Posted in certification, oscp

I tried harder: My OSCP review and advice

A couple weeks ago, I received official word from Offensive Security that I obtained my OSCP -- Offensive Security Certified Professional.

Needless to say, I'm thrilled with this outcome as I've been working hard to achieve this. And if you're reading this blog post, you're likely doing the same. During the process of obtaining my OSCP I, like you, read a lot of different posts about people's experiences. It was helpful for me to know that I wasn't alone in how I was feeling about my work and how the exam went. I won't go into detail about what it was like for me, or how to get box A or box B, but I will offer some advice that I wish someone had told me when I started.

Use the material. Live the lab.

When I first started the course, I didn't have a true appreciation for how valuable the lab was. In fact, I hadn't read a single review of the PWK course. I was simply going off its notoriety without really digging into what was ahead of me. I knew it was hands on, and I knew the exam wasn't a simple multiple choice test that I could study for.


What I did not know was how truly hands on it was. Without a doubt, the lab made the PWK course one of the best educational experiences of my life. I'm dead serious when I say that. When you register and begin the course, read the course guide and watch the videos but live and breathe the lab. It is phenomenal in every regard. And your time spent in there, however long it may be, is not wasted time.

Don't be nice

I'm a nice guy. Or, at least, I like to think I am. I'm polite. I mind my P's and Q's. Some may even call me a Goodie-Two-Shoes. This attitude doesn't work in the lab. I started out the lab a lamb and left a lion. I was scared of breaking things at first -- my past life as a web developer and designer, I suppose. But then I talked to a couple of the folks in the #offsec IRC room and realized I was being too nice.

nmap -vvv -T2 -sS 192.168.17.202

Turned into...

nmap -vvv -T4 -sC -A -p- 192.168.17.202

I started throwing everything I had at the lab machines from a scanning and enumeration standpoint, and I suddenly found doors opening. When you've compromised a machine, be it a local user or root, pillage and loot the thing until it's bone dry. I'm sure in a setting outside the lab you'll want to work with a little more finesse, but don't worry about it here. Lock and load.

Get a methodology

When you're attacking machines in the lab, develop a methodology. The people who fail the exam don't have a methodology. Sure, pen testing requires some parallel thinking and the ability to connect disparate dots (some might even call it an art), but the most important thing is to gather information, enumerate and learn every last possible detail about a machine you can before exploiting it. I know it's overused, but that saying from Abraham Lincoln about spending 6 hours to chop down a tree with 4 of those spent sharpening his axe really is true. But that's only part of the methodology. You have to know where to look, when to look there and what to look for. Be surgical and precise about your attack patterns and don't leave out the details. The people who fail the exam cut corners and ignore the signs.

Talk to each other

I started out doing this alone. I didn't know anyone else personally or professionally who had done it. And so I didn't have a mentor to speak of. But my theory is that this course doesn't just teach you to perform offensive security tasks and the tools to do them, it teaches you a workflow or even, if I dare say it, a lifestyle. So, in that sense, I learned as part of my workflow that it's important to reach out and explore. That meant talking to people in the #offsec IRC room among other places. I felt weird asking for help when I got really, really, really stuck, because I had heard the "Try harder." mantra before and even though I hadn't had it spoken directly to me, I was already frustrated by it.


But once I started talking to my fellow classmates (I rarely talked to the admins), my learning ability just soared. The cool thing about the Offsec culture is that even the students know the value in finding one's own path with this work and in not giving away the answers. Some students might just ask for the answer outright, but the good mentors out there are the ones that in turn ask the right questions of the student. It's important to find fellow classmates and mentors who also do this. If you're getting answers from anyone outright, run away. That will only diminish the value of what the course is trying to teach you.

Set aside time

This course takes time. If you're a super-experienced uber pen tester with mad 1337 skillz, you probably don't need that much time. But I would recommend for those of you who aren't to make sure you set aside good blocks of time. This isn't a course that works well in one- to two-hour chunks here and there. I felt that my best learning came when I was able to spend 4-5 hours at a time on it.

Explore outside the materials

There's more to this class than what's in the guide. There are tools, scripts, technologies, etc. that are all useful/required in the lab that are not covered in the course guide. Get to know Kali and get to know the security community. Surf Github. Use Twitter. Read forums. Read security blogs. Listen to podcasts. Like I said, when it comes right down to it, I think this course is more about the lifestyle or mindset than it is the toolset.

Have fun!

Most of all, you should have fun! The folks at Offsec have done an amazing job putting together a class that is nothing less than exceptional. I'm jealous of people now when they say they're embarking on the OSCP quest. If I could do it all over again, I would. And that's why I'm going to be doing their Cracking the Perimeter course to get my OSCE cert next. :-)

If you have questions or just want to ask about something I didn't outline here, hit me up on Twitter.