diff --git a/hw3/archer-scan.png b/hw3/archer-scan.png new file mode 100644 index 0000000..f540a33 Binary files /dev/null and b/hw3/archer-scan.png differ diff --git a/hw3/hw3.md b/hw3/hw3.md index 9bda160..b0e3c4f 100644 --- a/hw3/hw3.md +++ b/hw3/hw3.md @@ -1,5 +1,7 @@ # Homework 3: Cracking WiFI! +For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali + ## Crack the NetSec WiFi network password with bettercap ### Find the BSSID and connected client of the NetSec Network 
@@ -31,11 +33,31 @@ The connection was successfull I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24` ![subnet](./subnet.png) -Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. +Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students ![nmap](./nmap.png) -### Open ports and services on client 1 +![nmap-1](./nmap-1.png) +![nmap-2](./nmap-2.png) -### Open ports and services on client 2 +To summerize this, the interesting devices, excluding ourselves (mallory) are +``` +Nmap scan report for Archer (192.168.0.1) +MAC Address: 28:87:BA:75:7E:98 (TP-Link Limited) + +Nmap scan report for bookworm (192.168.0.139) +MAC Address: D8:3A:DD:7E:3C:31 (Unknown) +``` +We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. + +### Open ports and services on archer +As the router/gateway, I do not expect any interesting servcies to be running here. But let us make sure +![archer-scan](./archer-scan.png) + +As probably expected, our gateway is responding to DNS requests, and has a web interface open on http(s). + +Let's assume the port 80 traffic is only allowed to redirect users to the SSL web traffic on 443. From my home machine, I can do the following to tunnel traffic and take a look at the web page +![ssh-double-tunnel](./ssh-double-tunnel.png) + +### Open ports and services on bookworm ### Access the RTSP stream 
diff --git a/hw3/nmap-1.png b/hw3/nmap-1.png new file mode 100644 index 0000000..cb4d2de Binary files /dev/null and b/hw3/nmap-1.png differ diff --git a/hw3/nmap-2.png b/hw3/nmap-2.png new file mode 100644 index 0000000..1f8b07f Binary files /dev/null and b/hw3/nmap-2.png differ diff --git a/hw3/notes.txt b/hw3/notes.txt new file mode 100644 index 0000000..056cf2d --- /dev/null +++ b/hw3/notes.txt @@ -0,0 +1,11 @@ +Advertising Device View Device Details +MAC 28:87:BA:75:7E:93 (TP-Link Corporation Limited) +Name NetSec +Type Wi-Fi AP +Advertised encryption WPA2 WPA2-PSK AES-CCM +First advertised May 11 2024 23:21:58 +Last advertised May 11 2024 23:21:58 +Last advertised SSID NetSec +Encryption WPA2 WPA2-PSK AES-CCM +Channel 48 +Main Frequency 5.240 GHz \ No newline at end of file diff --git a/hw3/ssh-double-tunnel.png b/hw3/ssh-double-tunnel.png new file mode 100644 index 0000000..1d49e37 Binary files /dev/null and b/hw3/ssh-double-tunnel.png differ
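Review bot: the new intro line in the first hw3.md hunk has spelling errors that will be visible in the rendered report: "demostrate" should be "demonstrate", "reconissance" should be "reconnaissance", and "running kali" should end the sentence ("running Kali."). Since this line now frames the whole write-up, also state up front that `NetSec` is the course lab network and `mallory` is the assigned attacker VM, so a reader of the rendered page has that context without reading the headings.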
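Review bot: the second hw3.md hunk identifies the gateway as `archer/28:87:BA:75:7E:98`, but the notes.txt added in the same commit records the NetSec AP with MAC `28:87:BA:75:7E:93`; a TP-Link unit commonly exposes different MACs on its radio and its LAN side, but the write-up should say explicitly whether these are the same device and which address is the BSSID versus the gateway's LAN MAC, otherwise the reader cannot tie the "Find the BSSID" section to this scan. The sentence "Let's assume the port 80 traffic is only allowed to redirect users to the SSL web traffic on 443" should be backed by the evidence already being collected (the nmap service output in `archer-scan.png`, or the HTTP response seen through the tunnel) rather than left as an assumption, since a plain-HTTP management page would be a finding worth reporting. The new heading "### Open ports and services on bookworm" is added empty and "### Access the RTSP stream" remains empty; either fill them in this change or mark them as TODO so the rendered page does not end mid-section. Spelling: "persistant" -> "persistent", "summerize" -> "summarize", "servcies" -> "services".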
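Review bot: notes.txt is committed without a trailing newline ("\ No newline at end of file"); add one so future diffs of this file stay clean. The file is raw pasted output with no indication of which tool produced it or which step of the write-up it supports; a one-line header (tool name, date) at the top, or a reference to it from the "Find the BSSID" section of hw3.md, would make it usable as evidence. The captured fields (WPA2-PSK AES-CCM, channel 48, 5.240 GHz) are exactly what the report's BSSID section needs, so consider quoting them there instead of leaving them only in a side file.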