EH-Net
  Show Posts
Pages: 1 ... 29 30 [31] 32 33 ... 38
451  Resources / News from the Outside World / Re: Cops Arrest Three Anonymous Members In Spain on: June 10, 2011, 08:21:31 PM
Now if we could only find out who's in lulz and if they're related to anon at all...
452  Features / Opinions / Re: Loaded Question on: June 05, 2011, 10:06:47 AM
Loaded question for sure!
Quote
In your experience how receptive have your organizations/targets been to conducting pentests?

Outside of compliance drivers, it obviously depends on the organization. Progressive or information technology centric companies I think see more value and thus are receptive. I am currently working with a client that is as such but their main drivers are their client requirements since they are a private company. I have seen lots of other companies that see absolutely no value because IS Managers say their networks are secure.

Ironically, with all the high profile attacks lately (Lulzsec) as soon as the mainstream media catches on - it will impact how organizations look at pentests. The mainstream media will get these stories, screw them up, and scare people beyond belief. This is always a good thing for Information Security people. All of a sudden if this stuff hits the Wall Street Journal, executives begin to panic...regardless, if you've been telling them for years to get a pentest... Reactive IT, isn't that what we're all used to?

Quote
Have you seen value to the pentest?

Assuming the pen test company doesn't just deliver Nessus scan results and actually does a pen test, there is definitely value.

Unfortunately, the gap between modern technology controls and what the bad guys can do is huge. The thing in the middle of that gap are people. I think most of us would agree that the easiest way to get into a network is via social engineering. What usually will come out of a pentest is, "Hey, you need a security awareness program for your employees."

My 2 cents and why I think Info Sec is going to just keep exploding.



453  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Oscp exam limitation on: June 02, 2011, 08:10:39 AM
You're provided with a VPN - all attacks are remote. They recommend using the BackTrack distro.
454  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Oscp exam limitation on: June 01, 2011, 06:33:38 PM
I remember asking this question when I was starting out. I remember getting obsessed with the test as I was two weeks in.... beginning to panic...I suspect you are just starting out in OSCP? Believe me when I tell you this, do not worry about the exam right now.

This stuff will all become clear as you begin to root the boxes in the labs. You will quickly learn that there are plenty of ways to pwn boxes without using metasploit or nessus. What you will (hopefully) get good at is figuring out what services are running and what versions of software are actually listening on those ports. From there you can find exploits to use.

Like hayabusa said, it is all doable without these tools, in fact it's a bit more elegant to do so and way less noisy.

Make sense?
455  Ethical Hacking Discussions and Related Certifications / Malware / Re: The Mac Party is Over on: June 01, 2011, 04:42:52 PM
AHAHHAHA
http://www.theregister.co.uk/2011/06/01/mac_osx_scareware_evasion/

This will be fun to watch Apple scramble to build a security group to handle this stuff.
456  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Preparing for the OSCP exam (again) on: May 31, 2011, 10:03:19 PM
Sil is right on. Pillage each box for as much info as possible. In a real life situation you'll likely run into password re-use or other juicy data that you get from all these places that you will use over and over.

Another point of Sil's I would emphasize is to organize your own set of local priv escalation exploits. There are so many different sploits, each depending on different apps on the box or different kernel versions... and finding them in a pinch while "the heat is on" might be a challenging task. If you use one in the lab, make sure you label it on your own box so you can get to the pwnage factor much faster.
457  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Preparing for the OSCP exam (again) on: May 30, 2011, 03:32:19 PM
Zeroflaw,

Like H1t said, get into the labs because that is the best way to prepare. If you can get all the way into the Admin network in the PWB lab, you are ready for the exam. I actually only made it to the Dev and IT networks but got about 30ish boxes and passed. I really don't think there is a better way to prepare because there are no other labs like the one they built. Even if you build your own, you're kind of cheating yourself because you know what you installed, know what versions of software etc. etc. The only other advice I have is to be able to commit to it, work on it every day so that it stays fresh in your mind. Don't overthink it, just pwn it.
458  Resources / Tutorials / Re: Help with basic command prompt on: May 27, 2011, 09:01:57 PM
A port that is open means there is some software or hardware device that is listening for connections. The way to "get in" is to exploit that software or hardware that is listening. Usually crappy code causes these problems with this software/hardware.

A very basic example:

You do a port scan and see that port 21 is open, which is commonly used for FTP. You then enumerate the service to try and figure out which software is running that FTP server....you determine that it is SuperCrappyFTP version 1.0. Then, you dig around on exploit databases and find out that there is a known buffer overflow exploit for that version. The rest you can figure out on your own. But that is how a hacker would gain access through an FTP port.
459  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Apple Airport Basestation Extreme Port Scan Always Shows 7070 554 21 on: May 26, 2011, 09:01:46 PM
BTW - I still haven't found a solution for this problem and have read in multiple places that it is an issue for others.

My workaround has been to put the AEBS in bridge mode and use another device for my FW/NAT. It's an extra hop in my network but at least I get accurate results until they fix it!
460  Ethical Hacking Discussions and Related Certifications / Programming / Re: What language should I learn first? on: May 26, 2011, 07:03:56 PM
Jamie - Just got that book (C++ Primer Plus). I like it so far!
461  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCE Review on: May 24, 2011, 02:59:29 PM
I bought that book and found it to be useful at times during the course. I think it's good to have in the arsenal regardless... I find myself referring to it more and more after I finished OSCE.
462  Features / Book Reviews / Re: Recomended book for Pen Tester on: May 16, 2011, 08:56:13 PM
One more a little less technical but a very very good book is Counter Hack Reloaded. I remember reading that in the beginning and it "opened my eyes."
463  Features / Book Reviews / Re: Recomended book for Pen Tester on: May 16, 2011, 08:30:46 PM
+1 for grey hat - good book.
464  Features / Book Reviews / Re: Recomended book for Pen Tester on: May 16, 2011, 05:44:44 PM
There is no single book to do that. You need about 30 books and tons of exp.

If you want to look at SQL injection hit the book I recommended. There are also numerous SQL injection tutorials/walkthroughs on the intertubes.

465  Features / Book Reviews / Re: Recomended book for Pen Tester on: May 16, 2011, 04:39:37 PM
From the web side, the Web Application Hacker's Handbook is very specific and technical. If you're interested in exploit development, take a look at the Shellcoder's Handbook....very technical.