Tuesday, December 14, 2010

Offensive Security Certified Professional

For the last 70ish days I've been actively hacking away in a lab environment, preparing for the Offensive Security Certified Professional (OSCP) exam. This was one of the hardest, yet most rewarding things I've ever done both academically and professionally. This course is not for the faint of heart and requires a lot of self-discipline, perseverance and a very understanding wife. I highly recommend it if you're interested in penetration testing or would like to understand how the bad guys think. With this new way of thinking, you can begin to understand how to protect your network.

If you're wondering if the OSCP is for you, let me give you a little of my background. I've been in network/systems administration for about 10 years. I have in-depth knowledge of protocols/routing/switching/enterprise applications and TCP/IP in general. My Windows skills are advanced but my Linux skills going into the course were weak. I run Linux at home and have had some exposure to different flavors but by no means was I an expert in Linux. I am a terrible programmer, but can understand some C and enough scripting languages to get by. You need to bring all these skills and more to the course because you won't be taught these things - you will be expected to use them while you're hacking the lab and practicing the new concepts that "mutts" teaches you.

I have always been interested in security but outside of general metasploit usage, I wasn't very well versed in any of the popular open source security tools. This isn't a necessity because you will become a whiz at them as you work the course. The course can be taught live or online. I chose the online option and was given a set of videos and a 300-page lab guide. The videos are incredibly useful and extremely well put together. The lab guide is equally useful. I will continue to reference both of these resources in the future. These two guides are simply that: they teach you the concepts but you really have to teach yourself how to apply them. You need to be able to think creatively about applications, networks and protocols to understand how to apply the concepts you've learned.

This is where the perseverance and hard work come in. No one is going to show you what to do in the labs, the administrators are not helpful and the IRC channel is full of people who just brag or talk about other things not related to the course. Do not assume you'll receive outside help when you get stuck. I believe this was done by design; it teaches you to be self-sufficient and resourceful. The idea is that if you can't help yourself you won't ever be good at this. There are options for help, you just have to find them. There were many times where I would hit a wall, thought I couldn't penetrate any more servers and thought I had reached the limit of my technical abilities, but stepping away or reading additional resources would often help.

The lab consists of numerous hosts that are also connected to other networks. There are very easy servers and very difficult servers. As you start to penetrate these networks you run into fun things like fake bank databases, usernames/passwords and often the Offensive Security guys taunting you through funny website graphics or smiley faces. These "nuggets" made it fun to work the labs.

They sell the course in blocks of time. I highly, highly recommend getting at LEAST 60 days in the lab. The progress I made throughout the process was a roller coaster. I would go a week without any progress and then get on a hot streak and nail 5 servers in a night. Looking back, my knowledge at 30 days was not even half of what I ended up learning after the 75 days (I bought an additional 15 days). The more time in the labs, the better.

You're required to pass the "exam challenge" to obtain your certification. The exam is a new lab that you've never seen before and you have 24 hours to exploit the servers in that lab. My test started at 7am and I finished about 14 hours later. You have to submit all your documentation to them within 24 hours of the end of your exam. I read horror stories about this exam, people taking all 24 hours to complete the exam, others taking the exam 3 and 4 times. I believe with my additional lab time, I was better tuned to take the exam. I put an incredible amount of time into this, probably an additional 30-40 hours a week in addition to my full time job. It wasn't like work though, it was extremely fun.

I took the exam on Saturday and have been anxiously awaiting my results. Today I found out that I passed the exam and received my OSCP.

If you're interested in what you'll learn, check out the course syllabus here.

Bravo to the Offensive Security crew for a brilliant course. I learned more than I ever thought possible.
After 4 months - I decided to take the OSCE challenge and documented that here.


firesofmay said...

This is the best and most honest review I've read about it.
Thanks a lot.

bucen said...

After my CISSP certification, I'm thinking about training for PWB myself.
I looked on the Offensive Security site, but I didn't understand very well how much time you can spend in the security labs.
When you subscribe for, for example, 30H, how does it work:
Is it the time that you actually spend in the labs?
Or can you only connect to the labs until a certain date?

Craig said...

You sign up for a specific number of days, 30, 60 or 90. There is a date at which your access ends, it is not based on how much time you put in... that is up to you!

Gopi Kiran said...

The way you presented the review was really good and you mentioned the prerequisites for taking/attending the course. I really like it...

Thank you.

Dhruval Gandhi said...

Hi, Congratulations..

Tell me one thing: when the exam starts, do the examiners give us the IPs of the hosts, or do we have to do blind scanning to identify the hosts and then do the PT?

Craig said...

For the exam challenge you'll get 5 servers to attack. Each with different point values. The hosts will be known so you don't have to discover them on your own. There are specific objectives for each server.

Dhruval Gandhi said...

You mean they will give 5 IPs?

Craig said...


Johan said...

Hi Craig!

First I'd like to congratulate you to the OSCP, very impressive!

Secondly, I have a question regarding the amount of time you spent on this course. You wrote; "I put an incredible amount of time into this, probably an additional 30-40 hours a week in addition to my full time job."

Does that mean you had roughly 30-40 hours per week to study or were you able to study at your full time job as well?

The reason why I'm asking is because I'd like to take this course with maybe 5-6 months lab time. However, I'm currently a full time employee and I'm not able to study or work with anything related to the course. So I'm planning to spend most of my spare time to the course. Do you think this will be sufficient?

Thank you in advance!

Craig said...


The 30-40 hours was in addition to my full time job. There were times that I could study at work but that was not the norm. I got a little obsessed with studying, just because I was having so much fun. You might not need as much time, it just depends on your background. 5-6 months of lab time might be excessive though. I would recommend trying to do the labs in large blocks of time, instead of like an hour each day. Keep in mind, you can also keep adding time to your lab. Just make sure you don't let the time lapse, because if you have to re-activate, you'll likely get a different internal IP address which will slow you down. You will have to re-create some work. Feel free to use the contact me form on this blog if you want to take your questions offline.

Unknown said...

Hi Craig, do you recommend any other support material for the course? I'm already into Linux and some security, but I want to be well prepared when I take the course.

Craig said...

Enrique -
Have a look at the syllabus to make sure you know what you're in for. Be sure you're comfortable with bash/python and general networking. Other than that, you'll likely be "learning by fire."

Unknown said...

Hi Craig, I am looking to do the OSCP exam but I want to know if there is a lot of depth about evading firewalls.

Unknown said...

Hey Craig, I am looking to start on the path to OSCP. Please, I want to know if evading AV is discussed in depth, and also what prior knowledge is needed for passing the nerve-racking exam.

Craig said...

@wilson wonder Evading firewalls is not a topic in the course. I posted a link to the syllabus in the post. There is also no topic on AV evasion. There is a small section on that in OSCE, but not OSCP. As far as the exam preparation, just hack as many systems as you can in the OSCP lab. Try to get to the admin network, if you do, you'll be ready.

Unknown said...

Craig, thanks for your response

guze said...

@Craig, is there a book (material) outside Offensive Security that one can read to prepare for the exams ahead of the PWK training and certification?

Craig said...

There are so many books to consider. I would recommend letting what you discover in the labs guide your "external references" search. There are a few must-have books like the Web Application Hacker's Handbook and the Shellcoder's Handbook, but honestly these days I leverage blogs to keep up to date. If you want my OPML feed, I can post it for you.

test said...

Congrats Craig.
I want to opt for OSCP but I'm a bit confused about whether to opt for it or not.
Let me put down my strengths and weaknesses.

1. Good understanding of web application penetration testing

2. Not very good at Linux, scripting languages, metasploit.

Please give me a heads-up on how I should plan to clear the OSCP.