This month, our colleague Remco earned his OSWP (Offensive Security Wireless Professional) certification. In this blog post, he shares his journey and experiences on the way to achieving this certification.
This is Remco's second certification from OffSec, in addition to his OSCP. Although OSWP requires less course material and study effort than OSCP, Remco found it fascinating to learn more about the offensive side of Wi-Fi. Read on to discover more about his learning and insights!
What is OSWP (PEN-210)?
For those who don't know: OSWP (Offensive Security Wireless Professional) is a certification for people who want to learn how to pentest wireless networks. According to OffSec: "This wireless security certification demonstrates a student's ability to identify and exploit vulnerabilities in 802.11 networks. The OSWP provides pentesters with specialized skills in wireless security assessment, which complements their knowledge base and makes them a valuable asset to organizations."
The course covers the following components, among others:
So... Learn the aircrack-ng suite and you're done? Well, not quite. The aircrack-ng suite is indeed the tool for Wi-Fi pen testing. Still, there are some other tools you need to know to pass the exam, such as hostapd-mana and freeradius.
Preparation for the OSWP exam
On November 22, 2023, I started a Learn One subscription. This was primarily for OSCP, but the deal also included OSWP. However, I had to complete the course and exam by Nov. 23, 2024 (within a year). This is certainly achievable. After I passed OSCP, I thought I would immediately go on to OSWP. But after studying for OSWP (except for WPA-MGT), something else came up in between, so my focus on OSWP disappeared.
Two weeks ago I passed BSCP (Burp Suite Certified Professional), and then I remembered that I had until Nov. 23 to complete OSWP. I decided to schedule the exam on Nov. 21, 2024, at 1 p.m.
Unfortunately, OffSec's course does not include practice labs. I researched study materials and labs that I could use, but honestly, there isn't much out there for OSWP (at least, that's what I thought). So I bought a (way overpriced) wireless adapter, the ALFA Network AWUS1900. The reason is that the chipset in this adapter is compatible with Kali. I also bought a wireless router that allowed me to test WEP, WPA-1, WPA-2 and WPS. Unfortunately, my access point did not support one important issue: WPA-MGT (Enterprise).
After a while, someone on Discord mentioned the WifiChallenge Labs (https://wifichallengelab.com/), a CTFd-based platform that includes an image for VMware/VirtualBox. It's really great! If you complete these labs (without using write-ups), you will be 100% ready for OSWP. Best of all, you don't need any physical hardware like a wireless adapter. My tip: take OffSec's OSWP course and use WifiChallengeLab's labs for your practice.
The WifiChallengeLab platform also includes labs for WPA-MGT, which is what you need for OSWP. WPA-MGT is basically WPA2, but with a few extra steps with certificates. In addition, it even includes labs for WPA3, which is not covered in the OSWP course.
Briefly, my preparation for OSWP was as follows:
Study: Learn the theory from the OSWP course.
Practice: Use WifiChallengeLab's labs for hands-on experience.
The exam
Everything you need to know for the exam is in the OSWP Exam Guide. The exam consists of three labs, only one of which you can take at a time. You must complete at least two labs to pass, and one specific lab is mandatory to complete. You have 4 hours for the exam, which is proctored, so a webcam is required. In addition to the exam, you must write a professional report on your findings and the steps to reproduce them.
You get a dedicated Kali VM that you connect to via SSH through the VPN. This VM contains a wireless card and the necessary (and allowed) tools. Automatic exploitation tools are not allowed, so please read the exam guide carefully.
I completed the required labs within an hour and used the remaining time to write my report and add missing screenshots to my notes (a good decision). For notes I used Sysreptor, and for the report I used OffSec's Word template. Don't forget to add screenshots of proof.txt and the PSK/passwords obtained.
I submitted my report about an hour after the exam. Although grading can take up to 10 business days, I saw that I passed after only 14 hours!
Review
All in all, the OSWP course and exam teach you the basics of Wi-Fi pen testing. However, the course is a bit outdated (last updated May 17, 2021). I also regret the fact that the course does not offer practice labs. I noticed that WifiChallenge Labs now also offers certification, so maybe that's a better choice if you want to learn more than just the basics of wireless pen testing. Nonetheless, I'm glad I passed and learned some cool stuff along the way 🙂
Tips for passing the exam
Study the theory from the OSWP course and practice with WifiChallengeLab.