My OSCP journey…

    • #7802
      sternone
      Participant

      Hi,

      I started the course on Sunday and now I’m 3 days in 🙂

      Maybe I can talk a little about how this deal goes for me and hope it’s a fun read with my ups and down with this journey!!

      Feel free to post anything you like in here. Good or bad. Things I do wrong or something else you wanna say.

      When I read about Offsec I said: THIS IS IT! Don’t give me that CEH theoretical bull, I wanna have hands on challenge me that it hurts and I wanna cry stuff !! I ran to get my wallet and ordered my slot right at the spot.

      After following their procedure I received a mail that I was booked for Saturday evening at 19.00h GMT-5.. What? Are you kidding me, that’s like… waiting a small week !!!!!! NO !!

      I was just like a little kid, waiting for that email to arrive on Saturday evening. I think I googled 10 times to know what 19.00h GMT-5 exactly was in my timezone 🙂 It has been a long time since I felt this way! I guess that’s a good sign no?

      There I was ready at my PC…19.00h passed.. nothing came in ? WHAT ? 19.01 still nothing! .. 19.02..19.03..19.04….19.05 !! THERE IT IS !!!

      The cronjob script that sends out these mails is set to run not at 19.00 but at 19.05 !! I’m telling ya !! NASTY !!!!!!! 🙂

      I have been putting all the time I can into it so far, but have other stuff to do during the day, so after 3 days I already learned a lot. The text is extremely well written and the videos are very very good and never boring. The good thing about this text is that it leaves you googling for a lot of things, and I guess that’s how it should be. Not everything is in the text, but everything is in the text to get you going searching for more…

      I’m doing the extra miles questions after each chapter which aren’t needed but advised, but hey, that’s easy said, I’m only 3 days in, I just started with 3.2.

      I do feel myself jumping to the exercise immediately after finishing a chapter looking for solutions on their questions and by doing so forgetting to watch the splendid videos… now here’s an exciting boy!

      What I learned from this course is that you need to document your steps. I understand it’s the only way. The nice tool to take notes (notetaker) under linux that I had no idea existed helps me a lot. Done something in the shell that’s cool ? No problem, press ctrl-insert and that program just takes a screenshot and puts it in your text. Screenshot too big ? No biggie, just right click and resize it on the spot. Easy.. very easy…

      Can’t wait to try to attack all those boxes smiling at me after I found all their cool names…..but I’m holding off.. first I need to finish the guide and make sure I understand everything !!!

      Great job Offsec and Thanks for your product !!

    • #48911
      dynamik
      Participant

      Awesome, I love the enthusiasm!

      If you ever get discouraged, just remember that they have three more advanced courses and this is only the tip of the iceberg 😉

    • #48912
      Catalyst256
      Participant

      Sternone, I’m 3 weeks into the OSCP course and still having a blast, I spend most of my time in the labs (need to do the exercises) and the learning never stops. Make sure you join the IRC channel (#offsec) I didn’t to start with but it really helps having other people to talk to.

      Just remember the course isn’t supposed to be easy, but it’s not impossible, have fun and enjoy what you learn.

      When you get stuck on a machine in the lab, try not to stress over it, just take a break and move onto another machine (there are plenty) what you might find is that as you learn new tricks and techniques you will find something that can help you with those “tricky” machines.

      I will just share some tips that I’ve found useful since I’ve started.

      1. You are not trying anything that other people haven’t already done, so remember google is your friend.
      2. ENJOY IT
      3. If in doubt “Try Harder” (course motto).

      Adam

    • #48913
      Jamie.R
      Participant

      Sounds like a lot of fun. How have you allocated time? Do you spend all day in the labs? What’s your breakdown ?

    • #48914
      Catalyst256
      Participant

      So obviously it’s down to the individual but I spend 3+ hours in the lab at least 5 days a week (have a full time job, so study is all in my own time).

      I use the course videos and material for reference or to cover off areas I don’t know about. If I get the chance at work I will research tools/techniques etc that I need to “pop” a box in the lab.

      The majority of my lab time so far has been enumeration tasks and collecting information. It is really important to enumerate every box as much as possible; I’ve found no end of useful bits of information from scans that have helped a lot.

      Again it’s all down to the individual and how they learn best.

      Adam

    • #48915
      BillV
      Participant

      It would probably also help other readers of this post if you both share your background and experience both in IT and security. That way other people looking to take the class can see what sort of skills they may want to have before taking the plunge.

      Great overviews thus far though. Enjoy the rest of course and good luck on the exam!

    • #48916
      Catalyst256
      Participant

      No worries BillV..  🙂

      I’ve got 16 year experience working in IT mostly operations/sys admin roles. Just started to get more focused on infosec since the beginning of the year. Done my Security+ exam and got a couple of other certs (not security related).

      Done bits and bobs over the years that touch security (firewall configs, wireless networks etc) but never really focused on it.

      Doing the OSCP to give me some more “hands on” experience and give me a good base to build on.

    • #48917
      sternone
      Participant

      My background: I started in 1982 programming on a VIC-20 🙂

      I was always fascinated with hacking and cracking. Then at the end of the 80’s I boxed a lot, especially with the color blue.

      😉

      I’m always well shaved too.

      For some old timers that might ring a ‘bell’.

    • #48918
      Jamie.R
      Participant

      My background,

      Well, I started using computers when they first came out. My first computer was a Time that came with Doom and Theme Park. Since I got that I was kind of hooked on computers. I was more into software really, loved learning shortcuts and showing off when asked to do something at school.

      At school I started messing with new things, learning new stuff, found some cool bugs in the system and thought hacking was really cool, wanted to get into it so much but it was pretty hard back then with no courses like there are today.

      I left school and was not sure what I wanted to do as a job so tried my hand at a few things before deciding to go to uni. All this time I was hooked on security, reading about it in the news, watching movies, trying to break things and so on.

      I finally went uni and spent most of my time moaning that security was really skipped over.

      Left uni and just wanted to get more involved in security so started doing courses, going to events, meeting people and it kind of took off from that.

    • #48919
      sternone
      Participant

      DAY 6

      Alright Folks, I’m now in my 6th day. I have been using almost every time I have left to work on the document, watch the videos, and do the exercises.

      I just finished module 6, but just 1 time, like, let’s see what this real deal with ‘buffer overflow exploitation’ is.

      ARE YOU KIDDING ME ? THAT’S FREAKING AWESOME !!

      This course is the course I always wanted. I missed probably 2 or 3 steps in the chapter where I couldn’t really follow what he was doing but I’m planning to spend a lot of time and a lot of rehearsing the Buffer Overflow Fun.

      I will tonight also look on amazon what good beginners books I could buy for some more Assembly information. Any advice ?

      Module 5, the Man in the Middle attacks was very sweet too, but no labs, I understand, I will have to set it up myself, but I didn’t do it for the moment. I have a feeling I could easily spend 2 or 3 days of fun on that chapter alone in a mini lab. I hope that’s not a mistake, but I grasp all the information and follow it completely, including what exactly happens on the OSI level with ARP requests on network devices, so I’m ok with that.

      I pretty much already scanned the whole network for a lot of stuff and documented it good, some of those scans took like hours, but with good results, I must stop using the xxx.xxx.xxx.0/24 when doing my scans because I end up scanning computers that I’m not allowed to, so I’m now scanning the xxx.xxx.xxx.192/26 subnet, I can’t have one for .200 to .254 so only scanning an extra 3 or so 🙂 You do get an immediate email saying ‘what’s up!!’ but that’s a good thing, they seem to know what you’re doing.

      Unicorn doesn’t allow you to give 200-254 as an option for hosts, you need Unicorn to give 192/26 or 0/24, that’s why I ran into trouble…

      This weekend will be all Buffer Overflow weekend, and it’s OK if I only stay with 1 module.. I wanna grasp the basics very good 🙂 !!!!

    • #48920
      hayabusa
      Participant

      Sounds like you’re really enjoying yourself.  Keep it up!

    • #48921
      UNIX
      Participant

      @sternone wrote:

      I will tonight also look on amazon what good beginners books I could buy for some more Assembly information. Any advise ?

      I’d recommend the Intel Software Developer Manuals.

    • #48922
      Jamie.R
      Participant

      there are also lots free video on security tube that cover Intel assembly and stuff like that.

    • #48923
      Triban
      Participant

      Nice updates guys!  Keep it up!  Makes me want to take the course but time is limited at the moment. 

    • #48924
      sh4d0wmanPP
      Participant

      Hmm, I really wanna do this course but lack the time right now. I can recommend Smashthestack.org IO challenges for anybody that wants to improve their exploitation skills before opting for OSCP. I found it beneficial as it improved my gdb knowledge and general Linux exploitation skills.

      Currently contemplating if I should do eCPPT in the meantime (since they have flexible labtime) but a bit scared I know most of it already.

      If you need custom shellcode and have no access to metasploit, this is a good resource: http://www.shell-storm.org/

    • #48925
      Jamie.R
      Participant

      Thanks for the resources

    • #48926
      dynamik
      Participant

      @sternone wrote:

      I will tonight also look on amazon what good beginners books I could buy for some more Assembly information. Any advise ?

      As mentioned, Security Tube has a good Linux assembly primer available. I’m not a fan of the AT&T-style syntax, so make it a homework lesson to convert the examples to Intel-style and use nasm instead 😉 http://www.securitytube.net/groups?operation=view&groupId=5

      http://www.amazon.com/Assembly-Language-Step—Step-Programming/dp/0470497025/ref=sr_1_6?ie=UTF8&qid=1345306985&sr=8-6&keywords=assembly is the best written resource I’ve found for getting started in assembly. Some of the reviews bash it over a chapter where he uses a weird analogy to explain counting in bases other than 10. I agree, it’s weird. However, you should already know how to convert between hex, binary, and decimal, so just skip it. The other problem is that the debugger he used was unfortunately dropped from the Ubuntu repo shortly after the book was published. Just use Evan’s Debugger or grab an old version of Ubuntu (8.10 works, I believe). This is another Linux resource. You’ll probably be working mostly on Windows, but aside from the system calls, it’s going to be nearly identical because it’s the same hardware. This book uses the Intel-style syntax.

      http://www.amazon.com/Professional-Assembly-Language-Programmer/dp/0764579010/ref=sr_1_5?ie=UTF8&qid=1345306985&sr=8-5&keywords=assembly goes beyond the book I referenced above (and is actually mentioned as a next-step at the end). This probably goes above-and-beyond what you’re looking for at the moment. It covers floating-point arithmetic and various extensions to the instruction set over the years (at least up until 2005 when it was published). It’s an interesting read, but like I said, probably not entirely relevant. This book unfortunately uses the AT&T-style syntax, but it’s another opportunity to practice converting the examples to Intel-style 😉 (granted, you’ll probably find a lot of AT&T-style examples in the Linux world, so it’s good to be acquainted with both)

      As awesec mentioned, the Intel developer docs are going to be your end-goal. You’re not going to find a more complete and comprehensive resource.

      @sternone wrote:

      Unicorn doesn’t allow you to give 200-254 as an option for hosts, you need Unicorn to give 192/26 or 0/24, that’s why I ran into trouble…

      Not the best use of unicorn scan, but:
      for i in `seq 200 254`; do unicornscan -p p 192.168.1.$i; done

      You could also use the largest range within the limit and use the above for the stragglers.

      @sh4d0wmanPP wrote:

      Hmm, I really wanna do this course but lack the time right now. I can recommend Smashthestack.org IO challenges for anybody that wants to improve their exploitation skills before opting for OSCP. I found it beneficial as it improved my gdb knowledge and general Linux exploitation skills.

      Currently contemplating if I should do eCPPT in the meantime (since they have flexible labtime) but a bit scared I know most of it already.

      If you need custom shellcode and have no access to metasploit, this is a good resource: http://www.shell-storm.org/

      Yes, nice links. Remember that exploit-db.com has a lot of custom shellcode as well.
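      An added example, not from dynamik or any other poster, for the scope problem quoted above: when a scanner only takes CIDR blocks but the authorized hosts are .200 to .254, the range can be split into the exact covering blocks, and any candidate block can be checked for addresses outside the authorization before it is ever scanned. It uses Python's standard ipaddress module; the 192.168.1.x addresses are constructed sample values and the unicornscan command strings reuse the flags from the loop above without executing anything.

```python
"""Keep a CIDR-only scanner inside an authorized address range (added example)."""
import ipaddress
from typing import List

# Constructed sample scope: the lab slice this exercise is allowed to touch.
SCOPE_FIRST = "192.168.1.200"
SCOPE_LAST = "192.168.1.254"


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Smallest list of CIDR blocks that covers exactly first..last, nothing more.

    A tool that only accepts CIDR notation can then be run once per block
    without ever touching a host outside the authorized range.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def out_of_scope(cidr: str, first: str, last: str) -> List[str]:
    """Every address inside cidr that is NOT within first..last.

    Iterating an IPv4Network yields all addresses, including the network and
    broadcast addresses, which is what we want: a scanner probes those too.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(ip) for ip in net if ip < lo or ip > hi]


def in_scope(cidr: str, first: str, last: str) -> bool:
    """True only when the block adds no address outside the authorization."""
    return not out_of_scope(cidr, first, last)


def scan_commands(first: str, last: str,
                  tool: str = "unicornscan", opts: str = "-p p") -> List[str]:
    """Command lines, one per covering block (strings only; nothing is run)."""
    return [f"{tool} {opts} {block}" for block in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # Compare the two blocks mentioned in the thread against the sample scope.
    for block in ("192.168.1.0/24", "192.168.1.192/26"):
        extra = out_of_scope(block, SCOPE_FIRST, SCOPE_LAST)
        print(f"{block}: {len(extra)} address(es) outside scope")
    for cmd in scan_commands(SCOPE_FIRST, SCOPE_LAST):
        print(cmd)
```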

    • #48927
      sternone
      Participant

      Thanks for your comments ajohnson, I appreciate it.

      I just finished watching the first 5 videos of SecurityTube on Assembly for Hackers. I will watch the rest probably tomorrow. I speak and understand completely Hindi English now fluently ! 🙂 Great work from that guy, he’s awesome and a good teacher.

      I also ordered the 2 books from Amazon plus the one that I wanted to read since a while : http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/ref=wl_it_dp_o_pC_nS_nC?ie=UTF8&colid=35XU0SBV7PHQ&coliid=I2DKCYHPPNDRZF

      I know that the 30 days to finish the lab isn’t going to work. It will be a 90 day walk for me, that’s for sure.

      My question is: Are the offensive books on Amazon worth it ?

      Metasploit: The Penetration Tester’s Guide
      Metasploit Penetration Testing Cookbook
      Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
      The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy

      ??

    • #48928
      dynamik
      Participant

      @sternone wrote:

      Thanks for your comments ajohnson, I appreciate it.

      I just finished watching the first 5 videos of SecurityTube on Assembly for Hackers. I will watch the rest probably tomorrow. I speak and understand completely Hindi English now fluently ! 🙂 Great work from that guy, he’s awesome and a good teacher.

      No problem. It’s funny how quickly you can adapt to a strong accent. As with Vivek, a good friend/ex-coworker of mine was from Colombia and had a very strong accent. I could barely understand him for the first couple days we worked together, and then I just suddenly stopped noticing it.

      @sternone wrote:

      I also ordered the 2 books from Amazon plus the one that I wanted to read since a while : http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/ref=wl_it_dp_o_pC_nS_nC?ie=UTF8&colid=35XU0SBV7PHQ&coliid=I2DKCYHPPNDRZF

      WAHH2 is a great book, good choice. If you’re looking for a bit more in-depth read on SQLi, consider http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240 as well (no rush, it’ll take you awhile to get through WAHH2; save that for a rainy day). Syngress also has an entire book dedicated to XSS, but I haven’t had a chance to go through it yet.

      @sternone wrote:

      I know that the 30 days to finish the lab isn’t going to work. It will be a 90 day walk for me, that’s for sure.

      Yea, 30 days is a really aggressive schedule. You need to space out all the frustration, so you don’t get an aneurysm  😉

      @sternone wrote:

      My question is: Are the offensive books on Amazon worth it ?

      That totally depends on the book.

      @sternone wrote:

      Metasploit: The Penetration Tester’s Guide

      That’s a very good book, especially for someone with little-to-no Metasploit experience. Also, it’d be hard to go wrong with Dave Kennedy and all the OffSec guys (along with a stamp of approval from HD Moore). Sil wrote a review not too long ago (http://www.ethicalhacker.net/content/view/418/2/). Remember that Security Tube also has a Metasploit series, and there’s always Offensive Security’s free course as well: http://www.offensive-security.com/metasploit-unleashed/Main_Page

      @sternone wrote:

      Metasploit Penetration Testing Cookbook

      I don’t have any experience with this one, and it seems to overlap a lot with the previous resource. I’d start with the other one and the free course and see if you feel like you need another written resource beyond that.

      @sternone wrote:

      Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

      This book actually looks like it has decent content, but the title is ridiculously embellished. That’s unfortunate. Just glancing at the ToC shows that about half the content is basic material that you’d probably find in most penetration testing resources. It’s probably got a few chapters that would stand out and be worth a cheap used price, but $60 seems pretty steep.

      @sternone wrote:

      The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy

      I’d drop this one off your list of potentials. It’s probably a fine book for what it is, but I don’t think it’s going to teach you anything you’re not covering elsewhere.

      If that wasn’t enough, Tom from Hacking Dojo also has a book that, in addition to general penetration testing techniques, also covers some business and project management information. This isn’t as exciting as popping a box, but it’s important information for aspiring professionals: http://www.amazon.com/Professional-Penetration-Testing-Creating-Learning/dp/1597494259/ref=sr_1_1?ie=UTF8&qid=1345319341&sr=8-1&keywords=professional+penetration

      This one also covers a lot of general tools and techniques and may be worth a look: http://www.amazon.com/Penetration-Testers-Source-Toolkit-Third/dp/1597496278/ref=sr_1_1?s=books&ie=UTF8&qid=1345319091&sr=1-1&keywords=open+source+penetration

      You’re on your own as far as all those go. Just go with what looks interesting to you. You’ll find that you’re going to have diminishing returns with each resource you use. You may find the first book you read to be 95% new and exciting, but your fifth or sixth book may fall to 15-20%. You’ll probably get something out of any resource you go through, but you need to determine if that’s going to be the best use of time and money.

    • #48929
      sternone
      Participant

      Thanks ajohnson for your efforts. Great advice for anybody wanting to have good advice on some books 🙂

      I was really surprised to see that after getting a shell on my first exploit the application actually didn’t crash. It gave me a shell and it kept on running. It was my idea that buffer overrun hacks always crashed the application or the server, apparently it did not.

      When I exited my shell, the application closed but I guess I could fix that with a good JMP to a good location in the code when the shell code exits.

      Great!!!

    • #48930
      sh4d0wmanPP
      Participant

      I think the following three books will give you the most knowledge combined with the OSCP track, although it can be pretty complex:

      Metasploit: The Penetration Tester’s Guide
      The Shellcoder’s Handbook – Discovering And Exploiting Security Holes
      Web Application Hacker’s Handbook (not sure how much web-attacks come back in the exam as they also seem to be developing a webapp track)

      I did read “Advanced Penetration Testing for Highly-Secured Environments” but it is not as advanced as the title suggests. Better pick it up second hand and use the money you save to put into obtaining more certs or have a beer.

      Furthermore I’d like to mention:
      Ninja Hacking – Unconventional Penetration Testing Tactics and Techniques

      This book covers some unrealistic attacks but also hands out a nice selection of attacks that can be used and usually don’t come up in other books. For example I liked the mention of disrupting an admin’s routine to add stress to his daily work and by doing so make him less focused on the work at hand. I know most attacks will be out of scope but nevertheless it is a nice read and of course these tactics can be applied by blackhats without restriction.

      On my “to read” list:
      Rootkits – Subverting the Windows Kernel
      Practical Packet Analysis 2nd Edition

    • #48931
      sternone
      Participant

      Thanks for the advice Sh4dowmanpp

      UPDATE ON MY DAY NUMBER 8

      I just found a nasty problem that took me practically all Sunday to fix.

      I’m happy on one hand that I found it, but I’m disgusted that I lost a whole day trying to find the solution, thinking… did I really learn something because they made this stupid thing ‘part of the learning process’ ?

      I mean, if there’s one negative comment I can give about the OSCP course it’s what I have done today fixing that problem they put in there ‘intentionally’ …

      I’m a little pissed off now, so it’s time for a break, no more OSCP today !!!!

      >:( >:(

    • #48932
      S3curityM0nkey
      Participant

      Nice advice Sh4dowmanpp… those are all great books.

      Sounds like you need a little rest Sternone…. get some air and some sun….

      Hope the rest of the training goes well  😉

    • #48933
      beastmode19888
      Participant

      Man I took this course and it is a beast when you get to the exam. Stay on top of everything you’re doing. I did not pass the exam but I took this exam before I became an Ethical Hacker. I have used the skills I learned to increase my Hack Game in the cyber world. I have been capable of creating new up to date videos for others to review that may help them pass exams such as the OSCP.

      http://www.youtube.com/beastmode19888

      My videos have been posted by others on SecurityTube.net and also Tweeted. I hope that some of the videos will inspire all if any to want that drive to get to the next level.

      When money is right I will be returning to achieve my OSCP Cert.

      Remember “Try Harder” and I intend to

    • #48934
      Jamie.R
      Participant

      Cool sounds like everyone who done this has learned lots it makes me want to do the course even more than I already do.

    • #48935
      sternone
      Participant

      DAY NR 10

      Ok ok ok. I was pissed. I took a day off yesterday to let it rest a while and thinking it over. I learned an important lesson on Sunday.

      Here it is :

      IN PENTESTING NEVER TRUST ANYTHING…….. NEVER!!! 

      NEVAHHHH!!!!

      You see, they taught me a lesson. Probably a good one.

      I started with unit 7, using other people’s exploits. BT is such a good distro, if they would ask money for it, I would pay !!!

    • #48936
      ricercar
      Participant

      I did 90 days at the end of 2011, abandoned it due to time constraints, and started again on the 13th. I learned a LOT since I stopped!

      9 servers with root shells!

    • #48937
      sternone
      Participant

      MY WORKSTATION

      Ok guys,

      I did do something cool today, I ran BT on different screens. After months working in the ‘most hated file on the linux platform, xorg.conf’ I finally just got it running with a virtual machine running under linux.

      Ok guys, I have to confess. I like my monitors !!!

    • #48938
      cd1zz
      Participant

      Damn. My setup sucks balls.

    • #48939
      YuckTheFankees
      Participant

      I don’t know man, I think you may need to add another screen on the bottom (4 and 4)..then it would be a real hackers lab.

    • #48940
      Jamie.R
      Participant

      Wow that looks like a pretty sweet setup.

    • #48941
      dbest
      Participant

      @sternone – what the …….

    • #48942
      sternone
      Participant

      @YuckTheFankees wrote:

      I don’t know man, I think you may need to add another screen on the bottom (4 and 4)..then it would be a real hackers lab.

      Funny, I have it, but it’s not connected, I needed it for another PC 🙂

      I have 2x NVIDIA Quadro NVS450 and on the other PC it’s a ATI 2640

    • #48943
      satish.lx
      Participant

      @sternone – you make me jealous

    • #48944
      sternone
      Participant

      REPORT DAY 12

      So I finished doing the buffer overflow stuff twice. I feel like it’s kind of important and I tried different payloads and stuff. I want to know it good both for linux and windows. Damn, linux has some cool debugging tools I had no idea of, why would somebody ever pay for a program when we have anno 2012 such an amazing open source library ? 😉 Support ? Bah, if you’re IT minded you shouldn’t have any problems these days. I do understand for small non IT minded companies. But for the big corporations, I know how they work, and have worked with them myself for many years, they can put the right people on it and fix the problems themselves. I guess they still think : “Nobody got fired for buying IBM…”

      Ok guys… back to OSCP !

      This is it, I’m 2/3rd into the course and this is basically the first time I explicitly read in the manual : (not exact words, but it’s how I interpret them)

      “Go scan ip’s in your range in the lab and try to hack them using exploits you just learned to find and use”

      !!!!!!!

      Let’s gooooo!!! Who needs sleep ? I SLEEP WHEN I’M DEAD!!!

      (probably will have to use their ‘TRY HARDER’ mantra from now on in the coming 9000 days or so 🙂 )

    • #48945
      dbest
      Participant

      Buffer overflows are fun… aren’t they?  I need to work on a few more…

    • #48946
      sternone
      Participant

      ARE YOU KIDDING ME !!!!

      2:09 AM

      I JUST HACKED MY FIRST SERVER IN THE LAB GOT ROOT !!! YIHAAA

      a full buffer overflow with reverse bind shell!!!

    • #48947
      UNIX
      Participant

      Maybe this one helps to get a better understanding of the basic exploit development process: http://strategicsec.com/2012/08/16/exploit-development-for-mere-mortals/

    • #48948
      YuckTheFankees
      Participant

      Was it one of the “low hanging fruit” or did you use a buffer overflow?

    • #48949
      YuckTheFankees
      Participant

      I’ve currently rooted 6 machines but my main focus for the next week is to get a system with either a buffer overflow or some type of web app/sql injection attack.

    • #48950
      sternone
      Participant

      Buffer overflow with reverse bind shell.

      I’m kinda happy that I used that as my first rooted box 🙂

      I tried a server first but I gave up after getting halfway on it. Only did a little, then I just said, let me try some other servers. Then the second one I buffer overflowed. I LOVE BUFFER OVERFLOWS!!! They are freaking cool.

      I can’t say if it was low hanging fruit since I only rooted 1 yet.

      Played on that server for 2 hours now going to take a quick nap 🙂

    • #48951
      sh4d0wmanPP
      Participant

      Hehe I know the feeling you had since I recently started to play around with buffer overflows on the IO challenges of smackthestack.org

      My biggest problem was understanding how to find the return address in gdb. By now it is going smoothly and I am a bit dumbstruck I did not understand this a few years ago. Also learned to abuse SETUID programs and using an egg + environment variable to exploit programs. Very nice!

      Anyway I will book the OSCP as soon as I am back from my Bangkok trip. Decided to skip on OSWP and ECPPT. OSCP is just awesome.

    • #48952
      satish.lx
      Participant

      You guys using Metasploit for buffer over flow or manually process? I am interested in manual process.

    • #48953
      DragonGorge
      Participant

      Metasploit is pretty powerful and can facilitate delivering a BoF exploit but I don’t think it’s capable of actually finding it in an application. But give HD Moore time…I’m sure he’ll come up with a way eventually.

      BoFs are still a more or less manual process.

    • #48954
      sternone
      Participant

      Manual

      You can’t use Metasploit on the exam.

    • #48955
      DragonGorge
      Participant

      @sternone wrote:

      You can’t use Metasploit on the exam.

      Just to clarify, from what I’ve seen online you can use Metasploit during the exam for things such as scanning ports & creating payloads, and at least in one case, exploit. I’m not clear if the single Metasploit use is a) because you’re only allowed one or b) there’s only one box you can use Metasploit against.

      Have you heard something different sternone?

    • #48956
      shadowzero
      Participant

      I suggest learning to hack without metasploit. You’re allowed to use it in the labs, so when you pwn something with metasploit, figure out how to do it without metasploit. You can even look at the exploit module itself in metasploit to see how it’s doing it, and maybe you can adapt it to a single script.

    • #48957
      dynamik
      Participant

      You can only use Metasploit once for exploitation, but it’s explicitly disallowed on some systems (this will all be detailed in your exam guide). Simply generating shellcode with msfpayload / msfvenom does not count as performing exploitation with the framework, and I’m sure using the aux modules for scanning or whatever doesn’t count either.

      Metasploit’s a great tool, and everyone should know how to use it, but it’s an extremely small part of the exam, at most. You should spend the majority of your lab time using and adapting stand-alone exploits. You can always go back and re-exploit a vulnerability using the framework if you’re curious about the differences.

    • #48958
      sternone
      Participant

      Question:

      I’m finally getting some books tomorrow, which one should I read first ? Thanks for the advice!!

      Tomorrow Friday I get :
      1. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
      Dafydd Stuttard, Marcus Pinto
      2. Metasploit: The Penetration Tester’s Guide
      David Kennedy, et al
      3. Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
      Chris Sanders
      4. Assembly Language Step-by-Step: Programming with Linux
      Jeff Duntemann

      On Monday I get:
      5. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
      6. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
      7. Professional Assembly Language (Programmer to Programmer)
      Richard Blum

      THANKS !!!

      PS: I’m probably finishing up the pdf of OSCP in a few days.

    • #48959
      dynamik
      Participant

      I’d focus on your lab time while you have it. If you need to take a break from that, I guess the Nmap book would be the most general and useful one for you at the moment.

      Regardless of when you do them in relation to the others, I’d do 4 > 7 > 5 when you want to move more into assembly and exploit development.

    • #48960
      sh4d0wmanPP
      Participant

      For OSCP I would adopt the following order:
      6: Look for the parts you don’t know or that can save you time: automation, scripting or parsing
      2: but only the sections on payload creation, shellcode, meterpreter
      4: read assembly output near fluently
      5: focus on stack overflows on both Linux and Windows. Learn the specific tools on both OSes

      Save 3, 1 and 7 for after OSCP, as I think they might go too deep and you will not be able to master them in depth in time for the exam.

      I am actually doing something similar, but before I sign up, so as to save my lab time. Good luck!

      @ Cyberspirit: this is how I tend to study. I try to be able to do most attacks without using any tools. Purely by scripting, abusing the shell and making use of available cmds/tools native to the OS or APIs. If this gets me stuck I use an automated tool and see if it can complete the attack. If it does I tear apart their logic until I can do it by hand myself. This costs a tremendous amount of time but allows me to perform even when tools are blocked.

    • #48961
      cyber.spirit
      Participant

      @shadowzero wrote:

      I suggest learning to hack without metasploit. You’re allowed to use it in the labs, so when you pwn something with metasploit, figure out how to do it without metasploit. You can even look at the exploit module itself in metasploit to see how it’s doing it, and maybe you can adapt it to a single script.

      Yeah, it’s better to get your hands dirty with writing exploits and exploitation techniques, but avoiding msf is not a good idea. You can do it before msf; if you don’t get the answer, then use msf.

    • #48962
      UNIX
      Participant

      @aweSEC wrote:

      Maybe this one helps to get a better understanding of the basic exploit development process: http://strategicsec.com/2012/08/16/exploit-development-for-mere-mortals/

      The materials from Open Security Training might also help to better understand some of the exploit development basics.

    • #48963
      sternone
      Participant

      DAY 15

      Did some extra studying in the 6 books I received from Amazon today.

      It’s clear that to succeed in the exam I will need much more knowledge than the videos and the pdf file. I took a step back and started reading. Couldn’t resist today and rooted another box!

      I have 2 now. Whohoo 🙂  ;D

    • #48964
      sternone
      Participant

      Just got another one. Ok, I have the 3 easiest servers of the 50.

      🙁 That leaves me with 47 hard ones  ;D

    • #48965
      azmatt
      Participant

      Keep up the good work bud. I’m planning on trying this at some point in 2013 so these threads are invaluable.

    • #48966
      Anonymous
      Participant

      Great read to OP.  I’m on day 25 and wish I was a lot further ahead than where I am.  I’ve gotten into 3 machines in the last 2 days with many more to go.

      Great course so far, just hope I have enough lab time left to get through everything.  (bought the 90-day package).

    • #48967
      sternone
      Participant

      I stopped working in the lab and I’m reading for the next weeks now.

      I hate doing stuff without knowing exactly what I’m doing 🙂

    • #48968
      dynamik
      Participant

      @sternone wrote:

      I hate doing stuff without knowing exactly what I’m doing 🙂

      I understand what you’re saying, to an extent. It’s important to learn the fundamentals, so you’re not just flailing about, but you’re never going to be in a pen test where everything’s routine and transparent. You’re going to find custom applications, security controls you haven’t encountered before, admins paying attention to the network for the first time in a year and changing things as you’re trying to work, etc. Being able to adapt and think critically are enormous pieces of the puzzle, maybe even more so than preexisting knowledge. You can’t acquire those skills by reading.

      Taking weeks off of a limited amount of lab time seems like a waste to me. Just dive in and experiment, even if you’re only working on the 5-10 pages of the lab guide you read that day. That’s what the environment is there for; you can easily revert a mistake.

    • #48969
      shadowzero
      Participant

      @ajohnson wrote:

      Taking weeks off of a limited amount of lab time seems like a waste to me. Just dive in and experiment, even if you’re only working on the 5-10 pages of the lab guide you read that day. That’s what the environment is there for; you can easily revert a mistake.

      +1 to this. Experiment, make mistakes, learn from your mistakes. The more mistakes you learn from in the lab, the less you’re likely to make in the real world and the exam.

    • #48970
      sternone
      Participant

      Thanks for the advice. I finished these books:

      Metasploit – The Penetration Tester’s Guide
      Practical Packet Analysis

      I’m currently reading:

      The Web Application Hacker’s Handbook

      I’m also extending the lab for 90 days.

      This trip is going to take much longer than I anticipated, mostly because of the huge workload of learning stuff on your own. You guys have to admit, the OSCP is all about the lab; it has less to do with learning from the videos and the PDFs. I see them more as a ‘practical example’ of theoretical stuff you have to learn on your own. I wish I had known it before so I could have dug into the books before I took the OSCP plunge. For that I would say their text on what you should know before the OSCP is kind of misleading.

      That might explain why almost nobody passes the test the first time.

    • #48971
      cd1zz
      Participant

      Almost nobody passes the OSCE the first time. OSCP has a higher success rate the first time around.

    • #48972
      azmatt
      Participant

      @sternone wrote:

      Thanks for the advice. I finished these books:

      Metasploit – The Penetration Tester’s Guide
      Practical Packet Analysis

      I’m currently reading:

      The Web Application Hacker’s Handbook

      I’m also extending the lab for 90 days.

      This trip is going to take much longer than I anticipated, mostly because of the huge workload of learning stuff on your own. You guys have to admit, the OSCP is all about the lab; it has less to do with learning from the videos and the PDFs. I see them more as a ‘practical example’ of theoretical stuff you have to learn on your own. I wish I had known it before so I could have dug into the books before I took the OSCP plunge. For that I would say their text on what you should know before the OSCP is kind of misleading.

      That might explain why almost nobody passes the test the first time.

      It sounds like you’re being very smart about this.

      Thanks for sharing these books, please post any more that you really wish you had read first.

      I want to make sure I’m ready to get the most from the course, and I’m planning on just extending 90 days right at the start to make it a non-issue.

    • #48973
      sternone
      Participant

      DAY 20

      Okay okay OKAY again 😉

      I listened and read more in the books, but meanwhile took 1 server with many ports open and worked on it.

      Found one way to enter it, so I rooted it. That puts the number at 4.

      Not a lot. Step by step… but happy I rooted another one.

    • #48974
      sternone
      Participant

      DAY 21

      Another day, another server ? I rooted another one. And this time, I have to say it was really really cool meaning -without spoiling it for the others- that I came across something that I said: Hey I might use this on server X, I tried it, and it worked.

      Puts the counter on 5 servers rooted so far. Let’s do some more reading further on the day and try another one tomorrow.

      Instead of trying several servers at once, I now try to take 1 server per day and try to hack it. Focused on only 1 server. It seems to be a little less frustrating and lets me go deeper on the server, but it makes me need to read more and more 🙂

      Let’s see if I can hack another one tomorrow!

    • #48975
      jjwinter
      Participant

      Do the servers contain any data that assists you in exploiting other systems? Lists of usernames, fake company info, docs, browser history, cookies, etc., or are they just a clean image of a server OS with patches missing or hackable services running? Does a hashdump on one help you on others?

    • #48976
      sternone
      Participant

      I can just say: They look just like a real server.

      They are not like a clean image with patches missing, that’s for sure.

    • #48977
      jjwinter
      Participant

      That is good to know. I was concerned that their lab environment would be like something I could set up at home, just with more VMs running on better hardware or something.

      Is getting through firewalls, managed switches, VLANS, IDS’s and the like included? How realistic is this environment?

    • #48978
      sternone
      Participant

      Check out their pdf on their site, they address your questions.

      Every server I came across has specific applications running.

    • #48979
      sternone
      Participant

      DAY 22

      Started with SQL Injection and managed to bypass one web authentication login to the admin console on a server I hadn’t rooted yet. So I guess that’s half a server hacked today 🙂

      I must say, Hacking Web Applications is a BIG subject, and the PDF and the Videos cover it only on the surface, back to reading books now !!!!

      I’m also planning to re-read the PDF and review all the videos starting from tomorrow.

    • #48980
      dynamik
      Participant

      Most servers can be compromised directly, but you will occasionally require information or functionality from another system. You should investigate each application, service, and system thoroughly as you go. Don’t assume each system exists in a bubble.

    • #48981
      sternone
      Participant

      Thanks, just rooted another one and finished the half one too 😉

      That puts the number on 7 boxes rooted.

      ;D

    • #48982
      Jamie.R
      Participant

      Cool, sounds like it’s going well 🙂

    • #48983
      sternone
      Participant

      Just rooted another one.

      I was trying different stuff on that server and in my notes I wrote about a vuln: NOT WORKING – TRIED

      But I said, really? And I tried it again, a little deeper this time, and it worked!

      Meaning… I can be wrong too, it’s not because I say it’s not working that it’s not working 🙂

      Counter is now on 8 rooted boxes.

    • #48984
      shadowzero
      Participant

      @sternone wrote:

      Just rooted another one.

      I was trying different stuff on that server and in my notes I wrote about a vuln: NOT WORKING – TRIED

      But I said, really? And I tried it again, a little deeper this time, and it worked!

      Meaning… I can be wrong too, it’s not because I say it’s not working that it’s not working 🙂

      Counter is now on 8 rooted boxes.

      Try harder, try different. 🙂

    • #48985
      sternone
      Participant

      DAY 23

      Another day, another ROOT !

      COUNTER: 9 ROOTED BOXES

      It seems that the exploits I tried when I started the lab that weren’t working are working now. How is this possible?

      Hate to admit it, but it’s maybe because I’m getting slightly better at it. I still have to say that I consider all of this to be ‘low hanging fruit’ so far.

      One strange thing happened today: I tried to exploit a certain service with a known overflow bug by MS. I crashed the server really hard. So hard, maybe, that after I reverted it several times, that one service is not coming up at all. That service also ran for several weeks, so I’m wondering if maybe it’s a service that another hacker opened? I have a complaint about the labs: I’m hacking a server and I’m not the only one. All of a sudden the webdir is full of exploit code. I revert it, but the other guy who’s also working on it quickly puts his exploit code back. I kinda hate that 🙁

      I’m also still in my student network and no sign at all of any links to any other networks. Still a really really long way to go imho !!!

    • #48986
      sternone
      Participant

      Just rooted nr 10.

    • #48987
      shadowzero
      Participant

      @sternone wrote:

      I have a complaint about the labs: I’m hacking a server and I’m not the only one. All of a sudden the webdir is full of exploit code. I revert it, but the other guy who’s also working on it quickly puts his exploit code back. I kinda hate that 🙁

      You can try asking on the IRC channel if someone else is working on it and see if they’ll let you have a go. Otherwise, move on to another machine.

    • #48988
      sternone
      Participant

      Rooted another one.

      Counter is on 11 !!  ;D

    • #48989
      jjwinter
      Participant

      There must be some limit on how many students are allotted lab time at the same time, otherwise you would bump into each other all over the place. Do they tell you what that limit is?

    • #48990
      shadowzero
      Participant

      No, but I believe on the registration page they’ll let you know if a particular slot is full and you won’t be able to book for that time frame.

    • #48991
      sternone
      Participant

      Rooted another one, counter is now on 12 rooted boxes !!

      I’m calling it a day now. I’m seeing some things double  😛

    • #48992
      dynamik
      Participant

      @jjwinter wrote:

      There must be some limit on how many students are allotted lab time at the same time, otherwise you would bump into each other all over the place. Do they tell you what that limit is?

      They don’t have a single lab. It’s the same experience, but there are multiple isolated student networks.

      Aside from occasionally having to revert a system someone else borked, the only real problem I had with other students was that their artifacts would completely give the vulnerability/exploit away. This only happened a few times, but it was a fairly anticlimactic way to compromise a system…

    • #48993
      cyber.spirit
      Participant

      Wow, what a big topic. I think it’s the longest topic in this forum. Lol

    • #48994
      sternone
      Participant

      DAY 24

      I wasn’t going to exploit today, I had a busy day, but I said to myself: why not. This is fun, right? 😛

      So I rooted another one ! A kinda important one IMHO.

      COUNTER: TOTAL SERVERS ROOTED: 13

    • #48995
      S3curityM0nkey
      Participant

      Dude, you’re killing it… nice work!

    • #48996
      sternone
      Participant

      Thanks, but I think I’m running out of options… all the low hanging fruit has been consumed. I’m scared that I’m finished  😮

    • #48997
      S3curityM0nkey
      Participant

      Don’t think like that! Just need to step it up a gear and … wait for it… Try Harder! You will be fine. Take a little rest and then approach it with fresh eyes.

    • #48998
      shadowzero
      Participant

      Congratulations. It gets harder from here on, so you must try harder.

    • #48999
      sternone
      Participant

      Just rooted another one, and Yihaaa!!! It’s my first server connecting to the other network !!!!!!

      TOTAL SERVERS ROOTED: 14

    • #49000
      S3curityM0nkey
      Participant

      Nice one! See told you not to give up 🙂

    • #49001
      sternone
      Participant

      LOL!!!!!!!! Just rooted another one !!!

      SERVER COUNT : 15 !!!!!!

    • #49002
      jjwinter
      Participant

      Yar! Keep good notes. Make sure they say things other than “F-u #%@%!@  Server 14!”

    • #49003
      S3curityM0nkey
      Participant

      Dude, you’re on FIRE!!!

    • #49004
      sternone
      Participant

      I can’t anymore.. I really need sleep now ! haha

      Strange, sometimes a buffer overflow that worked before is not working anymore.

      I had it before, I reverted twice and then it worked again. Some exploits say in the code: this works only 70% of the time …  ??? ???

    • #49005
      S3curityM0nkey
      Participant

      @sternone wrote:

      I can’t anymore.. I really need sleep now ! haha

      Strange, sometimes a buffer overflow that worked before is not working anymore.

      I had it before, I reverted twice and then it worked again. Some exploits say in the code: this works only 70% of the time …  ??? ???

      I guess it all has to do with memory locations…. and finding the right one!

      Go to bed….

    • #49006
      shadowzero
      Participant

      @sternone wrote:

      I can’t anymore.. I really need sleep now ! haha

      Strange, sometimes a buffer overflow that worked before is not working anymore.

      I had it before, I reverted twice and then it worked again. Some exploits say in the code: this works only 70% of the time …  ??? ???

      Some exploits may take a couple of tries before they kick in.

    • #49007
      sternone
      Participant

      Rooted another one !!!!!

      Maybe it is THE most important one.. because… THAT’s what we wanna see right baby ??

      SERVER COUNT : 16 !!

    • #49008
      hayabusa
      Participant

       Looks ‘slightly’ interesting.   😉

    • #49009
      sternone
      Participant

      Rooted another one.

      One confession: This one box took me literally the whole day. That wasn’t an easy one. Like a whole day.

      Glad I rooted it.

      I’m going to get into the tunneling stuff soon and might stop hacking the student network.

      I can always come back and do the other servers anyway.

      SERVER COUNT 17

    • #49010
      dynamik
      Participant

      @sternone wrote:

      One confession: This one box took me literally the whole day. That wasn’t an easy one. Like a whole day.

      It only gets worse. I went from rooting five per day at the start, to one every five days towards the end.

      @sternone wrote:

      I’m going to get into the tunneling stuff soon and might stop hacking the student network.

      I can always come back and do the other servers anyway.

      Not all systems exist in a bubble. Don’t skimp on your research and info gathering.

    • #49011
      sternone
      Participant

      ROOTED ANOTHER ONE! SERVER COUNT 18

      This was another nasty one. Buffer exploit days seem to be over…  🙂

      It’s all web script hacking and SQL injections from now on…  :-

    • #49012
      sternone
      Participant

      DAY 27

      Rooted another one: SERVER COUNT : 19

      This was nasty again. No more low hanging fruit, folks. I had to hack an application, then change a lot of settings in an application so I could finally execute code.

      Wow. Not easy and very time consuming.

      Do all servers have multiple access ways ? Or is that only with a few ones ?

      I’m also wanting to know exactly what tools you can use on the exam so I know what to practice with.

      The lab is getting much harder now.

    • #49013
      UNIX
      Participant

      @sternone wrote:

      Do all servers have multiple access ways ? Or is that only with a few ones ?

      I’m not sure if all, but when I did the labs I discovered on quite a few machines more than one way to get root/SYSTEM. 🙂

    • #49014
      shadowzero
      Participant

      Some have more than one way. Some have red herrings. Some have only one way. The notorious ones, usually only have one way. 🙂

    • #49015
      hayabusa
      Participant

      It’s been said many times…  the big tool note on the exam is Metasploit…  You’ll be given a limitation regarding its use.  (How many times and on which boxes)

      Aside from that, you should know we can’t really give you a direct “this is what you should know how to use on the test”.

      I’ll say this, though.  Automation is your friend.  You’ll find you can accomplish more, faster, if you have automated some tests (either prepared before or during the exam), so that you can be doing multiple things at the same time.  Just as in many real-world tests, you ‘likely’ won’t have time to attack the exam boxes in a ‘single-threaded’ manner / mindset.

      Make sure you’re comfortable with BASH or some other scripting methods.

    • #49016
      sternone
      Participant

      DAY 28

      Rooted 2 more servers. But the big news is, I got the network key for the IT Department !!! There it was… I grabbed it and inserted it !!!

      SERVERS ROOTED : 21

    • #49017
      azmatt
      Participant

      You’re killing it man!! Keep up the good work.

    • #49018
      S3curityM0nkey
      Participant

      Got to say that this is one of the best threads about the OSCP on this forum. The blow by blow account is great!!!! As soon as I have finished moving house I plan on doing the PWB training!

      Not sure I have the brains to do the cert but the training sounds great!

    • #49019
      azmatt
      Participant

      I’m in the same boat money. I know it’s going to hurt but I’m going to try anyway. I just signed up for the ninja sec course to try to learn as much as possible pre PWB.

    • #49020
      sternone
      Participant

      I try to read as much as I can to know about tunneling now.

      The OSCP is extremely frustrating in not guiding you where you should learn what. They only show you what you ‘can’ do and then it’s up to you.

      Ok, thanks OSCP, you showed me this now, and I understand what you’re doing, but I have to learn more about it. Where and what should I learn exactly ? Oh.. try harder. There you go. Well I got some reply to you: fuck you too.

      >:(

      That sucks. Bigtime.

      If I had known, I would not have started the lab before I had read other books and gained more experience. I would like to know if real newbies, inexperienced hackers, really succeed in the test on the first try.

      It’s frustrating. While I am hacking myself through the lab successfully, I’m frustrated by the pain it takes to figure things out myself without having some guidelines that are more than ‘showing you what can be done’.

      Hacking is every time different, and how can you learn it by only seeing 1 example and then basically they tell you to go fuck yourself ?

      As you can read from my post, I’m kind of sick of googling around and reading stupid blogs to try to learn something more in depth.

    • #49021
      azmatt
      Participant

      Sorry you’re hitting a rough spot, man, but you’ve made a lot of progress and you’ll make a lot more. You’ve hacked 21 more servers than me and most others here 🙂

    • #49022
      shadowzero
      Participant

      The course gives you the fundamentals. It’s up to you to take it to the next level.

      You’re right, you can’t learn or master anything from just one example. That’s what the lab is for. Practice on it, make mistakes, learn from your mistakes. More importantly, expect to spend a lot of time doing research outside of the course material if you intend to hack into all the machines in the lab and pass the exam challenge.

    • #49023
      sternone
      Participant

      2.44 AM

      Ok, got a server rooted in the IT DEPT using tunneling.

      That was cool stuff.

      Is it normal that my typing is slower now ?  😀

      But I’m still pissed at Offensive Security for letting me read 100s of blogs of folks that can count their pubertal hairs on 1 hand.

    • #49024
      sternone
      Participant

      That puts the servers rooted on 22

    • #49025
      jjwinter
      Participant

      Continued thanks for the updates as you go through the labs. Nice job working through the tunneling problems.

      You should submit your posts to a sleep deprivation study forum too.

    • #49026
      shadowzero
      Participant

      @sternone wrote:

      2.44 AM

      Ok, got a server rooted in the IT DEPT using tunneling.

      That was cool stuff.

      Is it normal that my typing is slower now ?  😀

      But I’m still pissed at Offensive Security for letting me read 100s of blogs of folks that can count their pubertal hairs on 1 hand.

      Not sure what blogs you’re reading. There are blogs geared towards penetration testing written by professionals. You can always just read RFCs and white papers.

    • #49027
      hayabusa
      Participant

      @sternone wrote:

      But I’m still pissed at Offensive Security for letting me read 100s of blogs of folks that can count their pubertal hairs on 1 hand.

      WTH are you talking about???  

      A.) Offensive Security ‘letting’ you read something, or ‘making’ you read something?  What you see now is what you’re going to see in real life.  You’ll often need some info on an exploit or topic and have to go find it.  I don’t recall Offensive ‘making’ me look at anything, in particular.  Specifically if you’re referring to blogs.  Blogs are others’ writings, not Offensive’s.

      Maybe you’re just venting about something, but your vent just made no sense, as written…

    • #49028
      dynamik
      Participant

      You’re killing me, dude. If you just want walk-throughs of how to exploit systems, hop on SecurityTube and watch the videos. There is no shortage of that type of instruction available, and that is not remotely the purpose of this course.

      What do you think a real pen test is like? Do you expect to be able to walk into an organization and completely understand how everything is configured, how their custom in-house applications work, etc., right off the bat?

      You’re currently working on what, 40-50 systems over 90 days? Try hundreds or thousands of systems over five days. There’s always going to be weird stuff you’ve never encountered before, and you need to be able to adapt and get acclimated to that environment quickly. That gets stressful while dealing with fast-approaching deadlines. You can’t just stop when you’re burned out and return to a troublesome system after taking a weekend off.

      While some of the non-standard configurations in this course are frustrating, there’s probably more of that in the real world. Try dealing with NAC or other controls that’ll shut down or temporarily disable your switchport if triggered, or users (surprisingly) taking their system to IS when an exploit unexpectedly triggers an AV alert. Try adding the complexity of things that break after being subjected to a basic nmap scan; I’ve yet to visit a client that provides “revert” functionality (unless you count rebooting the system after yelling at the tester).

      This type of work is rarely easy, things rarely go as expected, and you’re never going to master everything. You can view this as challenging or frustrating, and I think your perspective will really determine how far you’ll go professionally.

    • #49029
      shadowzero
      Participant

      This course is meant to be difficult, and I think those of us who’ve earned our OSCPs like it that way. The difficulty and hands-on aspect is what separates it from other certifications. Dumbing the course down waters down the reputation of the certificate.

      You need to be able to think quickly, out of the box, and pull rabbits out of your hat. The exam will test you on that. Think of it as a black box test on an organization. No hints, no information before you step in. That’s part of the challenge. Everything you learn in the lab, and out of the lab, will come in handy.

    • #49030
      sternone
      Participant

      @hayabusa wrote:

      @sternone wrote:

      But I’m still pissed at Offensive Security for letting me read 100s of blogs of folks that can count their pubertal hairs on 1 hand.

      WTH are you talking about???  

      A.) Offensive Security ‘letting’ you read something, or ‘making’ you read something?  What you see now is what you’re going to see in real life.  You’ll often need some info on an exploit or topic and have to go find it.  I don’t recall Offensive ‘making’ me look at anything, in particular.  Specifically if you’re referring to blogs.  Blogs are others’ writings, not Offensive’s.

      Maybe you’re just venting about something, but your vent just made no sense, as written…

      A/ Yes, I’m talking about Offensive not really having or using any course material explaining in ‘depth’ to let you learn the material. I don’t need them to write a 20000-page book; I would expect them to tell me what to read. But even that is: “try harder”.

      Was there a B coming up? Let me give you one:

      B/ Because I’m out there looking for material, I come across all kinds of sources, wasting days of valuable time. I don’t see what the use of this is.

      This is a big warning for people who want to jump into the OSCP course. It’s absolutely not for newbies. Basic Linux, programming and administration skills won’t do it here. You need to study much more before attempting it. Otherwise you could be left frustrated.

      I’m venting what I want in here. I started this thread not to get people into buying the OSCP lab; I started this thread to explain my findings with this course.

    • #49031
      sternone
      Participant

      @ajohnson wrote:

      You’re killing me, dude. If you just want walk-throughs of how to exploit systems, hop on SecurityTube and watch the videos. There is no shortage of that type of instruction available, and that is not remotely the purpose of this course.

      Exactly, the OSCP is about the labs, not about you expecting the Offensive guys to ‘learn’ you a lot. You need to do it by yourself. Future customers of Offensive need to understand this before jumping in.

      What do you think a real pen test is like? Do you expect to be able to walk into an organization and completely understand how everything is configured, how their custom in-house applications work, etc., right off the bat?

      You’re currently working on what, 40-50 systems over 90 days? Try hundreds or thousands of systems over five days. There’s always going to be weird stuff you’ve never encountered before, and you need to be able to adapt and get acclimated to that environment quickly. That gets stressful while dealing with fast-approaching deadlines. You can’t just stop when you’re burned out and return to a troublesome system after taking a weekend off.

      While some of the non-standard configurations in this course are frustrating, there’s probably more of that in the real world. Try dealing with NAC or other controls that’ll shut down or temporarily disable your switchport if triggered, or users (surprisingly) taking their system to IS when an exploit unexpectedly triggers an AV alert. Try adding the complexity of things that break after being subjected to a basic nmap scan; I’ve yet to visit a client that provides “revert” functionality (unless you count rebooting the system after yelling at the tester).

      This type of work is rarely easy, things rarely go as expected, and you’re never going to master everything. You can view this as challenging or frustrating, and I think your perspective will really determine how far you’ll go professionally.

      I agree completely with what you write. But you aren’t paying your customers to learn something. I did it to Offensive. But they are lacking that part. They have a good lab and they have a good framework providing that lab. Their marketing text about what you should know before starting this lab is – to say the least – very misleading.

      There’s no way that with basic programming skills and basic Linux and Windows administration skills you are able to pass that lab and test successfully. Maybe somebody has done it, but the other 95% won’t.

      Sorry you Offensive cool-aid drinkers are reading something that you don’t like, but again, I post what I think for future Offensive customers. Let’s say they are warned.

      About the giving up part. That’s not what I did. I hit bottom on the course motivation to do what? Exactly… to get deeper into tunneling and hacking my first tunneled server. On the same day. That doesn’t sound like giving up, does it? Just explain to me why it does.

    • #49032
      tturner
      Participant

      While I have not taken the OSCP curriculum, I have done a lot of other training. My biggest complaint is being spoonfed material. It makes for an easy and fun class but it’s not helpful. When I encounter systems in the real world there is rarely a ready howto that takes into account all the avenues of attack for that system or one that addresses the unique contextual environment of that system. It is for this reason that I intend for OSCP to be one of my next certifications.

      There are plenty of certified pentesters that don’t know how to do more than run automated tools. What you are complaining about is in my opinion the defining characteristic for the OSCP and why it is so well respected in the community. If it is giving you that much heartburn, then perhaps you are pursuing the wrong career path. Pentesting is 60% research, 30% writing reports and only about 10% actual exploitation/post exploitation. (OK my percentages may be a little off but you get the point) If you do not enjoy research then you may want to rethink your career choices.

      *edit* After re-reading this post it appears I am bashing other training providers. That’s not entirely the case, but I wanted to clarify here. I highly value the SANS training I’ve attended, and will usually use them as the de facto technical security training for any of my new hires. But there’s no denying you don’t work as hard for the material. My style of learning is such that anything that causes me significant pain tends to remain in my brain longer.

    • #49033
      sternone
      Participant

      I just warn people who are thinking of getting the OSCP rating that working through their videos and their PDF documents and working their butt off in the lab isn’t going to be enough to pass the OSCP.

      It needs an extremely time-consuming and high individual effort of reading several books and researching on your own without any guidelines from the teaching company, Offensive in this case. You are out there on your own to read the books you ‘think’ are interesting, read the texts you ‘think’ will help you and watch hours of other videos on the internet you found yourself and ‘think’ will help you.

      Remarks from people like you who ‘think’ the OSCP is awesome because they swallowed the marketing of it, and think that it lets you try harder, which is a great thing, but haven’t even tried the OSCP, make no sense at all. I’m not saying that OSCP is not good for you; as I read your signature with all the ratings you already achieved, you are probably in a very much better situation than I am, with no ratings but only programming, Linux and Windows administration experience and a love for security. I would probably first get those 4-letter abbreviations like you have before attempting the OSCP.

      Again, my posts lately are more of a warning to the people considering getting the OSCP. They have to think twice.

    • #49034
      dynamik
      Participant

      It sounds like the core issue here is that there is a significant disparity between the course and your expectations of what the course should be.

      Additionally, I think a lot of us are confused by your “warnings” since everything you’re saying is public knowledge. In terms of the labs and exam, yes, you need to supplement the course with tons of outside resources. Yes, it’s going to be an excruciating experience that you’re going to have to struggle through on your own. Yes, you may be required to make several attempts to pass the exam. None of this is a secret.

      Keep in mind, it is entirely possible to get through the course (PDF/videos) with basic Linux/Windows/programming/networking experience. This will net you the CPEs, general knowledge, and/or whatever else you were hoping to get out of the course. They also make the complete syllabus available on the course page, so you can review that and brush up on any weak areas ahead of time.

      Completely owning the lab networks and passing the exam is an entirely different matter, and doing so will require a great deal of perseverance on your part. This challenge is exactly why the PWB/OSCP experience is viewed as favorably as it is, and why the certification is as highly respected.

      How much did you research the course before taking the plunge? All of this is clearly detailed in nearly every related post in these forums and reviews on the various blogs I’ve seen (OffSec even links to two of them on the OSCP page). I don’t understand why you’re so surprised to find the course as it is.

    • #49035
      hayabusa
      Participant

      sternone – I think you’re being overly critical.  Had you READ any of the previous posts on EH, regarding OSCP, you’d have been warned that there is a LOT of self-study and areas where you’re expected to ‘figure things out’ on your own.  If you didn’t research it first, whose problem is that?  I don’t personally shell out my money, for a course, without having at least a DECENT forewarning of what I’m getting myself into.

      This is the value of the certification.  It truly IS one of very few, on the market, that ultimately WILL reflect real-world situations.  Nobody is going to spoonfeed you, if you’re paid to do a pentest.  If company X hires you, and they have NOTHING that exposes a common vulnerability, you’re going to be all alone.  

      So, you paid Offensive to teach you.  Let me ask you… (and be honest)  Of what they ‘specifically taught you’, per your complaint, how much did you already know?  Was everything you paid for worthless, and common knowledge you already had?  Who, from your high expectations and knowledge, teaches what they taught you, for less?  Just curious.

    • #49036
      hayabusa
      Participant

      It seems that ajohnson and I are on the same page, as our posts hit, simultaneously…

      🙂

    • #49037
      DragonGorge
      Participant

      sternone

      I completely empathize with you re. the port forwarding section. When I went through it I was similarly confused/disappointed by the lack of content.

      However, the later sections aren’t like this. Keep going – it gets better.

    • #49038
      sternone
      Participant

      I’m blown away by the amount of time you need to put into ‘figuring out’ what to learn by yourself, and what pisses me off the most is that they don’t give you the source where to find correct information.

      That is Offensive’s choice and their responsibility. I’m just frustrated and have to undergo it.

      I have read about other people complaining about this very matter.

      Did I learn? Hell yeah I did. It would be strange if I didn’t, having put approximately more than 150 hours of my time into it so far. Is it enough what they give me? NO, AND THAT’S WHAT I’M COMPLAINING ABOUT. I have a feeling I’m at 30% of what I need to know. So my guesstimate would be that a person should be ready to put around 400 to 500 hours of study time into this course to achieve the rating.

      From my experience it takes about double the time to achieve an OSCP rating compared to getting a Cisco CCNA rating.

      I did not complain about paying, I did not complain about the quality of their labs, why do you put this in my mouth?

      What you guys do now, stating that hey, you know what, that’s just your own fault, deal with it, you should be smart enough before, and why are you so stupid to even start this course since you’re not a great pentester yet, is absolutely not in line with what their marketing material states. It states clearly that if you have knowledge of Linux and scripting you should be fine.

      I will tell you: you’re not.

      Well, I will deal with it. No problem. But not without posting about it in this thread about ‘my OSCP journey’.

      Don’t like what you read? Move on, there’s other nice stuff on this forum that’s in line with your dogmas.

      So now I have heard so far:
      1. It’s your own problem, you should be smarter before, even much smarter than we write on our marketing material
      2. You only do it to get adored, maybe I need a shrink ? People making the effort to post on forums only do it because they have to prove something to the world. Is it a phallus problem maybe ?
      3. I’m not reading you anymore because you’re not drinking the cool aid, and that’s your own fault too.
      4. Hey, real pentesting is even harder, why should we have to learn you even more ? Figure it out for yourself dude!

      * TRY HARDER AND SHUT UP *

      Ok guys. I get it.

    • #49039
      hayabusa
      Participant

      Ok…  Enough’s enough.  If you TRULY read what we said, NONE of it was attacking you.  I’ve wished you well, now I’m done with it.  If you have a question on something that I can help you with, I’ll gladly respond.  Otherwise, I’m not going to expend any more time or energy, arguing points that obviously don’t matter.

      Cheers, mate!

    • #49040
      UNIX
      Participant

      @sternone wrote:

      There’s no way that with basic programming skills and basic Linux and Windows administration skills you are able to pass that lab and test successfully. Maybe somebody has done it, but the other 95% won’t.

      The requirements are meant as the things you need to know to get started with the course – not the requirements to pass the exam. You should increase your knowledge throughout the course, so that eventually you can pass the exam.

    • #49041
      impelse
      Participant

      LOL,LOL, LOL

      We all agree that this training is painful and good. Sometimes we get the frustration, for example:

      In the PDF and video there is no mention of any way to do privilege escalation. Sure, when you get a couple of machines in the lab, you get a shell, but with a very low, limited connection, and now what? Begin to google, begin to read different ways until you make it; sometimes you are looking in some place that is bad and you did not learn anything. It is frustrating, but this is the good news: WHEN YOU FIND THE WAY/ANSWER YOU WILL NEVER FORGET IT.

      So in other words they are teaching you how to find a way in, in your mind, with some system you will find in reality. Sure, I myself felt frustration, that’s the reason to try harder….. but later you are strong.

      I spent three weeks on 2 machines with privilege escalation. I did not make it, but I learned a lot about internal processes in Windows (and I am a senior level server admin). Sure, I moved on, but after a while I began to get more ideas; eventually I will get it…… (I added the lab time twice)

    • #49042
      Eleven
      Participant

      So to get to take the OSCP, you have to first take Penetration Testing with BackTrack.  How much does that training cost, and is there a written exam for the OSCP, or is it all a lab?

    • #49043
      hayabusa
      Participant

      The course is PWB (course costs are at the bottom of the page):

      http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/

      The exam is a 24-hour practical, hands-on exam (the only ‘writing’ you’ll submit at the end is documentation of how you did what you did, during the course and exam.)

    • #49044
      Eleven
      Participant

      @hayabusa wrote:

      The course is PWB (course costs are at the bottom of the page):

      http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/

      The exam is a 24-hour practical, hands-on exam (the only ‘writing’ you’ll submit at the end is documentation of how you did what you did, during the course and exam.)

      Crap.  I searched all over http://www.offensive-security.com for it before I asked, and apparently I should have enabled scripts to see it.  😮  

      I used to think GPEN was the best pen testing cert, but OSCP seems the best to me now.  The lab looks like a great way to make sure someone truly understands what they’re doing and how to do it.

    • #49045
      hayabusa
      Participant

      It’s been my personal favorite, so far (except for OSCE, which I’ll be rescheduling an exam for, in the near future.)

      No worries about not spotting it.  Glad I could help.  🙂

    • #49046
      termight
      Participant

      @sternone I understand your frustration. I got to know of OSCP back in the days when it was PWB (2008). During those days I was busy on my Cisco certification track, of which I currently hold the following: CCNA, CCDA, CCNP, CCDP and CCIE-Written, not forgetting my MCSE+sec. I was and still am a Cisco and Microsoft guru, until my company got hacked. I was so embarrassed and frustrated that I quit the job (the reason being I didn’t know what, who and where to start troubleshooting from, because my anti-virus, firewall and all security measures failed me). In 2010 I decided to embark on OSCP, but realizing I have a weakness in programming, I started studying C, Assembly, Linux, Bash and now Python just to get a solid foundation before starting the OSCP. Do you know the number of books I’ve bought, forums I’ve joined etc. just because of OSCP, which I’ll be taking next year even after taking the eCPPT? I always ask myself what I will do with my CCIE certification if I pass the lab and the companies I work for still get hacked. Even the Pentagon, RSA, Microsoft, Amazon etc. do get hacked.

      I think OSCP is not your usual Microsoft and Cisco exam where you study 1 book or CBT and the questions you get in the final exam are about what you learnt from the book. No, with OSCP it is what you get in the real world. Just a little advice: join forums, underground sites, IRC etc., they help.

      After all your effort, if it still doesn’t pay off, I bet you that with the same amount of time and effort you put into OSCP you can pass any CCIE exam on the 1st try.

      Don’t give up, give it a second shot. Money is hard to come by, so don’t let it go.

    • #49047
      sternone
      Participant

      You are a CCIE and passed the practical lab test for the CCIE in one of the CISCO labs worldwide and claim that ‘once you pass the OSCP you can pass any CCIE lab’ ??  😮 😀 😀

      Funny stuff !!!

      Like I said, I guesstimated 400 to 600 hours to pass the OSCP; I think it’s way more to reach a CCIE.

    • #49048
      termight
      Participant

      @sternone wrote:

      You are a CCIE and passed the practical lab test for the CCIE in one of the CISCO labs worldwide and claim that ‘once you pass the OSCP you can pass any CCIE lab’ ??  😮 😀 😀

      Funny stuff !!!

      Like I said, I guesstimated 400 to 600 hours to pass the OSCP; I think it’s way more to reach a CCIE.

      Don’t get me wrong, I am not yet a CCIE, I only passed the written exams. All I’m saying is that with CCIE R&S you only have to study about 13 books, visit forums, and practice, practice and practice. I know many CCIEs who passed the exams on the first try and with one year of preparation. CCIE deals with OSI layers 1-7, starting with the Cisco hardware itself, but with OSCP and real world hacking you deal with different OSs: BSD, Windows, Macs, firewalls, Cisco routers etc. All I say is hacking is more packed than CCIE, so with the effort you put in a year to pass OSCP, with that same effort you can pass CCIE.

      But what happened to you? You created this thread with enthusiasm and even posted snapshots of rooted lab rats. I’m jealous of you, so why are you giving up? Note: there wouldn’t be fun if all fruits were hanging low……… in short, I hope you can guess what I am about to write next: ”T** *a***r”.

    • #49049
      sternone
      Participant

      You need to read better. When did I say I’m giving up?

      The written exam of the CCIE is nothing compared to the lab. The written is just.. the written.

      It’s the CCIE lab that will kill you.

    • #49050
      Catalyst256
      Participant

      Blimey this thread has got big..

      First off sternone, well done on your progress so far you should be proud of what you have achieved.. 🙂

      I’m about 50 days into my lab time, so far I’ve watched about 20% of the videos for the course and only used the PDF as reference material.

      I think I’ve rooted just over 30 boxes now. This isn’t to brag; I’m not a pentester or security expert, this is the first time I’ve EVER tried something like this. My biggest ally (and worst enemy) is Google, and I’ve lost count of the number of hours I’ve spent looking for something to gain access. Even when it’s been staring me in the face I’ve still struggled (man have I struggled).

      My point? The course material is good, but limited (like it’s supposed to be). I’ve learnt more from trial and error or working it out myself than from anywhere else, and for me it’s the best way to learn.

      I’ve spoken to people that have rooted most of the boxes in the labs, it doesn’t bother me, I’m happy with my progress and what I’ve learnt and if I don’t get them all then I don’t get them all, it’s not a race against others on the course it’s a personal challenge.

      If I’m honest, I expect to fail the exam the first time around, and I won’t mind if I do (don’t get me wrong I hope I pass), but this course isn’t easy, nothing I read ahead of starting made it sound easy, but by god it’s fun.

      Anyway, that’s my speech over.. 🙂 My only advice, sternone, would be that regardless of how annoying/frustrating you find the course, enjoy the experience, learn what you can and when in doubt… Try Harder (sorry, couldn’t resist). 🙂

    • #49051
      dynamik
      Participant

      @T3rm1ght wrote:

      But what happened to you, you created this thread with enthusiasm and even posted snapshots of rooted lab rats.

      @sternone wrote:

      When I read about Offsec I said: THIS IS IT! Don’t give me that CEH theoretical bull, I wanna have hands on challenge me that it hurts and I wanna cry stuff !! I ran to get my wallet and ordered my slot right at the spot.

      Seriously. It seems like you’re complaining for getting exactly what you wanted 😉

      @Catalyst256 wrote:

      I’m about 50 days into my lab time, so far I’ve watched about 20% of the videos for the course and only used the PDF as reference material.

      Is there a reason for this? It seems like you’re doing yourself a bit of a disservice and making things unnecessarily difficult. It really doesn’t even take that long to get through.

      @Catalyst256 wrote:

      I think I’ve rooted just over 30 boxes now. This isn’t to brag; I’m not a pentester or security expert, this is the first time I’ve EVER tried something like this. My biggest ally (and worst enemy) is Google, and I’ve lost count of the number of hours I’ve spent looking for something to gain access. Even when it’s been staring me in the face I’ve still struggled (man have I struggled).

      My point? The course material is good, but limited (like it’s supposed to be). I’ve learnt more from trial and error or working it out myself than from anywhere else, and for me it’s the best way to learn.

      I’ve spoken to people that have rooted most of the boxes in the labs, it doesn’t bother me, I’m happy with my progress and what I’ve learnt and if I don’t get them all then I don’t get them all, it’s not a race against others on the course it’s a personal challenge.

      That’s excellent progress. Someone will always be further along than you; there’s definitely no reason that should bother you. If you ever have time to worry about that, spend that time in the lab instead 😉

      Struggling through something is not always enjoyable, but you usually gain a much better understanding of the inner workings of a given technology, and you’re not likely to forget the attack technique. Trial-by-fire is the way to go.

    • #49052
      Catalyst256
      Participant

      The only reason I haven’t read all the material is due to a burning desire to play in the labs, and I learn best by doing instead of reading.

      I had done some of the basics before (nmap scanning that sort of thing) so as soon as I had access I was in the labs scanning and enumerating away.

      I agree things would have been a bit easier if I read the material but we each do things differently and I’ve still enjoyed doing things the hard way.. 🙂

    • #49053
      sternone
      Participant

      I began with digging in the Assembly language books I bought.

      And my mind wanders.. 20 years ago we used a program called SoftICE. Why did that ever stop being the number 1 debugger in this world?

      http://en.wikipedia.org/wiki/SoftICE

      They say business reasons. Nobody’s using assembly debuggers anymore? I think that’s strange, no?

      Is there anyone who used to use SoftICE like me? Or knows more about it?

      Those were the days 🙂  😀

    • #49054
      hayabusa
      Participant

      I did use it, in days past.  Now, for Win32 debugging, I’ve pretty much settled on Immunity’s debugger.

    • #49055
      satish.lx
      Participant

      @sternone – Oh! Man, you refreshed my memory… I was using SoftICE a while ago.. I cracked lots of software license keys, cracked games etc.. Just for fun.. I thought SoftICE got obsolete because I never heard about it from anybody.. You are the second person; the first I am.. myself. lol 🙂

Copyright ©2020 Caendra, Inc.