OSWP by OffSec | Detailed Review

Hello, my fellow hackers,

In this blog post, I will be providing a comprehensive review of the Offensive Security Wireless Professional (OSWP) course (PEN-210) and certification. You can either buy the course independently or as part of the Learn-One bundle together with any other OffSec certification.

If you are new to the world of wireless pentesting and want to build a strong foundation before diving into the OSWP course, I highly recommend checking out the free Wireless Security Megaprimer series by the renowned Vivek Ramachandran. In this series, Vivek goes into great detail on most of the attack scenarios covered in the OSWP course.

By following Security Tube's Wi-Fi Megaprimer series, you will gain valuable knowledge and hands-on experience with topics such as cracking WEP encryption, exploiting WPA/WPA2-PSK networks, and launching WPA/WPA2-Enterprise attacks. This series serves as a perfect complement to the OSWP course, as it will enhance your understanding of wireless security concepts and help you prepare for the challenges ahead.

I. Preparation

Before diving into the course, it's important to note that the OSWP course does not come with a pre-configured lab environment. Therefore, you will need to set up your own lab, which requires at minimum the following components:

1) Wireless Access Point: You will need a wireless access point that supports various encryption standards such as WEP, WPA/WPA2 (both PSK and Enterprise), and WPS.

2) Virtual Machine or Raspberry Pi: For the WPA/WPA2-Enterprise network, you will need a virtual machine or Raspberry Pi running a configured RADIUS server, connected to the AP over a wired LAN link.

3) Wireless Card: To perform packet injection and other wireless attacks, you will need a compatible wireless card that supports the necessary functionalities.

4) WPS Client Devices: Devices that support WPS-based authentication.

II. The Course & Lab

The OSWP course primarily focuses on wireless 802.11 protocol security and penetration testing. It provides an in-depth understanding of the protocol standard, different types of wireless network infrastructures, and Wi-Fi encryption standards including WEP, WPA/WPA2 (Personal and Enterprise), WPA3, and WPS.

During the course, you will explore five major attack scenarios, namely:

  1. WEP-protected Wi-Fi networks
  2. WPA/WPA2-PSK networks
  3. WPA/WPA2-Enterprise networks
  4. WPS-enabled networks
  5. Captive portal attacks

To execute these attacks effectively, you will be working with various tools and utilities, including:

  • Aircrack-ng suite, bettercap, kismet, wash, reaver
  • Native Linux utilities (iw, ifconfig, iwconfig, wpa_supplicant, dhclient)
  • Password cracking tools: crunch, john, hashcat
  • Fake AP tools: freeradius, hostapd-mana, eaphammer
  • Captive portal tools: Apache, dnsmasq
  • Wireshark and TShark for packet analysis

III. The Exam

During the OSWP exam, you are not required to have any specific hardware, as you will be provided access to a Kali VM. This VM has a wireless network interface card attached, which can be utilized for attacking the respective Wi-Fi networks.

The exam duration is 3 hours and 45 minutes. You will be given three attack scenarios: WEP, WPA/WPA2-PSK, and WPA/WPA2-Enterprise. Out of these three, one scenario is mandatory (and I'm sure you can guess which one). After the exam, you need to submit a detailed report within 24 hours of the scheduled exam end time.

The objective of the exam is to successfully hack into the Wi-Fi networks and download the proof.txt file from the respective access points using a curl request.

In conclusion, the Offensive Security Wireless Professional (OSWP) course and certification provide an in-depth exploration of wireless 802.11 security and penetration testing. By setting up your own lab environment and utilizing a range of tools, you will gain practical experience in attacking various Wi-Fi networks. The exam challenges you to apply your skills and knowledge in real-world scenarios. Obtaining the OSWP certification is a significant achievement for any aspiring wireless security professional.

Exam Tips:

Tip # 1: Prepare your notes for attacking each type of wireless network, including WEP-protected networks, WPA/WPA2-PSK networks and WPA/WPA2-Enterprise networks.

Tip # 2: Prepare the wpa_supplicant config file for each type of network. You will need to connect to the targeted wireless networks using the command-line utility after successfully cracking them. Having these configurations readily available will save you time during the exam.
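As an added illustration (not from the original post or from OffSec's course material), here is a single wpa_supplicant.conf template with one network block per type covered in the exam. All SSIDs, keys and credentials are constructed placeholders, the interface name wlan0 and the CA certificate path are assumptions.

```conf
# wpa_supplicant.conf - added example, not from the original post.
# All SSIDs, keys and credentials below are constructed placeholders.
# Usage (interface name wlan0 assumed):
#   wpa_supplicant -i wlan0 -c wpa_supplicant.conf -B
#   dhclient wlan0
ctrl_interface=/run/wpa_supplicant
update_config=1

# 1) WEP-protected network: key_mgmt=NONE plus a static WEP key.
#    A 40-bit key is 10 hex digits (5 bytes); 104-bit is 26 hex digits.
#    Quote the value instead if the key is ASCII rather than hex.
network={
    ssid="LAB-WEP"
    key_mgmt=NONE
    wep_key0=0102030405
    wep_tx_keyidx=0
    priority=10
}

# 2) WPA/WPA2-PSK network: a quoted value is the passphrase (8-63 chars);
#    an unquoted 64-hex-digit value is taken as the pre-computed PMK.
network={
    ssid="LAB-PSK"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
    priority=20
}

# 3) WPA/WPA2-Enterprise network (PEAP with MSCHAPv2 inner auth).
#    ca_cert pins the RADIUS server certificate; without it the client
#    accepts any server certificate, so keep it for anything but a lab.
#    The certificate path is an assumed placeholder.
network={
    ssid="LAB-ENT"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="labuser"
    password="labpassword"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/lab-radius-ca.pem"
    priority=30
}
```

Keeping all three blocks in one file lets wpa_supplicant pick the matching network by SSID, so during the exam you only replace the placeholder key or credentials once you have recovered them.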

Tip # 3: Use the password lists provided with John and Hashcat for cracking the hashes.