For the last few months I have been working towards becoming an Offensive Security Certified Professional (OSCP). Fortunately, the hard work has paid off and I now have the OSCP certification! Here’s a brief review of the experience.
Why the OSCP?
I’ve had an interest in computer security for as long as I can remember. However, despite this interest, I had no formal qualification to prove my capabilities to myself and to others. Therefore, I decided to change this.
When looking for a security certification I had three main criteria:
- Value for money — I would be paying for the security course out of my own pocket and therefore couldn’t justify the price of courses such as SANS;
- No recertification — following from the previous point, I did not want to have to pay for recertification every year (especially as the content of most courses doesn’t appear to change too often);
- Educational — There are some courses out there that are primarily book work followed by a multiple choice exam. While passing this form of assessment gives you a qualification, it does little (at least for me) to help you learn the skills. I wanted a course which was hands-on and allowed me to use the tools and apply the techniques being taught!
Fortunately, Offensive Security’s Pentesting with Kali Linux (PWK), for which upon completion the OSCP is awarded, met these requirements as well as offering much more: lab time, on-hand help, access to their CrackPot, videos, an active forum, plus much more!
Is this course for me?
This is the first course I’ve done outside of university, so I’ve not got much to compare against in terms of difficulty or expertise. Therefore I’ll give you a little more detail about myself. I’m 23, I have a Masters in Computer Science from Southampton University, I’m proficient in a number of languages, (Perl, Python and C being a few), I know my way around Linux and Windows operating systems, and before starting the course I had a pretty solid foundation of web application security. Despite these attributes, I still found parts of the course challenging.
So, is this course for you? I believe that this course is suitable for everyone who has a genuine interest in security. If you’re unsure if that’s you or you’ve had little exposure to security, I’d recommend doing a bit of self-directed learning first. Sites such as VulnHub can provide you with an introduction to simple techniques, whereas sites such as OWASP can provide a wealth of information on things like web application security.
You don’t need to be a programmer to pass the course, although on occasion you will be required to read and modify exploits, and you may find it useful to write small scripts to automate some of the mundane tasks you’ll find yourself doing time and time again. If you’ve never written or seen a program before and don’t know what a function or variable is, then I’d recommend spending a few hours learning the basics. Python is probably the easiest language to get started with, and sites like LearnPython look like they give a good introduction.
Most of your time will be spent in a terminal. Therefore, I think a basic understanding of Linux and Windows commands is a must. Without knowing how to do simple tasks on the command line, you’ll struggle! Again there’s a sea of resources out there, and in an afternoon you could probably learn the fundamentals.
Next, I’d recommend having time — and lots of it. Depending on what you want to get out of the course, and how much experience you have, will determine how much you need. I have a full time job, so I could only devote a few hours every night throughout the week. On weekends I put in 16+ hours and I continued this this for a couple of months! While it’s definitely possible to get away with doing less than this (I had the intention of breaking into every lab machine), you’ll still need a few hours on a daily basis for at least a month to make good progress.
Do you need to know your way around a assembly and a debugger? While you will be expected to use a debugger in the buffer overflows section of the course, it’s well guided and even though I had little experience with these concepts, I found them pretty easy to grasp.
If I’ve not scared you away, and you’re thinking of doing this course, I’d recommend starting with 60 days worth of lab time. If you’re prepared to knuckle down, this should allow you to make enough progress in order to sit the exam. If after 60 days you feel you aren’t ready, then lab extensions are available for a pretty reasonable price!
What can I expect to learn?
The PWK course comes with a PDF with over 300 pages of content, exercises that help you apply the techniques, and hours of videos that complement the content. The course syllabus can be found here, but in a nutshell, PWK provides a solid foundation in everything required to enumerate, penetrate and control a host.
The notes and videos are a good starting point for the techniques required to compromise a computer. This includes topics such foot-printing, enumeration and exploitation, as well as information on exploit development, meterpreter and pivoting into new networks. While the course content is great, you’re also expected to do some independent learning. Once topics have been introduced, and you understand the basics, searching online to build upon the information provided is a must. Ultimately how much you learn is down to how much work you’re willing to put in!
If you’ve covered the material and still don’t know what you’re doing, then just recently, the Offensive Security team have posted a number of comprehensive walkthroughs on the forum for a few of the lab machines. These didn’t exist when I started the course, but I wish they had as they provided a great introduction into how to approach compromising a host.
While you’ll often need to break down personal barriers and persevere to make progress, there are support channels too. The forums available to OSCPs are often a great place to get hints (not answers!) on hosts. There’s also the #offsec IRC. I didn’t use this, but from what I’ve heard it’s a great place to meet fellow students and get some tips on the machines!
I think the most valuable lesson you’ll learn though is that hard-work, persistence and determination eventually pay off as you begin to compromise more and more hosts throughout the lab!
The labs are the biggest selling point of the PWK course. They are available in 30, 60 or 90 day blocks and can be extended by 15, 30, 60 or 90 days if required. The labs themselves, contain several networks, with over 50 machines supporting a range of operating systems. Offsec have done a great job at mimicking a real network, including a number of bots that act as users, and a number of hints throughout the labs providing insight on how other machines may be compromised. As you break into machines you’re encouraged to do additional information gathering; on numerous occasions I was missing information when trying to break into a machine so don’t skip this stage!
The aim of the lab is to get a shell with admin privileges (e.g. root or system). In addition there are a number of
network-secrets.txt located throughout the labs that prove as evidence that you’ve compromised a host. The machines with
network-secrets.txt are connected to another subnet, and can typically be used as a pivot point to access that new network. The machines in the labs allow a range of techniques to be explored including (No)SQL injection, local and remote file inclusion, buffer overflows and client side attacks. You’ll also get to try out various privilege escalation techniques, try your hand at some simple brute forcing and play with the metasploit framework. If you do use the metasploit for exploitation, I’d recommend trying to break into the machines again without it. A very limited use of metasploit is allowed in the exam, so you don’t want to become dependent on it!
Offsec also provides, each student with a panel to revert machines (each machine within the lab is a VM which can be reverted to a snapshot). As the lab network is shared by numerous students, some machines may have been exploited/modified in a way such that it’s no longer possible to exploit. Therefore, ensure you revert a machine before trying to break into it!
If you’ve read other OSCP reviews you’ve probably heard about Sufferance, Pain and Humble! It’s true, these machines are tough, but extremely rewarding once you’ve managed to get root access on them. While there’s no requirement to compromise these machines before sitting the exam, I felt it was a rite of passage. By the end of my lab time I had managed to break into every machine within the lab, and felt confident about sitting the exam.
The time Offsec has spent setting up these labs is evident, and during the course of the labs I’ve learnt more than I ever expected to! One crucial piece of advice is that take care to manage your workflow. Keeping detailed notes on all your activities is so important. The course recommends using KeepNote. I gave this a go initially but found it had a number of downfalls such as an abysmal search. Therefore, I created a git repo and used markdown to write my notes. The benefits of doing this are:
- You can backup your notes to a remote server. I had a private GitHub repo I uploaded my notes to (make sure you don’t upload to a public repo!!) and ensured I committed on a regular basis to protect all my hard work!
- Searching across notes is simple with the use of tools such as grep or ack. This was particularly important when trying to find links between the machines.
Lastly I’d recommend to enjoy the labs. Many OSCP reviews forget to mention this, but the labs are extremely good fun! Yes it’s hard work, but the best things in life often are!
Once your lab time has finished, or you feel like you’ve learnt as much as you can, it’s time to book the exam. I scheduled my exam for the weekend before my lab time was due to end. You’ll probably need to book the exam a few weeks in advance as there are limited exam slots available on any given day!
The OSCP exam is unlike any other exam I’ve taken! It’s an arduous 24 hour practical exam followed by 24 hours to submit the report. In the exam you’ll be given a small number of machine to exploit, and you’ll require 70⁄100 points to pass. Use of certain tools (e.g. metasploit) is restricted, so make sure you’ve got a solid methodology and aren’t dependent on these!
I found the exam tough, within the first few hours I managed to break into two machines, but it was hard-going after that! Although progress was slow at times, the OSCP had taught me to keep going at it and by the end of the exam time I had obtained enough points to pass! One piece of advice for the exam is to remember to take regular breaks for food and drink, staring at the same problem for hours on end doesn’t do you any favours!
Once the 24 hour VPN access to the exam network expired, you’ve then got 24 hours to write and submit a real-world pentesting report. While this sounds scary, it isn’t too bad as Offsec provide a template to use. Student’s reports range in size, but mine was 166 pages. In addition to the points you can obtain from compromising the exam machines, bonus points are also available. At the time of writing, 5 points for submitting the course exercises and 5 points for submitting a detailed writeup of 10 labs machines. I’d recommend writing up the lab machines and the exercises before you sit the exam.
While I was fortunate to pass first time, don’t panic too much if you fail. Many students fail on their first attempt and the cost of retaking is pretty reasonable ($60 at the time of writing). If you do fail, try to focus on the areas you struggled with, either by booking a lab extension, or using sites such as VulnHub to refine your skills.
I submitted my exam report on the 20th August and got an email saying I’d successfully became an OSCP on the 22nd August 2016. Upon completion of the exam you’re give access to a locked part of the forum where lab machines can be discussed in more detail and you can chat with your fellow OSCPs!
A word of advice
You don’t have to go far to find heaps of information and advice for the OSCP. Here’s a bit of mine:
- Document as you go!
- Go through all the course notes and videos before jumping into the labs.
- Don’t panic! If you’re really stuck, there’s the forums, IRC and online support that you can turn to for help.
- I’d recommend booking the exam once you’ve gained access to each of the networks and feel comfortable rooting most machines. Having a solid pentesting methodology is also a must.
- Revert the machines before you being attacking a host!
- While it’s ok to ask for hints, never ask for the answer! You’re just cheating yourself of the learning experience!
- There’s a mountain of resources out there that are worth their weight in gold. Those I kept coming back to include:
- Persevere! Don’t give up! Try Harder!
If you’re willing to put in the work, willing to do a lot of independent learning, and willing to Try Harder then the OSCP is probably right for you! From my research and experience of the course, I believe it’s one of the best value certifications available on the market today, and the awesome labs make the PWK course one of a kind.
This review can’t cover it all, but the Offensive Security Team have posted a number of great reviews here.
Would I recommend it to other budding security enthusiasts? Definitely. Am I considering putting myself through the pain and anguish again for the OSCE? Probably…