Archive for August, 2013

OSCP tips and drawbacks

Posted in OSCP, Security on 2013/08/25 by mram

In part 1 I explained why the Pentesting With BackTrack course + OSCP exam is a good course even if you are already experienced with pentesting. In this second part I’ll cover some items that will help you prepare better for the course. Besides its greatness the course also has a few drawbacks that I want to cover so you are aware of them.


Not many tips can be given without disclosing too much info on the course. Don’t expect tips about the content, just some tips on how to get through the course better:

  • Plan for this; it will take time to do it right, and you want to do it right. The course is full of great info, so make time to read and experience it all.
  • Don’t focus on the OSCP material alone. Be curious and investigate questions you may have. Especially while you still have lab access you can easily experiment.
  • Be open to different approaches. This really applies if you are experienced already.
  • OffSec does a good job of teaching you the importance of taking notes during the course on how you pwned each box. Yes, this is important, especially if you continue into a career in pentesting. Take notes, notes, notes. Not only to make your own life easier for the reporting, but also during the test itself. As with any pentest, the slightest bit of info gathered on box A can help you get further on box B.
  • Experiment with different ways of note taking during a pentest. Again, note taking is really key. I personally dislike the exact way OffSec teaches you to take notes. I tried it but simply can’t work and think efficiently the way OffSec teaches you to take notes (why on earth would you want to make a separate child note for every port of a system?!). But note taking is important, so I needed to find a different way. In my day job as a pentester a text editor and screenshots are good enough for smaller tests most of the time. For larger tests I use Notecase (Pro). The main takeaway is easy dumping of text in a proper format combined with the inclusion of screenshots. After that, it’s the search function that takes care of finding my notes back. Notecase was a good fit for me during this course. Of course this is a personal preference.
  • Again on note taking, but this time the advice is to take notes of the commands/hacks/tricks you use during tests. My ‘useful_commands.txt’, which I’ve been maintaining since my first day of pentesting, is by far the most valuable file I have on my computer. It contains tons of specific commands for specific situations. Many commands I know from memory, but many more I don’t. Also, my brain doesn’t store stuff I’ve seen only once; I need to see it more often. When I encounter a rare situation at a pentest, I research it and write it down in my file. The next time I encounter a similar situation I know I’ve seen it before, but I will not remember exactly how I handled it. With a simple lookup in my file I save precious time. For example, the command to add a second uid=0 user on an HP-UX box. Yes, I somewhat know how to, and I could use the man page. But what if I only have non-interactive access, or the man pages aren’t installed? I could search online. But by far the quickest way is to check my useful_commands.txt file. I see many colleagues of mine mimic this; it works great!
    Update: nowadays there is a book called Red Team Field Manual that does roughly this. It’s a good start, containing many great operational commands.
  • Get online on IRC. The forum is helpful but not that active. The IRC channel is! Great info there.
  • If you need it, try to find a study buddy (on IRC): somebody who is going through the course just as you are. Be careful not to give them the answers to the end result, and they will not do the same to you. But being able to discuss approaches may really help you sharpen your ideas and counter those hard moments when you are completely stuck on one of the more difficult boxes.
  • Restore the VMs before you start pwning them. People don’t clean up, boxes are left in an unstable state, and hints may be picked up from files left behind by others. Just restore before pwning and you will get the full learning experience.
  • Start the reporting in time. If you do use the OffSec template (which I advise against; see further below in this post for why), make sure not to wait till the end.

These are, I think, the most important tips for prepping for the course. There is one more, but it is needless to say, as you have surely read it in other OSCP write-ups: be ready to try harder.

Drawbacks of the course

Although OSCP is a great course that I recommend to others, I did notice a few drawbacks. Do note that I see OSCP as a preparation for a professional pentesting career, and from that perspective I’ve noted the following items:

  • There aren’t many IT networks where you can exploit 8-year-old vulnerabilities. At OSCP you can. Not on all boxes, but on some. For sure a nice trip down memory lane, but I would say that not all boxes are a good representation of the real world. No biggie, but please keep this in mind. Also, don’t try to pwn boxes with exploits that were disclosed just last month. This might be possible, but you are spoiling your own learning experience if you aren’t aware of this.
  • Content-wise I see several issues. I would say that there is:
    • Too much focus on info gathering over the internet.
    • Too much focus on exploit development. Yes, this is important, but it takes up a _very_ large part of the course, imho too big a part.
    • Not enough focus on post exploitation. In the labs you are required to do it every once in a while, but in real-world pentests post exploitation plays a far larger role, namely in determining the business impact of a finding.
    • Not enough info on databases and networking. Yes, both are somewhat covered, but there is much, much more to learn on these topics for a starting pentester.
    • The majority of clients use Active Directory. Being experienced in the management and hacking of Active Directory is a must for a good and efficient (internal) pentest. OSCP lacks true AD hacking, both in the lab and in the course material. A simple chapter on the basics of AD management and hacking would be greatly appreciated by a starting pentester. Be ready to learn this on your own.
  • The biggest point for improvement, I think, is the reporting. OffSec teaches you to write a technical report detailing the steps you took. I see and hear this at clients many times when talking about what they really want: clients are not happy with 100+ page reports in which you detail at length how you owned a specific box, in what order you performed which step, what you got from an Nmap output and how you modified a given exploit. Clients are interested in the factual insecurities, in their business impact and, most of all, in what steps to take to improve. The OSCP report template forces you to report in a lengthy way that is easy to understand for other pentesters. But how many times will you write a report for another pentester? Think of the audience you are writing for, and think in summaries and key messages. Why group your findings per system when it might be easier for the client to have a report per finding, or per department that will need to follow up on the findings, with a simple ‘applicable to systems X, Y, Z’ list? While writing, keep in mind what next steps the audience should take after reading your report. Don’t get me wrong, the mere fact that OSCP forces you to write a report for the course is a good thing. It’s just a missed opportunity that the template more or less forces you to write down your lab notes instead of a quality pentest report. I understand this might be good for passing the course, but please don’t continue reporting like this once you are a professional pentester.

Despite the drawbacks listed above I want to stress I still think OSCP is a very good course. I recommend it to anybody thinking seriously about pentesting, experienced or not.


OSCP review for experienced pentesters

Posted in OSCP, Security on 2013/08/14 by mram

Some time ago I passed the Pentesting with BackTrack course and also the final exam, which gained me the OSCP certificate. In the following blog posts I will write down my experience and give you my view on this exercise. You may also want to check out part two, where I discuss some drawbacks of the course and tips to help you prepare better.

Why another review? There are many reviews on the net already that cover OSCP. These are excellent reviews with tons of info about the course, to the extent that is allowed to be shared. It is not my goal to copy these reviews in my own words. It’s my goal to give my opinion about OSCP as a professional security consultant with over 6 years of hands-on pentesting experience. I work at an international consulting firm and have been performing all kinds of pentesting jobs through the years. From dedicated web apps, external perimeter, internal network pentests, hybrid internal/external on /16 networks, databases, mobile apps, SAP, SCADA, social engineering, red team assignments, etc., I’ve been fortunate to be able to do them all. So if you happen to be experienced in pentesting and you are – just as I was – wondering if OSCP has any added value, this review is for you.

Why OSCP if you are experienced already?

This was the main question I was battling with for some time. Reading about OSCP actually got me really excited. Finally a course that wasn’t talking lightly about pentesting, required a true hands-on exam and – judging from many reviews – actually means something. Going through the syllabus I finally decided to leave behind any doubts about it not adding value. Even if I could skip most modules, I could always use the time to fill in any gaps that might have crept into my knowledge over recent years. In the worst case I would just spend some time pwning boxes. What’s not to like? Combining work and the course, I went for the 90-day option. I rescheduled the exam once, as I misjudged the prep time needed. I might have been ready for the exam already, but I also wanted to root the majority of the systems in the lab network before starting the exam. I needed two more important boxes, so I rescheduled. I’m glad I did, as I had _a lot_ of fun with these final two and also learned some new tricks.

Yes, I learned some really nifty things I never came across in my work. And not only on the topic in which, I have to say, I was very weak before the course (exploit development). Much to my surprise I also learned tons of cool little tricks on topics I thought I had covered well enough already. And here I can be very clear with you: even if you have the experience, you will learn new stuff. As long as you are open to approaches you might not be used to, you will learn, learn, learn. And in our quickly changing field that is never a bad thing :-) Also ask yourself the question: how many tools in BackTrack am I *really* experienced with? Another clear learning topic for me was the simple fact of doing hacks completely without a (web) vulnerability scanner and without all the Metasploit tricks. Being a consultant I’m often under time pressure, forced to gain the most impact in the least time. Using the best tools available is essential. This is not a bad thing. I will continue using the best tool for the job. But knowing how to do your work without all these tools makes you stronger.

Main reasons to do the course

These are the important reasons why OSCP is a good course to do even if you already are experienced in pentesting. Below I list several items that really contribute to OSCP being one of the best certifications I ever did:

  • It never hurts to be critical of how and what you have taught yourself to do over the years.
  • The strong focus is on pentesting without the one-click tools. You are encouraged to learn how stuff really works, instead of how a certain vulnerability scanner or exploit framework does things.
  • Regardless of your exact background, the curriculum is diverse and you will probably learn new stuff. Even on topics that you already know pretty well, it never hurts to take a fresh look. I learned some new stuff on tunneling and put it into practice (e.g. where else can you tunnel inside a tunnel that was set up over a tunnel :-) )
  • The teaching material is very good. Both the PDF and the videos are worth it. This makes learning so much easier. These guys know their stuff and can explain it.
  • One of a kind with true hands-on hacking. What other security certification do you know that has such a large hands-on part? When you think about it, it is ridiculous that all the other certs don’t have a hands-on part. Especially in the business of pentesting it is important to not only know in theory that something is insecure; you also need the hands-on skills to exploit the insecurities. So if you get a pentesting certificate, you might want to make it this one.
  • The lab environment you get access to is great. It is a good match for the theory you will be going through; you can immediately test it in practice in the lab. And once you are done with all the theory you can immediately continue pwning boxes in the network (and a big network it is).
  • Also, were you ever afraid of testing new tools/methods on a live client network? You might just be able to test them here in the labs.
  • You might just learn something from the fresh insight of the people in the community. There is a large community available on IRC. Some members have already done the course and just hang around. Others are, just like you, working through the labs. Help is available, but be warned: no easy help! IRC moderators are available to help you through the toughest moments. But be prepared to get an answer like ‘Ah, nice try. But try harder’. No easy help from them. Make sure to also check the forum. Some good, but sometimes outdated, info is there.
  • Great, great fun. The network is set up to be one big CTF. Although not of the highest difficulty level, for some boxes you will have to think hard about how to pwn them. You will have fun by experiencing ‘pain’ and you will ‘suffer(erence)’.

Is it hard?

I’m afraid I can’t answer that for you. I don’t know your skills. But I do know that you will probably go through the theory very fast, perhaps with some extra emphasis on one or two chapters where you think you are weak. Don’t be stupid and skip parts; take the time and see this as a learning opportunity. About halfway through the labs – when you have pwned all the easy boxes and have got a few of the harder ones – you will get a good idea of whether you are ready for the exam yet. Whether you need the 30, 60 or 90 day option depends on the dedication and time you can put into it. The exam itself I think was not hard. If you pwned your way through the labs in the proper way I don’t think you will find the exam that hard. Hell, I even got severe food poisoning halfway through the exam, confining me to my bed and bathroom for roughly the second half of the exam time (plus 3 days of recovery). Fortunately I had gathered enough points in the first few hours. That actually became an issue the day after the exam, when the report needed to be written. Thankfully my day job requires me to write reports, so I’m pretty skilled at that. Between running to the bathroom, sleeping and feeling generally extremely miserable, I found some time to write the report quickly (with one hand on the keyboard, the other switching between holding my sore head and the emergency bucket). So I would say no, it’s not hard if you are experienced. Just make sure you actually are open to learning new stuff during the course. The way you have been pentesting isn’t always the best way, nor the way OSCP requires. I for one learned cool new tricks and gained great insight into how others think pentesting should be done. I’m happy I did the course. Because I’m happy with the way OffSec approaches training, I’m looking into other courses by them.

In part two of this post I’ll dive into some drawbacks and some tips.