This page gives you a summary of my experience obtaining the OSWP certification. There are also some tips and tricks for the exam at the end, which I think give you a better chance of succeeding at it.
Overview
The OSWP cert is officially described as:
PEN-210 (Wireless Attacks) introduces the foundations of wireless network security, exploring common vulnerabilities and exploitation techniques. The course prepares learners in skills related to different types and architectures of Wi-Fi networks, wireless reconnaissance, and exploiting vulnerabilities in WPS.
PEN-210 is ideal for penetration testers and security professionals seeking to expand their skill set to include wireless security policies and assessments. It has no formal prerequisites, though it’s strongly recommended that you have experience using the Linux command line, a solid understanding of TCP/IP networking, basic knowledge of wireless networking concepts (e.g., 802.11 protocols, encryption), and some familiarity with the standard skills of penetration testing.
Overall I would describe it as a very well-rounded course for learning the most common Wi-Fi vulnerabilities and exploitation techniques. If you feel familiar with a Linux terminal you can take this course easily. Though be aware that there is not a single lab included. Offsec encourages you to build your own testing lab.
The exam contains:
- 3 Wi-Fi networks (objective: retrieve the passphrase, connect to the network and gather a flag located under http://192.168.1.1/proof.txt)
  - 1 mandatory network
  - 2 networks, where you can solve either one
So you have 4 hours in total to solve at least 2 networks by retrieving the Wi-Fi passphrase. After that you get another 24 hours to write and submit your report on how you executed your attacks. The exam is fully proctored. There are some tool restrictions, like wifite or eaphammer, in general tools which do auto exploitation.
Why did I choose this course?
Mainly because I signed up for OSCP+ with a Learn One subscription, which includes the OSWP material including one exam attempt for free. I had some previous knowledge of WPA2 and WEP cracking. But everything WPA3 and WPA Enterprise related was new to me.
Review
Course
I enjoyed the course overall very much. It contains 16 modules of different significance. If you’re familiar with pentesting and Wi-Fi networks in general, the course is doable in about 2 weeks, working full time (that’s approximately the time I used). The course has one major downside, where it differs very much from other Offsec courses: it does not contain a single lab. I don’t understand their decision on this and think they cheaped out here. The course costs 800 dollars (at least a Learn Fundamentals subscription). I’d rate the PEN-210 course a 6 / 10, mainly because of the missing labs. The best solution for this is using https://lab.wifichallenge.com/ and their prepared virtual machine https://github.com/r4ulcl/WiFiChallengeLab. You can solve all challenges the OSWP exam throws at you and even more. If you only want to learn Wi-Fi hacking I would recommend the course from WiFiChallengeLab for 200 Euro over OSWP any day (even though I did not do this course myself). One main point for doing OSWP is that it comes for free when doing any other major Offsec 200 course with a Learn One subscription.
What modules did I like the most?
- Wireshark Essentials + Frames and Network Interaction
  - These modules intertwine, as you learn Wireshark in terms of Wi-Fi pentesting and learn for every Wi-Fi technology how the network traffic occurs. This knowledge is very well explained and I learned the most from these modules.
- Any exploitation modules like WPA cracking, WPS, Rogue Access Points, Captive Portals and WPA Enterprise.
  - Those are the modules that explain the effective attacks.
What modules did I dislike?
- bettercap Essentials, Determining Chipsets and Drivers, Kismet Essentials and Wireless Networks
  - These modules are complete fillers, which I think could be replaced with newer attacks like, for example, OPN Wi-Fi attacks or an introduction to more commonly used tools like wifite and eaphammer.
Even though the WEP attack is easy, I did not understand why it was no longer in the course material. Yes, of course it is outdated, but because it “maybe” is still part of the exam, they should include the teaching.
Exam
The exam is very easy and there are no rabbit holes or pitfalls. If you know how to execute the taught attacks, they are exactly mirrored in the exam. The environment was very stable and I was able to fully recover the passphrase of all three networks and wrote a short report in 1.5 - 2 hours. I used Sysreptor for report writing; they even have a template for this exam. Of all the certs I have obtained, it was by far the easiest one.
Tips & Tricks for Exam
- Focus on these attacks:
  - WPA Cracking
  - WPA Enterprise Attacks
  - Rogue Access Points
  - WEP Attacks
- You only need one tool:
  - Aircrack-ng
- You have to ssh into the attack machine, so learn to execute the attacks and connect to networks from the command line only.
- Scan the networks for some amount of time before analysis. If you only scan for a short time, you might miss the network that is vulnerable.
- Repeat an attack if it does not trigger immediately. Let attacks run for a longer time.

