
Review: Offensive Security BackTrack WiFu

Published: 08/30/2010

I've never been a huge fan of certifications or their exams for several reasons. While they may help instill some fundamental knowledge in the learning process, ultimately I see them as skill baselines. We've all worked with some "certified" individuals who possessed the paper establishing that they met the mark, but whose ability to do the job in practice didn't quite live up to expectations.

That's not to say that I wouldn't ever attempt to get certified. Until relatively recently in my career, I didn't bother with them. However, given my diverse skill set, some knowledge gaps made themselves very apparent over time so I've gone the certification route to fill them in. I don't regret it one bit.

However, all the exams I've taken so far have mostly been the multiple-choice affair. I think there's a certain degree of validity in this type of test method. Unfortunately, one can still guess their way through the exam and get lucky. Test questions in the form of interactive simulations are generally few and far between.

Offensive Security is an exception to this. They are well-known for a more practical, hands-on approach. A few weeks ago, I decided I wanted to take something very technical, relatively bite-sized, and do-able within a short time frame. Offensive Security's Wireless Attacks ("BackTrack WiFu") fit the bill nicely.

Developing your .11 Fu

When giving advice on securing a home wireless router, a lot of well-intentioned individuals will adamantly recommend against using WEP because "it can be hacked in minutes." While this fact may be true, can many of them actually demonstrate this weakness to convince others? Talk is cheap.

BackTrack WiFu has been around for a few years and while the material is somewhat out-of-date at the moment, it's still a very solid first-step "offensive" class that I thought was well-presented. You sign up, get your hardware in order (because this particular class requires students to do all the lab work in their own environment with their own equipment), go through the lab guide and accompanying video tutorials, and practice-practice-practice. A WiFu ninja overnight you will not become.

Without a doubt, this was the most fun technical course I've taken in my career so far, and while I've been involved with 802.11 networks in one form or another for some years now, I still learned plenty. It was much more enjoyable than watching some training videos on configuring a specific vendor's device / software by pressing x and y. The class goes straight into the meat and digs deep.

It has been emphasized that one shouldn't skip the first few chapters of theory in the lab guide. It's critical that the student understand how the protocols function. Otherwise, he'll end up as nothing but a script kiddie who blindly repeats attacks based on what was posted online. Performing the attacks fluidly really does require the student to have a good understanding of how things are working under the hood.

Couldn't one simply learn the material by searching the web and asking questions in forums? After all, YouTube has videos on much of the same at a superficial level. However, while the class doesn't have the usual loud music pounding away while the instructor is providing visual demonstrations, the course carefully goes step-by-step and explains in detail the why in addition to the how, a very important distinction which separates the ones who merely push buttons and use templated attacks from those who can adapt quickly when things don't go as expected.

Besides, speaking as someone who's already busy during his off-hours, it's nice to have one place to go and get spoon-fed the basic information (although you as a student will still have to supply the intuition and critical thinking skills for the other half of the equation). As a professional, I want to be efficient with the limited free time I have available so a class that covers it from start to finish in an easy-to-follow format is very convenient.

In short, I thought the material was very good (at least for the area it was intending to cover), the lab guide well-laid out, and the video presentations straight to the point. Although I could complain a bit about some inconsistencies in the videos (some recorded segments were louder than others) and the rare misspellings in the lab guide, the value you get for the course fee is very reasonable if you're working the typical hours at the office. In addition, if you need help or have questions about the content, the Offensive Security team provides multiple avenues for direct assistance and has been pretty timely in responding to my inquiries. While an online course like this may make a student feel completely on his own, that's not the case here.

Some areas where I thought the course fell a bit short - the material primarily revolves around the Aircrack-ng suite and mostly covers WEP attacks, so this isn't cutting edge by any means. There is a little bit on WPA-PSK, but the tools demonstrated are a bit old, especially considering a constantly-evolving field such as information security. The course is based on BackTrack 3, and at the time of this writing, BackTrack 4 R1 has just come out. There was also no mention of non-PSK networks (802.1X / WPA Enterprise) which I feel would help broaden the applicability of the course for enterprise security admins.

One has to also keep in mind that while the official name for the course is "Wireless Attacks," the focus is on 802.11 Wi-Fi only and does not cover Bluetooth, WiMAX, or any other wireless protocols. Hence, "WiFu."

The challenge exam

The WiFu challenge is probably the most fun (and potentially stressful) part of the entire experience. No multiple choice questions here. You have to do the actual work and you either know it or don't and all objectives must be completed. There is no "minimum passing score." There is a sense of adrenaline rush with the thrill of being on the hunt in a "real-world" environment. After a few weeks of doing the labs, watching the videos several times over, and practicing on my own (including having a friend reconfigure a test access point over and over so I'm going in (mostly) blind), I felt confident that this particular exam should be a walk in the park. This is where, of course, the ego takes a hit. Wi-Fi environments aren't always particularly predictable, and given the number of potential configurations that an AP-client combination can be set up in, one has to learn to adapt.

There was one particular section in my exam which I expected to be relatively trivial until I discovered that none of the attacks I was familiar with were working. Offensive Security's underlying motto is "Try Harder" (try hitting a non-existent page on their website and see their 404 message). I had to persist and find new avenues the best I could. The challenge was indeed a nice little stretch for me since I had to go back to basics to see if I could derive something a tad different to poke the network enough to give up its secrets.

In the end, I finally managed to get a working solution and find a path to victory. This exam was much more demanding than a multiple-choice test and, admittedly, involved some emotional stakes in the game ... but it never got boring. In order to achieve the OSWP certification, you have to document your findings with an explanation of why you chose your methods.

Your path to enlightenment has just begun, Grasshopper...

As I mentioned before, certifications are just the beginning. No course teaches you absolutely everything because there's always more out there to dig into. BackTrack WiFu provides a real taste of what Wi-Fi attacking is like and it's up to you to continue your journey and discover new secrets.

If I had to give a rating for this course, I'd say four out of five stars ... and definitely more involved and exciting than any of the other vendor cert courses that we've all heard the four-letter acronyms for. I hope any future version(s) of BackTrack WiFu will include focus on attacking 802.11i / WPA / 802.1X and the newer attack methods that have been available for the past couple of years. I believe the SANS 617 (Wireless Ethical Hacking, Penetration Testing, and Defenses) course already covers this and more, but at ten times the cost of the Offensive Security offering, making BackTrack WiFu a bargain for the vast majority of us without deep pockets or employers extremely willing to shell out funds for training.
