Today, I want to tell you a story about my journey towards OSWP (Offensive Security Wireless Professional). It was quite a fun and interesting experience. OSWP is my second certification from OffSec next to OSCP. OSWP had way less course content and study input. Nevertheless, for me Wi-Fi was a fascinating field to learn more about the offensive side of things.

What is OSWP (PEN-210)?

For those who don’t know: OSWP (Offensive Security Wireless Professional) is a certification for those who want to learn how to pentest wireless networks. From OffSec: “This wireless security certification demonstrates a learner’s ability to identify and exploit vulnerabilities in 802.11 networks. The OSWP equips penetration testers with specialized skills in wireless security assessment, complementing their knowledge base and making them a valuable asset for organizations.”

The course aligns the following content:

So... learn the aircrack-ng suite and ready to go? Well... kinda. The aircrack-ng suite is the go-to tool for wireless pentesting. However, there are some other tools that you will need to know to pass the exam.

Preparing for the OSWP exam

On November 22, 2023, I bought a Learn One subscription when it was 20% off. Mostly for OSCP, but the deal included OSWP as well. However, I had to complete the course and exam before November 23, 2024 (within 1 year). Believe me, this is really doable. After I passed OSCP, my thought was to do OSWP immediately after that. After learning for OSWP (except for MGT), something else came up and my focus for OSWP was off the table. Two weeks ago, having passed BSCP (https://www.incendium.rocks/2024/11/08/BSCP%20preparation%20and%20exam%20experience/), I remembered that I had until November 23rd to complete OSWP before my money was thrown away. So I decided to schedule the exam for the 21st of November at 13:00.

The course does not include practice labs. I did some research into study material/labs which I could do, but man, there is not a lot to find for OSWP (at least that’s what I thought). So I bought a (way too) expensive wireless adapter, the ALFA Network AWUS1900. The reason for this is that the chipset in this wireless adapter is compatible with Kali. I also bought a wireless router which I could set up to test WEP, WPA-1, WPA-2 and WPS. Unfortunately, there was also one major topic that my AP did not support. This was WPA-MGT (Enterprise).

After a while, someone on Discord mentioned WifiChallenge labs (https://wifichallengelab.com/), which is a CTFd-hosted platform that includes an image for VMware/VirtualBox. It is really amazing. If you complete these labs (without write-ups), you are 100% ready for OSWP. The best thing is that you don’t need any physical material like a wireless adapter. My tip is to follow the OSWP course from OffSec and do your labs from wifichallengelab.

It also includes labs for WPA-MGT, which you need to know for OSWP. It is basically WPA2 but with a few extra steps with certificates. Furthermore, it even includes labs for WPA3, which the OSWP course does not include. So to summarize my preparation for OSWP: study theory from the OSWP course, practice on wifichallengelab.

Exam

First, everything that you need to know for the exam is included in the exam guide (https://help.offsec.com/hc/en-us/articles/360046904731-OSWP-Exam-Guide). The exam includes 3 (three) labs. You can only do one at a time. You need to complete at least two labs to pass, where one of the three is mandatory to complete. Not only that, but you have 4 hours to complete the exam. The exam is proctored, so you need a webcam. Next to the exam, you need to write a professional report about your findings and steps to reproduce them.

You get a dedicated Kali VM which you can SSH into when connected to the VPN. The VM includes a wireless card that you can use to do your testing. The necessary (and allowed) tools are also installed on the VM. That’s right, some tools are not allowed. Read the exam guide to know what kind of tools are not allowed. Basically automatic exploitation tools.

I completed the necessary labs within one hour. With the three hours that I had left, I decided to use that time to write my report and, if necessary, make more screenshots that were missing in my notes (and that was a good idea). I used SysReptor for my notes. For the report I used the Word document that OffSec supplies. Remember to include screenshots of proof.txt and the cracked/obtained PSK/password.

I submitted the report about 1 hour after my exam ended. It says to wait approximately 10 business days for the results. To my surprise, about 14 hours later, I went to OffSec and checked my status. It said that I passed!

Review

Overall, the OSWP course and exam teach you the basics of wireless pentesting. The course is kinda out of date (last updated on May 17th 2021). The course doesn’t provide practice labs, which I think is quite a shame. I noticed that https://lab.wifichallenge.com/ also provides a certification now, so maybe that’s the way to go if you are eager to learn more than just the basics of wireless pentesting. Still, I’m happy I passed and learned some cool things along the way :).

Tips to pass the exam

  1. Study theory from the OSWP course, practice on wifichallengelab (https://wifichallengelab.com/)
  2. Make use of cheat sheets like mine :) https://notes.incendium.rocks/pentesting-notes/wireless-networks/ or https://zeyadazima.com/notes/oswplaybook
  3. Study the exam guide: https://help.offsec.com/hc/en-us/articles/360046904731-OSWP-Exam-Guide
  4. Make sure to include all steps and screenshots in your report