OSCP review for experienced pentesters
Some time ago I passed the Pentesting with Backtrack course and also the final exam that gained me the OSCP certificate. In the following blog posts I will write down my experience and give you my view on this exercise. You may also want to check out part two where I discuss some drawbacks of the course and tips for you to better prepare.
Why another review? There are many reviews already on the net that cover OSCP. These are excellent reviews with tons of info about the course, to the extent that is allowed to be shared. It is not my goal to copy these reviews in my own words. It's my goal to give my opinion about OSCP as a professional security consultant with over 6 years of hands-on experience with pentesting. I work at an international consulting firm and have been performing all kinds of pentesting jobs through the years. From dedicated webapps, external perimeter, internal network pentests, hybrid internal/external on /16 networks, databases, mobile apps, SAP, SCADA, social engineering, red team assignments, etc., I've been fortunate to be able to do them all. So if you happen to be experienced in pentesting and you are – just as I was – wondering if OSCP has any added value, this review is for you.
Why OSCP if you are experienced already?
This was the main question I was battling for some time. Having read about OSCP actually got me really excited. Finally a course that wasn't talking lightly about pentesting, required a true hands-on exam and – judging from many reviews – actually means something. Going through the syllabus I finally decided to leave behind any doubts about it not adding value. Even if I could skip most modules I could always use the time to fill in any gaps in my knowledge that I might have gained in recent years. In the worst case I would just spend some time pwning boxes. What's not to like? Combining work and the course, I went for the 90-day option. I rescheduled the exam one time as I misjudged the prep time needed. I might have been ready for the exam already, but I also wanted to root the majority of the systems in the test network before starting the exam. I needed two more important boxes, so I rescheduled. I'm glad I did as I had _a lot_ of fun with these final two and also learned some new tricks.
Yes, I learned some really nifty things I never came across in my work. And not only on the topic for which I have to say I was very weak before the course (exploit development). Much to my surprise I also learned tons of cool little tricks on topics I thought I had covered enough already. And here I can be very clear to you. Even if you have the experience, you will learn new stuff. As long as you are open to approaches you might not be used to, you will learn, learn, learn. And in our quickly changing field that is never a bad thing :-) Also ask yourself the question: how many tools in BackTrack am I *really* experienced with? Another clear learning topic for me was the simple fact of doing hacks completely without a (web) vulnerability scanner and without all the Metasploit tricks. Being a consultant I'm often under time pressure, forced to gain the most impact in the least time needed. Using the best tools available is essential. This is not a bad thing. I will continue using the best tool for the job. But knowing how to do your work without all these tools makes you stronger.
Main reasons to do the course
These are important reasons why OSCP is a good course to do even if you are already experienced in pentesting. Below I list several items that really contribute to OSCP being one of the best certifications I ever did:
- It never hurts to be critical of how and what you have taught yourself to do through the years.
- Strong focus is on pentesting without the one-click tools. You are encouraged to learn how stuff really works, instead of how a certain vulnerability scanner or exploit framework does things.
- Regardless of your exact background, the curriculum is diverse and you will probably learn new stuff. Even on topics that you already know pretty well it never hurts to take a fresh look. I learned some new stuff on tunneling and put it into practice (e.g. where else can you tunnel inside a tunnel that was set up over a tunnel :-) )
- The teaching material is very good. Both the PDF and the videos are worth it. This makes learning so much easier. These guys know their stuff and can explain.
- One of a kind with true hands-on hacking. What other security certification do you know that has such a large hands-on part? When you think about it, it is ridiculous that all the other certs don't have a hands-on part. Especially in the business of pentesting it is important to not only know in theory that something is insecure, you also need the hands-on skills to exploit the insecurities. So if you get a pentesting certificate, you might want to make it this one.
- The lab environment you get access to is great. It is a good match for the theory you will be going through. You can immediately test it in practice in the lab. And once you are done with all the theory you can immediately continue pwning boxes in the network (and a big network it is).
- Also, were you ever afraid of testing new tools/approaches on a live client network? You might just be able to test them here in the labs.
- You might just learn something from the fresh insight of the people in the community. There is a large community available on IRC. Some members have already done the course and just hang around. Others are, just like you, working through the labs. Help is available, but be warned: no easy help! IRC moderators are available to help you through the toughest moments. But be prepared to get an answer like 'Ah, nice try. But try harder'. No easy help from them. Make sure to also check the forum. Some good, but sometimes outdated, info is there.
- Great, great fun. The network is set up to be one big CTF. Although not of the highest difficulty level, for some boxes you will have to think hard on how to pwn them. You will have fun by experiencing 'pain' and you will 'suffer(erence)'.
Is it hard?
I'm afraid I can't answer that for you. I don't know your skills. But I do know that you will probably go through the theory very fast. Perhaps with some emphasis on one or two chapters where you think you are weak. Don't be stupid and skip parts; take time and see this as a learning opportunity. About halfway through the labs – when you have pwned all the easy boxes and have got a few of the harder ones – you will get a good idea of whether you are ready for the exam yet. Whether you need the 30, 60, or 90 day option depends on the dedication and time you can put into it. The exam itself I think was not hard. If you pwned your way through the labs in the proper way I don't think you will find the exam that hard. Hell, I even got severe food poisoning halfway through the exam, forcing me into my bed and bathroom for about the second half of the exam time (and additionally 3 days of recovery). Fortunately I gathered enough points in the first few hours. That actually became an issue the day after the exam, when the report needed to be written. Thankfully my day job requires me to write reports, so I'm pretty skilled at that. Between running to the bathroom, sleeping and feeling generally extremely miserable I found some time to write the report quickly (with one hand on the keyboard, the other one switching between holding my sore head and the emergency bucket). So I would say no, it's not hard if you are experienced. Just make sure you actually are open to learning new stuff during the course. The way you have been pentesting isn't always the best way, nor the way OSCP requires. I for one learned new cool tricks and gained great insight into how others think pentesting should be done. I'm happy I did the course. Because I'm happy with the way OffSec approaches training I'm looking into other courses by them.
In part two of this post I'll dive into some drawbacks and some tips.