OSWP: The entry-level cert

Well, this will hopefully be an SMS-length post on what the OSWP examination brought me. If it’s not, I’ll rant for pages about some shit none of you are interested about.

If you want a short list on my best practices for WiFi, scroll to the bottom (Press End on your keyboard)

Me and WiFi: a love story in three acts

When I was a young padawan, I was interested in WiFi. I always watched in awe as some guy on the internet used BackTrack5 to do the one-two-WEPpitycrack. It seemed almost magical that this was so easy to do. Being a n00b, I always missed some minute detail (like I shouldn’t type in mon1 if my wireless card is mon0), but it was fun overall. I used to think up complex stalking schemes where I would have to follow someone by their BSSID and find where they live only by their wireless profile (which, knowing what I know now, is scary as fugg). The thing where WiFi shines compared to, say, buffer overflows, is that I could do it anywhere. Just pop the card into monitor mode and poke around the neighborhood. With buffer overflows, I was a dumb kid that told his IT teacher he’d hack him because I had command line access.

(NOTE: I couldn’t)

First brushes with OSWP

Skip forward a couple of years and m4iler the then-19-year-old stumbled upon a lovely huge Offensive Security and SANS repository of certificate materials. Thus began my OSWP journey. It was the only thing I understood well enough to not be completely lost. I read up on all the attacks, got to know the aircrack-ng suite (which, in my mind, is still awesome). I read through it, but didn’t try nearly all of it. Not by a long shot. The most I may have tried is running airodump-ng on a subway, in the street and doing my best not creaming my pants at how many networks there were.

This went for months before, at last, I said “This doesn’t lead anywhere, I cannot spend $350 on something I won’t use! I’m a translator!”

WEP: if you use it, stop and change it.

Then came the breakthrough: After about a year of reading this stuff (I listened to some SANS courses on enterprise networks as well), I decided that I’d check out the around-the-house networks.

What I saw made me grin at my PC.

A WEP network.

It was actually real! The thing I knew was so insecure that no one should use it, ever, anymore, was right next to my house! The prey I have trained all my life to attack was finally within my reach.

Long story short: I stumbled. Running airodump-ng, I realized that there were two networks running on the same device: One network called $internetprovider-ESSID, protected by WPA2, and VOIP, protected with WEP. This post is a write-up of how I got into the WPA2 network without any handshake cracking.

The WEP network had no clients connected, so the regular ARP replay attack was not an option. If you want to attack a network like this, the chopchop or fragment may be valid ways to generate IVs. That is what you need, a shitload of Initialization Vectors. Once you get enough IVs, you can crack the password (The IV is only 24-bit long, so if you get enough, you can deduce the encryption key).

I cannot remember how precisely it went down, but in the end, I cracked WEP, yay! The password was actually just the motherfucking BSSID of the WEP network. I could have tried it, but I didn’t think to do as much. It hasn’t happened since, so I wouldn’t probably bother trying it.

Now-I’m-in the network, on a useless subnet with a WEP encryption and weak signal. The first thing you do if you get in a network this way is check the router. Keep in mind I’m doing a writeup for the internet company as I’m doing this, while it COULD stay that way, I don’t want it to. In the interface, it’s a run-of-the-mill web interface. What is the first thing you try if you see a router login interface?

Yes. It worked.

Now, I have gotten a foothold in the network and due to lazy setup and I’m in the router’s settings. What can you get with the router’s settings?

Yes. What was it, you may ask? It was the ESSID and last octet of the BSSID. So something along the lines of “MyWireless31”. Like, seriously?

Now, to get some karma back for all this, I e-mailed the internet company (using the hacked wifi) from a horsefuckers.org e-mail address, saying what I’d found and recommending a fix.

What do you think was the answer? “Yeah, it’s like that, but basically WPA2 is too slow for our old network.” Oh, and wait for it, wait for it: “Yeah, we use WEP on our long-distance communication as well, so inter-city connections suffer from the same issue. Why? The servers couldn’t handle the encryption at the required speed.”

Thank fuck I’m not with that ISP anymore!

This issue never repeated itself, as in, I didn’t try to crack any more WEP networks around that company, knowing full well it’d be a low-hanging fruit.

OSWP: this time for real

At the end of January, I actually saved up enough dollaridoos to take my real OSWP. Before that, I made the home lab, got a good wireless card and went through all the exercises from the bootleg material. Later, I found the exam itself is very interesting, but straightforward. It lets you try all the attacks, even WPA2 (which I was scared of because I didn’t have enough practical experience doing it, especially concerning wordlists). In the end, a fun little night-hack (scheduled from 9PM to 1AM)

It took me a week to re-read the material and then I took my exam. It paid off, two days later I got the cert! Yay!

This has helped me to break into infosec, even! When I said “Yeah, I paid for my OSWP myself,” both interviewers cut about 10 minutes off the interview because “It was some basic TCP/IP stuff, we can skip all this.” This amazed me and when I asked them about OffSec and their certs, the reply was: “We consider OSCP to be the basic cert everyone needs to get. If you feel like you can do it and want to pivot from blue to red, we can pay for your cert.”

The takeaway

In closing, let us gather a couple of points to take away for your private life.

Takeaway for WEP setup

Don’t use it. Just that. Go to WPA2. If you use WEP, I will personally crack your password and set up a Tor exit node.

Takeaway for WPA2 setup

  • Use a unique ESSID, but not that unique to be geolocatable.
  • Use a long, random password. 8 characters may not be enough. Mix random letters, numbers and symbols.

Of course, for the second point, you may think that you will not remember it, but for many uses, you don’t have to! When is the last time you had to put your wifi password into your phone or laptop? If you’re like me, it’s been months. Android even adds wireless networks using QR codes, so there’s no use in not doing a 20-ish random password!

Conclusion

This article will probably get some more fleshing-out, but it’s the gist of what you may want to know.

-m