Tuesday, May 3, 2011

Offensive Security Certified Expert

I will start this post the same way I started my post on the OSCP certification, with a slight modification:

"This was one of the hardest THE HARDEST thing I have ever done in my life both academically and professionally. This course is not for the faint of heart and requires a lot of self discipline, perseverance and a very understanding wife."

The Offensive Security guys recommend taking the "Pentesting with Backtrack" course and successfully completing the OSCP exam challenge before you take the "Cracking the Perimeter" course. After the CTP class, you can take your Offensive Security Certified Expert exam challenge and if you pass, you become an OSCE. The OSCE course and exam challenge are significantly harder than the OSCP.

The OSCE is very different from the OSCP and I never thought I would even attempt the OSCE after the pain I endured from the OSCP. To take the Cracking the Perimeter course you have to pass an initial challenge before they will even take your money to sign up --> http://www.fc4.me/

You have to obtain the 16 byte registration key -- sounds simple enough, eh? This is their attempt to weed out the weak! I attempted this challenge one evening, just to see if I could do it. I managed to get the registration key and submit the registration form but now I had a real predicament on my hands. "Do I let the Offensive Security guys torture me again?" The answer was clearly YES, I need more pain.

So the journey begins.

There are some notable differences between this course and the OSCP course:
  1. The lab for the OSCE is not stocked full of vulnerable systems to compromise. In fact, it's only a handful of boxes that you use to facilitate the course modules. Based on this, I would say you probably do not need the 60 days like I signed up for. That assumes you can dedicate 30 straight days to the material.
  2. They don't need an elaborate lab for this course because a lot of the material is on exploit development. Meaning, you can hit exploit-db and practice practice practice on your own VMs.
  3. In this course, you will live inside a debugger. You will become so comfortable with HEX and assembly that you will begin dreaming about EB 06. OSCP was about 5% in a debugger, OSCE is about 90%.
65 66 66 20 79 6f 75 20 68 65 78 61 64 65 63 69 6d 61 6c 20 69 20 68 61 74 65 20 79 6f 75!

The material is very interesting and for the most part, still relevant today. There was one module on anti-virus evasion that is a little dated, however this spawned additional research and I ended up finding a way to make Metasploit payloads 100% undetectable. That is a Metasploit bind shell :) I slightly expanded work that Scriptjunkie did on this subject. This is an example of how the Offensive Security guys opened up my eyes from the course and gave me ideas so I knew what to look for.

The videos and course lab guide are brilliantly put together, just like OSCP. Here is the process I used to learn the material:
  1. I watched all the videos and walked through each exercise in the lab as Muts narrated. Then, I went back and re-did everything on my own.
  2. After I completed the course modules I jumped on exploit-db and started recreating all of the buffer overflow exploits I could find. I would take one, strip out everything in the middle and try to get the same results. I probably recreated 50 exploits. The point of this was to get very familiar inside a debugger and to see first hand some of the obstacles you encounter when writing exploits.
  3. I would revisit the videos and course lab guide as needed.
After my 60 days of lab time, it was time to take the exam. I felt like I was ready. After all, I kicked the shit out of the OSCP exam so I was feeling pretty confident about this.

Well, I wasn't ready..... at all. I failed the first exam. I only had 1/3 of the points I needed to pass. The exam is very hard but not impossible. This was the first time I had failed at something in a long time and it was a serious ego check. Not to mention I worked 17 straight hours the first day and another 15 the second day. Part of me wanted to throw in the towel because I had already learned much more than I ever thought possible and I wondered if the cert was really worth it. I thought I had reached my technical limit. That thought didn't last too long. I continued to perfect my skills and took the exam again about 3 weeks later. This time I was ready and passed. What an incredible feeling.

While I was practicing the exploitation techniques they taught me and trying to expand my skills, I managed to find a few software bugs on my own. Most of them are boring DoS, but one was a remote code execution buffer overflow.

I'm not sure I can recommend this course to everyone, it's pretty gnarly but again, brilliantly put together by Offensive Security. They certainly give you the tools to help you succeed, but as usual, they don't tell you everything you need to know. The content in this course is fascinating and if you're a security junkie you will find it thoroughly entertaining. It's too bad this cert doesn't get more notoriety, because I now have a much better grasp on all things security than I did after the OSCP. Two times now the Offensive Security folks have expanded what I thought was possible and it has really helped me in so many areas.

There is so much information to know in the infosec industry and this process taught me something important. To excel at the fastest pace possible in infosec I think you need to be on the edge of going crazy. What I mean is that there is too much to know and the only way to continue learning at an accelerated pace is to be on the edge of too much information. This is a fine line and if you can learn to balance it with your home/family life, you're in good shape, otherwise you'll go nuts.

Thanks again to offsec for making me a little more crazy and at the same time opening my eyes up to the significant issues infosec faces. At least I have a little better idea how to secure my networks and what to watch out for.
airloom said...

Really good review, I finished the OSCP last August and have been meaning to get round to doing the CTP course and having a crack at the OSCE exam.

I intend to start CTP in June and go for the 30days. Is there a specific book or site that helped you on this course or did you manage to learn everything directly from the courseware and hands on practice?

Craig said...

I only used two books as reference, The Shellcoders Handbook and the Web Application Hackers Handbook.

However, most of my research just came from the Internet. Good luck and let me know how it goes!

Ben said...

Yep, the exam definitely requires some creative thinking, and knowing your shell-coding inside out.

I failed first time as well.

Talking to the admins on #offsec, I think this is the norm, and the way the exam is designed it is more like a learning experience than a test of your knowledge.

After the first attempt, you need to go away, dig deep, and come up with something new.

Ben said...

Great blog BTW Craig ;o)

ranjanyogesh said...

I have registered for OSCP but I didn't receive the mail. I used my official mail id; after that they sent me a mail to fill the form. I filled the form and submitted it, then... no process for further registration. Please help me to get this certification.

Craig said...

Jump on the offsec IRC channel and ask for an admin, they'll get it squared away.

Dhruval Gandhi said...

Hi, on the 10th I started CTP!!
Now in the book I got a few topics to learn. I just want to ask: in the 48-hour exam, do they ask questions strictly regarding the book's techniques, or can they ask beyond that?

Craig said...

iampole -

Anything is possible.

Dhruval Gandhi said...

Craig, anything is appreciated because I know I am not doing an easy thing, but here I just want to confirm: do they ask about things which are not covered in CTP?! I know they can ask some questions which are related to CTP topics but very deep.

Do you get what I want to say?

Craig said...

It's a typical Offensive Security course. They give you material that should spawn your own research. They definitely do not tell you everything. You will likely take the exam at least 2 times because it's pretty challenging. This is not your standard "read book" then "pass test" course. That is not how they structure these classes. It will stretch your brain in ways you didn't think possible.

Amr said...

Great blog, thanks for your precious information. I wanted to ask about the prerequisites before starting the OSCE: how did you prepare yourself, or did you start OSCE right after the OSCP cert?
I hear that they require you to have some good experience working with debuggers and exploit research before starting the course?!!

Craig said...

I just dove in, without having that much experience. I don't think you can really prepare :) Just get in there and see how it goes, worst case you have to do an exam retake, which is cheap.

Amr said...

If you don't mind answering this question: I read in your OSCP post that you were working as a network/system admin. So after gaining your OSCE certificate, do you now have a job in the security field as a pen tester, or what?
People tell me it is not easy to get a job in the infosec field.

Craig said...

Amr - you're right. It isn't easy getting a job in infosec. Here is my story about how I got a job as a pen tester http://www.pwnag3.com/2011/12/my-road-to-pen-testing.html

Feel free to use the contact form if you want more advice.
Unknown said...

Very interesting read... I really like how you broke it down. It made me want to go study for the exam right away... lol... but I am on my way now.

Unknown said...

In regards to study time, does the CTP course require 30/60 days of constant study (all day), or did you do your study just in the evenings?