Mobile Station -- Blue Team

Physical Setup

1. Boot Drive: Insert SSK 256GB USB-C SSD into one of the laptop's USB-C ports. This is your OS drive -- it stays plugged in at all times.
2. ALFA Adapter: Connect the ALFA AWUS036AXM to the USB 3.0 extension cable. Plug the extension cable into a USB-A port on the laptop. The 6ft cable lets you position the adapter for optimal reception -- elevate it, point it toward the target area, keep it away from the laptop's RF noise.
3. Laptop Placement: Position the laptop where you have a clear view of the screen but are not conspicuous. The adapter does the listening -- the laptop just needs power and a place to sit.
4. Power: Keep the laptop plugged into AC power during extended captures. The Core 9 270H and USB peripherals will drain the battery in ~2 hours under load.

Flash the SSD

1. Download Kali Linux 2025.4 Live ISO from kali.org/get-kali
2. Flash to the SSK SSD using Rufus (Windows):
   • Select the ISO
   • Write mode: DD Image (not ISO Image -- this is critical)
   • Persistence: allocate ~100GB for the persistence partition
3. Rufus will create the live partition + persistence partition automatically

BIOS Configuration

1. Power on the Acer Nitro, press F2 during boot to enter BIOS
2. Disable Secure Boot: Security tab > Secure Boot > Disabled
3. Boot Order: Set USB SSD as first boot device (or use F12 boot menu each time)
4. Save and exit -- laptop will boot from the Kali SSD

Change Default Password

Kali default credentials are kali / kali. Change immediately.

$ passwd

System Update

$ sudo apt update && sudo apt upgrade -y

Verify ALFA Adapter

# Check USB detection
$ lsusb | grep -i mediatek
Bus 00x Device 00x: ID 0e8d:7961 MediaTek Inc. Wireless_Device

# Check wireless interface
$ iwconfig
wlan1     IEEE 802.11  ...  (this is your ALFA)
wlan0     IEEE 802.11  ...  (this is your internal WiFi)

# Detailed interface info
$ iw dev

Set Timezone

$ sudo timedatectl set-timezone America/Chicago

Connect to Phone Hotspot

Internet access goes through the internal WiFi adapter (wlan0) connected to your phone's hotspot. The ALFA adapter (wlan1) stays in monitor mode -- never connects to anything.

# Scan for your hotspot
$ nmcli device wifi list ifname wlan0

# Connect to phone hotspot
$ nmcli device wifi connect "Praxis" password "YOUR_HOTSPOT_PASSWORD" ifname wlan0

# Verify connection
$ nmcli connection show --active
$ ping -c 3 8.8.8.8

ProtonVPN Setup

# Install ProtonVPN CLI
$ sudo apt install protonvpn-cli -y

# Login (follow interactive prompts)
$ protonvpn-cli login

# Connect to fastest server
$ protonvpn-cli connect --fastest

# Verify VPN is active
$ protonvpn-cli status
$ curl ifconfig.me

Enable Monitor Mode (preserves internet on wlan0)

# Put ONLY wlan1 (ALFA) into monitor mode -- wlan0 internet stays up
# DO NOT use airmon-ng check kill -- it kills NetworkManager and drops ALL adapters
$ sudo ip link set wlan1 down
$ sudo iw dev wlan1 set type monitor
$ sudo ip link set wlan1 up

# Verify -- should show Mode:Monitor on wlan1, Mode:Managed on wlan0
$ iwconfig

Note: Interface stays named wlan1 (not wlan1). Use wlan1 in all capture commands.

Lock to Target Channel

# Lock to channel 149 (current CTS-A channel)
$ sudo iw dev wlan1 set channel 149

# Or lock to channel 157 (original attack channel)
$ sudo iw dev wlan1 set channel 157

# Verify channel
$ iw dev wlan1 info

Start Capture

# Full capture on locked channel
$ sudo airodump-ng wlan1 -c 149 -w /home/kali/captures/$(date +%Y%m%d_%H%M%S)_ch149

# Or use tcpdump for lightweight capture
$ sudo tcpdump -i wlan1 -w /home/kali/captures/$(date +%Y%m%d_%H%M%S)_ch149.pcap

Disable Monitor Mode

$ sudo airmon-ng stop wlan1

# Restart NetworkManager
$ sudo systemctl start NetworkManager

Wireshark (GUI)

# Launch Wireshark on capture interface
$ sudo wireshark -i wlan1 -k

# Open a saved capture file
$ wireshark /home/kali/captures/20260322_161800_ch149-01.cap

tshark One-Liners

# Filter deauthentication frames
$ tshark -r capture.pcap -Y "wlan.fc.type_subtype == 0x000c" -T fields -e frame.time -e wlan.sa -e wlan.da

# Filter CSA (Channel Switch Announcement) frames
$ tshark -r capture.pcap -Y "wlan.tag.number == 37" -T fields -e frame.time -e wlan.sa -e wlan.csa.channel

# Count frames by type
$ tshark -r capture.pcap -T fields -e wlan.fc.type_subtype | sort | uniq -c | sort -rn

# Show all unique BSSIDs
$ tshark -r capture.pcap -T fields -e wlan.bssid | sort -u

# Filter by specific MAC address
$ tshark -r capture.pcap -Y "wlan.addr == AA:BB:CC:DD:EE:FF"

# Live monitor for deauth frames
$ sudo tshark -i wlan1 -Y "wlan.fc.type_subtype == 0x000c" -T fields -e frame.time -e wlan.sa -e wlan.da

tcpdump (Lightweight)

# Quick capture with rotation (new file every 100MB)
$ sudo tcpdump -i wlan1 -w /home/kali/captures/rolling.pcap -C 100

# Capture with time limit (3600 seconds = 1 hour)
$ timeout 3600 sudo tcpdump -i wlan1 -w /home/kali/captures/$(date +%Y%m%d_%H%M%S)_1hr.pcap

File Naming Convention

All capture files follow this format:

YYYYMMDD_HHMMSS_ch{channel}_evidence.pcap

# Examples:
20260322_161800_ch149_evidence.pcap
20260322_163000_ch157_evidence.pcap
20260322_170000_ch149_deauth_capture.pcap

Directory Structure

$ mkdir -p /home/kali/captures/{raw,analyzed,exports}
$ mkdir -p /home/kali/evidence/{screenshots,notes,hashes}

Backup to Separate USB

# Mount evidence USB (adjust device name)
$ sudo mount /dev/sdc1 /mnt/evidence

# Copy captures with checksums
$ cp -v /home/kali/captures/raw/*.pcap /mnt/evidence/
$ sha256sum /home/kali/captures/raw/*.pcap > /mnt/evidence/checksums.sha256

# Verify integrity
$ cd /mnt/evidence && sha256sum -c checksums.sha256

# Unmount
$ sudo umount /mnt/evidence

Chain of Custody Notes

For each capture session, record in a text file:

• Date, time (start and end), timezone
• Operator name (Robert Cleaver)
• Equipment used (laptop model, adapter model, adapter MAC)
• Channel(s) monitored
• Physical location of the station
• File names generated
• SHA-256 hash of each file
• Any observations during capture

# Generate hash for a capture file
$ sha256sum /home/kali/captures/raw/20260322_161800_ch149_evidence.pcap

Run through this checklist before every deployment.

Pre-Mission

• Laptop charged (or AC adapter packed)
• SSK SSD boots Kali successfully
• ALFA AWUS036AXM detected in Kali (lsusb)
• Phone hotspot "Praxis" tested and working
• ProtonVPN login tested and connects
• USB 3.0 extension cable packed
• Evidence USB drive packed (for backups)
• Captures directory created on SSD

On-Site Setup (5 minutes)

1. Position laptop, connect power
2. Connect ALFA via extension cable, elevate adapter
3. Boot from SSD (F12 > select USB)
4. Connect internal WiFi to phone hotspot
5. Start ProtonVPN
6. Enable monitor mode on ALFA
7. Lock to target channel
8. Start capture
9. Log start time and conditions

Teardown

1. Stop capture (Ctrl+C)
2. Log end time
3. Generate SHA-256 hashes of all new capture files
4. Backup to evidence USB if available
5. Disable monitor mode
6. Disconnect VPN
7. Shut down Kali cleanly (sudo shutdown -h now)
8. Remove SSD and adapter, pack equipment

Network Separation

The blue team station operates on a completely separate network path from the company infrastructure:

• Capture path: ALFA adapter (monitor mode) > passive listen only > no network connection
• Internet path: Internal WiFi > phone hotspot (cellular) > ProtonVPN > internet
• There is zero overlap between these paths. The station cannot be detected on the company network.

Cover Story

If anyone asks what you're doing with the laptop: "Running network diagnostics for a connectivity issue."

This is technically true -- you are diagnosing a network problem. You don't need to elaborate further.

Physical Security

• Don't leave the laptop unattended with captures visible on screen
• Lock the screen when stepping away (Super+L or set auto-lock)
• Store the SSD separately from the laptop when not in use -- the SSD contains all evidence
• The laptop's internal drive has no Kali or capture data on it