Hello guys,

I’ve written this article because I’ve spent a lot of time trying to set up my lab to reproduce the attacks described in the PEN-210 course.

So I’m going to show you how to set up all the scenarios needed for the OSWP exam and without paying a single penny 🐀

PEN-210 doesn’t include a lab, so you have two choices: buy a router and WiFi adapter or virtualize your lab environments.

During my OSWP journey, I chose to buy the recommended material:

  • Alfa AWUS036NHA Adapter
  • Linksys WiFi 5 Dual-Band Router

Now that I have finished OSWP, I would say that buying a router is only useful for WPA and WPS attacks. A virtualized environment covers both of those and more, and it is much easier to practice on.

Good news: in this post, I will explain how to set up WEP/WPA2/WPA Enterprise labs.

Let’s start by creating 3 virtual radios with the mac80211_hwsim kernel module; each one shows up as a wireless interface:

sudo modprobe mac80211_hwsim radios=3

You can inspect the new interfaces with:

ip link

iw dev additionally shows which phyN each interface belongs to, which matters in the next step. The names below assume a machine with no other wireless interface; with a physical adapter present, the hwsim interfaces are numbered after it, so adjust accordingly.
  • wlan0 (phy0) is for the virtual wireless Access Point (AP) that we’ll launch in the wifi_ap network namespace
  • wlan1 is for the wireless network client
  • wlan2 is for the attacker

All three radios share the same simulated medium, so frames sent by the AP are seen by the client and by the attacker in monitor mode, even when they live in different network namespaces.

Create a network namespace for the AP, open a shell inside it, and note that shell’s PID; the namespace gives the AP its own IP stack, so a DHCP server can later be bound to wlan0 without interfering with the client and attacker interfaces:

sudo ip netns add wifi_ap
sudo ip netns exec wifi_ap bash
echo $BASHPID

Switch to another shell and move the wlan0 radio (phy0) into the wifi_ap namespace. A wireless interface cannot be moved with ip link; the whole phy has to be moved with iw:

sudo iw phy phy0 set netns <wifi_ap PID>

Recent iw versions also accept the namespace by name, which avoids copying the PID:

sudo iw phy phy0 set netns name wifi_ap

Access Point Configurations

Now create a file ap.conf and paste the desired configuration into it to configure the Access Point.

WPA 1/2 Configuration

# AP interface
interface=wlan0
# mac80211_hwsim, like every mac80211 driver, is driven through nl80211
driver=nl80211
# ESSID
ssid=Mostar
# channel number
channel=1
# g = 2.4 GHz / a = 5 GHz
hw_mode=g
# ieee80211n enable
ieee80211n=1
# bitmask: 1 = WPA1 / 2 = WPA2 / 3 = WPA1 and WPA2
wpa=3
# authentication type
wpa_key_mgmt=WPA-PSK
# password (8 to 63 ASCII characters)
wpa_passphrase=yellowbanana
# WPA pairwise ciphers
wpa_pairwise=TKIP CCMP
# WPA2 (RSN) pairwise ciphers; use wpa=2 and rsn_pairwise=CCMP for a WPA2-only target
rsn_pairwise=TKIP CCMP

WEP Configuration

# AP interface and driver
interface=wlan0
driver=nl80211
ieee80211n=1
ssid=Mostar
hw_mode=g
channel=1
# 0 = broadcast the SSID in beacons
ignore_broadcast_ssid=0
# index of the key used for transmission; clients must use the same index
wep_default_key=1
# a quoted ASCII WEP key must be exactly 5 (40-bit) or 13 (104-bit) characters
wep_key1="yellowgiraffe"
wep_rekey_period=300

WPA Enterprise

# SSID of the AP
ssid=Playtronics

# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=wlan0
driver=nl80211

# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)
channel=1
# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax
hw_mode=g

# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1

# Key workaround for Win XP
eapol_key_index_workaround=0

# EAP user file; create it (or use the example shipped with hostapd-mana) before starting.
# It uses hostapd's eap_user format: phase 1 lines select the outer EAP methods per identity,
# lines ending in [2] hold the inner (tunnelled) identity and password.
eap_user_file=/etc/hostapd-mana/mana.eap_user

# Certificate paths: these are the files generated by the FreeRADIUS bootstrap script in its
# certs directory (or point to a CA/server certificate you generated yourself)
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
# 'whatever' is the default private key password used by the FreeRADIUS certificate scripts
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh

# Open authentication
auth_algs=1
# WPA/WPA2
wpa=3
# WPA Enterprise
wpa_key_mgmt=WPA-EAP
# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP

# Enable Mana WPE. This and the other mana_* options are only understood by hostapd-mana;
# stock hostapd aborts on an unknown configuration item, so start this file with hostapd-mana
mana_wpe=1

# Store credentials in that file
mana_credout=/tmp/hostapd.credout

# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1

# EAP TLS MitM
mana_eaptls=1

Run sudo hostapd ap.conf in the wifi_ap shell to start the Access Point; it has to run inside that namespace, because that is where phy0 now lives. For the WPA Enterprise file use hostapd-mana instead of hostapd, since the mana_* options are not known to stock hostapd. Add -dd if the AP does not come up and you need to see why.

Client Configurations

Create a file supplicant.conf to configure the client. The SSID and secret must match the values in ap.conf, so the blocks below use the ones defined above.

WPA Enterprise

There is deliberately no ca_cert in this block: the client accepts any server certificate, which is the misconfiguration the hostapd-mana AP exploits to capture the inner MSCHAPv2 exchange.

network={
  ssid="Playtronics"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="Domain\username"
  password="password"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

WPA-PSK

network={
  ssid="Mostar"
  key_mgmt=WPA-PSK
  psk="yellowbanana"
}

WEP

The key slot and transmit index (wep_key1 / wep_tx_keyidx=1) must mirror wep_default_key=1 on the AP, and a quoted key must be 5 or 13 characters; wpa_supplicant rejects a key of any other length.

network={
  ssid="Mostar"
  key_mgmt=NONE
  wep_key1="yellowgiraffe"
  wep_tx_keyidx=1
}

Run sudo wpa_supplicant -i wlan1 -c supplicant.conf in another shell (in the default namespace, where wlan1 still lives) to connect to the Access Point as a legitimate client.

Now put wlan2 into monitor mode (sudo airmon-ng start wlan2, or with iw dev wlan2 set type monitor) and run your favorite wireless attacks against the AP from it 🎉

Tip

Once wpa_supplicant has associated, run sudo dhclient -v wlan1 to obtain an IP address. This only works if a DHCP server is listening on the AP side: hostapd itself does not hand out addresses, so assign wlan0 an address in the wifi_ap namespace and run a DHCP server such as dnsmasq there.
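The whole procedure above, from modprobe to the DHCP lease, collected into one script. This is an added example, not part of the original post: it generates ap.conf and supplicant.conf for a chosen mode (wep, wpa, wpa2 or mixed) with the length checks that hostapd and wpa_supplicant enforce, moves phy0 into the namespace, starts hostapd and a dnsmasq DHCP server inside it, puts the attacker radio into monitor mode and brings the client up. The interface names wlan0/wlan1/wlan2, the phy name phy0, the 192.168.50.0/24 subnet and the presence of iw, hostapd, wpa_supplicant, dnsmasq and dhclient are assumptions; the privileged part only runs when LAB_UP=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): brings the whole hwsim lab up in one go.
# Assumed: iw, hostapd, wpa_supplicant, dnsmasq and dhclient are installed, and the three
# hwsim radios come up as phy0/wlan0, wlan1, wlan2 (check with `iw dev`; on a box with a
# physical adapter the hwsim interfaces are numbered after it, so override the variables).
AP_IF=${AP_IF:-wlan0}
CLIENT_IF=${CLIENT_IF:-wlan1}
ATTACK_IF=${ATTACK_IF:-wlan2}
AP_PHY=${AP_PHY:-phy0}
NS=${NS:-wifi_ap}
AP_NET=192.168.50   # assumed lab subnet, handed out by dnsmasq inside the namespace

# A quoted ASCII WEP key must be exactly 5 (40-bit) or 13 (104-bit) characters; hostapd and
# wpa_supplicant both reject other lengths, a classic reason a WEP client never associates.
check_wep_key() {
  [ "${#1}" -eq 5 ] || [ "${#1}" -eq 13 ]
}

# A WPA-PSK passphrase must be 8..63 ASCII characters.
check_psk() {
  [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# hostapd config for one mode: wep | wpa | wpa2 | mixed. Returns 1 on a bad secret.
gen_ap_conf() {
  mode=$1; ssid=$2; secret=$3
  printf 'interface=%s\ndriver=nl80211\nssid=%s\nhw_mode=g\nchannel=1\nieee80211n=1\n' \
    "$AP_IF" "$ssid"
  case $mode in
    wep)
      check_wep_key "$secret" || return 1
      # auth_algs=3: open and shared-key authentication, like a typical legacy AP
      printf 'auth_algs=3\nwep_default_key=1\nwep_key1="%s"\n' "$secret" ;;
    wpa|wpa2|mixed)
      check_psk "$secret" || return 1
      case $mode in wpa) bits=1 ;; wpa2) bits=2 ;; *) bits=3 ;; esac
      printf 'wpa=%s\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=%s\n' "$bits" "$secret"
      if [ "$bits" -eq 2 ]; then
        printf 'rsn_pairwise=CCMP\n'          # WPA2-only: AES, no TKIP
      else
        printf 'wpa_pairwise=TKIP CCMP\nrsn_pairwise=TKIP CCMP\n'
      fi ;;
    *) return 1 ;;
  esac
}

# Matching wpa_supplicant network block for the same mode and secret.
gen_client_conf() {
  mode=$1; ssid=$2; secret=$3
  printf 'network={\n  ssid="%s"\n' "$ssid"
  case $mode in
    wep)
      # key slot 1 and tx index 1 must mirror wep_default_key=1 on the AP
      printf '  key_mgmt=NONE\n  wep_key1="%s"\n  wep_tx_keyidx=1\n' "$secret" ;;
    wpa|wpa2|mixed)
      printf '  key_mgmt=WPA-PSK\n  psk="%s"\n' "$secret" ;;
    *) return 1 ;;
  esac
  printf '}\n'
}

# Privileged orchestration; only runs with LAB_UP=1 so the helpers above can be sourced safely.
lab_up() {
  mode=${1:-wpa2}; ssid=${2:-Mostar}; secret=${3:-yellowbanana}
  gen_ap_conf "$mode" "$ssid" "$secret" > ap.conf
  gen_client_conf "$mode" "$ssid" "$secret" > supplicant.conf
  modprobe mac80211_hwsim radios=3
  ip netns add "$NS"
  # Newer iw moves a phy by namespace name; the PID form from the post is the fallback.
  iw phy "$AP_PHY" set netns name "$NS"
  ip netns exec "$NS" hostapd -B ap.conf
  # hostapd does not hand out addresses: give the AP one and run DHCP in its namespace.
  ip netns exec "$NS" ip addr add "$AP_NET.1/24" dev "$AP_IF"
  ip netns exec "$NS" dnsmasq --no-daemon --bind-interfaces --interface="$AP_IF" \
    --dhcp-range="$AP_NET.10,$AP_NET.50,12h" &
  # Attacker radio: monitor mode on the AP's channel.
  ip link set "$ATTACK_IF" down
  iw dev "$ATTACK_IF" set type monitor
  ip link set "$ATTACK_IF" up
  iw dev "$ATTACK_IF" set channel 1
  # Legitimate client in the default namespace, then a DHCP lease over the association.
  wpa_supplicant -B -i "$CLIENT_IF" -c supplicant.conf
  dhclient -v "$CLIENT_IF"
}

if [ "${LAB_UP:-0}" = "1" ]; then lab_up "$@"; fi
```

Bring a WEP lab up with sudo env LAB_UP=1 ./hwsim-lab.sh wep Mostar yellowgiraffe (wpa2 Mostar yellowbanana is the default); without LAB_UP the script only defines the helpers, so it can be sourced to generate the two config files and check a key before touching the kernel. A WPA Enterprise mode is left out on purpose, because it needs the eap_user file and certificate set described above.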

Revert Changes

To reset all the network changes you’ve made in this session, the simplest way is to reboot Kali:

sudo reboot now

If you would rather not reboot, stop hostapd, wpa_supplicant and any DHCP server first, then delete the namespace (the phy it holds returns to the default namespace) and unload the module, which removes the virtual radios:

sudo ip netns del wifi_ap
sudo modprobe -r mac80211_hwsim

Post based on Tony Harris’s OSWP lab setup tutorial.
