Hi everyone, couple of months back I completed Offensive Security Wireless Professional (henceforth addressed as OSWP) (also known as WiFu). I am writing this blog for sharing my experience (of new learning), express my views on course and exam, also to clear some misconception about this course. Of-course these are my views and I’ll try my best to keep this blogpost spoiler free. So, let’s start:
Some facts about OSWP:
- OSWP is an entry level course designed by Offensive Security (henceforth addressed as OffSec) team.
- This course deals with Wireless Security (Honestly speaking Wireless Fidelity aka Wi-Fi)
- Unlike other courses, this course does not have remote labs available. Candidate should buy necessary hardware and setup lab for practice. Hence along with exam fees, hardware cost is additional.
- This is cheapest OffSec course (450 USD)
What you can expect from OSWP:
- You’ll understand how Wi-Fi works and why it is inherently flawed with various security issues.
- Why WEP/WPA are weak security standards and how to break them to obtain keys!!!
- Learning different tools such as Aircrack-ng suite, JTR, Pyrit etc.
- May clear your concepts about Rainbow tables and how you can perform war-driving/walking/running blah-blah etc.
- Compiling your own WiFi drivers
What you should not expect from OSWP:
- Breaking WPA2 with blink of eye.
- Breaking enterprise-grade wireless network (one which using Airtight, Radius etc solutions)
- Hacking Bluetooth and other wireless technologies.
- Post-exploitation activities
Why I choose this course:
To summarise my answer in one line: “I am master procrastinator”. (Watch this amazing Ted talk to understand what is master Procrastinator: Tim Urban: Inside the mind of a master procrastinator – TED Talks). Let me explain why…
Well, I’m in infosec industry from last 4 years. I’m doing web appsec, mobile appsec, source code review and currently reviews. I’ve never did anything with network security (this is strange as I have associate level certificate from D-Link in Switch config). Anyways, due to lack of network security experience, work load and my procrastination habit, I did not opt for any certification 3 years prior to OSWP (I am not even CEH and never will be… It’s not worth). It just popped up in mind that I should go for something easy to do and well recognised certification. I looked around and saw tons of my friends and colleagues are going for OSCP (one of which is Paranoid Ninja; please read his awesome blogpost: 31 days of OSCP Experience). I can see they are dedicated and their perseverance is way beyond mine. I decided, well, let’s go for simplest of them i.e. OSWP. Atleast that’s what my first thought was when I first read description. But soon after some interesting things happened after I enrolled to course, and it changed my perception about WiFi security.
Starting with WiFu Dojo:
So, I started reading reviews of OSWP, basics of WiFi security etc. and come to conclusion that I can complete this course without failing, as it will be shame failing such short course.
As there is no online lab involved and you have 4 months’ worth time to study, practice and schedule exam, I paid exam fees and got download link within 3 days. I got excited and started with videos. But within first few videos, I came to know that I should complete lab guide first as it has essential theory part. Now to be honest, unlike other OffSec courses, you can actually skip lab guide and rely entirely on videos. Videos are sufficient to get certified, BUT… you’ll miss the core of concepts of WiFi. This I understood because of some events I mentioned earlier. (Don’t worry I’ll tell you those at the end of blogpost).
WiFi Theory is pain in @5$
Nevertheless, I started with lab guide and I swear… its boring. Like its really boring. OffSec instructors themselves admit that “Theory Section is dry, but its worth reading.” So, I read it, re-read it and try not to sleep :P. Once completed with big chunk of theory (Almost 80+ pages), I started with lab setup.
Lab setup – a headache of its own kind
Trust me if you have no idea of WiFi cards and don’t know how to identify correct drivers and compiling them, then it will be a sort of pain. Issue I faced while this course are as follow:
- Choosing correct attacking hardware: In terms of chaos, anarchy and fragmentation, only Android can beat WiFi cards. For basics, you should know “Who is manufacturing card” and “Who is chipset manufacturer”. i.e. you can be using TP-Link card with Realtek chipset and so one…. These manufactures are so evil. They change single character in Card model name and the chipset and its characteristics entirely. OffSec guys mentioned this as well, so be careful. Personally, I went for two different Alfa cards, AWUS036NHA and AWUS036ACH. AWUS036NHA is one of the most stable card out there, but it supports only 2.4Ghz range. AWUS036ACH is dual band, but still it doesn’t have stable injection drivers(?). During entire course, I extensively used AWUS036NHA effortlessly and banged my head whenever tried using AWUS036ACH.
- Choosing correct victim router: Honestly speaking, just like attacking hardware, there is no ideal victim router. *cough* Spoiler *cough* Me (and many of my friends) faced issue while performing Fragmentation attacks, as almost all new routers drop such packets and attack fails. Many routers do not even have WEP setup option, which is pain for us. Anyways, I used D-Link DIR-615.
- Choosing correct guest OS: Now you might think, since this is OffSec course, candidate should use Kali Linux. Well, dead wrong. As long as it is Linux, supports your Alfa card and can run Aircrack-ng, feel free to use any Linux. Personally, I used BackTrack 5 during this course. Best thing about BackTrack 5 is that it is stable (more stable than any Kali Linux version). It was plug-n-play while using AWUS036NHA. But if you want to use AWUS036ACH, BackTrack is really bad choice. You have to write your own custom wireless drivers to use it.
- Choosing correct Virtual machine environment: You have two choices. VMware or Virtualbox. I went with VMware as I want no more pain in @$5. It’s your choice altogether.
- Choosing correct wireless drivers: I cannot even tell how much I googled this. Github, old repos, YouTube, Blogs …. So many things. And yes, this is not for AWUS036NHA. That little bastard works with everything. Big bastard AWUS036ACH, on contrary, does not budge and never worked one single time. Finally I kept it away and stared working solely with AWUS036NHA. Finally my setup looked something like this.
Not bad huh!!! Well its AWUS036ACH and Kali Linux, but anyways. This is it was like.
Once this was done, I took my own sweet time and studied/practiced almost all attacks. I used following resources for study other than OffSec material:
- http://www.aircrack-ng.org/doku.php : This is Aircrack-ng wiki, created by Thomas d’Otreppe aka Mister X. Must read for anyone who wants to understand basics of WiFi and to use Aircrack-ng suite of tools.
- SecurityTube Wireless Security Expert : Guys, its SecurityTube and Vivek Ramachandran, what else should I say!!!
Once I felt confident, I scheduled exam.
Its exam time!!!
So, after couple of months, I registered for exam. If you look at exam description, its simply mention “Compromise 3 targets and get secret key, within 3 hours and 45 minutes.”. Now such vague challenge can make you think that exam is challenging (but unfortunately, it’s not; unless you screwed up very bad). What I confident about was there will be WEP and WPA attacks I need to perform. So, I simply prepared command templates with necessary steps. One might say, why no shell script. Well, because I AM MASTER PROCRASTINATOR.
One more thing about exam pattern, there is no VPN involved. You have to SSH remote machine on given IP:PORT. So I decided to use puTTY. But came across, Bitvise SSH client on puTTY website. Simply amazing client. I decided to go for it. Well, I was set to face OSWP challenge.
Sorry to say but exam was real let down for me. I knew it will straightforward, but it was not even challenging. I completed it within 75 minutes. I could have completed within 40 minutes if I have not wasted my time in some worthless effort. They could have make it more challenging but cannot do anything about that. Within next two and half hours and took all screenshots and formulated my report and shared with OffSec. Within next 2 days, I got mail from OffSec that I successfully completed challenges. After couple of days received OSWP certificate.
What I learned from WiFu
- I come to know about basics of WiFi and its security. Atleast I was able to scratch a surface of domain which was totally new to me.
- Patience – Performing some attacks successfully is very difficult in real world scenario. Patience and perseverance is virtue in this case.
- Compiling binaries which I never did before.
- It opened totally new world of Wireless to me.
Why WiFu is still significant!!!
According to me, even though syllabus is old and exam is non-challenging, WiFu is very significant, due to following points:
- It will clear your basics and help you to understand more complex systems.
- Everything is wireless now. IoT help to connect internet and many IoT device use WiFi for connectivity. Its new lucrative attack surface.
- As I mentioned in start of blog, some interesting event happened during my course. They are as follow:
- Every mobile phone in world is “BroadPWNed”: World’s every mobile phone uses Broadcom chip for WiFi and it has very serious security issues, allowing BoF and complete device overtake.
- BlueBorne: Armis Security come up with BlueBorne attack which is another wireless attack on Bluetooth devices.
- WPA2 Broken: Researchers demonstrated successful WPA2 Key Reinstallation Attack.
- WPA3 Coming: More secure WPA3 is upcoming security standard.
Along with this there are Software Defined Radios (SDR), HackRF, BladeRF, Google Rail WiFi and so many things are coming up with Wi-Fi. So, it is good idea to have this certification.
Just like other OffSec courses, exam is not important but what you learned while preparing exam. Not only this course gave Wi-Fi security knowledge but confidence to face more challenging topics. So currently I’m learning Shellcoding in Linux 32 bit Assembly. So, you can expect a blog on that as well, but that is different story. Till then, Auf Wiedersehen!!!!!!!