Offensive Security Wireless Attacks (WiFu) + Offensive Security Wireless (OSWP)


A few months back, I took Offensive Security's online WiFu course and its exam, OSWP. As I had written up reviews for PWB/OSCP and CTP/OSCE, I thought I would do the same here. As always, everything in this post is both personal comment and my own experience with the course.

Offsec WiFu Box

It's not easy to create a course, especially with the amount of resources that are freely available, such as the aircrack-ng wiki and Security Tube's Wireless Megaprimer. Both are good, if not great, sources of knowledge, which makes them valued resources; however, there is still room for WiFu - more on this later.


Before doing the course, I had already dabbled with 802.11 and its security, successfully cracking some WEP & WPA networks, and writing my own "wrapper" to automate the process. However, I still learnt more than a thing or two by the time I had completed the course.

Everything that I knew before the course was self-taught, coming from reading blog/forum postings and the odd video (there are plenty of resources, and they range in quality, depth of detail and age).

Yes, I was able to learn and teach myself for free. But I spent time doing it, as I had to go out searching for it (which made it easier to skip over certain areas if you didn't seek them out). There are also conflicting bits of information online (either because it's outdated or it's "the blind leading the blind").


As always, with an Offsec course, all the information that you need is in one place. They have done their homework including getting the author (Mister_X) of _THE_ pentesting tool for 802.11, aircrack-ng, to help write the course.

Course Material

Course Materials & Lab/Exam Setup

The course material is made up of a handbook/document (.PDF – 385 pages), and videos (.SWF – little under 3 and a half hours). In the handbook, there are links to external example .CAP files that Offsec is hosting, allowing you to follow alongside. There is also a custom Backtrack ISO file, which is what the course recommends you use.


I personally was able to progress through the entire course material in a weekend. The exercises were straightforward, and I didn't run into any issues completing them (I used an old NetGear WG614 v9 & TP-Link WR104ND for access points and ALFA AWUS036H & Linksys WUSB54GC wireless cards).

Unlike PWB/CTP, there isn't a remote lab this time to connect into – you will be re-creating the labs locally. There aren't any "step by step" instructions showing you how to alter the router configurations (you sometimes see a glimpse of this in the videos), as each router's UI is different. Instead they just inform you what settings you need to put your router in for each exercise.


The upside to not having any remote labs is that you are not limited to lab time, so you are able to work on it freely. However, the exam attempt that comes with the course is only valid for 120 days after you receive the course materials – which is plenty of time to get you prepared.


The exam, however, is taken remotely. You do not VPN in (unlike OSCP/OSCE, which allows you to use your own hardware and software configuration); instead you SSH to a clean, ready-to-go Backtrack 5 r3 machine which has everything you need to be able to pass the exam.

Material Breakdown (WiFu)

If you want to follow along yourself, you can find the course syllabus here.

It begins with all the standards & protocols for 802.11 (with a bit of a history lesson), then moves into how wireless networks work and the different types of WiFi.


Then it is chapter 3. This gives a full breakdown of 802.11 packets, as well as techniques used in the protocol, and it goes into a great amount of depth. Throughout this section, on nearly every page there is a screenshot, table, or diagram to help break up the text, and help explain the area in more depth.

I personally see it as a bit of a "dry" area, and the authors felt the same (there are words of encouragement to stick with it and understand everything that is being said here).

This is a large section (over 100 pages), as there is a great deal to cover in this area. This builds up a good proportion of background knowledge, showing why everything works.

Reading back on my notes for this chapter, the amount I took does start to thin out towards the end (however I now have the PDF to use as a reference to fall back on).


After learning all the theory behind it, it starts to get ready for the practical. They do this by showing how to pick hardware (note: I see this question being asked almost on a daily basis – it's a popular question!). Rather than just saying "get this card", they explain what to look for in a card – and which one would be best suited for the job (spoiler alert: there isn't a single card that "is the best and does everything").

Quick rundown: they compare interface, signal/power, antennas & chipsets. I personally was impressed with the antennas section, showing the different signal patterns – this is something I hadn't looked into before.


I should say at this point, unlike PWB & CTP where you remotely VPN in, connecting to their (Offsec) labs, you need to set up and create your own locally. So, if you wish to do any of the practical you will need to purchase some of the hardware you have just researched (as it's not included in the course fees). The exam, however, is taken online – this is covered later.


Next, the course starts to teach you how the hardware works with the software via the wireless stack & drivers, which is another commonly asked-about area I've seen online. They run you through the basics, such as testing drivers & (manually) enabling "monitor" mode.

I would have liked to have seen more "troubleshooting" here, or a few more advanced commands to gather more information about what's going on / the current setup. I mention this because it bugs me when people want help but give little detail (however, more often than not, it's also the manner of the person and how they are asking for help).


The rest of the course from here on out is practical (note: I'm guessing a lot of people's pre-course knowledge starts at this point). Most of the time it uses the aircrack-ng suite, which really is a Swiss army knife. By the end of the course, I think you use all but one of the attacks that aireplay-ng has to offer. There is some similarity to the aircrack-ng wiki's content for parts of the remainder of the course.

The course explains what is being shown on screen and how it relates to what's been taught so far, followed by the arguments to interface with the program as you see fit. At the end of each chapter, there is a lab to complete. These are tasks that relate to what has just been taught, as well as troubleshooting for common issues that the student may run into at certain stages.


It starts at the beginning with the aircrack-ng suite, by putting your card into the right mode, as this is something that you will always need to do before commencing any attacks. This allows you to view the surrounding wireless networks. The last bit in this section tests the wireless card, making sure "packet injection" works.


It then branches off into WEP attacks, with client and clientless scenarios using various different configurations & attacks. Which access point has been used will affect which attacks are successful. Offsec does recommend certain access points to be used, and the course has been fully tested with them (meaning all the attacks will work). If you wish to break away and use something different, you may find that certain attacks will not work.

As there are various possibilities and different combinations of WEP configurations, not every scenario is "hackable" (e.g. clientless with WEP Shared Key); however, the ones that are, are covered. It even mentions the injection attack, which allows you to inject data into a network to which you are not even "connected".


Then the course sets its focus on WPA/WPA2. Unfortunately the course only covers Pre-Shared Key (PSK), skipping over Enterprise. However, most WiFi networks that I've seen use PSK.

I've gone through the pain & "joy" of setting up a RADIUS server at home in a test lab, which isn't the most straightforward thing – which could be another reason why it's not covered. I also understand not giving away a pre-made VM image, as that still has a lot of moving parts and could cause another set of issues.

The course covers CPU vs GPU cracking and the speed increase between the two methods, as well as using pre-calculated rainbow tables to speed up the brute-force process.


Afterwards there is the reconnaissance section, which demonstrates a few different methods to visualize clients and their relationships using 802.11, something I can see being very useful when doing wireless assignments for clients. There is also a bit of information on "war * (war driving/walking/cycling etc.)" – which is something that I spent a lot of time doing in 2013 (blog post to follow).

Lastly, there is the "rogue access point" (aka a fake access point or the "evil twin attack") for both WEP & WPA. This is where you set up a "cloned" access point to mimic the target, and find different ways to force targets to use it. The last practical for the course goes into "Karmetasploit" to exploit the wireless client, which I felt is a good way to finish.

Up to this point, the videos coincide with the handbook/document very well, much like with PWB. There are a few extra "bonus" things that are included in the PDF (alternate methods and techniques to speed up the attacks). There are also a few extra little "tricks" you can do, covering sharing the wireless interface over a network to a remote machine, relaying & repeating captured data, and decrypting packets.


For all of this, in true Offsec style, you learn how to do it "manually". You don't rely on any "one click GUI" programs (which really are just wrappers around the aircrack-ng suite).

Side note: If you have done PWB/CTP, you will notice it's not the same narrator (Mati), this time it's Devon.

Exam (OSWP)

I can't go into too much detail here without giving the game away. In short, there aren't any "curve balls" in it (unlike OSCP/OSCE); it's straightforward and pretty much what you would expect.


The exam is four hours long, but I found myself finished within an hour.

It would have been sooner, however there was a technical issue on the remote machine (the wireless card needed to be switched out). All I had to do was ask on IRC and an admin had fixed it within 15 minutes.


Like OSCP/OSCE, everything that you're tested on is covered in the course material. Unlike OSCP/OSCE, you don't need to write a report at the end in order to pass.

Reflection

Myths

One of the comments I've heard criticising the course is, "It's mainly WEP attacks".

This is true to a point, as the WEP section is about 100 pages & WPA/WPA2 is about 40 pages. My take on it is that there aren't as many (publicly known) attacks against WPA/WPA2, so there isn't as much information to cover.

Because WPA/WPA2 uses (a much) "better" cipher, the only (known) weakness is an offline brute force on the four-way handshake. Whereas with WEP there was a poor cipher implementation which had a weakness in the maths behind it. The result is that there are various ways to crack WEP.
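To make the "offline brute force" point concrete, here is an added example (my own code, not from the course or the post) of the key derivation that the brute force has to repeat per guess. 802.11i derives the WPA/WPA2-PSK pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 rounds. The example checks itself against the published 802.11i test vector (passphrase "password", SSID "IEEE"), shows that the same passphrase gives a different PMK under a different SSID (which is why the pre-calculated tables mentioned later only work for the SSID they were built for), and measures how many candidates a single CPU core can derive per second, the figure that GPU cracking multiplies. The candidate passphrases and SSIDs used for timing are constructed values.

```python
import hashlib
import time

# IEEE 802.11i derives the PSK (used directly as the PMK for WPA/WPA2-Personal)
# with PBKDF2-HMAC-SHA1: the passphrase is the password, the SSID is the salt,
# 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA/WPA2-PSK passphrase and its SSID."""
    # 802.11i restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, the same value wpa_passphrase prints as 'psk='."""
    return derive_pmk(passphrase, ssid).hex()


def precomputed_table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """False when the same passphrase gives different PMKs under two SSIDs.

    That is why a rainbow table of PMKs only helps against the SSID it was
    computed for, and why a non-default SSID defeats off-the-shelf tables.
    """
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def candidates_per_second(sample: int = 25) -> float:
    """Rough single-core rate at which candidate passphrases become PMKs.

    The 4096 PBKDF2 rounds are the cost an offline brute force pays per guess;
    a GPU multiplies this rate and a precomputed table removes it entirely.
    """
    start = time.perf_counter()
    for i in range(sample):
        # Constructed candidate and SSID; only the timing matters here.
        derive_pmk(f"constructed-candidate-{i:04d}", "constructed-ssid")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # Test vector from the IEEE 802.11i annex: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", pmk_hex("password", "IEEE"))
    print("table built for SSID 'IEEE' reusable against 'linksys'?",
          precomputed_table_reusable("password", "IEEE", "linksys"))
    print(f"~{candidates_per_second():.0f} candidate passphrases/s on one CPU core")
```

The rate printed at the end is what makes passphrase length and uniqueness the defender's lever: every extra character multiplies the candidate space, and every PBKDF2 round is paid again for each candidate, whereas WEP's RC4 key scheduling weaknesses let an attacker recover the key statistically with no such per-guess cost.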

WPS

To help "pad out" the WPA/WPA2 section, I thought they could have covered the WPS attack.

Note: WPS != WPA/WPA2.

However, you can only have it on WPA/WPA2 networks, which I believe makes it relevant. Looking into the history of it, I understand why it's not in the course...

The course is currently on version 3, which came out in July 2011. However, about four months later, in December 2011, (as far as I can see) there was the first public release of a PoC "tool" (and paper) to "hack" WPS. It's a bit of a shame with the timing, as it didn't make it into this release of the course (it may do if there is a newer release of the course).

Whilst on the subject: shortly after that came the release of the tool most people know today, reaver, but it hasn't been updated since January 2012 (the last version is v1.4). To pick up the slack/fill in for it, there is "bully", which is currently still in active development.

Side note: the WPS attack hasn't (yet?) made it into aircrack-ng.

Criticism

Personally, I would have liked to have seen something more than a line or two about both "hidden" SSIDs & MAC filtering. These are bypassable, and could have been an "extra mile" exercise (like in PWB).


As I mentioned before, in the WPA/WPA2 section the course doesn't cover Enterprise. With WEP, there isn't any mention of the "key index" (how to identify which key index is being used). However, "most" of the time it is slot 1.

Side note: if it's not index 1, then Apple devices have a hard time connecting!
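Since the course doesn't say how to identify the key index, here is an added example (my own code, not the course's or the post's) of where it lives on the air. A WEP-protected data frame body starts with a four-byte header: a 24-bit IV followed by one byte whose top two bits carry the Key ID (0 to 3); the low six bits are reserved and zero. Router UIs number the same keys 1 to 4, which is the "slot 1" the text refers to. The parser below extracts the IV and Key ID from a frame body, maps the Key ID to the UI slot, and tallies which slots a set of frames were sent under. The frame bodies are constructed samples: real IV headers followed by filler bytes standing in for the encrypted payload and ICV.

```python
from collections import Counter
from typing import Iterable, Tuple

# WEP frame body layout: IV (3 bytes) | Key ID byte | RC4-encrypted data + ICV.
# In the Key ID byte, bits 6..7 hold the two-bit Key ID and bits 0..5 are zero.
WEP_HEADER_LEN = 4


def parse_wep_header(frame_body: bytes) -> Tuple[bytes, int]:
    """Return (iv, key_index) from the start of a WEP-protected frame body."""
    if len(frame_body) < WEP_HEADER_LEN:
        raise ValueError("frame body too short for a WEP IV header")
    iv = frame_body[:3]
    key_index = frame_body[3] >> 6  # on-air Key ID, 0..3
    return iv, key_index


def key_slot(key_index: int) -> int:
    """Translate the on-air Key ID (0..3) to the slot number router UIs show (1..4)."""
    if not 0 <= key_index <= 3:
        raise ValueError("WEP Key ID is a two-bit field")
    return key_index + 1


def key_slots_in_use(frame_bodies: Iterable[bytes]) -> dict:
    """Tally how many frames were sent under each key slot."""
    counts = Counter(key_slot(parse_wep_header(body)[1]) for body in frame_bodies)
    return dict(counts)


def _constructed_frame(iv_hex: str, key_index: int) -> bytes:
    # Constructed sample: a genuine IV header followed by filler bytes in place
    # of the encrypted payload and ICV; the filler is not real ciphertext.
    return bytes.fromhex(iv_hex) + bytes([key_index << 6]) + b"\xaa" * 12


# Constructed capture: three frames under the usual first key, one station
# configured with slot 3 (on-air Key ID 2).
SAMPLE_FRAME_BODIES = [
    _constructed_frame("0a1b2c", 0),
    _constructed_frame("0a1b2d", 0),
    _constructed_frame("0a1b2e", 0),
    _constructed_frame("ffee01", 2),
]

if __name__ == "__main__":
    for body in SAMPLE_FRAME_BODIES:
        iv, idx = parse_wep_header(body)
        print(f"IV {iv.hex()}  key id {idx}  (slot {key_slot(idx)})")
    print("slots in use:", key_slots_in_use(SAMPLE_FRAME_BODIES))
```

Running the tally over a capture is also a quick way to spot the misconfiguration the side note describes: if stations disagree about which slot is in use, the frames from the odd one out show up under a different Key ID.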


I felt there isn't as much of a "self-study" element compared to PWB, as the course material covers a vast amount of what you need to know and, as a result, limits the possible "extra mile" exercises.

Is this course for me?

So why do this course? "What's the point in doing this? I know how to crack/hack WPA."

You may think that you know it all, and you truly might do. However, for the people that don't, or those who are missing certain areas, this is a great way to learn about wireless 802.11 security. It certainly helped me to fill in the blanks & pitfalls in my knowledge and cleaned up a few things.


The course itself isn't too complex and it's short (and this is reflected in the course fees; it is also currently the cheapest course Offsec has on offer).


There is also an exam at the end, which will give you a certificate (OSWP), which is recognized professionally.

What's wrong with the resources that are out there currently?

Nothing! If they work for you, that's great.

Personally, I like the mixture of written material & multimedia (that coincide with each other). I really like Offsec's style of presenting & teaching.


The aircrack-ng wiki is a manual showing how to use their tool (rightly so!), and SecurityTube is a free "sample" of their commercial course (the videos are free; however, everything else requires a fee – slides, certificate and additional content).

From what I saw of Security Tube, it might touch on more topics; however, I didn't feel that it went into the same amount of depth, and I didn't like the style in which it was presented.


Kudos to both for giving out free, decent and original content.

Summary

Advice

There is a chance that you will need to buy some hardware for the course, so don't expect or rely on your current wireless device.


If something isn't working for you, try and troubleshoot why it's not. Wireless security is a popular subject online, and the chances are someone before you has already had the issue (and found the solution).


You do not need to have done any of the other Offsec courses (e.g. PWB/CTP) before; that's not an issue. There isn't any "cross over" between the courses. This could be your first (security) certificate, or simply just another course for you to do.

Offsec once again starts at the start, and covers everything in a single package - including the stuff that you could have been afraid to ask.


I wanted to learn about wireless 802.11 security, not how to hack WEP/WPA, and I feel they managed to give me exactly what I wanted.


Credit to Offsec, as it is obvious that there has been a fair amount of time and thought put into the course (as always!). Thank you for doing so.

This is an enjoyable, straightforward little course and I would recommend it.