OSWP - Foundational Wireless Network Attacks - Review (2023)

OSWP - Foundational Wireless Network Attacks - Review (2023)

Nee's photo
Nee
·

4 min read

Introduction

Greetings, fellow cyber peoplez! Just wanted to give you guys some insight into my journey towards earning the Offensive Security Wireless Professional (OSWP) certification. In this blog post, I will take you through some of my experiences throughout this certification and how I tackled some of the issues I faced.

The PEN-210 (OSWP) is considered a foundational course alongside the PEN-200 (OSCP). In comparison to the challenging PEN200 certification(💀), the OSWP certification can be seen as a more approachable step in the journey towards wireless network security. In other words, it's not as tough!

Background

I've had little to no (practical) experience pentesting wireless networks before this. However, I was familiar with the aircrack suite and cracking tools that can be used in conjunction with it. I had a wifi pineapple for a little while and was experimenting with it couple of months ago.

Thus, I was looking forward to getting more hands-on experience with this course. I'm proficient in setting up wired networks but that proficiency didn't carry over to the wireless side of things while setting up the labs.

Gear

Router

  • NETGEAR AC1000 (R6080)

  • Linksys WiFi 5 Router Dual-Band AC1200 (E5400)

Offsec recommends the routers mentioned above to all students taking the course. However, they're pretty old (as expected) and the availability of the router depends heavily on where you're based out of. Fret not, there were some alternatives that saved me.

DD-WRT

DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.

After some intense g00gling, I came across dd-wrt which was the evolved version of OpenWrt. I had this extremely old D-Link dir-868L sitting around collecting dust in my rack.

Luckily enough dd-wrt had custom firmware for it and I was able to flash it with no issues. If you were going to purchase the recommended router, I'd recommend looking into dd-wrt to check for your old router's compatibility before wasting some cash.

Wireless Adapter

  • Alfa AWUS036NHA

  • For wireless card compatibility, please refer to the Aircrack-ng wiki

For the wireless adapter, Offsec recommends students to get the Alfa adapter mentioned above or rever to the Aircrack wiki and pick one of their liking.

However, I ended up getting an Alfa AC1900 which was slightly overkill. After the card arrived, I realized that the Kali did not support the adapter out of the box. Thankfully the fix was as simple as installing the following package.

apt install realtek-rtl8814au-dkms

Shoutout to this kind soul over in the Amazon reviews section😂.

Labs

With the gear out of the way, let's discuss labs. To make things somewhat difficult, the course did not come with any labs. This would explain why offsec had to recommend routers. Students were required to set up most if not all the labs by themselves. However, there were a ton of guides on how to set up the following networks for attacking. (WEP, WPA[1/2/enterprise], WPS).

Setting up the various networks with dd-wrt wasn't too complicated. The process was pretty much the following:

  • Find a guide

  • Find the corresponding setting on my dd-wrt GUI

  • Wait for the network to go up

The "annoying" part was actually getting a client to connect to the network constantly and capture the attack. I just ended up using another VM with a wifi adapter passed through.

Do keep in mind to verify that your router is not using 802.11W as that would prevent deauth attacks and make it tougher for you to capture the handshakes.

The Exam

My Experience

The exam was pretty straightforward. I was presented with 3 different types of networks to attack and had to successfully compromise 2 out of the 3 networks to pass. However, there was a guideline that stated that cracking 1 of the networks was mandatory to pass. This basically meant that you could only "choose" one other network to compromise.

My exam environment was pretty stable (for the most part). When I was sniffing on one of the networks, I was only getting stations. Thankfully that issue was solved with a simple revert.

Word of advice, don't limit yourself to the tools within the coursebook. There might be another tool out there that might get things done with a little bit more ease even though the end product is the same.

Thoughts

Overall, the exam was pretty doable as long as you went through the courseware and familiarised yourself with the commands and processes! Reporting was as simple as other offsec examinations. Modify the given template to your liking and submit!

Conclusion

I enjoyed the PEN-210 and understood some fundamental content and debunked a few misconceptions of mine. Was definitely less stressful compared to the other offsec courses I underwent. Hope this helps someone out there, all the best for your attempt!

wireless networkinformation securityCertificationoffsec