diff --git a/hw3/archer-scan.png b/hw3/archer-scan.png index f540a33..ee4b476 100644 Binary files a/hw3/archer-scan.png and b/hw3/archer-scan.png differ diff --git a/hw3/bookworm-scan.png b/hw3/bookworm-scan.png new file mode 100644 index 0000000..1f76e0a Binary files /dev/null and b/hw3/bookworm-scan.png differ diff --git a/hw3/hw3.md b/hw3/hw3.md index 5259743..b56842e 100644 --- a/hw3/hw3.md +++ b/hw3/hw3.md 
@@ -70,26 +70,57 @@ MAC Address: 28:87:BA:75:7E:98 (TP-Link Limited) Nmap scan report for bookworm (192.168.0.139) MAC Address: D8:3A:DD:7E:3C:31 (Unknown) +Nmap scan report for 192.168.0.47 +Host is up (1.2s latency). +MAC Address: 70:F7:54:FF:1C:59 (Ampak Technology) + Nmap scan report for 192.168.0.240 MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading) ``` -We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. +We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. Specifically, I will scan the default 1000 common ports. ### Open ports and services on archer As the router/gateway, I do not expect any interesting servcies to be running here. But let us make sure + ![archer-scan](./archer-scan.png) -As probably expected, our gateway is responding to DNS requests, and has web interfaces open on http/s. +As probably expected, our gateway is responding to DNS requests, upnp, and has web interfaces open on http/s. + +Using ssh tunneling from 192.168.0.1:80 to localhost:8080, I can take a look at the web page on http. As shown, it prompts for a password, but is otherwise unremkable. When looking at the page on https, it is also un-remarkable, and just says that https is not supported and to use http instead. (not shown) -Using ssh tunneling from 192.168.0.1:80 to localhost:8080, I can take a look at the web page on http. As shown, it prompts for a password, but is otherwise unremkable. 
When looking at the page on https, it is also un-remarkable, and just says that https is not supported (not shown) ![tp-link-page](./tp-link-page.png) I decided not to try any attacks against the router and will be moving on. ### Open ports and services on bookworm +Bookworm is running rtmp and sun-answerbook services. This is interesting. I will explore the rtmp stream later on -### Access the RTSP stream +![bookwork-scan](./bookworm-scan.png) -#### Screenshot +### Open ports and services on khadas +Upon scanning, the machine with MAC 70:F7:54:FF:1C:59 revealed its hostname as Khadas and has a port for ipp (printing) service open -#### Camera make, model, brand, capacity, and manufacture date +ssh connection can be made to khadas with default credentials (root/khadas) + +![khadas-scan](./khadas-scan.png) + +### Open ports and services on Raspberry Pi Trading (reterm-i) +The only interesting service running here is ssh. Moving on + +![rpi-trading](./rpi-trading.png) + +### Access the RTMP(RTSP in assignment) stream + +As shown above, I have discovered an rtmp network video stream on the bookworm device. My research shows the stream url likely consists of a format like rtmp://192.168.0.139:1935/${path}/${key} +I have tried various things to recover the stream url path and key. 
It seems like the path may be 'live', but I cannot figure out the key +* Guess random plausible stream keys or default keys common on raspberry pi cameras +* Try to see if the media stream is actually RTSP and not RTMP (it's on an rtmp port, but assignment suggests it should be rtsp) +* brute force stream keys with a bash script using ffmpeg and rockyou.txt +* poke around khadas (root and khadas user) to see any reference to rtmp streams +* perform de-auth attack and try to capture handshakes on 802.11 to see if I can get the datagrams (via wireshark) for any clients who many be streaming from the stream (which streams would include the path and key) + +For now, this is as far as I have come + +#### Screenshot - TODO + +#### Camera make, model, brand, capacity, and manufacture date - TODO diff --git a/hw3/khadas-scan.png b/hw3/khadas-scan.png new file mode 100644 index 0000000..37ed7f8 Binary files /dev/null and b/hw3/khadas-scan.png differ diff --git a/hw3/rpi-trading.png b/hw3/rpi-trading.png new file mode 100644 index 0000000..96b43b9 Binary files /dev/null and b/hw3/rpi-trading.png differ diff --git a/hw3/scans.txt b/hw3/scans.txt new file mode 100644 index 0000000..acda523 --- /dev/null +++ b/hw3/scans.txt @@ -0,0 +1,23 @@ +Nmap scan report for 192.168.0.47 +Host is up (1.2s latency). +MAC Address: 70:F7:54:FF:1C:59 (khadas/Ampak Technology) + +Nmap scan report for 192.168.0.139 +Host is up (0.62s latency). +MAC Address: D8:3A:DD:7E:3C:31 (bookworm) + +Nmap scan report for panda-kali (192.168.0.165) +Host is up (0.70s latency). +MAC Address: 00:C0:CA:B2:EB:4B (Alfa) + +Nmap scan report for 192.168.0.187 +Host is up (0.55s latency). +MAC Address: 00:C0:CA:B2:EB:61 (Alfa) + +Nmap scan report for reterm-i (192.168.0.240) +Host is up (0.91s latency). +MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading) + +Nmap scan report for mallory (192.168.0.161) +Host is up. +Nmap done: 256 IP addresses (8 hosts up) scanned in 27.42 seconds
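Review bot: in the hw3.md hunk, the bookworm section names the services as "rtmp and sun-answerbook" and the whole stream-URL hunt assumes RTMP on 1935, but nothing in the hunk shows that version detection was run, and without `-sV` nmap's service column is only a port-number lookup from its services table. That makes the second bullet of the attempt list (RTSP vs RTMP) something to settle before brute-forcing keys with rockyou: run `nmap -sV -p 1935,8888 192.168.0.139` and paste the banner into the write-up, since a real RTMP server, an RTSP server on an odd port, or an HTTP stream on 8888 each call for a different next step. Smaller points in the same hunk: the image alt text `![bookwork-scan](./bookworm-scan.png)` misspells the file name, "persistant", "servcies" and "unremkable" are typos, the tunnel description is reversed (local 8080 is forwarded to 192.168.0.1:80, not the other way round), and the de-auth attempt and the root/khadas login are active actions against other hosts, so the write-up should state that those devices are inside the assignment's authorised scope.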
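Review bot: the new scans.txt does not match a raw nmap run and should either be committed untouched or marked as edited. Its closing line says `Nmap done: 256 IP addresses (8 hosts up)` but only six host reports are in the file (the archer/gateway report that appears in the hw3.md hunk is absent), and the vendor fields `(khadas/Ampak Technology)` and `(bookworm)` are hand-written, since nmap prints only the OUI vendor in that position. Commit the unmodified `-oN` output and keep hostname annotations in hw3.md, or add a one-line header saying the file was edited, so the host count and MAC labels are not read as scanner output.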