OSWP Retrospective

My Road to WiFu

The OSWP aka WiFu in the old days was the second OffSec certification that I’ve taken. While the journey was far smoother than the dreadful marathon that was the 24 hour OSCP certification, there were indeed a few interesting things to share along the way.

Format

I enrolled in the new Offsec Training library format, which is the new course delivery platform that they implemented in 2022. Instead of downloading the course PDF and videos en bloc as in the past, now you log in to their “training library” web app to watch videos and read the course documents. There is an option to download everything. As I write my own documentations along the way I did not download the files.

Content delivery this way was smooth and mostly intuitive. I imagine most people would feel the same if their internet connection is okay.

Hardware

In order to pentest a Wifi network, you need a compatible wireless card that supports monitor mode and packet injection. As there are no virtual labs for you to attack in the course, you need to set up your own home lab as instructed in the course manual. A spare Wifi router is highly recommended, as you do not want to repeatedly reset your home network password, disconnecting every device in the process, or change into a vulnerable setup to invite attackers.

OffSec recommend the following hardware for the course:

Recommended Wireless Network Routers
---
NETGEAR AC1000 (R6080)
Linksys WiFi 5 Router Dual-Band AC1200 (E5400)

Recommended Wireless Cards
---
Alfa AWUS036NHA

What did I use? A TP-Link TL-WN722N v1 that I bought a while back, and a cheapo TP-Link router that supported 802.11 a/b/g/n as well as WEP, WPA1/2 personal authentication (most mass market routers do, these days). You could also refer to the aircrack-ng wiki page for wireless card compatibility.

WN722N v1 card. Note that only V1 supports monitor mode and such
Alfa AWUS036NHA which is recommended by OffSec

Course content

The course work was about 40-50 hours long. Between going to work and working through the contents after hours and during weekends, I spent maybe 6 weeks to complete at a relatively comfortable pace.

The first half of the course dealt with the theory underlying the various WiFi protocols, authentication schemes and handshakes. This is where I spent the most time on actually, due to a lack of background knowledge. As you might expect, notes covering “802.11b specifications” or “linux wireless drivers” tend to be rather dry but still arguably essential to the testing of WiFi. OffSec included .pcap files for the different examples of network interactions, control frames to inspect in Wireshark. Which was also a good exercise in on itself.

The second part of the course, the home-lab work, came 30-odd hours later. That involved learning the various techniques in attacking WPA1/2 personal, enterprise network including deauth attacks, evil twin AP, rouge captive portal, to name a few.

As the aim of the course was to crack authentication hashes to obtain Wifi passwords, a section discussing hash cracking tools such as JTR, Hashcat etc was included. Far as I remember, it was more detailed than the OSCP coverage of the topic and introduced me to techniques like mask attacks and rule-based attacks and was quite nice!

Tools involved in the course – most of the practicals were done by interacting with the aircrack-ng suite, though you need additional tools such as hostapd-mana to mount more sophisticated rouge AP attacks. Later in the course more tools and frameworks such as bettercap & kismet were introduced to perform the attacks more efficiently & systematically. Though, arguably they do not add new core functionality to what aircrack-ng was doing.

The WiFu Exam

Disclaimer: everything I write here is also in OffSec’s documentations.

So how would the sensei challenge me to make me earn my new 4 letters? In the exam, I:

  • Have a 4 hour time limit;
  • Need to crack 2 out of 3 Wifi network in a VPN-connected virtual environment;
  • One of them is mandatory;
  • Use default wordlists provided in the Kali VM provisioned;
  • Each scenario would only be active one at a time;
  • You got many resets to the scenarios in case something breaks.

All the specifications strongly suggested to me that the hash-cracking part of the exam should not be very hard (BUT: take nothing for granted!!). Why? Using default wordlists means cracking the hashes inside of the VM, which may or may not have powerful hardware (How to check for it? Which tool support GPU as opposed to CPU cracking?). Let’s for the sake of discussion say it does not. Then the focus should be on how to successfully mount one of the attacks (may be simple or sophisticated) described in course work to obtain the hash in the first place. This was my expectation going in.

Anyhow, on the exam day there were a few surprises indeed, which I definitely won’t go into details here. I also had a scenario in which the target AP did not broadcast anything, and I had to reset the scenario for it to work properly. But overall it went okay and I cracked all 3 within the time given, just barely.

Thank you, Sensei!

Me