diff --git a/hw3/bettercap-deauth.png b/hw3/bettercap-deauth.png new file mode 100644 index 0000000..6eecd03 Binary files /dev/null and b/hw3/bettercap-deauth.png differ diff --git a/hw3/bettercap-wifi-recon.png b/hw3/bettercap-wifi-recon.png new file mode 100644 index 0000000..0b2d9ea Binary files /dev/null and b/hw3/bettercap-wifi-recon.png differ diff --git a/hw3/bettercap-wifi-show.png b/hw3/bettercap-wifi-show.png new file mode 100644 index 0000000..d246a63 Binary files /dev/null and b/hw3/bettercap-wifi-show.png differ diff --git a/hw3/cracked.png b/hw3/cracked.png new file mode 100644 index 0000000..4707892 Binary files /dev/null and b/hw3/cracked.png differ diff --git a/hw3/hashcat-running.png b/hw3/hashcat-running.png new file mode 100644 index 0000000..bc0eaa7 Binary files /dev/null and b/hw3/hashcat-running.png differ diff --git a/hw3/hcxpcapngtool.png b/hw3/hcxpcapngtool.png new file mode 100644 index 0000000..dab6a50 Binary files /dev/null and b/hw3/hcxpcapngtool.png differ diff --git a/hw3/hw3.md b/hw3/hw3.md index c1a8a84..cf6b424 100644 --- a/hw3/hw3.md +++ b/hw3/hw3.md @@ -3,6 +3,7 @@ For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali ## Crack the NetSec WiFi network password with bettercap + After connecting to mallory, I start by running `bettercap` on the `wlan0` interface. I then try to turn on wifi reconnaissance. ![start-bettercap](./start-bettercap.png) 
@@ -11,14 +12,29 @@ As issue is returned that bettercap cannot put wlan0 into monitor mode. This is ### Find the BSSID and connected client of the NetSec Network +Running `wifi.show` with bettercap, we see the BSSID of NetSec. That being 28:87:ba:75:7e:93 +![bettercap-wifi-show](./bettercap-wifi-show.png) + +with `wifi.recon 28:87:ba:75:7e:93` I can see the clients of the NetSec network. Here, we see the client with BSSID 70:f7:54:ff:1c:59 +![bettercap-wifi-recon](./bettercap-wifi-recon.png) ### Perform a deauth attack on the network with bettercap and capture the 4-way handshake +With `wifi.deauth 70:f7:54:ff:1c:59` I can send a deauth message to the above client. We can see this worked, and the handshake was automatically captured +![bettercap-deauth](./bettercap-deauth.png) ### Use the hcx toolsuite to convert the captured handshake to a format that hashcat can understand +Using hcxpcapngtool of the hcx toolsuite, I can convent this pcap file to a format hashcat will understand (after copying the file from /root to /home/kai) +![hcxpcapngtool](./hcxpcapngtool.png) ### Crack the password using hashcat and rockyou.txt +Finally, I run `hashcat -m 22000 -a 0 -w 3 -o bettercap-cracked.txt handshake.hc22000 rockyou.txt` on the above converted handshake file, to crack the password and write it to `bettercap-cracked.txt`. +![hashcat-running](./hashcat-running.png) + +After ~7 minutes, we have cracked the password. That being `crackme1` +![cracked](./cracked.png) + ### Connect workstation to the wifi network and show using nmtui -Now that I have found the password, I can initiate a wifi connection from `mallory` to the raspberry pi +Now that I have found the password, I can initiate a wifi connection from `mallory` to the NetSec network The first issue encountered was the the network manager was inactive. This is confirmed by running `systemctl status NetworkManager` 
@@ -35,10 +51,12 @@ The connection was successfull ![nmtui-connected](./nmtui-connected.png) ## Scan the network with nmap -I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24` +I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24` + ![subnet](./subnet.png) Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students + ![nmap](./nmap.png) ![nmap-1](./nmap-1.png) ![nmap-2](./nmap-2.png)
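Review bot: in the hw3.md hunk at `@@ -11,14 +12,29 @@`, the `wifi.recon` paragraph calls 70:f7:54:ff:1c:59 the client's "BSSID", but a BSSID identifies the access point (here 28:87:ba:75:7e:93); the client's address is its station MAC, so the line should read "the client with MAC address 70:f7:54:ff:1c:59". In the same hunk, the hcxpcapngtool step records no command, unlike the hashcat step right below it (`hashcat -m 22000 -a 0 -w 3 -o bettercap-cracked.txt handshake.hc22000 rockyou.txt`); add the exact hcxpcapngtool invocation together with the input capture name copied from /root and the output file handshake.hc22000, otherwise the conversion step cannot be reproduced from the writeup. Minor: "convent" should be "convert", and the sentences ending "...BSSID of NetSec. That being 28:87:ba:75:7e:93" and "...handshake was automatically captured" should be closed with a period before the image embed.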