
Anyone did OSCE (CTP) ?

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed May 19, 2010 7:59 am

Anyone did OSCE (CTP) ?

Hey,

I am almost done doing OSCP and I love it. I would like to start OSCE in early fall. Did anyone on this forum complete the CTP course and pass the OSCE certification?

I am curious to hear some review/feedback.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Aug 17, 2010 9:58 am

Re: Anyone did OSCE (CTP) ?

I recently did the course and I can only say good things about it.

Cracking the Perimeter is a journey of practical hacking combined with imaginative thinking, allowing you to perform complex hacks in order to, yes, penetrate / crack the perimeter.

Even within the Web Application Security part I learned something new and during the rest of the course I learned a lot about shellcode, overflows, and everything else mentioned on their website which is a must to know (in hardcore depth) if you want to pass the certification.

I used many hours within the labs where I made sure to learn everything I could and more about the course material.

I don't think anyone will regret doing this course, cause it's probably one of the hardest if not the hardest certification to achieve at the moment  ;)
Last edited by MaXe on Tue Aug 17, 2010 10:04 am, edited 1 time in total.
I'm an InterN0T'er

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 17, 2010 3:28 pm

Re: Anyone did OSCE (CTP) ?

Welcome to the forums MaXe!

Can you give any required skills/recommended resources to fill in the gaps between the OSCP and OSCE? It was my impression that the OSCE was significantly more advanced, and it wasn't intended to simply be a natural continuation of the OSCP.
The day you stop learning is the day you start becoming obsolete.

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue Aug 17, 2010 5:32 pm

Re: Anyone did OSCE (CTP) ?

I start on the 29th, so I'll be sure to try to fill in the blanks as I go. I haven't done OSCP, so taking on the OSCE was a little intimidating. I finally decided that I had enough interest in the topic to invest the time and enough background to not be wasting my money, so I bit the bullet and went for it. I'll post back by mid September and let you know if I think it was a mistake.

If anyone can share some insight (besides what's in the syllabus), please do so.  I've already paid, so I'm stuck, but I would like to know about others' experiences. 

I made the decision after hearing the same thing as MaXe said echoed by everyone who had taken the course (I won't regret it).
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 17, 2010 7:03 pm

Re: Anyone did OSCE (CTP) ?

While I've not paid for it, yet (and won't be until my medical situation is squared away and I'm off these darned meds,) this one is on my list, for one of my next certs to do.  So by all means, let us know what you think of it, former33t (and any others who challenge the course.)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Aug 20, 2010 6:45 am

Re: Anyone did OSCE (CTP) ?

@dynamik: The syllabus gives an idea of what to expect: http://www.offensive-security.com/docum ... llabus.pdf and you should be able to complete http://fc4.me/ as well. You can try out the FC4.me challenge without registering.

The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html
-- Have a good understanding of how the HTTP protocol works.

- Stack Buffer Overflows with and without SEH overwrites
-- You'll learn a lot about overflows in the PWB course but there are other resources available too.
-- You should be able to understand this perfectly: http://forum.intern0t.net/cinema/video-21/
(Here's an article about this old exploit: http://en.wikibooks.org/wiki/Metasploit ... owsExploit )

- Shellcode and Assembly Instructions / Opcodes
-- You should be able to write simple shellcode or be ready to become dedicated to write your own shellcode.
-- If you're not a shellcode "writer" you should be ready to manually write it yourself.
(Metasploit can't always help you in cases where you must use advanced methods.)

- Generic knowledge about networks and other protocols
-- You should know how the TCP/IP (and UDP) protocols function though you don't have to be an engineer.
-- Have a basic understanding of spoofing and man-in-the-middle attacks.

Note: Knowing a scripting language such as Python, Perl or perhaps PHP (CLI) is a good idea too.

You should also have a lot of patience, the will to learn new topics (in-depth, don't avoid any of the exercises) and have a lot of time you can use in the labs to study the course material and the following exercises.

If you choose 30 days it may be some very intensive 30 days, and if you choose 60 days then you should be able to have spare time in between. (I did this course after work in case you wonder.)


About the examination, well I won't disclose too many details on that. But everything covered in the course is only the beginning and you should therefore dedicate a lot of time to learn Web Application Security and Software Exploitation / Security in-depth. (This includes self-written (custom) optimized shellcode and a lot more!)

One shouldn't be intimidated by these facts, because it is one of the greatest journeys I've ever taken and I believe it really is one of the toughest if not the toughest certification at this date. If you have this certification, then I know you're above average within IT-security / Hacking  ;)


@former33t: I haven't done the PWB Course nor the OSCP examination, but it is possible to do and understand the CTP course if you have a good understanding about IT-security / Hacking. You won't regret this course ;-)
I'm an InterN0T'er

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Aug 20, 2010 8:02 am

Re: Anyone did OSCE (CTP) ?

Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html
-- Have a good understanding of how the HTTP protocol works.


I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Aug 20, 2010 8:38 am

Re: Anyone did OSCE (CTP) ?

H1t M0nk3y wrote: Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

You will be fine tomorrow in your challenge.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Aug 20, 2010 8:40 am

Re: Anyone did OSCE (CTP) ?

Thanks impelse.

I am almost ready now. Just one or two things to read and practice and I relax until the exam.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Aug 20, 2010 9:29 am

Re: Anyone did OSCE (CTP) ?

Yep... relax!  ;)  Let us know how it goes.  Excited for you.  It's quite an experience!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Aug 20, 2010 9:31 am

Re: Anyone did OSCE (CTP) ?

Thanks for the feedback, MaXe.

I got through their registration challenge quickly, but I really don't want it to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on the shellcoding/exploit development side of things.
The day you stop learning is the day you start becoming obsolete.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Aug 20, 2010 9:48 am

Re: Anyone did OSCE (CTP) ?

H1t M0nk3y wrote: Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html
-- Have a good understanding of how the HTTP protocol works.


I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?




Thanks and good luck!

The CTP course will give you some ideas about Web Application Security in-depth and the examination will prove that point, but it does not cover everything there is and you should have a very good base either from another certification or by self-study.

I don't know of any certifications within Web App Sec that are worth doing but I'll be glad to hear of any  ;)


dynamik wrote: Thanks for the feedback, MaXe.

I got through their registration challenge quickly, but I really don't want it to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on the shellcoding/exploit development side of things.


Sounds good, but you should focus on learning more about Exploit Development then and of course Shellcoding even though most of this is covered within the course quite well (don't forget to use the forums too). I can't say that you'll know everything about exploit development after the CTP course, cause you won't but you'll have a better understanding especially if you've played with a few simple Stack Overflows in the past ;)


Note: Nothing within the CTP course and the OSCE examination is impossible to do, but it is quite hard. (Especially the exam.)
Last edited by MaXe on Fri Aug 20, 2010 9:55 am, edited 1 time in total.
I'm an InterN0T'er

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Aug 20, 2010 10:02 am

Re: Anyone did OSCE (CTP) ?

Oh yea, I've got Gray Hat Hacking, The Shellcoder's Handbook, and Hacking: The Art of Exploitation on my reading list. I fully intend on being prepared.

Thanks again for the feedback :)
The day you stop learning is the day you start becoming obsolete.

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri Aug 20, 2010 10:36 am

Re: Anyone did OSCE (CTP) ?

@dynamik
Nothing related to this thread, but just wanted to tell you that if you ever start learning from The Shellcoder's Handbook, use an old distro for the first 4-5 chapters. Preferably Redhat Linux 8 and above.
The examples used in these chapters assume that you've absolutely no protection enabled in your system: NX bits, ASLR... Even Redhat Linux 9 uses ASLR, which is built into the kernel and can't be disabled, and so you won't be able to use it for a LOT of exploits.
The majority of these protections can be disabled in the current distributions, but there are still hidden elements which prevent your code from working properly. I learned all of this the hard way :-[

It's still fun to first test your code in an old distro and then try to make it work in the newer ones :P

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Aug 20, 2010 11:02 am

Re: Anyone did OSCE (CTP) ?

I think I saw you make note of that before, but thanks for the reminder :)
The day you stop learning is the day you start becoming obsolete.