
100+ Free OffSec Wireless Professional Practice Questions

Pass your OffSec Wireless Professional (OSWP / PEN-210) exam on the first try — instant access, no signup required.

Pass Rate: OffSec does not publicly publish OSWP pass rates
100+ Questions
100% Free

Key Facts: OffSec Wireless Professional Exam

  • Standalone Exam Fee: $450 (OffSec PEN-210, or $1,749 bundle)
  • Practical Lab Time: 4 hr (plus 24 hrs to submit report)
  • Wireless Scenarios: 3 (all must be compromised)
  • Scoring: Pass/Fail (no partial credit)
  • MCQ Practice Questions: 100 (conceptual OSWP prep)
  • Online Proctored: OffSec (private VPN lab)

OSWP (OffSec Wireless Professional, PEN-210) is a fully practical wireless pentesting certification: a 4-hour hands-on lab with 3 wireless scenarios, plus 24 hours to write a technical report, delivered over OffSec online proctoring at $450 standalone (or $1,749 in a PEN-210 + exam bundle). This 100-question multiple-choice practice bank is conceptual prep — it is not the OSWP exam format, which has no MCQs. Use it to lock in 802.11 frame types, monitor-mode tooling, WEP IV / FMS / KoreK / PTW, the WPA/WPA2 4-way handshake and PMKID attack, hashcat -m 22000, WPA3 SAE / Dragonblood, and WPS Pixie Dust before your live lab.

Sample OffSec Wireless Professional Practice Questions

Try these sample questions to test your OffSec Wireless Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which 802.11 frame type is used by an access point to advertise its presence, supported rates, and capabilities at regular intervals?
A. Probe Request
B. Association Request
C. Beacon
D. RTS
Explanation: Beacon frames are management frames broadcast by the AP at the configured beacon interval (typically every 102.4 ms / TU=1024 us). They contain the SSID (when not hidden), supported rates, channel, capability flags, and security information elements (RSN/WPA IEs).

2. An 802.11 frame's Frame Control field divides frames into three top-level types. Which set correctly lists those three types?
A. Beacon, Data, ACK
B. Management, Control, Data
C. Authentication, Association, Encryption
D. Probe, Beacon, Handshake
Explanation: The 802.11 Frame Control field's Type field has three values: Management (0), Control (1), and Data (2). Subtypes within each type identify specific frames such as beacon, probe request, ACK, RTS, CTS, QoS data, and so on.

3. Which Wireshark display filter would isolate ONLY 802.11 management frames in a capture?
A. wlan.fc.type == 0
B. wlan.fc.type == 1
C. wlan.fc.type == 2
D. wlan.fc.subtype == 8
Explanation: In Wireshark, wlan.fc.type == 0 matches management frames, type == 1 matches control frames, and type == 2 matches data frames. To isolate beacons specifically you would combine type 0 with subtype 8 (wlan.fc.type_subtype == 8).

4. What does the BSSID identify on a typical infrastructure 802.11 network?
A. The human-readable network name
B. The MAC address of the access point's radio (wireless interface)
C. The vendor-supplied serial number of the AP chassis
D. The default gateway of the wireless LAN
Explanation: The BSSID (Basic Service Set Identifier) is the 48-bit MAC address of the AP's wireless interface (its radio). It uniquely identifies the BSS the AP serves. The SSID/ESSID is the human-readable network name, which can be shared across many APs in an ESS.

5. An ESS (Extended Service Set) is best described as which of the following?
A. A single AP and its associated clients
B. A peer-to-peer ad-hoc network with no AP
C. Two or more BSSs connected via a Distribution System and sharing one ESSID
D. A point-to-point bridge between two routers
Explanation: An ESS is two or more BSSs interconnected by a Distribution System (typically wired Ethernet) that share a common ESSID. Clients can roam between APs in the ESS while remaining on the same logical network.

6. Which 802.11 frame is sent by a client to begin associating with an AP after authentication completes?
A. Reassociation Request
B. Association Request
C. Probe Response
D. Authentication Response
Explanation: After Open System (or SAE) authentication completes, the client sends an Association Request (management subtype 0) to the AP. The AP responds with an Association Response containing an AID and capability information.

7. Which 802.11 management frame can a client send unauthenticated to discover specific or all SSIDs in range?
A. Beacon
B. Probe Request
C. ATIM
D. Disassociation
Explanation: Probe Requests are management frames clients use during active scanning to ask APs to identify themselves. A directed probe targets a specific SSID; a wildcard probe (broadcast SSID) elicits responses from any AP that allows it.

8. In 802.11, which control-frame pair is used by the optional virtual carrier sense / collision avoidance handshake before a long data frame is transmitted?
A. ACK / NACK
B. RTS / CTS
C. PS-Poll / Beacon
D. BAR / BA
Explanation: RTS (Request to Send) and CTS (Clear to Send) are control frames used to reserve the medium and combat the hidden node problem. The CTS sets a NAV (Network Allocation Vector) at all stations that hear it, preventing them from transmitting during the reserved interval.

9. How many non-overlapping 20 MHz channels exist in the 2.4 GHz ISM band in most regulatory domains (US/EU)?
A. 1
B. 3
C. 5
D. 11
Explanation: Although 2.4 GHz has 11-13 channels (US: 1-11, most of EU: 1-13), only channels 1, 6, and 11 are non-overlapping at 20 MHz spacing. This is why 2.4 GHz deployments standardize on 1/6/11 to minimize co-channel interference.

10. Channel 14 in the 2.4 GHz band is permitted only in which regulatory domain?
A. United States (FCC)
B. European Union (ETSI)
C. Japan (MIC) — for 802.11b only
D. Global / unrestricted
Explanation: Channel 14 (2.484 GHz) is permitted only in Japan and only for 802.11b DSSS operation. Most other regulatory domains stop at channel 11 (US) or 13 (most of EU).

About the OffSec Wireless Professional Exam

The OffSec Wireless Professional (OSWP / PEN-210) is OffSec's hands-on wireless penetration testing certification. It validates the ability to enumerate wireless networks, capture and crack WEP/WPA2 handshakes, run PMKID attacks, exploit WPS implementations (online PIN brute force and Pixie Dust), and execute rogue-AP / Evil Twin scenarios. The exam itself is a 4-hour practical lab with 3 wireless scenarios, followed by a 24-hour technical report. This 100-question multiple-choice bank is conceptual prep — not a substitute for the lab — covering the 802.11 frames, RF/channel concepts, attack tooling (aircrack-ng, hashcat, hcxtools, Reaver, Bully, eaphammer, wifite), and modern WPA3/Wi-Fi 6E topics that underpin OSWP scenarios.

  • Assessment: OSWP is a fully practical, hands-on exam: 3 wireless scenarios over a 4-hour proctored lab via VPN, plus 24 hours to submit a technical report. This 100-question MCQ bank is conceptual prep covering 802.11, WEP, WPA/WPA2, WPA3, and WPS/rogue AP techniques.
  • Time Limit: 4 hours practical + 24 hours to submit report
  • Passing Score: Pass/Fail (all 3 scenarios must be compromised and documented)
  • Exam Fee: $450 standalone (or $1,749 PEN-210 bundle) (OffSec online proctored)

OffSec Wireless Professional Exam Content Outline

  • 802.11 Fundamentals (20%): 802.11 frame types (management, control, data), beacons, probe request/response, association, authentication, deauth/disassoc, BSSID/SSID/ESSID, 2.4 GHz channels 1-11/13/14, 5 GHz UNII bands and DFS, 6 GHz UNII-5/7, RSN IE / AKM suites, HT/VHT/HE amendments.
  • Wireless Recon and Capture (20%): mac80211 / nl80211 framework, monitor mode, airmon-ng (start, stop, check kill), iw / iwconfig, Kismet passive scanning, hidden SSID enumeration, fingerprinting via probe IEs, tcpdump -y IEEE802_11_RADIO, Wireshark wlan.fc.type / wlan.fc.type_subtype, radiotap headers, AR9271 / RTL8812AU / MT7601U adapters.
  • WEP Attacks (10%): RC4 with 24-bit IV, IV reuse, FMS / KoreK / PTW progression, aircrack-ng -z (PTW) and -K (KoreK), aireplay-ng -1 fakeauth, -3 ARP request replay, -4 chopchop, -5 fragmentation, packetforge-ng, PRGA recovery, clientless WEP attack chain.
  • WPA / WPA2 Attacks (25%): 4-way handshake (Anonce, Snonce, MIC, GTK, KCK/KEK), PSK vs Enterprise (PMK derivation), capturing EAPOL with deauth (aireplay-ng -0), aircrack-ng -w wordlist, hashcat -m 22000 (unified PMKID+EAPOL) replacing legacy -m 2500/16800, PMKID attack with hcxdumptool / hcxpcapngtool, KRACK, Beck-Tews, 802.11w MFP.
  • WPA3 and Modern Wi-Fi (10%): WPA3-Personal SAE (Dragonfly), Hash-to-Element (H2E), Dragonblood timing/cache side-channels (CVE-2019-9494/9495), WPA2/WPA3 transition-mode downgrade attacks, OWE (Enhanced Open) AKM 18, mandatory MFP and WPA3 in 6 GHz, Wi-Fi 6E/7 features (OFDMA, BSS Color, MLO).
  • WPS and Rogue AP Attacks (15%): WPS PIN brute force with Reaver and Bully, Pixie Dust offline attack on weak E-S1/E-S2 nonces (--pixie-dust / -K 1), WPS lockout limits, Evil Twin with airbase-ng / hostapd-mana, captive portal social engineering (Wifiphisher), Karma and MANA rogue-AP variants, eaphammer for WPA2-Enterprise rogue RADIUS, wifite automation.

How to Pass the OffSec Wireless Professional Exam

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OffSec Wireless Professional Study Tips from Top Performers

1. Build a legal home lab with two routers — one set to WEP, one to WPA2-PSK with a known short passphrase — and practice the full aircrack-ng workflow end to end.
2. Memorize the 802.11 frame subtype values (beacon=8, probe req=4, probe resp=5, auth=11, deauth=12, assoc req=0, assoc resp=1, disassoc=10) so Wireshark filters become second nature.
3. Use the modern hashcat -m 22000 unified format and convert captures with hcxpcapngtool — the legacy -m 2500 (hccapx) and -m 16800 (PMKID-only) modes are deprecated.
4. Practice channel-locking airodump-ng (`-c <chan> --bssid <BSSID>`) before every WPA2 handshake attempt — hopping mode misses 4WHS frames.
5. Drill WPS attacks with both Reaver online (`-K 0`) and Pixie Dust (`-K 1`) so you understand which firmware mitigations defeat which approach.
6. Read OffSec's PEN-210 syllabus and aircrack-ng documentation, and treat this MCQ bank as a knowledge check after lab work — not a substitute for it.

Frequently Asked Questions

What is the OSWP / PEN-210 exam?

OSWP (OffSec Wireless Professional) is OffSec's hands-on wireless penetration testing certification, mapped to the PEN-210 course. The exam is a 4-hour practical lab with 3 wireless scenarios delivered over a private VPN, followed by 24 hours to submit a technical report. It validates the ability to compromise WEP, WPA2-PSK, WPS, and rogue-AP scenarios.

How is OSWP scored — does it have multiple-choice questions?

No. OSWP is fully practical and graded pass/fail. You must successfully compromise the wireless scenarios in the lab and document them in a technical report. There are no MCQs on the live exam. This 100-question MCQ bank is conceptual prep to lock in the 802.11, WEP, WPA/WPA2, WPA3, and WPS knowledge that underpins the practical scenarios.

How much does OSWP cost in 2026?

OSWP is $450 USD for a standalone exam attempt. Most candidates buy the PEN-210 + 1 exam attempt bundle for $1,749, which includes the official course materials and lab access. Retake pricing follows OffSec's current policy.

What topics does OSWP cover?

OSWP focuses on 802.11 wireless attacks: frame structure, monitor mode, hidden SSID enumeration, WEP cracking with aircrack-ng (PTW, FMS, KoreK, ARP replay, chopchop, fragmentation), WPA/WPA2 4-way handshake and PMKID attacks (hashcat -m 22000), WPS Reaver/Bully online brute force and Pixie Dust, Evil Twin / rogue AP setups (airbase-ng, hostapd-mana, eaphammer), and current WPA3 / Wi-Fi 6E concepts.

How long should I study for OSWP?

Most candidates need 40-80 hours over 4-6 weeks if they have a Linux background and have used Wireshark. Plan more time if 802.11 is brand new. Hands-on lab time on a permitted home or test network with an Atheros AR9271 or RTL8812AU adapter is more valuable than reading alone.

What Wi-Fi adapter should I use for OSWP prep?

OffSec traditionally recommends adapters that support reliable monitor mode and packet injection. The classic choice is an Atheros AR9271 (e.g., the original TP-Link TL-WN722N v1) for 2.4 GHz. For dual-band 2.4/5 GHz, Realtek RTL8812AU/8814AU with the aircrack-ng or morrownr driver is widely used. MediaTek MT7601U works on 2.4 GHz but is less consistent for injection.

Is OSWP still relevant given WPA3 and Wi-Fi 7?

Yes — OSWP is still highly relevant. WPA2-PSK remains widespread, WPS is still enabled on many routers, and rogue-AP / Evil Twin attacks against humans remain effective even on WPA3-Enterprise networks. The PEN-210 course content has been refreshed to include WPA3 SAE, Dragonblood, transition-mode downgrade, and 6 GHz constraints.