I recently passed the OffSec Wireless Professional (OSWP) exam and now officially hold the certification. In this article, I will discuss my personal OSWP journey and other relevant OSWP information you can use to help yourself pass the exam, too.
Summary
Overview of OSWP:
OSWP is a premier wireless penetration testing certification.
Offered by OffSec, known for rigorous exams and prestigious certifications like OSCP.
Validates expertise in wireless assessment methodologies and practical skills in security testing against wireless networks.
Skills Demonstrated by OSWP Holders:
Identifying encryptions and vulnerabilities in 802.11 networks.
Circumventing network security restrictions and recovering encryption keys.
Proficiency in wireless offensive security, including attacks against WPA Personal and Enterprise networks, rogue access point attacks, and more.
Utilization of various tools for reconnaissance and cracking authentication hashes.
Target Audience:
Aspiring Wireless Security Experts looking to prove their skills.
OffSec Enthusiasts with extra lab time aiming to master wireless hacking.
Value of the OSWP Journey:
Best pursued as a complement to other OffSec certifications.
Utilizes existing subscription and lab time effectively for 1-3 weeks of dedicated study.
Course Practicality:
PEN-210 course blends theoretical knowledge with practical, hands-on experience.
Despite its theoretical density, it equips learners to face the OSWP exam confidently.
Recommended Prerequisites:
Basic understanding of networking, Linux, Wi-Fi, password cracking, encryption, Wireshark, and PKI.
Approach to the PEN-210 Course:
Emphasis on understanding practical attack methodologies over theoretical content.
Not all sections are critical for exam success, with custom wordlist creation being an example.
Additional Practice Resources:
WiFiChallenge Lab offers a free platform for practical Wi-Fi attack simulations.
David Bombal's Cracking WiFi WPA2 Handshake video as a supplementary learning resource.
Exam Experience:
Efficient check-in process and structured exam scenarios.
3 hours and 45 minutes exam duration, with strategic management of scenarios and time.
Exam Report Strategy:
Focus on detailing steps to obtain proof.txt with supporting screenshots.
Report writing is less demanding compared to other OffSec reports.
Exam Tips:
Efficient time management and strategic scenario handling.
Importance of thorough note-taking and command preparation.
Conclusion:
The OSWP preparation and exam offer a balanced challenge.
It is more accessible compared to OSCP, requiring significantly less preparation time.
Ideal for those with additional lab time, adding value to the OffSec learning experience.
What is OSWP?
The OSWP is probably the best (and the only one that I know of) wireless penetration testing certification on the market. It is offered by OffSec, which is known for its strict exams and prestigious certifications, such as the OffSec Certified Professional (OSCP). The OSWP proves that a person has a good understanding of wireless assessment methodologies and practical skills to conduct effective security tests against wireless networks. According to the Accredible certification description: "OSWPs are able to identify existing encryptions and vulnerabilities in 802.11 networks. They can circumvent network security restrictions and recover the encryption keys in use. Skills learned include:
Greater insight into wireless offensive security and expanded awareness of the need for real-world security solutions
Using various wireless reconnaissance tools
Implementing attacks against WPA Personal and Enterprise encrypted networks
Understanding how to implement different rogue access point attacks
Implementing attacks against Wireless Protected Setup (WPS) networks
Using various tools to crack authentication hashes
Implementing attacks against Captive Portals
The exam also demonstrates that OSWPs are able to perform under imposed time constraints."
Who Is OSWP For?
Aspiring Wireless Security Experts: If you're intrigued by the thought of deciphering the vulnerabilities in wireless networks and want to showcase your expertise, the OSWP is a great certification to pursue.
OffSec Enthusiasts with Time on Their Hands: Those who find themselves with spare lab time after pursuing other OffSec courses have the perfect opportunity to channel these resources into mastering wireless hacking in a short time span. Why not add the OSWP to your arsenal before your access expires?
Is the OSWP Journey Worth It?
From my personal journey and perspective, the OSWP shines not as a standalone pursuit but as a complement to other OffSec certifications. The true value lies in leveraging your existing subscription and lab time to grasp this certification, especially if you have leftover time from another OffSec course completion.
In essence, the OSWP certification is a strategic choice for those looking to maximize their OffSec learning experience, offering a rewarding challenge for 1-3 weeks of dedicated study.
Course Practicality
The PEN-210 course includes a substantial amount of theoretical knowledge which may not be directly applicable to the exam. However, the unique, hands-on approach to wireless security sets it apart. Despite the course’s theoretical density, it provides nearly all you need to tackle the OSWP exam head-on. Be prepared, though, to venture beyond the course material for some external research—a hallmark of the OffSec learning experience that many find annoying but that is a critical skill in real-world penetration testing. Despite the course being a 200-level OffSec course, I found it significantly easier than the OSCP course and certification.
Recommended Prerequisites
I would recommend a basic understanding of networking, Linux, Wi-Fi, password cracking, encryption, Wireshark, and public key infrastructure (PKI) before starting the PEN-210 course. You don't have to be an existing pentester to find success in this course; however, it does help significantly.
How I Tackled the OSWP PEN-210 Course
I speed-read all the theoretical information just because I'm a completionist. However, it's not necessary to read the sections that don't showcase practical skills. Anytime the course shows you how to conduct an attack, you want to take good notes and fully understand the logic and reasoning behind each part of the attack.
One section I can confidently say you don't need to complete to be successful on the exam is the section that tells you how to build/create custom wordlists. In the OSWP exam guide, OffSec says, "For any scenario that requires a dictionary to crack the keys, please use any wordlist that is available by default in the provided Kali Linux." Other than this one section, I'm not going to tell you what is and what isn't necessary to know for the exam due to OffSec's academic integrity policy. You'll have to figure out what you need to know by yourself. I recommend reading the OSWP exam guide, exam FAQ, and PEN-210 FAQ before starting the course. I recommend re-reading these after you complete the course and before you start your exam. Lastly, I didn't complete a single exercise during the course. In the PEN-210 FAQ, OffSec recommends getting a Wi-Fi adaptor. You don't actually have to purchase any hardware (adaptors or routers) to be successful on the OSWP exam. However, if you want to test Wi-Fi networks in the wild as a professional, you will need to purchase equipment. The exercises seemed like good exercises to practice with, but there are ways to practice your Wi-Fi attacks through other resources.
Additional Practice Resources Utilized
The cheapest way that I know of to practice your Wi-Fi attacks is through the WiFiChallenge Lab. It's 100% free to create an account. The way it works is you download the WiFiChallenge Lab virtual machine (VM). Once you have the VM, you can complete all the challenges, as the WiFiChallenge Lab VM simulates several wireless networks and a wireless adaptor. These challenges really prepared me for the real exam, and I highly recommend them, especially if you skip the exercises in the PEN-210 course. It's worth noting that I didn't complete all the exercises. I got to the "MGT" section and stopped, as seen in Figure 1.
Figure 1: Kyser's WiFiChallenge Progress
I also had to resort to the walkthrough for many of the challenges since the PEN-210 course doesn't teach you how to complete all of these. So, it's worth noting that you don't have to know all this information to be successful in the OSWP exam. However, there is information in these challenges that proved to be critical for my OSWP exam that didn't make an appearance in the PEN-210 course. Again, due to academic integrity, I can't tell you what is pointless info, as opposed to critical info for the exam. Also, there is a good chance you may get different exam scenarios than me, so I can't tell you what techniques you have to know. My advice is to learn as much as you can. It's better to know it and not need it than to need it and not know it.
I also recommend watching David Bombal's Cracking WiFi WPA2 Handshake video and taking notes on what he does in the video.
My Exam Experience
The check-in process went a lot faster than my OSCP exam. I actually did it so fast that I had to wait a few minutes after check-in before starting the exam. Once in the exam and connected to the exam VPN, one of three scenarios will already be loaded for you. I read from other OSWP write-ups that you should start with the pre-loaded scenario first because it takes 15-25 minutes to switch scenarios, but in my experience, it only took a few minutes to switch scenarios. Since you can only have one scenario loaded at a time, I do think it's in your best interest to start with the pre-loaded scenario first, which took me about 45 minutes to an hour to complete while taking notes along the way. Once I completed the first scenario, I switched to the mandatory scenario, which I completed at my two-hour mark exactly. Since you only have to complete 2/3 scenarios (one being mandatory), I spent enough effort on the exam to pass. So after 2 hours, I took a short 15-minute break to get a snack, go to the bathroom, and refill my coffee cup. I came back to the exam, and I spent about another hour and a half on the last scenario. Overall, I was in the exam environment for about 3 hours and 40 minutes. You only get 3 hours and 45 minutes to do the exam, so I only had 5 minutes left to spare. Despite the lack of spare time, I never felt rushed. After all, the third scenario was not necessary for an exam pass; I just wanted to do it for the extra challenge and for the fun of it.
3 hours and 45 minutes is the right amount of time for the exam in my opinion. Many people pass at the 1.5 or 2-hour mark. I used up almost all my time because I had to research information on the fly for the third scenario due to lack of practice with the specific attack needed, and I made sure I took detailed notes and screenshots along the way for my report. Plus, my Kali VM crashed mid-exam (on my host machine), and I had to restart it.
How I Approached the Exam Report
Unlike the OSCP exam, you don't have to have an executive summary, detailed methodology, and recommended fixes for vulnerabilities in your report. The report is only the steps you took to obtain the proof.txt and a handful of screenshots along the way. I was as detailed as possible with my report, and it ended up taking me five hours to write 26 pages. I've seen other people say it took them about three hours to write their report. Overall, if you've done another OffSec report, this should be much easier for you.
Exam Tips
Don't waste time. You only get 3 hours and 45 minutes. Use it wisely. I recommend taking one 15-minute break at maximum.
Start with the pre-loaded scenario, just in case your scenarios take a long time to build.
The next scenario you should load is the mandatory one (if your mandatory scenario wasn't the first to load).
Have a list of commands ready to go. I recommend never typing in commands and pasting as much as you possibly can to avoid typos.
Take good notes along the way, and ensure you have all the notes and screenshots needed for your report before switching scenarios.
Never clear your terminal; leave all the terminal output on your screen just in case you forgot to take a screenshot or a note.
When you start a new scenario, open a new terminal tab; that way, you have the terminal history for each scenario on its own unique tab.
Conclusion
Overall, I only spent 26.5 hours preparing for OSWP, and I was able to complete 3/3 scenarios in the allotted exam time. It took me exactly one week to prepare for OSWP, and I spent much of my first three days reading theory that I didn't really need to know to find success on the exam. The PEN-210 theory was pretty boring, but once the course started teaching the practical elements, I started having fun. I also had a lot of fun with the WiFiChallenge Lab. But the best and most fun part of the OSWP was the exam itself. I thought it was a fun challenge that was the perfect amount of difficulty for me. It was much easier than OSCP, and honestly, I don't think the PEN-210 should be a 200-level course. OffSec makes it seem like the OSWP is the wireless equivalent of the OSCP, but I disagree; the OSCP is much more challenging and requires 3 to 6 months of preparation, whereas OSWP only takes 1 to 3 weeks to prepare. OSWP isn't worth going after by itself, but if you have extra lab time, it is a worthwhile and fun pursuit. I'm happy that I dedicated a week of learning to OSWP. If you enjoyed this write-up of the OSWP, then you might also enjoy How I Passed the OSCP on My First Try.