Friday, February 24, 2012

Course Review - Offensive Security Wireless Attacks (WiFu)

The Background

After passing the OSCP, I enrolled in the Offensive Security Wireless Attacks (aka WiFu) course. This course covers how to attack a wireless router regardless of whether it is configured for WEP, WPA or WPA2.

The Hardware

You are required to have at least one wireless device to act as the victim (a laptop with a wireless card or a smartphone, such as an Android or iPhone) and a computer with BackTrack 5 R1 installed to act as the attacker. The attacker machine should ideally use one of the USB adaptors recommended on the official site. If you do not have a wireless device to act as the victim, consider buying a wireless USB dongle for your desktop.

Furthermore, you are also required to have a wireless router or access point that supports both WEP and WPA/WPA2 (the recommended models are listed on the official site).

Beware that not all wireless dongles or wireless cards support packet injection and monitor mode. In addition, some wireless routers behave unexpectedly when the attacks are run against them. For example, my dd-wrt-flashed TP-LINK TL-WR1043ND does not work with some of the attacks, such as the KoreK chopchop attack. Indeed, not all access points are susceptible to the KoreK chopchop attack. Therefore, it is best to buy the hardware suggested on the official website.

At the time of this writing, the Netgear WNR1000v2h2 N150 can be bought in Hong Kong and it is not so expensive. However, I am not sure if this model is the one stated on the official site. You should not upgrade the firmware; instead, downgrade it to v1.0.1.1, as the other firmware versions do not provide the WEP function. The older firmware can be downloaded from the Netgear official site.

My hardware for the lab is as follows. I hope it gives you some idea:
(1) Access Point - TP-LINK TL-WR1043ND (flashed with dd-wrt v24-sp2 18024) (supports injection)
(2) Access Point - Netgear WNR1000v2h2 N150 (firmware v1.0.1.1)
(3) Victim - Google Nexus One (Android 2.3.6)
(4) Victim - TP-LINK TL-WN321G (54Mbps, Ver 4.1) (supports injection and monitor mode)
(5) Victim - TP-LINK TL-WN821N (300Mbps, Ver 3.1) (supports injection and monitor mode)
(6) Attacker - Cloned ALFA Networks AWUS036H USB 500mW (Realtek RTL8187L)

The Course

This course, version 3.0, is designed for beginners. It teaches you wireless concepts and their weaknesses. The most frequently mentioned tool is the Aircrack-ng suite, but it also mentions others, such as tools that use GPUs for brute forcing and other advanced tools. However, it does not cover attacks on WPA/WPA2-Enterprise.

Offensive Security does not provide any lab for you to access. You are required to set up your own lab for practice. The hardware mentioned above is required for setting up that lab.

The Challenge

The four-hour challenge requires you to SSH into a BackTrack box in order to complete the objectives. After the challenge, you are required to submit your report within 24 hours.

Finally, the exam was over. Within 3 business days, I received an email informing me that I had passed the challenge. If you pass the challenge, you become an Offensive Security Wireless Professional (OSWP). I am an OSWP now!

The Conclusion

In conclusion, this course will teach you all the basics of wireless cracking.