Having recently passed the OSCP, I was looking for my next certification. I spent several weeks weighing the different options. Should I look to take my overall penetration testing skills to the next level and pursue Offensive Security’s new OSEP (Offensive Security Experienced Penetration Tester) course, or pursue a more specialized path, such as one dedicated to web application penetration testing? In the end, I opted for the OSWP (Offensive Security Wireless Professional), also known as PEN-210, from Offensive Security. The reason behind this decision was twofold. First, I really didn’t have a great deal of experience with wireless penetration testing and felt this would be a good opportunity to take my wireless skills to the next level. Second, I figured we would be conducting a large number of wireless penetration tests in 2021, as many of our clients had postponed their wireless assessments during 2020 due to the ongoing COVID-19 pandemic. Therefore, the OSWP seemed like a good option that would provide me with the tools needed to better assist our team in conducting wireless penetration tests for our clients.
Having purchased the course from Offensive Security, I received the course materials shortly after. As usual, the course materials from Offensive Security are very good. The author of the ‘Wi-Fu’ course is Thomas d’Otreppe de Bouvette, the creator of the Aircrack-ng suite, and he is obviously an expert in the field.
Some of the topics covered in the course are listed below:
- IEEE 802.11 Wireless Networks
- Packets and Network Interaction
- Linux Wireless Stack and Drivers
- Aircrack-ng Essentials
- Cracking WEP with Connected Clients
- Cracking WEP via a Client
- Cracking Clientless WEP Networks
- Bypassing WEP Shared Key Authentication
- Cracking WPA/WPA2 PSK with Aircrack-ng
- Cracking WPA with JTR and Aircrack-ng
- Cracking WPA with coWPAtty
- Cracking WPA with Pyrit
- Additional Aircrack-ng Tools
- Wireless Reconnaissance
- Rogue Access Points
Personally, I thoroughly enjoyed the course. Unlike the OSCP, there are no virtual labs, and the student is required to purchase the required hardware devices to set up their own lab environment. Coming from a military background (Royal Signals), I personally have a soft spot for playing with different antennas and radio equipment. Therefore, I enjoyed setting up my own wireless lab and testing the different wireless adapters, etc. This, however, turned out to be slightly trickier than anticipated, as some of the more modern wireless access points don’t support WEP (Wired Equivalent Privacy), which is required for the course. I ended up purchasing the recommended hardware devices listed in the course content, as I felt doing so would likely result in fewer issues. This turned out to be correct, and the course ran relatively smoothly.
The OSWP Course
The name of the course is ‘Wi-Fu’, and I felt it had a great layout and solid content. The student receives a PDF that is around 300 pages long and a large number of videos that demonstrate the topics covered in the PDF. The first 100 or so pages are purely theory, as the teacher wants to make sure the student really understands what is happening under the hood, rather than just running commands aimlessly. Although it’s tempting to skip ahead to the labs, the author regularly urges the student not to, and to make sure the theory is fully understood before proceeding. The theory is very clearly explained, and as previously mentioned, the teacher is clearly an expert when it comes to wireless networks.
The labs themselves were very enjoyable, and I learned a lot about wireless networks when constantly changing my lab configuration for each exercise prior to conducting the various attacks. The student is also introduced to a variety of password cracking tools, such as John the Ripper. Students who have previously studied the OSCP will already be familiar with these.
My only gripe with the Wi-Fu course was that it’s pretty outdated. I would say two-thirds of the course focuses on WEP. The remaining third focuses on WPA (Wi-Fi Protected Access) and WPA2. However, even then, the WPA/WPA2 sections focus purely on WPA/WPA2 PSK (Pre-Shared Key). Surprisingly, there is no content on hacking enterprise wireless networks, which was slightly disappointing.
WiGLE is a good site for statistics regarding wireless networks across the world, and at the time of writing, less than 5% of discovered WAPs (Wireless Access Points) are using WEP. Those statistics appear to include personal wireless networks. Therefore, I would assume the number of wireless networks using WEP is a lot less than 5% when it comes to modern-day enterprise networks. As previously mentioned when discussing the lab setup, many modern-day WAPs don’t even support WEP. For more context, the image below shows less than 3% of wireless networks using WEP, and that’s from 2016!
Therefore, dedicating roughly two-thirds of the course to something most penetration testers will likely never encounter feels almost counter-productive. I’m not saying WEP shouldn’t be included in the course; however, dedicating two-thirds of the course to a dying protocol seems slightly wasteful. Of course, WEP was likely still widely in use when this course was designed, and I’m sure it will play a smaller role if/when the course is updated.
The OSWP Exam
The exam was a nice change of pace from the OSCP exam, lasting four hours rather than 24 hours. The student is required to SSH into a remote machine, and then attempt to crack a variety of wireless networks that are within range of the attack machine. Unlike the OSCP, there is no passing score per se. There are a number of challenges, and the student must complete ALL of them, in order to obtain the OSWP certification.
The Wi-Fu course material contains a great deal of information about 802.11 wireless networking, and unlike the OSCP, you will likely not require any further research outside of the course materials to pass this exam. Everything you need to learn to pass the exam is contained in the course materials. However, having said that, I personally used Pentest Academy’s WiFi labs to help prepare for the exam and found them to be a great help.
Would I recommend the OSWP? Absolutely. It’s a great introduction to wireless penetration testing and the course materials are excellent, albeit slightly outdated. Offensive Security have been very busy recently, updating their existing courses and introducing their new OSCE pathway. Therefore, I imagine they will update their wireless course in the near future.
Did the OSWP help me achieve my goal of better preparing me for wireless penetration tests? I feel like I learnt a lot, and my understanding of the theory behind various wireless attacks will certainly stand me in good stead for future engagements. Overall, I am very happy that I took the course and I really enjoyed the experience. Thank you OffSec for another great course!