Friday, January 13, 2012

OSCP - My review

The truism "anything worth having doesn't come easy" is one I have often recalled when on a particularly difficult path to a goal. Never have the words rung quite so true as when applied to my quest for the OSCP certification. This phrase, along with several other quotes and snippets of wisdom, helped to motivate me through the PWB (Penetration Testing with Backtrack) course and the final 24 hour exam.

The OSCP is the certification attached to an offensive security course that teaches the attacking side of Information Security and is largely aimed at those wanting to become penetration testers. My personal motivation for taking the course and exam was to better understand the methodology, tools and techniques that attackers employ to breach networks and systems. I have dabbled in offensive security practices for several years, have read several books on the subject, taken courses and run my own lab of vulnerable systems to practice on. I wanted to consolidate, formalize and measure the basic knowledge I had gained through my own exercises, and the PWB course seemed like a perfect way to do this.

Obtaining the OSCP certification requires taking the self-paced course "Penetration Testing with Backtrack" and passing a final exam. The course materials consist of a PDF manual, a lab full of vulnerable systems and a set of videos which complement and enhance the exercises in the PDF. The student is expected to review each section of the course and in some cases complete a given exercise and document it at the end of the module. The course starts off fairly easy with some simple scripting but soon ramps up to scanning, buffer overflows, web application hacking, client-side attacks, password attacks and so on. Each module in the course is well laid out and presented. The videos are voiced by the Backtrack CIO himself, "Mutts", and he does a great job of explaining the material at hand. Some of the videos and modules are worth repeating to really digest the concepts being explained.

The student is expected to follow up the modules with their own research and where necessary seek answers to questions or expand on the topic which may not have been fully understood in the text or video. For example, I went through the buffer overflow section of the course twice and then practiced on some vulnerable applications to really digest and understand the subject. Eventually, after much frustration the concepts clicked and I soon found myself writing some of my own simple buffer overflow exploits. The feeling of accomplishment I got from this was tremendous and underlines the Offensive Security mantra of "Try harder".

Once I started to get comfortable with the exercises and documentation it was time to move on to the lab. The PWB lab is comprised of multiple networks containing a wide range of vulnerable applications and systems. The student connects to the lab via a VPN connection from Backtrack. Once the student starts working in the PWB lab they are expected to document each system they manage to break into and, in the case of root or administrator access, retrieve a key from the administrator's desktop as proof of compromise. Some of the systems in the lab are relatively easy to get access to, but many are not and present challenges that would frustrate a Trappist monk. I spent many late nights trying harder and battling to gain access to a system, breaking one barrier only to encounter another. Applying "Try harder" often worked in these cases and forced me to think and approach problems in new and novel ways. After extended periods of study and practice I found myself able to slip into a hacker's mindset far more easily.

The PWB lab is really well designed. There are multiple ways of gaining access to many of the systems, and some systems lead to other networks. For example, some systems are dual homed and have access to other networks which also contain vulnerable systems. The dual homed systems are great for practicing pivoting: attacking systems and networks through intermediary hosts. This often involves tunneling attacks through hosts you already control to circumvent firewall rules that block you from reaching the target directly. Many of the vulnerabilities in the lab require you to download, fix and compile exploit code. Often in these cases the devil is in the very minor details and absolute focus and concentration is required to get an exploit to work the way you want it to.
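To make the pivoting idea concrete, here is a minimal TCP relay of the kind you would run on a compromised dual-homed host: it listens on one interface and forwards every connection to a target the attacker cannot reach directly, which is the same effect as `ssh -L` or a netcat relay. This is an added example, not code from the original post or from the PWB course. The "internal service" it forwards to is a constructed stand-in (a tiny uppercase echo server) and both ends are bound to loopback so the example runs offline.

```python
"""Minimal TCP pivot relay: listen on a port, forward each connection to a target.

Added example, not from the original post. On a real engagement the relay runs
on the intermediary (dual-homed) host and `target` is an address on the network
behind it; here `target` is a constructed local echo server so this runs offline.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst.

    The half-close (SHUT_WR) is what lets protocols that rely on EOF work
    through the relay instead of hanging on the far side.
    """
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, target: tuple[str, int]) -> None:
    """Open the upstream leg to the target and relay in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable from the pivot: drop the client
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _accept_forever(srv: socket.socket, handler, *args) -> None:
    """Accept loop run on a daemon thread; exits once the listener is shut down."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn, *args), daemon=True).start()


def start_relay(listen: tuple[str, int], target: tuple[str, int]) -> tuple[socket.socket, int]:
    """Start the pivot listener; returns (listening socket, bound port). Port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)
    threading.Thread(target=_accept_forever, args=(srv, _handle, target), daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server() -> tuple[socket.socket, int]:
    """Constructed stand-in for the 'internal' service: reads to EOF, replies uppercased."""
    def serve(conn: socket.socket) -> None:
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(buf.upper())

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    threading.Thread(target=_accept_forever, args=(srv, serve), daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv: socket.socket) -> None:
    """Wake the accept loop and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def relay_roundtrip(payload: bytes = b"hello through the pivot") -> bytes:
    """Send payload to the internal service via the relay and return its reply."""
    echo_srv, echo_port = start_echo_server()
    relay_srv, relay_port = start_relay(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal EOF so the echo server replies
            out = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                out += chunk
        return out
    finally:
        stop_listener(relay_srv)
        stop_listener(echo_srv)


if __name__ == "__main__":
    print(relay_roundtrip())
```

The client only ever talks to the relay's listening port, so a firewall that blocks the attacker's subnet from the internal network is irrelevant: the connection to the target originates from the pivot host, which is allowed through. The half-close handling in `_pump` is the detail people usually get wrong in hand-rolled relays; without it, services that wait for EOF before responding hang.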

After several months in the lab I had broken into more than 35 systems, with root or administrator access on almost all of them. Since I had taken a couple of lab extensions, generously paid for by my employer, I decided to book the 24 hour PWB challenge and make an attempt at the full certification. The OSCP challenge requires the student to connect to a new network containing hosts they have never seen and compromise enough of them to earn the points needed to pass. The student is given 24 hours to complete the challenge and then a further 24 hours to submit the final report for review.

I took two days off work and told my team to only call me if something was on fire or someone was dead. I started the challenge at 11 AM on Thursday morning. I spent the first couple of hours just getting the lay of the land and planning my attacks. The rest of the day was a blur; I remember my wife bringing me food a couple of times and my dogs wondering why I was still up typing furiously at 4 AM. I had made good progress throughout the day but was stuck needing 10 points to pass, and my weary mind was starting to demand sleep. I considered packing it in and taking the exam again at a later date when I decided to give it one final push. Sometime around 7 AM on Friday morning I was finally done. I had owned everything with the exception of one box, a box on which I had user privileges and had tried so hard to elevate. I probably spent 5 hours on it alone. I stumbled into bed as my wife was getting up for work. I drifted off to sleep with a big smile on my face. I had really done it and it was over. I was both elated and sad, as I had grown attached to my late night study and hacking sessions in the lab, listening to the Inception soundtrack or just silence save for my typing.

Documenting each system I hacked was probably my least favorite part of the course, but absolutely necessary as part of the process. As I worked my way through the lab systems I took notes, console output and screenshots of each compromise to use later in my final report. If I had the course to do over again I would have documented each system completely as I rooted it, rather than waiting until near the end to compile all my notes into a cohesive report. This ended up taking me almost a week, plus another day for my final exam report. Counting my lab exercises, my final report was 350 pages.

When I received the official word from Offensive Security that I had passed I was also given access to a discussion forum restricted to those who had also passed the PWB challenge. The forum contains war stories from the labs and solutions to some of the exam systems. I looked up the host that I had tried so hard to elevate from user to admin and found that I was extremely close the whole time, a minor change in one parameter would have done the trick. ;-)

I would highly recommend the PWB course to anyone who is serious about Information Security. More than just a hands on technical challenge, it's also a test of determination and perseverance.

Try Harder!

24 comments:

  1. I have been thinking about trying this. But i would be paying for it myself, so i am a bit more determined to be ready.

    I am very curious about the entry level for this?
    How much foreknowledge would you require to even attempt this course?

    1. "How much foreknowledge would you require to even attempt this course?"

      I would recommend basic to intermediate Linux skills. Understand how to move files around, set and read permissions and configure services and networking. You can pick most of this up with online tutorials or just playing around with a Linux distro.

      Some scripting experience is helpful, though not a requirement.

      Windows admin level skills are helpful, but again, not a requirement.

      I would say the only real requirement is a lot of your time, patience and determination.

  2. How much programing and/or scripting experience do you think one needs before taking the class?

    Thanks in advance.

    1. "How much programing and/or scripting experience do you think one needs before taking the class?"

      Not a lot really. I had some scripting experience (mostly Windows) before starting and no programming experience at all.

  3. Nice write up...thinking about taking this one. How well did you know the BackTrack toolset before you took the class?

    1. I knew the in and outs of Metasploit and nmap fairly well, but not in depth and had some familiarity with other tools (netcat, nikto, compilers etc)

  5. Hi,
    I noticed that you mentioned that it took you a couple of months to break into 35 machines. I am contemplating purchasing 30 day subscription to the labs but after reading your comment I am having second thoughts. Please can you share your thoughts on the lab subscription length you would recommend based on your experience.
    Thanks

    1. Personally, I wanted more time simply because I don't have the resources to work on it as much as I would like. In a good week I was getting about 25 hours of OSCP time. If you can dedicate 8 -10 hours a day and you have some experience you could probably get it done in 30 days.

  6. Thanks for the write up .
    I am good at programming; I know the basics of Linux and ethical hacking, but have never worked in IT sec, a fresher.

    I have planned to do OSCP exam to enter in the IT sec world. What's your opinion? Can i achieve the oscp certification? Also How much it will helpful to get into the IT Security world?

    1. Hi Trenton,
      thanks for the writeup... Got here from the OFFSEC page... like most people around here, I just need a piece of advice from the guru :P
      I work for a leading ecommerce giant and have CEH and ECSA certifications on the IT Security side and a little on the programming side [SCJP].
      But considering me as a fresher, do you think one would do well in the 30 day pack? Looking forward to the suggestion from the guru.. :P

  8. Brian,

    It really depends on how you learn. We all have different learning habits. Personally I took my time because I have a very demanding full time job. If I only had 30 days to do it, I would want to be putting in at least 5 hours a day 6 days a week.

  9. Brian - Good writeup on the OSCP. I am about 70 days deep into this and in the same boat as you are except that I feel I run into a brick wall on this.

    Did you have to spend a lot of time figuring out how to tweak exploit code to get into some systems, or were some tools good enough to get into some boxes?

    Also, what advice can you give for someone who is already beaten up, who has repeatedly hit a brick wall?

  10. I'm planning on taking this course soon. Which version of Backtrack do they require you to use? Does it matter?

  11. Hi, I want to know, if in the labs the machines have firewalls and the student has to attack them.... is it like the real world? Or do the machines not have any firewalls......

  12. A mix of both. Just like the real world.

  13. I have been looking around and can't seem to find an answer:
    Does the lab time start as you start the course, or do the 30 / 60 / 90 days start when you are ready?

    Thanks

  14. You can start working in the lab as soon as the course starts. I made the mistake of waiting quite a while before starting in the lab, if I had it over I would have started sooner.

  15. Hello, I'm a Computer Science graduate. I know about programming with Java and C and a bit of scripting, but mostly on Windows. I'm familiar with Linux but at a basic level, I believe (CLI commands etc.).

    I decided to try and learn more about web app and network security. I don't know if that matters at all, but I began completing some hacking challenges I found online, such as the ones provided on try2hack.lt, hackthissite.org, hacking-lab.com and probably more, and have been successful in almost all. I imagine these are really easy and not real-world challenges, so yeah.. I'm not sure if I should give OSCP a go or wait till I learn more stuff.
    I'm going to pay for it myself, since I'm unemployed lol, so I have to be sure.

    What do you suggest I do?
    Also, Is this certification a good first step for becoming a Junior Pen Tester or should i try other?
    How hard is this certification compared to other out there and which are mostly recognized by HR departments?

    Thank you, George.

  16. Hi George,

    Thanks for your comment and sorry for the late reply.

    It matters a lot. The fact that you took it upon yourself to seek out these challenges demonstrates that you have real interest in the field.

    Take a look at the vulnerable Linux distro Metasploitable and the Metasploit Unleashed online course. If these appeal to you, you will most likely do well with and enjoy the OSCP.

    This is a very good cert to obtain to get your foot in the door as a pen tester. Unfortunately it's not all that recognized by HR depts, but those who know, know. I hire information security staff and I would give immediate and preferential treatment to anyone who had the OSCP because I know first hand what it takes to get it.

    I would also recommend a lab where you can practice as well as reading everything you can get your hands on. If you really enjoy the work immerse yourself in it for a few years and work at honing your skills and finding a specialty.

    Good luck.

  17. Nice article. Seeing that you have been in the security field for about 13 years, and for me, who is just a year plus into the information security field, I really seem scared of taking it. I have explored and done a lot of research in information security but I am still really scared of taking this course.

    But I am not motivated by fear, so I am gonna just do it. Any advice?
    thanks
