It does have a Metasploit module.  Have you tried reading the source to figure out what's going on? 

Theres a whole set of info on bypassing NX protection in the comments, as well as information about the handle you have to bind to as well as the type of dceprc call that triggers the vulnerability.  I was currious what additional info was in the Metasploit module, and i just learned quite a bit about bypassing NX protection. 


If you are going to be re-creating this in python, the Metasploit dcerpc library is pretty easy to decypher, so you can probably pull what you need from there.  The RFCs are pretty helpful as well, but understanding how something works in theory and then looking at a protocol interaction in reality is often more helpful.

Hope this helps.

The thing that will help you most in OSCE is to verify you really understand each lesson as it is presented.  For instance, you will be walked through an exercise, then you will have to complete it on your own.  You should try this:

1) Do the exercise with the video
2) At end of chapter, re-create the exercise referencing the manual
3) Rinse and Repeat until you don't need to reference the manual at all

This takes more time, but the worst time to figure out that you didn't really get what was going on is during the exam.   Also, don't be afraid to reference other material.  When I didn't get the explanation of something, I hit up google and on occasion found some complimentary stuff which helped. 

Hehe.. NOP is a funny little cert.  Immunity is still offering it it seems based on their site, but I think it started out as a marketing tool.  The deal was, get a random vulnerable binary, and see if you can write a working sploit in 45 mins using immunity debugger and their drag and drop sploit creation tool.  You end up having to understand how concepts like pattern offsets work to find offsets, and basically their tools help you a lot.  Their drag and drop sploit creation tool is pretty neat, but of course, it's all out of my personal price range. 

In all, unless you wanna do it for fun, NOP isn't going to teach you anything.  Going the OSCE path will teach you stuff unless you're already at a level where you think ASLR is a "cute defense" and laugh as you code around it or you don't deal with conventional exploitation any more because ROP is the future. 


I Reaaaaaalllly wanna take Advanced Windows Exploitation.  I wish it were offered more places than Black Hat.  I have heard some interesting things about SANS 660 and their 700 level exploit writing classes.  They are way more expensive though, so will have to figure out how to do that.

MaXe is spot on.  You don't have to be able to write assembly, but you generally need to get binary math (bit shifting, OR, AND, XOR etc) and you should have a base understanding of registers from PWB.  From there, if you have a good assembly reference you can look stuff up,  but the more you've dealt with looking at assembly the faster you will pick stuff up.

I did pass the OSCE.  I didn't pass it anywhere near as quickly as I did the OSCP.  OSCP took me between 6-8 hrs, OSCE took me 40 hrs total with a 4 hr nap, a 6 hr nap, and a few time taking the dog for 20 min walks cause I was frustrated  

In retrospect, I followed along with the course manual too closely when I was doing labs on my own.  Some of the things where I thought I understood them, I was wrong and then I figured it out on the test.  One challenge, had I done a better job of doing labs in the course, i would have taken something that took me about 10 hrs down to probably about 4 hrs.  Although, at this point, I REALLY understand it, but in retrospect I wish I had done a better job of going through some of the labs.

Check out http://sourceforge.net/projects/laudanum/ .  They have some things that will do what you want.  There are also some cleansed versions of what the evil folks out there are using.  They have some advanced functionality such as ability to escalate privileges, deal with databases, etc. 

Then, there's a fun one.  If you can turn it into a remote file injection, metasploit has a payload (exploit/unix/webapp/php_include) that will allow you to inject a php meterpreter.  It may be injectable on it's own, but you can then route traffic through that php file and do further enumeration, scanning, and ssh brute-force in order to get what you want.  And of course, you will have a shell, so you can do most of what you're looking for.

Hope this helps

For the CCNA, you can use y200emu emulator.  Unless they have changed it substantially since i took it, most of the links required are serial, and most of the things you will have to do should work within the emulator, and most of all, no hardware required. 

http://7200emu.hacki.at/index.php

They even have sample virtual lab setups for CCNA.

NSE's are written in LUA.  The biggest challenge when I was working on NSE devel is that LUA is missing some things I really wanted.  Read a basic LUA tutorial, and then on the Nmap site in the docs there's a section dedicated to working with NSEs.  Once you understand the basics, you can look at the stock stuff to figure out more.  The big thing is that libraries are changing pretty quickly and growing.  Make sure when you are doing devel, you are using the latest nmap release, otherwise you are going to be missing a ton of libraries and other examples.

hope this helps

So, their response isn't business related it's emotional.  So, in my opinion, you need to make an emotional case as well as a business case.  

For instance, knowing that during an outage, it cost you X, but it may have also meant that a manager had to explain him/herself to someone.  Nobody wants to be at the helm when the ship hits the iceburg, so you may be able to play that card at the same time.  

Figure out how your company makes money, create some scenarios, demonstrate the pre-cursors for those scenarios to take place, and then talk about what could be lost and how much can be gained from some initially simple steps.

If they got every single box, figure out how to make that harder, my guess is you can probably improve things with some things starting simple and then leverage those changes into having a "security specalist" and then work the specialist into a team over time.  

Good luck! OSCE was extremely challenging.  Knowing what you do now, I'm sure it will help a lot on the next attempt.  Let us know how you do! 

H1t M0nk3y, that wasn't my understanding, so thanks for sharing your experience. 

There is another aspect to remember here in addition to the time management.  Your bonus points from the class (I assume you did them, if you didn't get started now) apply to your final score.  So, you don't have to get everything, you just have to get enough points to add up with your bonus points to pass.  I would say don't shoot for 100%, instead, evaluate what you are working with before you start concentrating on anything.

The points are important, but before you set out to own anything, get your recon done.  Figure out what you are dealing with. Don't spend more than the allotted time on any one box.  Document everything you do, and then if you have extra time once you've gotten other objectives go back and finish.  By getting as much info as you can about all the boxes, you have the opportunity for them to determine what amount of credit you get for each objective.  If you haven't done anything, there is no room to give you the benefit of the doubt.

exploit-db and search for Lan Party:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=lan+party

That will get you a pretty easy to configure app with mysql that it works great with.  That's what I've done demos on, it was very easy.  If you have an up to date securely configured PHP, you will have to undo things to make remote file inclusion possible.  That will be your only challenge.

Just wanted to bump this up.  I'm going to be speaking again this year and they have a good lineup.  If you have the opportunity, you should really try to make it.  There are a number of things which differentiate SecTor from other conferences.  First of all, you can expect the same quality of speakers you see at other large security conferences, but SecTor isn't huge.  If you want to talk one on one with HD Moore or other industry leaders, you will have the opportunity to do so.  In addition, because the size of the audience is smaller in each talk, you will have more of a chance to ask questions, interact, and maximize the information.  Another difference is that instead of lots of research, almost all of the talks involve immediately applicable techniques, tools, and concepts that are more relevant than some of the things you may see at DefCon or BlackHat.  This conference isn't about 0days, it's about taking concepts, techniques and tools and sharing information for you to take home and use.


The conference is a blast, the venue is great, and they have some great speakers lined up.  Hope to see some of you guys there, and if you are, stop by and say hey

I did v2.  I haven't seen the content for v3 so no idea on the comparison. 

I will look back at my leo files, but I don't think I used any sploits off the web.  I think everything I used was milw0rm or exploitdb.

I'm working on the OSCE writeup right now.  I hope to have it done within the next week or so.  It was a heck of a course.

I got all the boxes on the OSCP.  To get a perfect score, from my experience, you need to understand everything you did from the course well enough that you are only going back to reference commands and not techniques.  I did not get all of the "extra" boxes that you discover in the lab that aren't part of the normal IP range.  If anyone gets all those let me know the next conference we're at together cause you deserve a frosty beverage of your choice.  The OSCP makes you think a little beyond the class, so if you just follow the steps you'll find what you need to do, and then the extra thought comes from the actual execution.  The OSCE is the same way.  Figuring out what to do is fairly straight forward, figuring out how to do it is where you have to take what you've done in the labs to the next level.  

I am not a professional pen tester.  I do some of it as part of my job, but I spend probably about 5% of my time doing pen test related things.  My background is in unix sysadmin and security, and I have taken a pen testing class before but nothing as thorough as the OSCP.  I finished the OSCP in about 8 hours with all but one box popped by hour 5.  The last 3 hours were all spent on the one box i had left with half an hour of World of Warcraft stuck in between.  The 30 mins of WoW were what made all the difference as after I took a break I figured out what to do next pretty quickly.

So .. if I didn't say it before.. in both the OSCP and OSCE breaks made all the difference.  I actually took a few hour nap in OSCE and it made a huge difference.    

Ok, last tidbit of stuff that helped me.  When looking for exploits, whether remote code execution, privilege escalation, or whatever almost everything you need is going to be on the bt4 cd.  The search script through the archives is nice, but it made me spend way more time than I needed in most cases.  Frequently grep got me exactly what I needed cause some people have stuff in the code that is really helpful.  For instance, if you have shell on a RedHat 6.0 box and you are looking for privilege escalation for that, just try 'grep -ri "Redhat 6.0" platforms | grep local' .  From there you can figure out what each thing does.  If you've tried other stuff and it didn't work, that really helped me.

Good luck!  The fact that you have gotten this far and are still going means you will get it, it's just a matter of a little more practice.  If you have areas where you feel you are weak, let us know and we can maybe make some more recommendations.  

I still wanna talk with some folks to come up with some good test builds for vms to use for pen-testing practice.  If folks are interested in working on this with me, drop me an email or PM.  I typically do most of my demos with XP SP0, but am eager to add some other vms to my standard arsenal.

j0rDy, I can relate to your feelings on doing the "humane" thing.  Based off of my experience, if you have gotten all of the boxes in the lab, then you probably can get a passing score on the exam.


I figured out something interesting about offsec courses doing the "Cracking the Perimeter"/OSCE content over the past month.  While they certainly don't hand you answers, you typically have what you need. 

You are going to hit places where you are like "what the hell do I do with this".  It seems that in most cases, the answer is to approach it like anything else you will find.  Go through the basic steps: scanning, enumeration, etc etc.  You will find what you're looking for, then you just have to figure out what to do with it.  Google is your friend, I used it a bunch in both the exams I have taken.

This may sound odd, but one thing that I figured out a bit later than I would have liked is that following along with the lab manual is not the same as understanding what happened.  I would suggest that before you take the test, try to do all of the exercises in the book without referencing back walk-through in the class.  If you can do those without looking, you are probably well on your way to being where you need to be. 

I didn't realize that I relied a little bit too much on the book for something until it showed up on the exam.  After about 6 hrs of grinding through something that should of taken me 2 hrs, I finally really understood what was going on.  I just wish I had tried to do that exercise without the notes once to help me know how far off my actual knowledge of it was. 

The forums are great as well, if you haven't checked out the OSCP forums, you should do so.  There are some great gems there from people who have had the same questions.


As for "Try Harder", it really isn't about trying harder.  Stand up, take a break, walk around the block, do something else for 10 mins, whatever.  Come back, see if anything has changed.  You probably know enough to get you started on the way there, and just have to find the piece that you're missing.  I know on both OSCP and OSCE, taking the dog for a walk when I got frustrated made a huge difference.  At one point on the OSCE I actually hit a point where I was relatively confident I wasn't going to get the answer.  I took the dog for a half hour walk, watched tv for about 15 mins, came back again and had a plan for how to tackle it.   

You only have 24 hrs for the exam, but don't be afraid to take a break and do something else for a few mins. In most cases, you'll get way more done when you  come back.  If nothing else, work on a different problem for a few mins. 

Anyway, hope this helps some.