When I became one of the lucky winners of the EH.net Offensive Security prize giveaway I got the feeling I had to do something in return. Let's start with a big thank you to Donald who made all this possible: thank you.
When I decided to write down my experiences with this course I created a new file on my desktop and paused to think of an appropriate name. Since I did not want to write just another review, but provide something extra, I hesitated after I typed PWB REVIEW. Because I want it to be more than a review, I had to come up with a different name. The first option that came to mind was PWB blog, because I tend to write short pieces throughout the course to take you all in on the journey that lies ahead of me, but I did not find it the right term to use. It came to mind when I thought of my earlier days when I had the time to play video games (all good things come to an end). I remember playing games like Resident Evil with a stack of printed papers next to me, telling me what to do at a certain point in the game. These documents are called walkthroughs. Now don't get me wrong, I will not help you pass this course or tell you detailed inside information about the course/exam itself, but I will tell you how I got from the point of deciding to take the course to the point of getting back my results from the test, which are hopefully high enough to pass.
Before you continue reading, I want to state that this walkthrough is published as is. Sometimes I will look back and change a few words or so, but I hope that in the end I will have a representative version that can truly add something to the existing information that is already at hand. I also hope I will continue to have the time to update it and keep everybody interested during the process and in the final result. Please keep in mind that this is my first encounter with writing something (hopefully) worth publishing in any form, so any comment is welcome and appreciated!
First let's start with the big question: are you ready to start with this course? The course is not your average certification or exam you might have taken before. The experience I have is with both self study and courses, but I knew from the start that this would not help me with this course. My current knowledge is based on my ISC2 associate certification and my CEH certification. Since I did the "ISC2 Associate" exam by self study I can only compare it with the actual exam. This consists, as you may know, of 250 multiple choice questions which you have to complete within 6 hours, and score more than 70% to pass. CEH is exam-wise not much different: 150 multiple choice questions in 4 hours and also a score of 70% or higher to pass. The 6 day course I took for CEH consisted of a lot of theoretical information with some time to play with tools on the side to get a feeling for how these techniques are applied in the real world. CEH really puts you in the ethical hacker thinking mode. Now most certificates are this way, but I knew from the start PWB is completely different. I think the PWB course is perfect if you think you have enough theoretical knowledge about ethical hacking and want to turn this into practical experience!
The approach for this course used by Offensive Security is that learning for this certificate will be "hands on" as much as possible. This makes it perfect for people that already have some experience or obtained some sort of certification in the penetration testing field. This also makes PWB less suitable for people that do not already have experience or some other, more theoretical certificate in this field. The study material consists of a syllabus that is used to guide you through the required learning material, which is backed up by videos that can be downloaded from their virtual lab. Yes, you also get access through a VPN to a virtual lab where you can immediately try out your freshly obtained hacking skills. There are multiple vulnerable systems with different operating systems that are hooked together within multiple infrastructures. This gives you a big playground to poke around in without doing any harm. The exam will also be held in your virtual lab. Your objective is to break into an extra secured part of the network and gain access to the main computer. After this you will, just like in real life, report your findings in a penetration test report that will represent your exam. This will be scored on several points like success, documentation and completion. There is also another factor to make it more interesting: time! The penetration test must be finished within 24 hours. After this you get another 24 hours to finish up your report instead of sending in just loose notes. If you succeed you may add the OSCP (Offensive Security Certified Professional) title to your name. This wraps up about all there is to know about the course itself. So what is the first step to become an OSCP? That's right, registering!
Registering was a little different because of the "me winning the course" element, but some parts are the same for you if you decide to start the course. First you register through the website with a valid, non-free email address so the people at OffSec can validate your identity and do some background checks if needed. I received a mail that my ISP email address was not sufficient, and they needed another email address to complete my registration. If this fails, so I was told by the email, they would require a scanned copy of my ID. The second email I provided seemed sufficient to prove my identity, so we are ready for the next step. After this you receive an email with credentials to a test account where you can test your connectivity to the VPN server. There is a link provided to a connectivity guide if you don't know how to test it. Here you can also get a copy of BackTrack that is tweaked for the course. Since I received this email on Friday after work time on my work address, I missed the 48h window in which the account needs to be tested. After sending an email explaining my situation I was supported nicely by one of the OffSec employees, who extended my test credentials for another 24 hours. I received an email back within a working day, so the help service at OffSec is good. When you have tested the connection to the VPN server you can continue with registering for the course. The advice here is to have a decent computer (you will probably run the BackTrack image you downloaded in VMware or VirtualBox, so make sure you have sufficient memory and processing power) and internet connection (since you will be downloading some videos). After supplying the necessary details you get to choose your payment options, which consist of either PayPal or Master/Visa. Since I had a voucher code I don't have any experience with the actual payment process, so you are on your own on this one.
After payment you receive a mail that registration was successful and you will receive another mail with credentials when the course starts. On to the course!
After receiving the confirmation mail on the starting day of the course, which by the way was nicely on time, I logged in to the VPN with the credentials provided. The first thing I noticed was the presence of a web-based "dashboard" which provides a nice overview of your personal information. It gives a heads up on the status of the systems available, and the possibility to reset any changes you made on the host servers if you happen to break them. It also lets you control the Windows XP rig that you may use to test things locally. Here you have the option to reset the password, or completely reset the system if you wrecked it beyond repair. Going by the list of servers you can reset in the dashboard, there are about 20 servers that can be exploited. No additional information is displayed, but that is of course the challenge of the course. Another neat function is the possibility to see how your progress is doing. The network is divided into 4 different LANs. You already have access to the first one, but the objective is of course to get access to all of them. If you hack specific servers in a particular network you can download MD5 hashes which can be used to update the status in your dashboard. There is also a hash brute forcer at hand on one of the servers, so you can use that if you are in need of some computing power. After seeing the dashboard and the servers that are available my first impression was: this network is HUGE! At first it is hard to get a good overview of the entire VPN, but after a while you get a pretty clear picture of the complete network at hand. So much to play with, so little time...
After finishing the first 5 modules it is time to post my first impressions about the exercises. At this point I have not played in the lab much because of the nature of the first modules. As many of you might know, the first modules teach you some BackTrack basics, bash/shell scripting, information gathering techniques and port scanning. The list of modules can be downloaded from the Offensive Security website, so I suggest you have a look at it to see what you can expect from the topics addressed if you are interested. You can either follow the course guide provided, or let the lab videos guide you through; just remember that they complement each other, so don't just go blind with one or the other. Another trap is wanting to go too fast. I for example thought after the first port scans it would be a walk in the park and soon found myself trying all kinds of attacks (which got me nowhere because they were either too simple, too difficult or not in scope at all) without even looking at the course material. This might work if you are lucky, but it is not the intention of the course. The first module teaches some basic shell scripting while getting familiar with the virtual lab. From this point on I knew that my weak point (wait... let's stick with complete lack) of programming/scripting skills would come back to haunt me. Nonetheless it took me just a little bit longer than the average person to complete the exercises (I think), but those credits go to Muts for doing a hell of a job explaining things and taking you step by step through example exercises. At some point I found myself stuck in a part I didn't have any prior knowledge about, and the help forums came up with just the right pointers to get me going again. There is tons of information there you can use with the exercises, so if you cannot make it on your own, there is enough information available to keep you going. Despite my lack of programming/scripting knowledge, I find the exercises fun to do.
I cannot wait to get started with the real lab exercises and to start hacking away on all those victims just sitting there waiting for me to come along. I wonder how much knowledge and time is needed to, as I phrase it from Pokémon: gotta catch 'em all! Another great part of the course is that you are forced to document your findings within the labs carefully because every piece of information is needed for your pentest report. This gives you a great overview and in-depth knowledge about the network at hand. I generally like the way the course is put together and the way you are escorted through the modules. This gives you a confident feeling and makes you think you can hack the planet! (But let's stick with the lab for now.)
I finished all the modules that are covered in the videos and skipped at a fast pace through the last ones in the lab guide. Some topics were completely new for me, like ARP spoofing, buffer overflows and client side attacks. Thanks to the good and simple explanation that takes you step by step through the process I managed to get through them with success. The further I got in the course, the more I was amazed by the knowledge that the course comprehends (and I lack). I want to give massive kudos to the Offensive Security team for this course. You know you are watching/learning from true professionals when they master the difficulty of the art, but make it look easy. This is exactly what they do.
After finishing the modules I started to review the information about the labs that you collect through the exercises. The reconnaissance part gives you heaps of info about the targets in the labs, but I found out quickly enough that I had to start documenting properly. I started with putting all the important information I gathered in the sample test report you receive at the start of the course. This helps in getting that overview of the target and lets you set that aim for your first targets. I tried to spend a full day in the week on this course doing exercises and practicing, and an hour a day to read/watch the material. At this point I am halfway through the 60 days I have, so I recommend everybody to take the 60 day course.
Now we have got that out of the way it is time for the interesting part: the lab machines! At this point I have only spent a few hours in the lab, which comes to about the 24h you need for the exam. At this point I have targeted about three machines. Results? Nothing! Remember that feeling I talked about earlier that you can hack the planet? This gets shot into a thousand pieces when you actually start on the lab. At first this got me (and still does a little) really frustrated and insecure about my freshly acquired knowledge, but then again, if it were a walk in the park everybody would be OSCP certified.
At this point I can identify most of the vulnerabilities that the machines have, and theoretically explain how to exploit them, but when I try the exploits that are discussed in the material in practice I always seem to find a little twist that makes it not work the way it is supposed to. The frustration I got with this experience quickly turned into motivation to try harder and get as far as possible in the labs. I got this feeling that once you have hacked your first one, the next few will come within no time, and guess what: I was right! After spending another few hours in the lab I managed to get into a few machines! I see that the difficulty of the machines varies from 1-click hacks to almost impossible. All I can think of now is that this is more challenging and, most importantly, more fun than I could imagine! This is like playing around in the biggest playground there is, and getting certified at the same time. Once you have experienced this you will never want to take a normal certification course again!
Hacking along and preparing for certification
OK, my lab time is officially over. I managed to get into about 60% of the hosts, which leaves me with an unsatisfying feeling. If I had known the lab was going to be this big and hard I would have started way earlier than I did. I spent the first half working through the material, which I could have combined with playing around in the lab, but didn't. I suggest starting immediately if you want to get into the other subnets, and make sure you get at least the 60 day course. The skill level of the lab differs from click-and-hack to complete manual procedures, which makes it a pleasant environment to play in for everyone. You are certain to find a challenge regardless of the skill level you have prior to the course.
This brings me to one of the most burning questions at the moment: how hard is OSCP and is it suitable for beginners? I would say NO. If you have no prior knowledge in pentesting/ethical hacking this will knock you down and leave you in the gutter. Unless you have acquired the techniques of hacking and know how to penetrate systems you will have a very difficult time gaining the knowledge required to do well in the labs. I'm not saying it's wasted time, because you will learn (a lot!), and if you have sufficient time you probably will have a decent chance to pass. I found it hard to find time because of my new job, which kept me pretty busy, and I guess you will have occupations too, so keep that in mind. Compared to CEH, wait... what is there to compare? I thought about this for a long time but I can't seem to find any similarities between the two courses. The only way to describe it is as follows: CEH: start talking it. OSCP: start doing it!
At this point I am working on the report that you will need to hand in once the exam is finished. I am describing all the hacks I made within the labs and the exercises I made during the course. Remember to make it as complete as possible to make it look just like a real pentest report. I planned my exam somewhere next month; this gives me some time to go over the material again and to put in some work on some of the extra mile challenges to make sure I completely understand all the techniques mentioned. I have no idea what to expect, but I am preparing for hell! Wish me luck!
Last update before the exam:
This is my last update before I take the exam this weekend. It will be less informative than the previous posts I made, but I want to give you all a view on how I stand towards the exam, mentally. I can't stop thinking about the score hit monkey got on his first try. I believe we are skill-wise pretty equal. Given the fact that I have only been in security for about 1.5 years now, I almost can't believe how far I have already come, but the big question is: will it be enough? I really want to pass the exam just to prove I learned all these skills and that I can put them to use.
At this moment I feel pretty confident about the knowledge I have obtained. The one thing that worries me most is the time window in which I have to operate. Because I am on almost the other side of the earth, none of the starting times are great. You have the option of choosing several starting times going from 4pm to about 10pm. This means you will have to pull an all-nighter, no matter how good you are. This gives the whole experience a nice ring to it though. Pulling an all-nighter just like real hackers do in movies. Can you imagine the dark room, lit by just a computer screen, and the only sound you hear is the soft ticking of the keyboard and the brain cracking of a hacker that is working his ass off to get that root shell? Just thinking about it makes me all hyped up to get started! Luckily I took a day off (sort of) so I can prepare myself for this. I'm planning on getting plenty of food and drinks (caffeine is your friend in such situations) so I don't have to waste any time on less important things like whether I have enough to fuel my body for this experience.
After practicing in the labs I found out that if I really put myself to it, I can hack most of the hosts without any real problem. The only thing is that when I do, I don't have a time limit in which I have to finish. Some of the hosts took me a really long time because of the extra knowledge required to make the actual hack. Luckily not everything is chewed out, so you really have to think on your own to achieve the result wanted. Because of my slim pre-knowledge this takes me longer than someone who has more experience. The best advice in these situations IS just to try harder. In the end I get there, but with significantly more time and effort. I think time will be my biggest enemy. Wish me luck and I will post my post-exam experience when I'm ready to do something else besides sleeping.
Results are in:
I got Pwnd...
No seriously... like a script kiddie. I can't really figure out what happened. Maybe it was the long night, the fact that I was more nervous than a bouncing toothpick, or perhaps just lack of skill? Anyway, the mail was right on time, I logged in, started on the first host and bam! 5 hours gone. I was almost there but decided to let it go because time was ticking. I went for the other hosts, where I pretty quickly got a shell on one of them, but spent hours trying to make it a root one. No luck. The other hosts were just playing with me. I found several vulnerable services, but somehow I couldn't get that shell. And then, time's up. I got nothing! No shell, no exploit that worked for me. Perhaps this was where my lack of programming skills came in. I spent too much time figuring out how to make the exploits run, let alone whether they worked. I feel defeated, almost humiliated. Even though somewhere I keep thinking wow, I can't believe how much I have learned in the past couple of months. At this point I'm having trouble being enthusiastic about it, but that's just to blame on the exam results, and the 3h of sleep I got.
I expected it to be hard. Heck, I was even sure I would need all the luck in the world to pass, but this result left me bedazzled. I guess this closes the ever ongoing CEH vs OSCP debate. Even if you can pass the CEH exam with two fingers up your nose, OSCP is a whole different ballgame. This certification truly separates the men from the boys.
The positive thing about this is that now I know where my weak points are. I will work on them first, expand my skills further, become more knowledgeable and eventually I will succeed. I have never given up on anything in my life, and this will not become my first. I feel there is no point in taking the exam again any time soon, but when I feel I have progressed both skill and time wise, I will be ready for the biggest challenge of my life once more... I wish we could end this walkthrough with better news, but hey, guess I just have to: try harder...
Exam retake time...
Let's cut the crap about how nervous I was and uncertain whether I would finally make it: I PASSED! I can't describe how happy I am that all that hard work finally paid off. I did a lot of research on the parts I messed up the first time, and after a lot of reading, practice and hard work all my effort got me where I wanted to be: an OSCP.
Like I said before, time was my greatest enemy. It took me a heck of a long time to get from the steps that I wanted to take to the commands to get them done. When I stumbled upon a nasty twist it just took me too long to figure it out, and that is mainly to blame on the fact that I'm quite new to the game. I really enjoyed every minute of it. It is a great course where you will learn more than in any other certification course, for sure. The material is clear, to the point, very understandable for all skill levels, and I recommend that if you decide to only do the exam, you take the course anyway just to get an idea of what you can expect. Besides that it is just plain fun to play around in a lab like that. The only remark I have is that the exam could be a little bit more in line with the course, because some techniques I needed in the exam were not mentioned in the course. After all, an exam is there to test whether you master the material. However, you should be prepared to take the exam journey alone, because no matter how hard you try, nobody from the forums or IRC channel will help you.
I am hooked on the way Offensive Security makes you think and work on your own. I discovered you can talk all you want about tools, techniques and hacking in general, but you will only truly master it by doing it. I hope you had as much fun reading this as I had writing it, and do not be afraid to ask any questions about the course and exam. I would like to thank the guys at Offensive Security for this wonderful experience that will stay with me forever, the admins at the IRC channel for being patient with me and leaving me all by myself in that pit full of lions, snakes and other animals you do not want to be alone with, and last but certainly not least, EH.net and in particular Don, for making all this possible for people like me, and by that I mean all of us. Thank you.
If anybody (Don or the guys at OffSec) has any remarks about this, please contact me!
Earning my stripes appears to be a road I must travel alone... with a little help from EH.net.