EH-Net

After hearing and reading so many positive reviews over the past year, I decided to take the plunge. I received my materials late Saturday (08/04) evening, which was technically 08/05 00:00 GMT. So far I have about 8 hours invested into the course and I have enjoyed everything so far. At first, I started reading the modules in order (lab pdf) but then I decided to briefly fly through the entire lab pdf, just to see exactly what I will be learning. Sooo..I've been reading/slighty skimming through the lab for about 4-6 hours and I'm only on module 8, so that should give people an indication to how much material is packed into the lab pdf.

Just like so many people have mentioned, I can get through the first five modules pretty easy (learning backtrack, learning some BASH/python, port scanning, enumeration, etc..)but from module six and on, I know I will have to do A LOT of outside research...which I'm completely fine with. I'm not going to lie, going through the buffer overflow section for the first time was like reading Japanese.

The further I get into the Lab pdf, the more I feel a little overwhelmed. I kind of wish OffSec would give you the choice of going through the PDF and Video's for a week or two, then starting the lab time. The material is totally worth it but I can't help but think I'm losing money by reading, researching, and watching video's..rather than messing with the lab.

My personal goal is to get everything done within 60 lab days and take the test some time after that.

Well I better get back to the pdf. Any comments are welcomed.

Good luck with the course.

From my own experience, try not to get too worried about the buffer overflow section. If it only seems like Japanese you're probably doing alright :). After a couple of run throughs and the hands-on examples everything starts making sense.

When I did the final challenge (and (hopefully) without giving too much away from my own challanges) I finished one section, sat back in the chair with a grin on my face, and the question of 'did I really just do that' going through my mind.

The material is tough, but you should get there in the end. Although I do agree with you re: offsetting courseware/lab time, I took an extension to get more time in the labs (partly for extra practice, and partly just because the labs are FUN).

I completely agree. I think the key here is your loss = their gain as a lot of people seem to end up buying extensions.

One thing I'd caution you on is to use BOTH the pdf & video - I got hung up in a big way on the buffer overflow section because the pdf skipped over a key component. The video on the other hand covered it correctly.

Cool good luck I hope to be doing this course soon too just trying free up extra money...

What other resources did you use to learn buffer overflows?

I have about 5 links but any other suggestions would be nice.

Exploit Writing Tutorials: https://www.corelan.be/index.php/articles/

Buffer Overflow Megaprimer: http://www.securitytube.net/groups?operation=view&groupId=4

Smashing the Stack in 2010: http://pentest.cryptocity.net/files/exploitation/stsi2010.pdf

Reviewing exploits on ExploitDB. I believe cd1zz recommended FreeFloat FTP as a good service to play around with.

This is also a pretty handy resource, using vulnserver: http://www.backtrack-linux.org/forums/showthread.php?t=203

thanks for the link

Yes, great link. I hadn't seen that one before.

Also, I just remember that the Metasploit blog recently started providing these types of tutorials as well: https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development--the-series

+1 Definitely agree.  Do not stress the course however.  It is easy to feel too much pressure and stress.  It will be a fun, painful ride either way.  Have fun. 

Agree with Agoonie. Just take it one lesson at a time and try not to stress about the stuff that sounds difficult. You can always circle back and deal with that after you've got some momentum.

Cool some really good advice from the more expierence guys who done the course good luck ....

My advice for learning the buffer overflow is to load the vulnerable software on your own lab machine and practice it there. That's what I did to successfully complete the exercise. :)

Cool bit fo advice any other advice from people who have passed ?

I don't know why every bufferover flow document talking about 32bit OS exploit (EIP, ESP etc..)

I didn't find any single document about 64bit OS exploit (RIP, RSP etc..) Because it has totally different register set..

Slightly off-topic, but I suppose this may help:
http://turkeyland.net/projects/overflow/index.php (http://turkeyland.net/projects/overflow/index.php)

thank you for the link!

Right now I have not signed up and am studying many different attacks and the theory behind it. However I feel overwhelmed as well since there is so much to cover.

Besides reading many of the papers mentioned here I practise as well on smashthestack.org (mainly IO). There are many different challenges that expose you to the various types of vulnerabilities, helps you to identify them and gives you an understanding how to exploit them in a timely manner. Of course I document everything and write my own little scripts or code where I need it. You never know when you need it again.

I struggle a bit with GDB as I am used to Immunity, Olly or IDA. Yeah yeah, I am a Windows guy hehe.

There is cheatsheet worth printing:
darkdust.net/files/GDB%20Cheat%20Sheet.pdf

And of course an Intel Assembler 80x86 one:
http://www.jegerlehner.ch/intel/

Anyway it is a good prep for the OSCP cert I think. Will be signing up after OSWP. Good luck everybody  :)

Update: Today will be my 16th day with the course and so far the course has met my expectations. I have currently put 42 hours into the course and I am happy to say I have gained root on 5 boxes so far . Every time I gain root on a system, my confidence in the lab goes up ten fold. Given, they might not of been the hardest systems in the vulnerable network but never-the-less, I have learned SO MUCH in the last 2 weeks.

At this point in time, I am thinking about taking the OSCP exam somewhere near the end of September/beginning of October.

Make sure you leave time to write the report before taking the exam.

Thanks for the advice, the report has already been on my mind. I've read from multiple reviews that the final report is hundreds of pages...

Just a question is the lab you practice in the same as the exam or are you given another lab ?

The exam is not given in the same lab you practice in.

Do I understand correctly that you have to create 2 reports? One for the student network that you exploit and one for the actual exam?

If so, does not owning all boxes on the student network have an impact on your final grade?

I wish you can clarify this for me.

great question i would like to know the answer too that too

@sh4d0wmanPP ,

I haven't looked to far into the final reports but I would think they would be 2 separate reports. I don't think they would want your lab info mixed in with your final report? But I do not know for sure.

The number of systems you own during the lab will have not hinder your OSCP grade.
I have heard of some people only owning 8 systems and taking the test, but I have also heard about people owning 30-50 systems.

The lab environment for practicing and the exam environment are two different ones. Also, it's not a must to document how you owned machines in the practice lab, but recommended. If you are on the edge between pass and fail of the examination, you might have better chances to pass with a report that also contains your efforts in the practice lab environment.

As for the report, I combined mine (but had separate sections.)  My lab notes were an appendix to the exam report.

I don't know what was considered 'proper', but that was how I did it.

My report was combined as well. It was only 78 pages.... not hundreds... :)

Thanks for the info guys. My bad, I read one review where the guy said his report was 350ish pages, that's crazy to me...

There is no standard on how long the report must be. It should contain all necessary information though. ;)

When writing anything try to focus on quality over quantity.

Wow, that's hilarious. My exam section was ~90 pages, and combined, the entire report was just shy of 500.


You need to remember that you're not actually writing text for all those pages. Most of my pages only had a screenshot and a sentence or two explaining what was going on.

As I was going along, I'd just alt+printscreen whatever window I was in, add a note in Word, paste the screenshot below, add a page break for a nice transition, and repeat.

With dozens of lab systems, it's easy to obtain a high page count with minimal effort. Think where you'll end up with only five screenshots per day at 30, 60, and 90 days. My approach was to include a step-by-step walk-through for each system, so anyone could repeat the compromise. cd1zz was apparently much more concise ;D What's important is that you adequately communicate your findings.

Mine wasn't 350, either, but it WAS in the 130-150 range, if I recall correctly.  Wasn't as detailed on the lab section for MOST targets / exercises, but I did have a LOT for the data gathering section...

HOLY COW!  Yeah I didn't show every single step, except for the section that had the Exam Challenge.

The rest of the lab report was basically the vuln, and proof of exploitation.

wow sounds like the reprots are pretty hardcore I was not expecting it to be that long but now thinking about it I could see why it would be.

My report was 205 and the exam was about 30ish.  It was a long process since I wanted to the report to be perfect but the screenshots were a pain.  It would always throw off everything else in the report as far as formatting.

TIP: Work on your report while you are doing the course.  At least the last two weeks of the course.  It helped me out a lot. 

ok sorry is this is really dump question but you say work on your report how can this be done ?

From my understnading you get lab time what is another network to your exam ? Do you not get an exam network where you need to write a reprot for that ?

It's recommended to write the report while you progress through the course rather than at the very end of your course time. This way you have things right in memory and won't need to spend your last time with just report writing, which might take quite a while if you are just starting with it. If you document your findings too sloppy in your temporary format, it might also be difficult to document it properly in your final report (especially if your lab time is over and you can't go back to verify).

From what I remember, they give you a template to the report for the Lab PenTest.  I am talking about the LAB portion.  You should take notes while you are working on the lab.  Add your notes/results to the report ( for screenshots).  You can work on some of the notes after the course is over but it seemed better to me to do it while you still have access to the lab.  The exam is whole other animal.  But you will see once you take it. :) 

I see what you are saying. I think what the other guys are saying is that you include your normal Lab work in with the pen test report at the end? So work on the format of the lab work report as you go so you don't have a heap of formatting to do right at the end.... is that correct???

jamier,

What they are trying to say is, it's a good idea to review the report template provided by Off-Sec before starting your attacks..so you can start writing your report as you go. Example: once you attack and gain root on your first host, you can put screen shots and all other useful information in the report at that time, so you do not have to at a later time. From the people who have taken the course, they mostly agree to create your report while you go through the lab instead of waiting to do it all at the end of your lab time.

Yah I am with you now I gussed that is what was being implied but just want to make sure.

Does the lab change that much the exam one ?

I don't believe the individuals who have taken the exam are able to answer that question. From what I have been told, if you can root the majority of the systems in the lab..you should do fine.

@Jamie.R - as a former Offsec student, you should understand that we can only give you so much info on that.  I'd agree with the post, above - if someone is doing well in the lab, and understands not only the specific exercises and steps to pwn those targets, but the fundamentals of what they're seeing and doing, they SHOULD do well on the exam.  If a person finds themself really struggling in the lab, then perhaps they should spend more time studying, before attempting the exam. 

That's all I'll really give you, on that one, except to say, 'try harder' <evil grin>  Put it this way, I'm currently studying for a second attempt on my OSCE exam.  I thought I was ready, the first time, and, looking back, I was 'ALMOST' there.  But I realized, after attempt #1, what I needed work on.  So it's not always an exact science, of knowing the labs to ace the exam.  Labs are preparatory, but not necessarily all-inclusive.  Offsec is preparing you for the real world of pentesting.  Hope you are enjoying the challenge!

@hayabusa would you mind telling some about the OSCE track? As I understand it this track is mostly about advanced exploit development techniques but that is all I can find.

http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/

What questions do you have?

Have you passed the OSCP?

There's also the Syllabus: http://www.offensive-security.com/documentation/cracking-the-perimiter-syllabus.pdf

Easier to explain something, or discuss, if there are some 'more specific' questions...  (sorry, but you need to give me something to work with)

I'll start with a couple of generalities:

CTP / OSCE teaches more about combining attack vectors in creative ways, to reach the end goal.

They do discuss 0-day bug hunting / exploit development, and also touch on some more web exploitation techniques, in ways one might not have thought to use them.

Read that file already yes. I was just curious what you thought of the course, does it complement OSCP well? Did you find OSCE more difficult?

Here a few other questions I came up with after thinking a bit more:

Web Application:
- how deep does it go? Since they are in the process of developing a stand alone track as well. Will I learn anything new if I master the techniques of the "Web Application Hacker Handbook"?

0Day / Advanced Exploitation:
- Windows only?
- Does it touch on 64-bit?
- If I am correct, OSCP goes just in the basics of buffer overflow exploitation. Does OSCE handle things like SafeSEH/DEP/ALSR bypass, heapspraying? A yes or no is enough, no details needed if sharing is forbidden by Offensive Security.

There is also a review on here for it:

http://www.ethicalhacker.net/content/view/342/24/

<nods head> ...and Ryan's review was a good one.

Thanks, I did throw OSCE in the search here but did not get this article. This answers most of my questions. Already played the reg challenge but first have to complete OSCP hehe.

Here is my review, from last May.

http://www.networkadminsecrets.com/2011/05/offensive-security-certified-expert.html

Nice write-up. I'm curious what percentage of people pass on the first attempt. It seems like nearly everyone I know semi-personally that has one has come up short the first time around (which really adds to the intimidation factor, especially considering how much outside prep you did beforehand).

It's got to be a low number. I have yet to talk to anyone who passed on their first try.

The fact that it has such a low pass rate makes it all the move valuable I think. It means that you can't just read a couple of brain dumps and pass the exam.

I'm reading extra 6 books right now and are taking it more slowly to grasp the information more deeply than presented before taking the OSCP test.

I'm also going to extend my lab time huge :-)

I'm figuring it's the only way. Script kidding isn't going to work in that test imho.

Offensive course always seem to get great reviews I guess that why so many people want to jump in and do them.

The course also seem really well know all over the land what makes it appearing on your CV pretty good for job applications.

This is course that I really plan on doing sooner rather than later just hope I pass as it seems like a right challenge.

At the risk of being branded for heresy, I have to say this...I don't understand the overwhelmingly positive reviews of the OSCP. IMHO, the OSCP training is far from perfect - there is plenty of room for improvement.

I've finished the core modules of the OSCP and am working through the labs at the moment. I would have to say that, instructionally speaking, the quality level could best be described as uneven. There are some excellent modules (BoFs to name one) but there are also some modules that fall short.

Elaborate further please. A negative critique can be just as valuable as positive ones.

I'm sure it depends on your frame of reference. If you're an experienced pen tester when you go through OSCP, you'll likely notice issues that others with less experience will not notice.

The manual is far and away my biggest complaint. There are errors in it which detract from the overall polish of the course. Not anywhere near as bad as CEH's but still. Some of the errors were small, like *this* code not matching *that* output. But there were some that were enough to throw me off for an hour or so. I could see how it would be difficult to regularly update the videos, but a PDF? Also, I don't expect them to have the latest BT R# syntax/path/etc in the manual, that'd be ridiculous, but couldn't there at least be some form of errata? My suggestion would be to create a web page where students could submit errata which the offsec folks could then confirm. OSCP students are the best people to review the material.

And while the videos are great, I'm disappointed that they serve to supplement the manual rather than complement it. If I'm trying to look something up, a printed manual is much easier than scanning through multiple video segments.

Instructionally, some modules were great, others, not so much. The BoF module was excellent. Muts stepped through each item in the process methodically. That was followed by an exercise where you could practice this on your XP Client. Conversely, the port forwarding module - critical to the back labs - amounted to "here's some cool things...try out whatever you can on whatever lab machine you think it might work on."

I've learned enough in this class to make my head explode but I can't understand why I see not even a slightly negative review. Maybe it's just me having a low tolerance for errors in manuals. I don't want to come across as completely knocking this class. I'm not. But like I said, there is room for improvement.

Thanks for sharing, I am considering the PWB course and its good to hear many views. Oh, and you are sooo branded. ;)

Hey hey hey !! You need to read my post more 9 days ago in my OSCP journey thread when I lost a complete DAY figuring stuff out, that made me really pissed :-)))

:-)

Thing is, I noticed that with OSCP you need to add at least 6 books that you should read before or wile doing this course.

I think we must not forget that OSCP is all about the labs, not so much about the pdf and the videos...

What are the 6 books you are reading?

@DragonGorge I can certainly understand your frustration. The reality is though, that in a pen test, lots of things don't work perfectly. An exploit you find might be broken, a PoC might display the wrong output, this stuff happens all the time.

Now, whether or not this was done on purpose by Offsec is up for debate. I think it makes you learn to be very resourceful. This is a key skill to develop because a lot of the time during a pen test you're going to have figure out of new stuff you've never seen before....just like in the OSCP labs. Compare it to boot camp, if they made it all very easy, you'd never be ready for the real deal.

I also think the reason you don't find many negative reviews is that most people review the course when they are done and have passed the exam challenge. Usually they're riding a big time high and they've already forgot about all the minutia that drove them crazy during the journey. Hang in there, I'm sure you'll be one of these people writing a glowing review :)

This has some really good feedback and some great points.

@cd1zz Putting errors in the mateial to make you think that would not surprise me if they done that. And cant agree with you more things dont alway work and you have to deal with that.

I would also like to know the 6 books you think people should read before hand??

It's in my thread about the OSCP

JMP http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9115.0/

:-)

Telling people "you need to figure this out on your own" is 100% cool.

Giving incorrect information causing some people to lose an entire day is far from cool. Even a very vague errata would be a nice place to check for future students.

They also run an IRC channel, and there's almost always someone that'll respond to legitimate questions / concerns. If you come across an error that you can't correct easily, just go ask a question. There's no need to waste an extended amount of time struggling with it. I don't think erroneous materials are intended to be part of the experience.

Update: I have taken a 3-5 day break from the course because I've been researching so much but not making any strides in the lab. It's a little disheartening but I know it's part of the course.

I have currently compromised 6 systems but I have used Metasploit for each one. Over the past week, I have been doing outside research on: buffer overflows, sql injections, what to look for once I'm in the computer, and learning the network topology. There is so much too learn, it's a little overwhelming but still a lot of fun..I'm learning so much everyday.

My goal for the next week is to root my 1st system without using metasploit, that will definitely be a good day  ;D.

After get a taste of the OSCP, I can't wait to finish this course and move onto the OSCE. A man can dream, can't he  :D.

I am sure if you TRY HARDER you will get there :P

is it possible to root all box in OSCP Lab without metasploit?  or there are some limitation of manually exploit?

"Many"? I have yet to find one! :)

But I totally agree with the idea that the overwhelmingly positive reviews are attributable to the exam "high". That is why I started a journal similar to sternone's. I want to remember these issues if/when I write a review because they need to be stated. Hopefully Offsec will take steps to improve the quality of their manual.

Anyway, thanks for the words of encouragement. Regardless if I pass or not, I have learned a ton through the course (and on my own).


Most are quality control issues:
You can control the Apache server by using either the apachectl2 start / stop
It's actually "apache2ctl"

And here's a code example:
print “Fuzzing ” + command + " with length:" +str(len(string))
And on the next page, its output:
Fuzzing MKD:1
Fuzzing MKD:20
Doesn't take a programming guru to see one doesn't match the other. Again, very benign examples which hardly caused a hiccup.

Metasploit IS the limitation

Yes. Metasploit does nothing you can't do on your own.

DragonGorge its good idea keeping diary i look forward to your write up

Well, I'll have to spend some serious time sanitizing it first. Right now it's about 50% profanity.  ;D

Good luck!  Looks like we started at the same time.  I haven't read through this entire thread, but how is day 25 treating you?

Cool well post it once you had sorted it out as I think it not only be good for future students but also people who run the course. When you run a course its good to get negative feedback as it helps make the course better.

Can you please save a profane version for me :)

Seriously though, all of your feedback has me very excited to take this course. There are a few things that I want to get out of the way first to make sure I'm prepared for the course but it's at the top of my 2013 list.