PREFACE
This course/exam is no longer provided as standalone and is only included with a purchase of one of OffSec’s subscription plans. I had purchased a LearnOne subscription at OffSec’s end of year sale to get my OSCP, but decided to get OSWP out of the way first. If you want to see what I think about OffSec’s subscription plans, check here.
DISCLAIMER
I will NOT be giving away any exam spoilers or answers here. Feel free to contact me with questions; however, I am not willing to discuss any exam specifics or give any overt hints.
THE COURSE
The accompanying course to the Offensive Security Wireless Professional (OSWP) exam is the PEN-210 course, which is accessible with an OffSec subscription. If you have one of the aforementioned subscriptions, an exam voucher for one attempt is included. The course covers everything you need to pass this exam and the objectives are straightforward, provided that you understand and can replicate the steps of the attacks.
The course topics include:
- IEEE 802.11
- Wireless Networks
- Wi-Fi Encryption
- Linux Wireless Tools, Drivers, and Stacks
- Wireshark Essentials
- Frames and Network Interaction
- Aircrack-ng Essentials
- Cracking Authentication Hashes
- Attacking WPS Networks
- Rogue Access Points
- Attacking WPA Enterprise
- Attacking Captive Portals
- bettercap Essentials
- Kismet Essentials
- Determining Chipsets and Drivers
- Manual Network Connections
The first few modules cover wireless technology in general and then the course moves into network analyzing and attacks against WPA/WPA2, WPA Enterprise, WPS, rogue access points, and captive portals.
This course has been updated from the previous course that mostly covered WEP, which is an outdated protocol that is not much in use nowadays. I think this course does a great job of covering some of the more modern wireless attacks; however, I must note that while there was some brief outlining of the WPA3 protocol, attacks on WPA3 networks were not included.
The course was easy enough to follow, but the included labs required the purchase of specific equipment to practice the techniques. I, like many others, started my interest in security with wireless many moons ago, so I was already familiar with these concepts/attacks. I skimmed through the course in about a week or 2, jotted down what I felt was relevant and scheduled my exam. If you have the hardware and can set the lab environment up, then more power to you. But, if you take good notes of the course material, you should have no problem passing this exam without the labs. For this course, I took notes in Obsidian.
EXAM PROCESS
This is a proctored exam and therefore needs to be scheduled for a specific date/time. You can log into the OffSec portal and click the exam tab under the PEN-210 course and choose an available date/time that works for you. Prior to the day of your exam, you will receive an email from OffSec outlining the proctoring requirements. On the day of your exam, you are to log in 15 minutes before your scheduled time to their proctoring software to select your webcam, share your screen(s) and do the whole verification process (have your ID handy). If you are in doubt whether your setup will work, you can request a test run from OffSec prior to your exam. You will log into the proctoring software with your OSID and an MD5 hash provided to you in the email.
Despite what I’ve read online, you can take this exam directly from a Kali Linux host machine and a modern browser (which is what I did for both OSWP and OSCP – review coming soon). However, and with good reason, some recommend taking the exam from a virtual machine and having a backup VM just in case something breaks on your primary. This is entirely up to you and at your own risk.
At the scheduled time of your exam, you will receive another email from OffSec providing you with your VPN connectivity pack, VPN username and password, links to the exam control panel and instructions on where and how to upload your report. Once in the control panel, you will find the guidelines that will serve as your “letter of engagement”. This details your targets and where to submit your flags. It also informs you of the required task(s) to pass this exam.
You are given approximately 4 hours (really 3 hours and 45 mins) in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 24 hours to write and submit your penetration testing report for review. Once you submit your report, receiving your results can take up to 10 days (this can vary, but in my experience, it is usually quicker than 10 days).
THE EXAM
As mentioned above, this exam is fairly straightforward. If you know the attacks and can replicate the steps, you can easily pass this exam. You are given 3 targets total; 1 of them is mandatory to pass and you can choose between the other 2. The exam environment was stable and I don’t think I needed to revert any of the targets at all.
It took me about 3 hours (with some short breaks) to attack the selected targets, take my screenshots and submit my flags into the control panel. It took a bit longer than expected because I had to re-do one of the attacks as I was not getting the expected results and noticed I had made an error on one of my commands. Once I had everything I needed, I asked the proctor to end my exam early (webcams make me nervous).
I usually take rough exam notes in Obsidian and then put my report together afterwards. For this exam, I decided to drop my screenshots and notes directly into LibreOffice Writer to save some time on the report. Once you are done, you can submit your report over at OffSec’s upload portal using your OSID and the MD5 hash provided to you at the beginning of your exam. OffSec has some strict guidelines for uploading, so make sure to take a look at their OSWP Exam Guide. I used the OpenOffice/LibreOffice template provided by OffSec and my report ended up being 19 pages long. It took about a day to receive my results.
OVERALL THOUGHTS
I thought this was a fun exam. It has some good content and with the more recent course updates, it has what I would consider to be some relevant topics in wireless technology/security. I would have liked to see some more focus on WPA3 and also more varied wireless attacks featured on the exam. If you have an OffSec subscription and an included attempt of this exam, I do think it’s worth the time to run through it and take the exam.
EXAM TIPS
There is a time crunch on this exam, but I do think it is more than enough time to perform the required attacks. Do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and take some quick breaks if you need them.
Make sure to have all of your notes and screenshots in order. Along with submitting your flags in the exam control panel, OffSec requires that the screenshots of your flags show specific details. I threw my notes directly into LibreOffice Writer and used Flameshot to take screenshots.
It is imperative that you learn how to connect to the various networks and retrieve your flags via command line.
Most importantly, do not give up. It’s easy to feel defeated and discouraged if you fail, but your best is all that you can do.
Best of luck. Onwards and upwards!
RESOURCES
Other OSWP writeups:
OSWP – Foundational Wireless Network Attacks – Review (2023)
Offensive Security Wireless Professional (OSWP): my experience
Report templates:
Bonus:
Check out this Reddit post for some useful tidbits.