Passing the OSWP in 2024 – A Review

I recently passed the OSEP exam, as I discussed in my most recent blog post. My employer purchased a Learn One subscription on my behalf, which had the Offensive Security Wireless Professional (OSWP) included in the bundle. With two months left before my Learn One subscription ended, I decided to give the OSWP exam a go, as it seemed interesting and I had heard it wasn’t too challenging.

With about 2 weeks of light study, I passed the exam last weekend. Here are my thoughts.

The Course

The OSWP is actually the second oldest certification offered by OffSec, and was previously known as the “WiFu” when first released in 2007. It’s had an interesting run during its lifetime, with the techniques taught in the course becoming obsolete relatively quickly, as WiFi security improved from using trivially crackable WEP encryption to WPA2 and WPA3 in rapid fashion. While it has been updated since release, the OSWP is no longer available as a standalone course and is only accessible as a free add-on when purchasing an annual subscription for one of OffSec’s flagship courses.

The OSWP syllabus contains the following topics. I’ve broken these down into three different sections to illustrate how I approached the course content:

Wireless Network Theory

  • IEEE 802.11
  • Wireless Networks
  • Wi-Fi Encryption
  • Linux Wireless Tools, Drivers, and Stacks
  • Wireshark Essentials
  • Frames and Network Interaction
  • Determining Chipsets and Drivers
  • Manual Network Connections

Wireless Network Attacks

  • Aircrack-ng Essentials
  • Cracking Authentication Hashes
  • Attacking WPS Networks
  • Rogue Access Points
  • Attacking WPA Enterprise
  • Attacking Captive Portals

Alternate Tools

  • bettercap Essentials
  • Kismet Essentials

About half the course is essentially theory, which covers the way WiFi networks operate, the history behind the protocols used, and how they were developed over time. Six of the modules then cover types of wireless attacks and how to perform them, primarily using the Aircrack-ng suite of tools, before the course briefly discusses two other testing frameworks that could be used as alternatives. I personally found the theory content hard to get through, and the techniques to be very methodical in the sense that it was simply covering off what commands you should be using in what order to get to the desired outcome. There was little room for alternative techniques, tools or approaches to be learned in the content, as the techniques shown were very much presented in a “do it this way” sense. Course content was delivered via text and video, with a sufficient level of detail.

The Labs

This was my biggest surprise in the entire course. There were no labs to practice the techniques taught. The course instead encourages you to set up your own lab, with many students opting to practice using the WifiChallengeLab resource, an entirely separate entity from OffSec.

I found this to be pretty poor from an OffSec course, which has long held labs as being a core way to teach students complicated techniques and concepts. A key part of what made OffSec stand out when they first arrived on the certification scene was their emphasis on hands-on practice through the use of labs and a practical exam, as opposed to being yet another multi-choice exam that only really tests your memorization ability. To see them move away from this ideology, even for a course of lower profile compared to their flagship products, is disappointing.

The Exam

The exam is 3 hours long, and presents 3 wireless networks to crack. One of the three is mandatory, and only 2 are required to pass the exam.

I personally didn’t find the exam too difficult. I didn’t practice any of the techniques using external resources, so all I had were my notes and the course content to get me through the exam. I found that simply using the techniques presented in the course as they were, and using Google to find a few specific guides or resources was more than enough to get through the exam. Don’t overthink this one – what you see in the course is pretty much what you get in the exam.

I used just under 3 hours before finishing the exam, and gained access to all three networks. I then submitted my report shortly afterwards and received the notification that I passed the very next day.

Post Exam Thoughts on the OSWP

The OSWP was a pretty quick turnaround for me. I took about 2 weeks to go from opening the first course topic to passing the exam. While it was interesting to learn about some of the theory and explore using some well-known tooling, I can’t say I learned too much in this course, and by no means do I consider myself an “expert” in wireless penetration testing. There isn’t really enough depth in the course to cover off all the scenarios for an in-depth wireless audit, and only learning how to use the Aircrack-ng suite of tools feels a little bit like learning hacking but only learning about Metasploit.

The technologies covered in the course were surprisingly more relevant than I had expected them to be though, covering WPA2 and WPA2-Enterprise networks. While most modern home routers now use WPA3 out of the box, and enterprises will typically use WPA3-Enterprise or authenticate via certificates, WPA2 and WPA2-Enterprise with credentials might still be used in some circumstances. I found the section on Rogue Access Points to be the most interesting section of the course, and it would be an interesting exercise to see how well this type of technique would transfer over to real-world use. The course had clearly been updated since its first release, and was no longer limited to just cracking WEP encryption.

Despite the relevance of the material being better than expected, I was still a bit disappointed by the tooling used and the restrictions applied in the exam. Automated tools and frameworks such as besside-ng, wifite and wifiphisher are restricted in the exam. While I understand why this is the case for courses such as the OSCP, I think this is a bit of a shame in the case of the OSWP. Despite the infodump of content at the beginning of the course, the sections of the course that detail attack techniques don’t seem to really be focused on teaching you why you are using certain techniques to attack a wireless network. Instead, they just focus on how this should be done with the toolset they specify. Because so much of the course is focused on using tooling in a step-by-step manner, I can’t see why more sophisticated tooling, which is more likely to be used by pentesters working on an actual wireless engagement, isn’t taught or allowed.

I think there’s a real opportunity for OffSec to adapt the course so that it’s structured in a way that guides students down the approach a pentester would take on a formal engagement. Start by teaching how to identify the network type in the first instance, then work from there, and do not place any restrictions on the tooling that can be used. It would be worth updating the course to include WPA3 networks too. Even if these aren’t vulnerable in the same way as WPA2 or WEP networks are, it would still be worthwhile to cover any implementation flaws or misconfigurations that may be present in these networks.

With all that said, I did find the course to be interesting overall. If you have a Learn One subscription and get access to the OSWP, I think there’s no harm in giving it a go. If you have some time remaining in your subscription plan it is well worth spending a couple of weeks going through the content and exam. As a standalone product, I don’t think it really holds up. But as a free addition to one of their flagship courses, it’s a fun challenge and gets another OffSec cert in your collection.

Kento.
