oscp-certs

This course review will be discussing my experiences with the Penetration Testing with Kali Linux (PWK) course, as well as the Offensive Security Certified Professional (OSCP) exam and certification. This course has been designed by the Offensive Security team, and is instructed by Mati Aharoni (Muts).

The overarching view of this course is to introduce students to the offensive side of information security, specifically geared toward penetration testing. Please see the course syllabus for an overview of the topics covered – Link.

Am I ready for OSCP?


This course is Offensive Security’s introductory penetration testing course, so little prerequisite knowledge is necessarily required. Having said that, I would strongly suggest completing the free course Metasploit Unleashed.

If you would like further experience with Offensive Security’s testing/teaching style, you might find it helpful to first look into OSWP. This is a much smaller time investment, and is arguably significantly easier than OSCP.

Anyone willing to put in the time to “Try Harder” is capable of being successful in PWK/OSCP, but you must be prepared to jump into the course and start learning. If you are just getting started, you will likely need to supplement the course materials with significant additional research. At the end of the day, problem solving and the ability to learn new concepts on the fly are among the most important skills a penetration tester can have, and this course is an excellent opportunity to develop them. With that said, Offensive Security is known for pushing their students and refusing to hold your hand, so if your self-motivation and self-study skills are lacking, you are unlikely to be successful.

Course Format:

This course is structured as a full network penetration test in a virtual environment. The student is provided with a full written PDF copy of all topics covered, as well as numerous hands-on videos further detailing the course modules.

The student is provided VPN access to the network, as well as a virtual machine for testing/research purposes during the allotted lab time.

Course Experience:

The OSCP labs have a large number of systems, ranging from very easy to mind-bendingly difficult. If you’re a beginner going into the labs, you will start to see a few early wins, but will quickly find yourself scratching your head. Based on my experience, I recommend adding the additional challenge of not leveraging any pre-packaged exploits in Metasploit, with the goal of not relying on automated tools. I began to develop my own scripts for many tasks, which led me to develop an extremely valuable Python skillset that I now leverage heavily day to day.

While you’re allowed to use almost any tool currently available during the lab, I significantly leveraged the following tools most frequently:

1) Nmap with various NSE scripts

2) Netcat, Netcat, and more Netcat

3) Python and Bash scripting

4) Metasploit (MSF Database, msfpayload for Shellcode/Meterpreter binaries)

5) Burp Suite for manual testing

6) Google/Exploit-db for vulnerability and exploit research.

Another recommendation is to leverage Metasploit’s database to keep track of lab targets. This proved very useful, as simple commands within msfconsole (hosts, vulns, services, creds, etc.) list the information gathered from Nmap or Metasploit auxiliary modules, which can also assist with the development of your lab report.

List Hosts:
msf > hosts

List any credentials gathered through meterpreter:
msf > creds

List successful exploits launched via msfconsole:
msf > vulns

Import Nmap scan data:
msf > db_import [nmap_scan].xml
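As an added example (not course material and not Metasploit’s own code), the following Python script parses Nmap XML, the same file format db_import ingests, into the host and open-service inventory that the hosts and services commands display; the scan data embedded below is a constructed sample, not a real lab scan.

```python
"""Build the host/service inventory that msfconsole's db_import loads from
Nmap XML, so lab targets can be tracked outside the database as well.
Added example, not course material; the XML is a constructed sample scan."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
    <hostnames><hostname name="lab-web" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.11.1.6" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"name": hostname, "services": [(port, proto, name, info)]}}
    for hosts that are up, keeping only open ports (what `services` lists)."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # a down host has nothing to track yet
        hn = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise in the inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            info = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            services.append((int(port.get("portid")), port.get("protocol"), attrs.get("name", ""), info))
        name = hn.get("name") if hn is not None else ""
        hosts[addr.get("addr")] = {"name": name, "services": services}
    return hosts

def format_services(hosts):
    """Render 'host port proto name info' rows, like msfconsole's services table."""
    return [f"{ip:<15} {port:<5} {proto:<4} {name:<14} {info}"
            for ip in sorted(hosts)
            for port, proto, name, info in sorted(hosts[ip]["services"])]

if __name__ == "__main__":
    print("\n".join(format_services(parse_nmap_xml(SAMPLE_NMAP_XML))))
```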

I found that taking screenshots and verbose notes while tackling systems, rather than after completing the labs, will benefit you greatly in the long run. After fully exploiting a box, I was able to walk back through each step I took to get SYSTEM/root, taking screenshots and notes within KeepNote. I found this solidified my understanding of the material and made it much easier to compile my report towards the end of my lab time. Lastly, I learned to always remember that getting a shell does not mean you are finished with a target, because you might find something very useful to leverage to further compromise the network or system.

“Okay, so I tried everything I can think of….Now what?”:

It is very likely that during the course of the labs you will find yourself stuck on a particular box, not knowing what to do next. I often asked myself the following question when stuck on a box:

“What do I currently know about the target, how can I learn more, and what can I do with this information?”

It may seem like an overly simplistic approach, but after you have exhausted every option you can think of for multiple days at a time, circling back to the basics can be very helpful. I learned to treat every piece of new information I acquired as a “win” rather than counting only a “shell” as a win, since the latter started to wear on my confidence once the low-hanging fruit in the lab was completed.

Exam Experience:

The exam is formatted as a 24-hour active pentest against a small simulated network, challenging the skills you developed during your PWK lab time. The complexity of the targets in the exam ranges from easy to exploit to extremely difficult, and points are awarded accordingly. Upon completion of the exam, you will have an additional 24 hours to submit your documentation (from the exam and lab) for grading.

Recommendations:

First and foremost, if you’re considering this course, ensure you have the time to dedicate to it. You will need to spend several hours and multiple days per week in the labs, developing new skills, researching, etc. The number one thing I learned from this course is how easily you can put learning off for a few days, only to realize you’re quickly behind the progress curve required for the examination. If you do not have the time to dedicate to this journey, do not try to convince yourself you will be successful.

Be comfortable diving deep into unfamiliar waters. Unless you’re (very) experienced in the offensive security realm, there will likely be topics covered or skills required that are foreign to you, and you’re going to have to learn things that will seem overwhelming at first glance.

Throughout this course you will be required to “think like a pentester”: “How can someone misuse this?”, “How can I benefit from this information?”, “Am I overthinking this?”, etc.

No matter how much you want to jump straight to getting that shell, do not neglect the information gathering process, as it is the missing link to successful exploitation 99.99% of the time. Endlessly throwing exploits at a system will usually not benefit you; it results in nothing new learned and wasted time.

You Will Need to “Try Harder”:


My experience with the “Try Harder” methodology paid off after working on a particular box for several days. I had tried every technique and obscure skill I knew, and nothing was working. I was so fixated on figuring out the solution that I began to lose sleep. After several days, I was hacking away with ‘The Hobbit’ playing in the background. Just as Thorin Oakenshield faces down Azog the Defiler and the song “The beginning of the end for Thorin” starts to play, my shell spawns. The experience was amazing, as all my hard work finally paid off while the epic music played in the background. These are the types of experiences I had during the OSCP labs, ones earned through the mindset of “Try Harder”.

Conclusion:

I have had extensive experience with industry certifications, and I can say without a doubt that Offensive Security trainings and certifications are in a league of their own. The training they provide develops real technical skills, forcing you to leverage what you learned to solve complex problems, rather than relying on the traditional multiple choice question format. I think that more organizations should follow the Offensive Security style of hands-on labs and testing, and move away from multiple choice exams during the certification process.

Make no mistake, you will leave OSCP a changed person; you will think about and look at problems differently. You will find that the persistence that was burned into you through the course has made you someone who will forever “Try Harder”. This mindset will carry over into areas of your life and career beyond hacking, making you more willing to walk into unknown scenarios with complete confidence, knowing that with enough persistence, anything is possible.


Additional Resources:

http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials

https://www.corelan.be/index.php/articles/ – Exploit tutorials

http://www.securitytube.net/ – Training videos

http://www.offensive-security.com/blog/ – Offensive Security blog

http://blog.g0tmi1k.com/ – Security blog