EH-Net
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Other / Re: Desktop recorder on: March 31, 2013, 10:58:55 PM
I've been using Microsoft Expression (Free version)
17  Resources / Career Central / Re: Need Help from the experts on: March 19, 2013, 10:32:03 PM
It's a pretty big field, what are you interested in? Just to name a few options....

Pentesting, forensics, incident response/handling, security operations, security audit, research.......

18  Resources / Career Central / Re: Am I too old for a career change into security? on: March 14, 2013, 10:24:26 PM
I changed careers from network admin to pentesting at 30. I managed to do so without taking a pay cut. It's possible, you just have to be strategic about it. Like ajohnson said, the next logical step in my eyes is for you to become a web app ninja. You'll have to convince a potential employer that you actually know what you're talking about. You might want to start blogging, or publishing useful code to the community.....whatever it is, just start showing that dream company that you're a ninja. Where are you located?
19  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 07:30:27 PM
That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

20  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 10:55:07 AM
Weak passwords have already been mentioned.... I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. Vmware, vnc, SMB, telnet, ssh.... everything.... In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I'm on offense.
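Seen from the defender's side, the pattern in the post above is one source failing only a few times per account while fanning out across many hosts and services. An added example (not part of the original post) that flags that fan-out in authentication events; the event tuples, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, source, host, service, account, success)
EVENTS = [
    ("2013-03-14T10:00:05", "10.0.5.23", "esx01", "vmware", "root", False),
    ("2013-03-14T10:00:09", "10.0.5.23", "ws114", "vnc", "(none)", False),
    ("2013-03-14T10:00:14", "10.0.5.23", "fs02", "smb", "administrator", False),
    ("2013-03-14T10:00:20", "10.0.5.23", "sw-core", "telnet", "admin", False),
    ("2013-03-14T10:00:26", "10.0.5.23", "web03", "ssh", "root", False),
    ("2013-03-14T10:04:41", "10.0.5.23", "esx01", "vmware", "root", False),
    ("2013-03-14T10:04:52", "10.0.5.23", "fs02", "smb", "administrator", True),
    # A user mistyping a password on one host: many failures, one target.
    ("2013-03-14T10:01:00", "10.0.9.4", "web03", "ssh", "jsmith", False),
    ("2013-03-14T10:01:07", "10.0.9.4", "web03", "ssh", "jsmith", False),
    ("2013-03-14T10:01:15", "10.0.9.4", "web03", "ssh", "jsmith", False),
    ("2013-03-14T10:01:30", "10.0.9.4", "web03", "ssh", "jsmith", True),
]

def find_spray_sources(events, window=timedelta(minutes=30),
                       min_targets=4, max_tries=3):
    """Flag sources whose failed logins are wide (many host/service
    targets) and shallow (few tries per account) inside one window."""
    by_src = defaultdict(list)
    for ts, src, host, svc, acct, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), host, svc, acct, ok))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            tries = defaultdict(int)
            for _, host, svc, acct, ok in rows[start:end + 1]:
                if not ok:
                    tries[(host, svc, acct)] += 1
            targets = {(h, s) for h, s, _ in tries}
            if len(targets) >= min_targets and max(tries.values()) <= max_tries:
                # Successful logins from this source against a sprayed target.
                hits = sorted({(h, s, a) for _, h, s, a, ok in rows[start:]
                               if ok and (h, s, a) in tries})
                findings[src] = {"targets": len(targets),
                                 "services": sorted({s for _, s in targets}),
                                 "hits": hits}
    return findings
```

A non-empty `hits` list is the case to escalate first: a sprayed credential worked, so the account needs a reset and the host a review.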
21  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 08:45:41 AM
What AJ said but in addition:

 - Sync'd local admin pws
 - Lots of LM hashing in use
 - Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

22  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Quick question regarding Ingress Filtering. on: March 10, 2013, 09:00:26 PM
Good to know I'm not totally crazy.
23  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Quick question regarding Ingress Filtering. on: March 10, 2013, 04:09:28 PM
I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!
24  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Quick question regarding Ingress Filtering. on: March 09, 2013, 02:46:57 PM
It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks for ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application....which is allowed by the ingress filtering.
25  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Certification Knowledge Overlap on: March 03, 2013, 10:06:28 PM
You'll see overlap because there is a methodology to pen testing. Techniques, however, are different between vendors. Depending on who you ask, you'll get different answers on which pen test certs are "worth it." One could argue that taking ALL of them would fill in the gaps the other vendors might have. Obviously, unless you have an unlimited training budget, that's not likely realistic, so you need to prioritize what you want.

As you've noticed, there are several "beginner" pen test certs and far fewer "advanced" ones. GXPN claims to be advanced, and it certainly is more advanced than some of them but in my opinion it's lacking in some areas, for example.

A point of clarification:
Quote
What percentage of knowledge overlap would there be between OSCP and OSCE? Would someone who has completed OSCP & OSCE get value out of obtaining GPEN?

OSCE and P are very different certs. OSCP is pentest focused, OSCE is exploit development focused (mostly).

I personally started with OSCP and then went back and looked at the GPEN material. I decided that I wanted to spend that 5K somewhere else.

However, at my company we like to push people into GPEN first, then push them to OSCP. They seem to work well together.

Keep in mind, a lot of this stuff is teaching you methodology and "how to think"; the rest is really just sharpening your own techniques and skills. Regardless of all the education you get, the best way to get really good at this is to get real world experience in real environments.
26  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP in current state ? on: March 01, 2013, 09:57:27 AM
Well, spread the word!
27  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP in current state ? on: March 01, 2013, 09:36:15 AM
You know pentesting firms that don't know what the OSCP is?
28  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP in current state ? on: March 01, 2013, 08:46:45 AM
Go for it, you'll struggle but it's well worth it and I think you know more than I did when I started. The OSCP is well respected in the community, however our friends in HR still don't appreciate it as much as we do. If you're looking to work at a pen testing firm, and they don't know what OSCP is, run away and apply somewhere else :)

29  Resources / Looking For Work / Re: Looking for security opportunity on: February 28, 2013, 10:37:33 PM
I think H1t M0nk3y is in Canada? I could be wrong though.

However, IMHO the best way to get to a good company is via cons and networking.
30  Features / Book Reviews / Re: [Article]-Book Review: Violent Python on: February 28, 2013, 10:26:01 PM
Nice review AJ!
© 2013 The Ethical Hacker Network