EH-Net (The Ethical Hacker Network) forums
Author Topic: Why I failed OSCP...  (Read 16713 times)
H1t M0nk3y
« on: November 12, 2010, 08:28:40 AM »

Ok, here is my story. I will be completely honest here so others can benefit from my experience.

Background
I finished my Bachelor's Degree in Computer Science in 1999. Since then, I have spent most of my time as a web application developer, eventually becoming a Java application architect. I have also been a database administrator on Oracle, SQL Server and MySQL. Finally, I have been a business analyst (I hate this job), a team lead, a project manager and even an assistant director (4-month replacement)!

After school, I never stopped studying. I started a Master's in Computer Science (Distributed Algorithms) that I didn't finish (2 babies arrived in the middle of it...). I hold 3 certifications: Project Management Professional (PMP), GSEC and CEH.

I started my own company more than 3 years ago. I now do consulting as a Java system architect.

All that to say that I am not 17 years old (I am 34!) and I am very serious when I start something.


IT Security path
After 10 years as a web apps developer, I needed another challenge. I was hesitating between 3 things: 1) IT Sec, 2) developing my own application and 3) becoming a full-time woodworker and building kitchen cabinets! (I am currently building mine...). I gave myself a full year to investigate these three options. But after 6 months, it became clear to me that: 1) I L-O-V-E IT Sec!!, 2) after 3 prototypes of applications (2 Xbox 360 games and a web app scanner) --> postponed to the future, 3) woodworking will be my hobby. So go for IT Sec!

Although I was always interested in IT Security, I really started to study this topic in February 2009. And up to August 2009, I was more "poking" around to find out if I really wanted to do that. Defcon 17 (July/August 2009) was a revelation to me! So since then, I have spent an enormous amount of time studying. And by that, I mean an average of 2 hours a day for a full year! To me, this isn't work, it is a game! I love it!

I studied for CEH and GSEC more or less at the same time. I wrote both exams with only 8 days between the two (January 2010). After that, I started Penetration Testing With BackTrack (PWB) in March of this year.


Penetration Testing With BackTrack (PWB)

What a great course! Nothing compares to this. Really, this is the best way for me to learn. Period. This forum is full of reviews about this course and my post is becoming quite long, so I will keep it short. I would give a 95% mark to this great and excellent course.


Preparation for the OSCP exam
I have been through the PWBv3 videos 3 times.

The first time, I just sat down, relaxed and enjoyed all the information coming at me. My goal was to get an overview of all the material.

Then, I did all the "normal" exercises. I went into the lab and hacked my way into something like 8 machines. Things were becoming tougher, so I decided to go through the videos again.

The third time I watched the videos, I did all the "Extra Mile" exercises, read the 400-page PDF (many things aren't in the videos!) and hacked a total of 18 machines, including pivoting into other subnets. I also took a total of 120 days of lab time!!!

At this point, I had learned a gigantic amount of stuff. I became good at writing Python scripts and I developed my own pen testing methodology. At the end, I was randomly choosing a machine in the lab and I could hack it in about 2 hours (my last 6 targets took me about 2 hours each). So I figured it was time for me to challenge the OSCP exam.


OSCP: First attempt

I cannot say anything regarding the exam, but my own vision of it is that it is much tougher than the machines in the lab. In the lab, the Offensive Security team says that there are always at least 2 different ways of pwning a box. Maybe it is not the case for the exam? I can't tell. Also, I never spent more than 5 or 6 hours straight in the lab. In the exam, after 20 hours, you start to make stupid mistakes... But anyway, I got a mark of 60% (you need 70% to pass!).



OSCP: Second attempt
I then realized that I needed more tools in my toolbox. So right after this exam, I focused big time on what I had missed. By far the biggest thing was privilege escalation. So I spent a lot of time on this. Then, a little bit more than 2 weeks after the first attempt, I tried it again.

After 45 minutes into this second exam, I already had 60 points (I'll let you make the connection with the first attempt...). So first, I was a bit disappointed to get a "similar" exam. Then I thought that I would go for 100%. But after 24 intense hours of hard work, I failed it again... Mark: 60%.

My first failure was tough to take, but this one was very difficult. Other than OSCP, I have failed 2 exams in my entire life (1 at the university, and CEH because I studied the wrong material...)! I spent 16 hours trying to convert a shell into root/admin and couldn't do it! At this point, I was ready to give up on OSCP...


OSCP: Third attempt

Two and a half months after the second attempt, I gave it a third try. After three times, even if you get a 100% mark, you would still have a bitter taste in your mouth. So between the second and the third attempt, I read my scans 20 times, installed new VMs in my lab and added more tools to my toolbox. Believe me, you can ask me any question related to the course material and I would know the answer. In addition, I have practiced them all many times.

So I got my exam yesterday morning and it was tougher! Only one of my previous tricks worked and after 9 hours, I only had 10 points. So I stopped and called it a day.


My personal opinion

•   PWBv3 is an excellent course, close to being perfect. But the certification exam requires you to know (and master!) way more than what is in the course. I would say the course, including the lab and the exercises, covers about 60% of the exam. Again, this is my personal subjective opinion!
•   I don't think the exam is a faithful representation of a real pen test for many reasons: 1) You can't use a vulnerability scanner; 2) You can only use Metasploit once and can't use Core Impact, etc.; 3) You cannot do reconnaissance; 4) Many old and vulnerable services are installed but hardened in the backend. This creates many dead ends; 5) No firewalls/IDS/IPS block you (good for students but not real-life...); 6) You have to do everything in 24 hours.
•   Also, if I were doing a real pen test, I am pretty sure I would have done a very good job! I mean when you have a shell or you are able to dump the backend database, crash an application or even just show exploits for vulnerable services, you have already done a lot! In real life, you don't get half the points for "only" having a shell...
•   The course lacks two things: 1) Privilege escalation techniques and 2) Penetration testing methodology. Otherwise, great course!
•   The lab machines are easier to hack than the ones in the exam. Again, my humble opinion.
•   This great certification should maybe be separated from the course, so anyone could go straight to the exam if they are already an expert. This way, if the course doesn't teach you everything you need to know, then it is OK.
•   People with a server admin background are definitely starting way ahead of networking people and developers...


Bottom line
Although failing exams is never a good feeling, I am not frustrated at all. I have learned so much. I don't have the certification, but I got knowledge now, which will help me continue in this field. After all, my ultimate goal is not doing a pen test of networks, but to pen test web applications. So I will probably continue on my learning path and move on from OSCP. I may give it a try in a few years, but for now, I need to move on.

Thanks for reading this rather long post!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
chrisj
« Reply #1 on: November 12, 2010, 09:45:03 AM »

H1t M0nk3y,

I'm sorry to hear that you failed 3 times.

What kind of training materials did you go through before taking the class (Beyond CEH and GSEC)?

I'm thinking of working my way through Grendel's book (Professional Penetration Testing), at least once, before I even try to take the OSCP class. I'll probably do the 120 days of lab time too.

Any tips for staying motivated through the course?

OSWP, Sec+
H1t M0nk3y
« Reply #2 on: November 12, 2010, 10:06:33 AM »

I also have Grendel's book, which is great, especially for setting up labs and using vulnerable VMs.

What I did was to go straight to the PWB course. After one full pass, I started buying books on things I was missing. I think I bought like 12 books! But I am a bit crazy, you don't have to do that. In addition, it depends on your background.

I would say start with PWB and take breaks once in a while to go get what you are missing.

And the course keeps you motivated big time because you learn at a crazy pace! Getting ready for the exam is another story because it's hard to know what you are up against before actually sitting the exam...

MaXe
« Reply #3 on: November 12, 2010, 10:28:19 AM »

Sorry to hear that H1t M0nk3y, but did you read these?
The Penetration Tester's Open Source Toolkit vol. 2
and NIST SP800-42 (it's outdated I know, but read it anyway. It will give you some good ideas you can use when you perform pentests.)

Also, about privilege escalation:
- On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)
 
- On Linux, did you search on Exploit-DB for privilege escalation exploits and check what was running on the target machine as root with "ps faux"?

It's just a few ideas, to help you the next time you attempt OSCP, because I actually believed you would pass ;)

For now I would say that you could (or should) play with similar challenges and prepare for your last and final retake (where you will certainly pass).


Nothing is impossible, it just takes time! :)

Anyway, good luck with whatever you choose to do now. I'm sure you will pass OSCP the next time if you study hard for a long time and prepare yourself even more, remember, expect the unexpected. Especially during OffSec exam challenges ;-)



Best regards,
MaXe

I'm an InterN0T'er
T_Bone
« Reply #4 on: November 12, 2010, 11:01:19 AM »

@H1t M0nk3y

I am sorry to hear this.

I have heard mixed views on the OSCP exam and the general opinion is that it is not easy at all.

I am currently preparing myself for the CREST Registered Tester exam, due next month, and want to go on to take the CREST Certified Tester exam next year (provided I pass the CRT :) )

I would love to know how the OSCP compares with the CREST CCT exams, but am aware that CREST is yet to establish itself worldwide and is still very much the main cert to have in the UK.
sil
« Reply #5 on: November 12, 2010, 11:38:36 AM »

So you failed the exam... So what. I failed the CISM 2x for lack of 1) wanting to take the exam, 2) lack of studying, 3) lack of being able to swap reality versus "managerial fluff". I will however state, I expect to take the CISM exam, just not now ;) Maybe June '11. I have to finish this paper to complete the RWSP, then I have the GREM, CREA in the 1st quarter of '11.

So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester; in fact, the vast majority of my friends and peers I've had the pleasure to meet throughout the years don't have the certs, but they sure have "the stuff" and that's what it all boils down to.

When I took the RWSP (btw forum members, the review has been done, waiting for it to be posted here... PM Don!)... When I took the RWSP, there was a gentleman with us who worked at one of the biggest financial firms in the US. He opted NOT to take the exam. He really didn't need to take it, he solely wanted to learn from it. Understandable... You don't always need a cert.

You definitely don't need to pass an exam to benefit from the content in this industry, the certs are mainly used for two things (note the word mainly, not solely): 1) self-gratification 2) passing through the HR filters. It's WHO you know, followed by WHAT you know... I've met plenty of people who were/are cert'd down and don't understand an IOTA of what they're certified in.

I for one applaud you H1t for taking the time and actually going through the process and sharing it with others. Let this be quite a few lessons: a) technical tests are far superior to paper-based testing... there is nothing to memorize, either you know it or you don't. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yeah... Planning.

H1t: I believe I responded prior, to perhaps a post you made, instructing on the need and method for properly developing a plan of attack. I don't mean this as harsh but more of a nudge for future endeavors: "You need to make a plan. Period." Same as you would for say the SDLC (you're a programmer!). A plan would have had you OFF of that one machine that you spent hours on or at least had other processes running in the background.

NOTE TO TEST TAKERS: If you're ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.

E.g., CCIE labs, nothing other than time stops you from scripting your routers to do things like pinging, showing routes, etc., same goes for this exam. There is nothing in the "terms of service on the exam" that says: "Thou shall not create a shell script to perform the vast majority of time consuming tasks!" (e.g., scanning, hydra, searching/parsing local/remote exploits)

hayabusa
« Reply #6 on: November 12, 2010, 11:43:10 AM »

@H1tM0nk3y -

Sorry to hear you had a rough go, again.  I completely understand your views, and while you've learned a ton, I'm certain, I fully empathize on the feelings of despair, when you've beaten yourself up hard, in working towards a goal.

As MaXe said, I was confident you'd be able to pass, and I still am.  Whether you take it anytime in the near future, or give yourself a break (sometimes, walking away for a while can be of great benefit) before coming back to it, I think, in the end, you'll succeed.

And as sil noted, you've done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)

Good luck, whichever route you pursue, and stay active here.  You'll continue to learn a TON by listening to / reading from others.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
hayabusa
« Reply #7 on: November 12, 2010, 11:47:49 AM »

Quote
NOTE TO TEST TAKERS: If you're ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.

Oh yes, and AMEN!  This is one of the most valid and useful points for anyone taking this, or any other similarly formatted course and exam.  Absolutely give yourself multiple avenues to pursue, and don't limit yourself solely to one target, for any length of time, or it's ALMOST certain you won't complete the exam (unless you're already well-versed, and well ahead of the curve, already.)

As the quote reads, in my 'current' signature:

"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu, 'The Art of War'
« Last Edit: November 12, 2010, 11:51:24 AM by hayabusa »

H1t M0nk3y
« Reply #8 on: November 12, 2010, 01:01:46 PM »

Thanks everyone!! I really appreciate your comments!

@MaXe
Quote
Also, about privilege escalation:
- On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)
 
- On Linux, did you search on Exploit-DB for privilege escalation exploits and checked what was running on the target machine as root with "ps faux"?
Oh yes, I tried these things, along with "getsystem" and trying to migrate to other processes and channels from the Meterpreter. I also spent lots of time on running processes, and it worked once. But only once...

@sil
Quote
So you failed the exam... So what. I failed the CISM 2x for lack of 1) wanting to take the exam 2) lack of studying 3) lack of being able to swap reality versus "managerial fluff" I will however state, I expect to take the CISM exam just not now Maybe June '11.
Congratulations for being honest too!

Quote
So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester in fact, the vast majority of my friends and peers I've had the pleasure to meet throughout the years, don't have the certs but they sure have "the stuff" and that's what it all boils down to.
I did learn a lot from these attempts, especially the first one. The only thing I didn't get from this whole experience is a piece of paper... I now feel I know enough to learn a lot by myself through books and hacking in my lab. I am now comfortable talking to anyone about security: even if they know way more than me on a given subject, I can still understand what they are talking about!

And you know what? Yesterday I stopped for a minute and realized what I had just done. Without saying anything about the exam, I realized I had done many complex commands without even looking at my notes. I was going crazy fast to open an application or review this and launch that. In a few words, I was comfortable doing my job. That felt great!!

Quote
Let this be quite a few lessons: a) technical tests are far more superior than paper based testing... there is nothing to memorize, either you know it or you don't. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yea... Planning.
I totally agree! I just need to work a bit more on c)... :)


@Hayabusa
Quote
And as sil noted, you've done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)
Thanks hayabusa. You can only improve when you are honest with yourself.

I will try it again next year or something like that. But don't worry, I will continue full speed in IT security. Books, personal lab and keeping up to date with these sites!

Thanks chrisj, MaXe, sil, T_Bone and Hayabusa for the very encouraging posts!

chrisj
« Reply #9 on: November 12, 2010, 01:55:13 PM »

I just scanned through your original post, but I don't think you've said yet.

What's next? What are you working on? Wasn't there something about a school hacking club?


I can agree with sil; I've interviewed CCNAs for positions who couldn't even subnet. It really is what you've learned and can show that matters. Even if you're the only one you can show it to right now.

dante
« Reply #10 on: November 12, 2010, 02:49:25 PM »

It takes courage and very high self confidence to share failures H1t M0nk3y.  Go on. You will rock.
mallaigh
« Reply #11 on: November 12, 2010, 06:45:16 PM »

H1t, as someone who is coming up behind you and planning on taking the OSCP in about a year, I greatly appreciate you sharing where you struggled with the exam. It sounds like you have learned a lot from this whole process, and it sounds like you should knock it out of the park on your next attempt.
H1t M0nk3y
« Reply #12 on: November 13, 2010, 04:33:13 AM »

@chrisj:
The next steps for me are more than likely GPEN and CISSP. SANS/GIAC certs and the CISSP are both very good here to pass HR screenings and that's why I am targeting them.

I think GPEN is close to OSCP in terms of knowledge, plus the business side, wireless and other little things. I may do this one first.

Everyone asks me if I have my CISSP. Like sil said in another post, CISSP has little to do with pen testing, but this one will really help me open doors. Again, I am a consultant and I change clients several times a year.

So 1) GPEN and 2) CISSP. But I am in no rush. I will take the time to study and when I am ready, then I will move on.


@dante: That's very encouraging. Thanks!


@mallaigh: I wrote this for people like you, so you can better prepare yourself! Good luck!



j0rDy
« Reply #13 on: November 14, 2010, 09:25:07 AM »

Wow, I really don't know what to say, but I will give it a try anyway. It sucks that you didn't pass the exam, but the fact you learned a lot from it makes up for the effort you put into it to get to the point you are now. Given the 60% score I can well say that you have a lot of knowledge about the pentesting field, which makes me look up to you and your skills. And the fact you shared this experience with us makes me respect you even more. I really thought you would nail it and I even thought about you during the weekend. In some weird way this affects me in the decision on re-taking the exam :-/ Anyway keep up the good work and never lose the enthusiasm you have for the IT-sec field!

ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
H1t M0nk3y
« Reply #14 on: November 15, 2010, 06:32:29 AM »

Hey j0rDy!

Thank you for your comments, I appreciate it!

But man, don't get discouraged by my story!!! I know how you feel right now and this exam is indeed very tough, but maybe I didn't see a big obvious thing that you will spot right away. Just keep on working hard toward your goal and you will eventually succeed. Just learn from my experience, don't get discouraged!

I am targeting GPEN now, so I am still 100% focused on IT-sec! ;)

Good luck j0rDy!
