EH-Net
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Websites that offer money for bugs. on: September 17, 2012, 05:06:38 AM
I researched this a few years ago and it can be lucrative if you are well skilled at finding vulnerabilities.

Does VUPEN still buy exploits? Could not find it on their site. I have only seen vacancies.

I am mostly interested in the OS/application layer so incentives for website issues do not work for me. If anybody knows more companies like VUPEN and ZDI please post.
17  Ethical Hacking Discussions and Related Certifications / Security / Re: C|HFI or ECSA/LPT? on: September 16, 2012, 09:20:41 AM
If it's free and you have to choose then I'd stick with ECSA/LPT. Seems a bit more advanced than CHFI, that looks pretty basic... It might cover some of the pentesting that you can skip in the other mentioned certs and gives you some background.

Furthermore I agree with above poster, a lack of jobs. For example the country where I live right now does not have any computer crime laws. Forensics would be useless here but pentesting is something that could take off in the near future.

If you work for a CERT/CIRT I would recommend the CHFI though as it would give you at least basic knowledge of obtaining and handling evidence.

Well, whatever you choose please write a review on this site. I'd like to read it.
18  Ethical Hacking Discussions and Related Certifications / Security / Re: C|HFI or ECSA/LPT? on: September 16, 2012, 01:25:36 AM
Well they both cover a different field so it depends on what work you do or want to do. Besides that I would suggest choosing a different organization as EC-Council is not highly regarded.

Instead of CHFI you could do an Encase cert.
Good alternatives for LPT would be: eCPPT or OSCP
19  Ethical Hacking Discussions and Related Certifications / Malware / Re: Exploit Development For Mere Mortals - FREE online workshop on: September 14, 2012, 10:43:18 PM
Will watch the slides and video when available since this interests me a lot. I have a basic understanding of the various methods but no real hands on. One thing I always wonder is how to find vulnerable code. Never done much fuzzing and not enough coding experience to spot programming errors in source code.

I know of Corelan and will watch the security tube vids (although I can't stand the accent). Any other recommendations on the fuzzing / finding vulns side of things?
20  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Restarting my OSCP journey on: September 13, 2012, 09:07:30 PM
Here are some links that I bookmarked for Windows:

http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

http://pentestmonkey.net/tools/windows-privesc-check

http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

I did not try any of them yet as I currently focus on Linux. If you play the IO challenges on smashthestack.org then level4 is good to practise. It teaches you to abuse SETUID/SETGID programs.

Basically you search for any program running with SETUID and see if there is a vulnerability in it. Then you exploit it and you gain the elevated rights.
21  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: What tools are not allowed on the OSCP exam ? on: September 07, 2012, 11:19:43 PM
Do as me, I have not started OSCP yet but am reading various books and spending time with Smashthestack.org

- Script any enumeration and other tasks that take time. Also script tasks for gathering information on systems you compromised, do it both for a Windows and Linux environment. I modified various public scripts into a customized one that does generate the right amount of data for me.

- Test your shellcode and make a reliable archive!!! I once spent a few hours trying to escalate privs just to find out the shellcode I used was broken...

- Learn various ways to escalate privs manually on Windows and Linux. They are very different and getting some hands on will give an advantage I think.

- Find a suitable way to keep track of information uncovered and for preparing your report. I am looking at the various notekeeping tools as right now I just use Notepad and well it is hmmm messy.
22  Ethical Hacking Discussions and Related Certifications / OS / Re: Remote Code Execution on: September 06, 2012, 06:17:58 AM
This is one of the reasons why a risk analysis and defense in depth are so important. Focus your security efforts on the most important assets and understand that even then there will still be a way for a determined attacker to get what they want. Your best bet is to secure them so well that the time and money required for a successful attack is not worth what they are after.

However if you are a high profile target like a government agency or army, all bets are off....
23  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification plans for 2012? on: September 06, 2012, 05:49:49 AM
I have changed my plans a little bit due to career opportunities/requirements. Right now I am prepping for CISSP since it allows me easier access to some interviews. Aiming to get certified somewhere in Oct I think. Some domains have a lot of overlap with my previous studies.

After this I do either OSCP or pursue a Bachelor degree (which has Prince2/TMAP amongst other certs).
24  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: My OSCP journey... on: August 24, 2012, 01:22:52 AM
For OSCP I would adopt the following order:
6: Look for the parts you don't know or can save you time/automation/scripting or parsing
2: but only sections on payload creation, shellcode, meterpreter
4: read assembly output near fluent
5: focus on stack overflows both in Linux and Windows. Learn the specific tools on both OS'es

Save 3, 1 and 7 for after OSCP as I think it might go too deep and you will not be able to master this in depth in time for the exam.

I am actually doing something similar but before I sign up as to save my lab time. Good luck!

@ Cyberspirit: this is how I tend to study. I try to be able to do most attacks without using any tools. Purely by scripting, abusing the shell and making use of available cmd's/tools native to the OS or API's. If this gets me stuck I use an automated tool and see if it can complete the attack. If it does I tear apart their logic until I can do it by hand myself. This costs a tremendous amount of time but allows me to perform even when tools are blocked.
25  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Finally took the plunge, started 08/05/12 on: August 23, 2012, 10:25:54 AM
Thanks, I did throw OSCE in the search here but did not get this article. This answers most of my questions. Already played the reg challenge but first have to complete OSCP hehe.
26  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Finally took the plunge, started 08/05/12 on: August 23, 2012, 08:33:15 AM
Read that file already yes. I was just curious what you thought of the course, does it complement OSCP well? Did you find OSCE more difficult?

Here a few other questions I came up with after thinking a bit more:

Web Application:
- how deep does it go? Since they are in the process of developing a stand alone track as well. Will I learn anything new if I master the techniques of the "Web Application Hacker Handbook"?

0Day / Advanced Exploitation:
- Windows only?
- Does it touch on 64-bit?
- If I am correct, OSCP goes just in the basics of buffer overflow exploitation. Does OSCE handle things like SafeSEH/DEP/ASLR bypass, heap spraying? A yes or no is enough, no details needed if sharing is forbidden by Offensive Security.
27  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Finally took the plunge, started 08/05/12 on: August 23, 2012, 03:34:55 AM
@hayabusa would you mind telling some about the OSCE track? As I understand it this track is mostly about advanced exploit development techniques but that is all I can find.
28  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: My OSCP journey... on: August 23, 2012, 03:29:57 AM
Hehe I know the feeling you had since I recently started to play around with buffer overflows on the IO challenges of smashthestack.org

My biggest problem was understanding how to find the return address in gdb. By now it is going smoothly and I am a bit dumbstruck I did not understand this a few years ago. Also learned to abuse SETUID programs and using an egg + environment variable to exploit programs. Very nice!

Anyway I will book the OSCP as soon as I am back from my Bangkok trip. Decided to skip on OSWP and ECPPT. OSCP is just awesome.
29  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Beginners tips for testing web applicaiton on: August 20, 2012, 04:18:57 AM
Follow this tutorial together with the Web Application Hacker's Handbook and you have a pretty decent image of web-pentesting. Try everything out and if you get stuck, ask at that particular point, I am sure the community here will help you out.
30  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Finally took the plunge, started 08/05/12 on: August 19, 2012, 09:55:40 AM
Do I understand correctly that you have to create 2 reports? One for the student network that you exploit and one for the actual exam?

If so, does not owning all boxes on the student network have an impact on your final grade?

I wish you can clarify this for me.