27 words
Hi,

The team will send people to investigate using Wireshark. If we find any suspicious network equipment plugged in outside the building, we will remove it.

Thanks,
Final score
5 / 100
27 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 5/100. Strongest area: Clarity & structure (45%). Weakest area: Attack & fault understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack & fault understanding: 0/3 · 0.0 / 15
  • Topology & asset impact: 0/3 · 0.0 / 10
  • Prioritization: 0/2 · 0.0 / 10
  • Containment & mitigation: 0/5 · 0.0 / 20
  • Investigation & diagnosis: 0/4 · 0.0 / 15
  • Recovery: 0/4 · 0.0 / 10
  • Evidence & change record: 0/3 · 0.0 / 10
  • Clarity & structure: 1/2 · 4.5 / 10

Strengths

No category reached 70% coverage.

Missing / weak

  • Attack & fault understanding
  • Topology & asset impact
  • Prioritization
  • Containment & mitigation
  • Investigation & diagnosis
  • Recovery
  • Evidence & change record

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment & mitigation · 0% coverage

    WIPS containment, password reset + session revoke, and portal-domain block must all appear; partial sets score partial credit.

  • Attack & fault understanding · 0% coverage

    Name evil-twin SSID + captive-portal credential capture AND the underlying client misconfig (PEAP without server-cert validation).

  • Investigation & diagnosis · 0% coverage

    Cite WIPS detection, WLC client log, and Entra sign-in correlation together — and call out the SSID config root cause.

Model answer outline

Situation

An evil-twin AP (bssid aa:bb:cc:11:22:33, channel 6, RSSI -58 dBm) is broadcasting our corporate SSID 'ACME-Corp' near the Building 4 cafe with a captive portal at acme-corp-wifi.net. Four employee laptops auto-connected today because PEAP-MSCHAPv2 is configured WITHOUT client-side server-cert validation, and at least one (alice) has already signed in to Entra from 198.51.100.77 / curl-UA — the rogue is still active.

Prioritization
  • Treat as P2 active credential capture: rogue is still up, four MACs already touched it, and one Entra sign-in already replayed.
  • Run wireless containment (rogue mitigation), identity containment (cred + session) and physical investigation (rogue location) in parallel.
  • Escalate to Wireless + SOC + Facilities together so the WIPS deauth, account lockout, and physical sweep do not race each other.
Containment
  • Trigger WIPS rogue containment / deauth on the offending BSSID until physical removal — keep corporate Wi-Fi up for everyone else.
  • Reset passwords and revoke active Entra sessions for the four employees identified by the rogue's probe-response list.
  • Block the captive-portal domain (acme-corp-wifi.net) on the corporate resolver and on the proxy egress so any in-flight redirects fail closed.
  • Push a temporary client policy that enforces server-cert validation on the 'ACME-Corp' SSID profile so laptops stop trusting any portal that claims the SSID.
Investigation
  • Pull the WIPS detection record for bssid aa:bb:cc:11:22:33 and correlate the four client probe-response MACs against the WLC client log.
  • Use spectrum analysis / the WIPS triangulation hint (channel 6, -58 dBm, outside Bldg 4 cafe) to narrow physical search before sweeping.
  • Diff each affected user's Entra sign-in log around the cafe window — IP, ASN, UA — to identify which sessions are tainted.
  • Audit the SSID profile: PEAP-MSCHAPv2 with no server-cert validation is the configuration root cause and must be captured in the RCA.
Recovery
  • Move the corporate SSID off PEAP-MSCHAPv2-without-validation toward EAP-TLS with certificate-based 802.1X.
  • If PEAP must remain temporarily, enforce server-cert validation and pin the RADIUS server cert on every managed laptop.
  • Turn on WIPS auto-mitigation for confirmed rogues advertising corporate-named SSIDs.
  • Add a short awareness piece for the cafe area: 'if Wi-Fi asks you to log in via a browser, it is not us'.
Evidence preservation
  • Archive the WIPS detection log, the WLC client log, and the four Entra sign-in records before they age out.
  • Capture the fake-portal page source (acme-corp-wifi.net) and the cert chain it presented for the SOC evidence locker.
  • Open Wireless + SOC + Facilities tickets recording the BSSID, channel, RSSI, and any physical hardware reclaimed.
Communication
  • Notify the four affected employees with a pre-templated user message; do not include the captured passwords in the message.
  • Brief Facilities for a physical sweep of the cafe area and adjacent meeting rooms.
  • Inform Helpdesk so 'weird login screen on Wi-Fi' tickets are routed straight to SOC during the active window.
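One way to carry out the MAC-to-user-to-sign-in correlation that the Investigation bullets call for, written as an added Python example (it is not part of the trainer or any vendor tooling). The WLC MAC-to-user mapping, the 60-minute window after detection, and the extra 'bob' sign-in lines are constructed assumptions for the demonstration:

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample evidence modelled on the scenario's IDS, WLC and Entra lines.
# The 'bob' entries are added only to show a clean corporate sign-in being ignored.
WIDS_LOG = """\
12:31:14 IDS-WI-04 detected non-corp AP bssid=aa:bb:cc:11:22:33 ssid="ACME-Corp" channel=6 RSSI=-58dBm
                   client probe responses observed: bcd1.7f00.aa01, bcd1.7f00.aa02,
                                                    bcd1.7f00.bb12, bcd1.7f00.bb45
"""
# Assumed WLC resolution of client MAC -> 802.1X identity (constructed).
WLC_CLIENTS = {"bcd1.7f00.aa01": "alice@acme-corp.com", "bcd1.7f00.bb12": "bob@acme-corp.com"}
ENTRA_LOG = """\
12:34:20 SUCCESS user=alice@acme-corp.com IP=198.51.100.77  UA="curl/8.4"
12:36:02 SUCCESS user=bob@acme-corp.com IP=10.20.4.15  UA="Mozilla/5.0"
09:05:11 SUCCESS user=alice@acme-corp.com IP=10.20.4.99  UA="Mozilla/5.0"
"""

CORP_NET = ipaddress.ip_network("10.0.0.0/8")          # alice's "normal IP space is 10.x"
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")   # Cisco dotted MAC form
SIGNIN_RE = re.compile(r'^(\d\d:\d\d:\d\d) (\w+) user=(\S+) IP=(\S+)\s+UA="([^"]*)"')

def rogue_client_macs(wids_text):
    """Client MACs the WIDS saw answering the rogue BSSID (the bssid= field is excluded)."""
    parts = wids_text.split("client probe responses observed:", 1)
    return set(MAC_RE.findall(parts[1])) if len(parts) > 1 else set()

def tainted_signins(wids_text, wlc_clients, entra_text, detect_time="12:31:14", window_min=60):
    """Successful sign-ins by users whose laptop touched the rogue, inside the window
    after detection, from a non-corporate IP or a non-browser UA.
    Returns a list of (user, ip, ua, reasons) tuples for the session-revoke list."""
    exposed = {wlc_clients[m] for m in rogue_client_macs(wids_text) if m in wlc_clients}
    t0 = datetime.strptime(detect_time, "%H:%M:%S")
    t1 = t0 + timedelta(minutes=window_min)
    hits = []
    for line in entra_text.splitlines():
        m = SIGNIN_RE.match(line)
        if not m:
            continue
        ts, result, user, ip, ua = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")
        if user not in exposed or result != "SUCCESS" or not (t0 <= t <= t1):
            continue
        reasons = []
        if ipaddress.ip_address(ip) not in CORP_NET:
            reasons.append("non-corp IP")
        if not ua.startswith("Mozilla/"):
            reasons.append("non-browser UA")
        if reasons:
            hits.append((user, ip, ua, reasons))
    return hits
```

Only the flagged sessions go on the revoke list; the unaffected 'bob' sign-in from corporate space is left alone, which keeps identity containment targeted rather than a blanket reset.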

Dangerous actions to avoid

  • Do not shut down the entire corporate Wi-Fi to 'remove the rogue' — only the rogue BSSID needs containment.
  • Do not let clients keep auto-connecting to the rogue while you 'investigate' — push the client-cert enforcement now, not later.
  • Do not paste, email, or screenshot the captured employee passwords into chat or tickets.
  • Do not rely only on a password reset; revoke active sessions, otherwise an in-flight token survives the reset.

How to improve next time

  • Evil-twin attacks succeed because clients trust the SSID name; the real fix is server-cert validation, not just 'kick the rogue AP'.
  • Pair WIPS containment with identity containment — kicking the rogue does not invalidate the credentials it already captured.
  • Block the fake portal domain on the corporate resolver too; some users will try to 'log in again' from a different network.
  • Triangulate with WIPS data (channel, RSSI, probe-response list) before sending Facilities to walk the building.
  • Use the incident as the lever to move PEAP-only SSIDs to EAP-TLS — PEAP-without-validation is the underlying bug.
AI Tutor · Explains your result

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 5/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (45%). Points were held back mostly in Containment & mitigation (0%), Attack & fault understanding (0%), Investigation & diagnosis (0%).

Rubric focus: containment · attackUnderstanding · investigation
Next study step

Re-read the containment & mitigation expectations for this scenario and list the concrete steps you missed.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

What should I improve first?

Focus on Containment & mitigation first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: WIPS containment, password reset + session revoke, and portal-domain block must all appear; partial sets score partial credit.

Rubric focus: containment
Next study step

Rewrite your containment & mitigation section as a short numbered checklist before your next attempt.


How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment & mitigation, attack & fault understanding, investigation & diagnosis guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus: containment · attackUnderstanding · investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.


Which rubric area mattered most here?

Containment & mitigation mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus: containment
Next study step

Prioritise the highest-weight categories first; make sure containment & mitigation is fully addressed before lower-weight ones.


What should I study next?

Based on this attempt, study containment & mitigation, attack & fault understanding, investigation & diagnosis next. Coaching tip for this scenario: Evil-twin attacks succeed because clients trust the SSID name; the real fix is server-cert validation, not just 'kick the rogue AP'.

Rubric focus: containment · attackUnderstanding · investigation
Next study step

Evil-twin attacks succeed because clients trust the SSID name; the real fix is server-cert validation, not just 'kick the rogue AP'.

