Offensive Security Wireless Professional (OSWP) review - Nethemba


Introduction

As with OSCP and OSCE, I decided to review my experiences with Offensive Security’s OSWP course and exam. As before, I will state that I adopted the nick Dyntra for Offensive Security and many know me by this name. Feel free to say hi on either irc.wechall.net (#revolutionelite #wechall) or chat.freenode.net (#offsec).

Course

Starting on a negative, let me say that the first few chapters of the Wi-Fu course are dry, so much so that the authors give reasons in the first few pages not to skip them. Having battled through the array of diagrams, explanations, packet dumps, acronyms, and many tables of response codes and reason codes, however, there is a gem of a course here which, although shiny, could do with a bit more polish.

There is no remote lab associated with this course, meaning that the student is expected to purchase suitable hardware to experiment with the different attacks presented. This is definitely the first major challenge, as there is really no indication of what constitutes ‘suitable hardware’ (even the recommended hardware had some issues).

In the end I used two routers and two packet-injectable wireless cards. My setup and reasoning for each is as follows:

Routers:

  • D-Link DIR-615 – Brilliant to inject and works with all attacks. Does not have a WEP shared-key mode.

  • Netgear N150 (DGN1000SP) – Drops spoofed ARP packets and is poor to inject against, but has a WEP shared-key mode. I used it for this only.

Packet-injectable cards:

  • ALFA AWUS036NHA – Very stable. It works really well for everything except fragmentation attacks.

  • ALFA AWUS036H – Works for fragmentation attacks but is not very stable, so I did not use it for anything else.

With a combination of the above hardware I was able to run through the course without issues. The course itself, however, is a little outdated. There is a lot on WEP attacks and some solid sections on WPA2 and GPS. I would have liked to have seen some WPA3 downgrade attacks and areas relating to Bluetooth. Having said this, I dug out a router which I had previously acquired from a friend and cracked the password they had set at one point (yes, I could have just reset it, but there’s no fun in that), so the material is still relevant despite its age.

The course itself covers the following areas:

  • IEEE and standards

  • Wireless operating modes

  • Packets and frames (Control, Management, Data, Beacon, Probe, Authentication, Association, Packetforge, etc.)

  • Hardware and cards

  • Aircrack-ng suite (airmon, airodump, aireplay, aircrack, airserv, airtun, airbase, airdecap, airgraph, etc.)

  • WEP cracking

  • WPA1/2 cracking

  • Fake authentication attacks

  • Deauthentication attacks

  • ARP packet generation and replay

  • Interactive packet replay

  • Working with client and clientless setups

  • Korek ChopChop attacks

  • Fragmentation attacks

  • PSK bruteforce attacks

  • Four-way handshakes

  • Cracking with JTR

  • Cracking with coWPAtty

  • Cracking with Pyrit

  • Recon with Kismet

  • Rogue access points

  • Karmetasploit attacks

  • MitM attacks

As can be seen, there is a lot of material here, and this can come as a surprise to those who believe Wi-Fi cracking is nothing more than running a wordlist against a captured handshake (though this approach is covered too). The breadth is reflected in the huge 380+ page document and 80 videos.

On the whole, a solid course with information that is well presented.

Exam

Unlike OSCP’s famous 24-hour exam, OSCE’s 48-hour exam and OSEE’s 72-hour exam, there is a nice change of pace here with a 4-hour exam in which we need to recover the keys to 3 wireless networks (all 3 are required to pass). The setup is quite clever and efficient, with SSH access to an Offsec attacking system which has a packet-injectable adapter attached and the 3 required networks within range of it. After doing a little recon I was attacking the first system and immediately hit an issue. Something should have been working but wasn’t. Was it the system? The card? Was the network misconfigured? Was I being an idiot? I let the attack continue to run, knowing full well that the key should have been recovered by this point. 45 minutes in… an hour in… After a lot of research I reached out to the official Offensive Security support and asked whether I should continue with my attack or start from scratch.

When the answer came, it was exactly what I expected: we cannot confirm nor deny the behaviour. Try harder. Even after OSCP and OSCE this was still a huge slap in the face.

A quarter of the exam gone and nothing to show for it. I made the decision to abandon the attack and re-run it. The key was recovered within 5 minutes. I was both furious with myself and relieved (and yes, I was being an idiot).

The other two networks then fell within the next hour, and I had all required systems within half of the exam time. After some screenshots and double-checking some notes I sent the report and received word of a pass around 2 days later.

Conclusion

It is easy to have mixed feelings about an offering such as this one; however, it is difficult not to justify the investment. Taking into account that a hardware purchase is required for this course, this is an added expense. It is due to this (and there being no remote lab) that the course and exam are the cheapest of the Offsec offerings. If you visit the IRC channel (see introduction) you can often see the presence of an admin, ‘Mister_X’, who is none other than the creator of the Aircrack-ng suite. Regardless of whether you feel the course is outdated, it goes to show that the software creators support it personally, and with the price point being intentionally low this should be reason enough to jump on board. If those reasons, coupled with the amount of excellent material and resources, are not enough, then perhaps focus on the fact that you too can be an Offensive Security Wireless Professional.

Aside:

Acclaim now verifies Offensive Security certifications (amongst others). Check out my profile here: https://www.youracclaim.com/users/sabretooth/badges