Just wanted to bump this up.  I'm going to be speaking again this year and they have a good lineup.  If you have the opportunity, you should really try to make it.  There are a number of things which differentiate SecTor from other conferences.  First of all, you can expect the same quality of speakers you see at other large security conferences, but SecTor isn't huge.  If you want to talk one on one with HD Moore or other industry leaders, you will have the opportunity to do so.  In addition, because the size of the audience is smaller in each talk, you will have more of a chance to ask questions, interact, and maximize the information.  Another difference is that instead of lots of research, almost all of the talks involve immediately applicable techniques, tools, and concepts that are more relevant than some of the things you may see at DefCon or BlackHat.  This conference isn't about 0days, it's about taking concepts, techniques and tools and sharing information for you to take home and use.


The conference is a blast, the venue is great, and they have some great speakers lined up.  Hope to see some of you guys there, and if you are, stop by and say hey

I did v2.  I haven't seen the content for v3 so no idea on the comparison. 

I will look back at my leo files, but I don't think I used any sploits off the web.  I think everything I used was milw0rm or exploitdb.

I'm working on the OSCE writeup right now.  I hope to have it done within the next week or so.  It was a heck of a course.

I got all the boxes on the OSCP.  To get a perfect score, from my experience, you need to understand everything you did from the course well enough that you are only going back to reference commands and not techniques.  I did not get all of the "extra" boxes that you discover in the lab that aren't part of the normal IP range.  If anyone gets all those let me know the next conference we're at together cause you deserve a frosty beverage of your choice.  The OSCP makes you think a little beyond the class, so if you just follow the steps you'll find what you need to do, and then the extra thought comes from the actual execution.  The OSCE is the same way.  Figuring out what to do is fairly straight forward, figuring out how to do it is where you have to take what you've done in the labs to the next level.  

I am not a professional pen tester.  I do some of it as part of my job, but I spend probably about 5% of my time doing pen test related things.  My background is in unix sysadmin and security, and I have taken a pen testing class before but nothing as thorough as the OSCP.  I finished the OSCP in about 8 hours with all but one box popped by hour 5.  The last 3 hours were all spent on the one box i had left with half an hour of World of Warcraft stuck in between.  The 30 mins of WoW were what made all the difference as after I took a break I figured out what to do next pretty quickly.

So .. if I didn't say it before.. in both the OSCP and OSCE breaks made all the difference.  I actually took a few hour nap in OSCE and it made a huge difference.    

Ok, last tidbit of stuff that helped me.  When looking for exploits, whether remote code execution, privilege escalation, or whatever almost everything you need is going to be on the bt4 cd.  The search script through the archives is nice, but it made me spend way more time than I needed in most cases.  Frequently grep got me exactly what I needed cause some people have stuff in the code that is really helpful.  For instance, if you have shell on a RedHat 6.0 box and you are looking for privilege escalation for that, just try 'grep -ri "Redhat 6.0" platforms | grep local' .  From there you can figure out what each thing does.  If you've tried other stuff and it didn't work, that really helped me.

Good luck!  The fact that you have gotten this far and are still going means you will get it, it's just a matter of a little more practice.  If you have areas where you feel you are weak, let us know and we can maybe make some more recommendations.  

I still wanna talk with some folks to come up with some good test builds for vms to use for pen-testing practice.  If folks are interested in working on this with me, drop me an email or PM.  I typically do most of my demos with XP SP0, but am eager to add some other vms to my standard arsenal.

j0rDy, I can relate to your feelings on doing the "humane" thing.  Based off of my experience, if you have gotten all of the boxes in the lab, then you probably can get a passing score on the exam.


I figured out something interesting about offsec courses doing the "Cracking the Perimeter"/OSCE content over the past month.  While they certainly don't hand you answers, you typically have what you need. 

You are going to hit places where you are like "what the hell do I do with this".  It seems that in most cases, the answer is to approach it like anything else you will find.  Go through the basic steps: scanning, enumeration, etc etc.  You will find what you're looking for, then you just have to figure out what to do with it.  Google is your friend, I used it a bunch in both the exams I have taken.

This may sound odd, but one thing that I figured out a bit later than I would have liked is that following along with the lab manual is not the same as understanding what happened.  I would suggest that before you take the test, try to do all of the exercises in the book without referencing back walk-through in the class.  If you can do those without looking, you are probably well on your way to being where you need to be. 

I didn't realize that I relied a little bit too much on the book for something until it showed up on the exam.  After about 6 hrs of grinding through something that should of taken me 2 hrs, I finally really understood what was going on.  I just wish I had tried to do that exercise without the notes once to help me know how far off my actual knowledge of it was. 

The forums are great as well, if you haven't checked out the OSCP forums, you should do so.  There are some great gems there from people who have had the same questions.


As for "Try Harder", it really isn't about trying harder.  Stand up, take a break, walk around the block, do something else for 10 mins, whatever.  Come back, see if anything has changed.  You probably know enough to get you started on the way there, and just have to find the piece that you're missing.  I know on both OSCP and OSCE, taking the dog for a walk when I got frustrated made a huge difference.  At one point on the OSCE I actually hit a point where I was relatively confident I wasn't going to get the answer.  I took the dog for a half hour walk, watched tv for about 15 mins, came back again and had a plan for how to tackle it.   

You only have 24 hrs for the exam, but don't be afraid to take a break and do something else for a few mins. In most cases, you'll get way more done when you  come back.  If nothing else, work on a different problem for a few mins. 

Anyway, hope this helps some.

I agree with hayabusa, you should feel good with what you've learned and how far you've come.  The OSCP isn't an easy test, and the fact that you got part of the way there is def an achievement.  You should try to setup some of this stuff in your own lab, and do the bonus questions from the class.   I learned a valuable lesson while doing the bonus questions: It's not as easy when you can't follow along what to do.  I spent a lot of time on the extra boxes to own in the lab, which helps a lot for the exam.  These bonus boxes are especially nice as a few of them require you to figure out what to use for priv escalation etc, which is something you don't want to spend a lot of time on once you've already gotten a shell.  Congrats on how far you've come, don't give up   Although "Try Harder" is sort of a bitchy motto, it's pretty applicable to this type of stuff.  There's a whole ton of apps that you can re-create the exploit writing stuff on, and setting up redhat 9 boxes in virtualbox is cake.  This is a great community, and maybe the right place to start working on some sample configurations for ownable boxes so that people can practice this stuff in the privacy of their own PC.  Good luck on your next shot

camtasia is pretty expensive, but if you have the budget it's worth it.  All my vids I typically do on my mac with iShowU HD.  It's like 30$ and worth every penny.  For linux, the last set i did with recordmydesktop and it worked well.  I didn't do audio with it, so I can't speak to that, but I can point you to vids that I did with iShowU and recordmydesktop and you can decide for yourself:

recordmydesktop (did low res, can do higher):
http://www.vimeo.com/12651974

ishowuHD: (hd res for full screen)
http://www.vimeo.com/3036502

Oh.. another awesome way to do it that I learned about just last week.  If you have a single match for something and are lazy :

and it will auto expand to:

I thought that was neat

Technically both of those are legit.  Metasploit will only really do tab completion for fully qualified contexts but inside Metasploit it mostly addresses the modules outside of the context of aux/exploit/payload. 

So if you know what you are going after:

is functionally equivalent to:

Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)

so you could:
or
[quote[use windows/meterpreter/reverse_tcp[/quote]

set your LHOST

then :

in order to create your reverse_tcp windows exploit using any encoder that works works and encoding the payload 5 times.

I believe the core part of the problem is that puts append a new line and somewhere down the line it may be doing an append of "\n" somewhere along the line.  Metasploit seems to have encountered this in the past as about everything I've seen uses put for dealing with sockets.  Switching it from sock.puts to sock.put fixes the problem for me. 

I spoke there last year and had a lot of fun.  They had Chris Hoff for keynote which was great, and they had a number of presentations that were pretty good.   A lot of the folks you see at Blackhat/Defcon and other big conferences were there.  Just going from memory @Beaker did keynote, @jjx did stuff on next generation NAC, @RafalLos did stuff on problems still causing problems for web security, @NathanHamiel did stuff on python tools for web testing, @rsnake had a good presentation on what the bad guys are up to, there was a 2 part walkthrough that was great on w3af and the social stuff was pretty good.  This year they have HD Moore and others lined up with Metasploit goodness, and if you can't catch talks at BH/DC then I think some of them will be repeated at SecTor. 

This looks like a lot of fun,   The team I did Defcon CTF with is going to try this next.  If you think you might like to give it a go register now because...

REGISTRATION CLOSES TOMORROW

Here is another post about the stuff that re-ignited this debate:

http://vrt-sourcefire.blogspot.com/2010/06/defenders-of-faith.html

I use the public disclosed information a fair amount, especially with POC.  It's even more valuable if there are things in the wild as I've written a number of custom rules based on the disclosure that protect me in some cases better than what AV already does or in many many cases, what AV says it does.  Without some of this information, it's difficult to tell how protected you really are.

There are lots of positives and negatives to both sides of this debate, but for me, I hope that the bad guys are not the only ones looking for bugs.  The question really lies in, how does one disclose something "responsibly" when the vendor says it's not a problem.  If you knew about it, and then someone else comes out with a 0day, were you responsible or irresponsible for not letting people know ahead of time how to be protected ?

The columns section basically sorts by author what is already on the home page.  The plus side is if you really like something someone posts, you can see what else they have done in the past since we all concentrate on different things.

I agree and disagree.   Most of the larger cons are whatever you make of them.  There is plenty of excellent content and you have two choices: 1) Drink until you're stupid or 2) Attend talks, and then party some after hours.  If you look at the big "Cons" like BlackHat, Defcon, CanSec, SecTor, ShmooCon, Hope,  etc then most of them have pretty good content.  There is a whole set of additional conferences coming up which seems to have great content at a much lower price and that is the "B-Sides" movement.  They have done a number of them this year, most have been streamed over the net so you don't have to "be there" but the people who are there seem to be more of the people who are into learning and social networking instead of folks who are looking for a great party. 

All in all, I go to probably 3-5 a year some of which work pays for, some of which I pay for, but I try not to miss BH/Defcon/Bsides-Vegas and ShmooCon since they are both typically very educational and a lot of fun.

 

This is a pretty good rundown:

https://365.rsaconference.com/blogs/securityreading/2010/06/14/fair-use-plagiarism-and-the-world-s-no-1-hacker-book