OSCP tips and drawbacks
In part 1 I explained why the Pentesting With Backtrack + OSCP exam is a good course even if you are experienced with pentesting already. In this second part I’ll cover some items that will help you better prepare for the course. Besides its greatness the course also has a few drawbacks that I want to cover so you are aware of it.
Not many tips can be given without disclosing too much info on the course. Don’t expect tips about the content, just some tips on how to get you better through the course:
- Plan for this, it will take time to do it right and you want to do it right. The course is full of great info, so make time to read and experience it all.
- Don’t focus on the OSCP material alone. Be curious and investigate questions you may have. Especially if you have the lab still available you can easily experiment.
- Be open for different approaches. This really is the case if you are experienced already.
- OffSec does a good job by learning you the importance of note taking during the course on how you pwned each box. Yes, this is important. Especially if you continue for a career in pentesting. Take notes, notes, notes. Not only to make your own life easier for the reporting, but also for during the test. As with any pentest the slightest bit of info gathered on box A can help you get further on box B.
- Experiment with different ways of note taking during a pentest. Again note taking is really key. I personally dislike the exact way OffSec teaches you to take notes. I tried it but simply can’t work and think efficiently the way OffSec teaches you to take notes (why on earth would you want to make a separate child note for every port of a system?!). But note taking is important so I needed to find a different way. In my day job as pentester most of the time a text editor and screen shots is good enough for smaller tests. For larger tests I use Notecase (Pro). Main take away is easy dumping of text in proper format combined with including of screen shots. After that its the search function that takes care of finding back my notes. Notecase was a good fit for me during this course. Of course this is a personal preference.
- Again on note taking, but this time the advice to take notes of commands/hacks/tricks you use during tests. My ‘useful_commands.txt’ that I’ve been maintaining since my first pentesting day is by far the most valuable file I have on my computer. It contains tons of specific commands for specific situations. Many commands I know from memory, but many more I don’t. Also my brain doesn’t store stuff Ive seen one time. I need to see it more often. When encountering rare situations at a pentest, I research and write down in my file. Next time I encounter a similar situation I know I’ve encountered it before but will not remember exactly how I did this. With a simple look up from my file I save precious time. For example the command to add a 2nd uid=0 user on a HPUX box. Yes I somewhat know how to, and I could use the man page. But what if I only have non interactive access, or if the man pages aren’t installed? I could search online. But by far the quickest way is to check my useful_commands.txt file. I see many colleagues of mine mimic this, it works great!
Update: nowadays there is a book called Red Team Field Manual that does about this. Its a good start containing many great operational commands.
- Get online on IRC. The forum is helpful but not that active. The IRC channel is! great info there.
- If you need it, try to find a studying buddy (on IRC). Somebody who is going through the course just as you are. Be careful not to give him answers of the end result and he/she will not do the same to you. But being able to discuss approaches may really help you to sharpen your ideas and counter those hard moments when you are completely stuck on one of the more difficult boxes.
- Restore the VMs before you start pwning them. People don’t clean up, boxes are in unstable state, hints may be gotten from files left behind by others. Just restore before pwning and you will have the full learning experience.
- Start in time with the reporting. If you do use the Offsec template (which I advise against, see further below this post for why) make sure to not wait till the end.
These are I think the most important tips for prepping for the course. There is one more, but it is needles to say as you sure have read on other OSCP write-ups: be ready to try harder.
Drawbacks of the course
Although OSCP is a great course that I recommend to others, I did notice a few drawbacks. Do note that I see OSCP as a preparation for a professional pentesting career, and from that perspective Ive noted the following items:
- There aren’t many IT networks where you can exploit 8 year old vulnerabilities. At OSCP you can. Not all boxes, but some. For sure a nice trip down memory lane, but I would say that not all boxes are a good representation of the real world. No biggie, but please keep this in mind. Also don’t try to pwn boxes with exploits that are disclosed just last month. This might be possible, but you are spoiling your own learning experience if you aren’t aware of this.
- Content wise I see several issues. I would say that there is:
- Too much focus on info gathering over the internet.
- Too much focus on exploit development. Yes this is important but this takes up a _very_ large part of the course, imho too big of a part.
- Not enough focus on post exploitation. In the labs you are required to do so every once in a while, but in real world pentests post exploitation plays a far larger role namely to determine the business impact of a finding.
- Not enough info on databases and networking. Yes both are somewhat covered, but there is much much more to learn on these topics for a starting pentester.
- The majority of clients use Active Directory. Being experienced in management and hacking of Active Directory is a must for a good and efficient (internal) pentest. OSCP lacks true AD hacking in the lab and in the course material. A simple chapter on the basics of AD mngt and hacking would greatly be appreciated for a starting pentester. Be ready to learn this on your own.
- The biggest point for improvement I think is the reporting. Offsec teaches you to write a technical report detailing the steps you took. I see and hear this at clients many times when talking about what they really want: clients are not happy with 100+ page reports where in length you detailed how you owned a specific box and in what order you performed which step, what you got from a NMAP output and how you modified a given exploit. Clients are interested in the factual insecurities, in the business impact of it and most of all in what steps to take for to improve. The OSCP report template forces you to report in a lengthy way that is easy to understand for other pentester. But how many times will you write a report for another pentester? Think of the audience you are writing for, and think in summaries and key messages. Why group your findings per system when it might be easier for the client to have a report per finding or per department that will need to follow up the findings, with a simple ‘applicable to system X Y Z’ list. While writing keep in mind what next steps the audience should do after your report. Don’t get me wrong, the mere fact that OSCP forces you to write a report for the course is a good thing. Its just a missed opportunity that the template kind of forces you to write down your lab notes instead of a quality pentest report. I understand this might be good for passing the course, but please don’t continue reporting like this once you are a professional pentester.
Despite the drawbacks listed above I want to stress I still think OSCP is a very good course. I recommend it to anybody thinking seriously about pentesting, experienced or not.