I finished my Bachelor's Degree in Computer Science in 1999. Since then, I have spent most of my time as a web application developer, eventually becoming a Java application architect. I have also been a database administrator on Oracle, SQL Server and MySQL. Finally, I have been a business analyst (I hate this job), a team lead, a project manager and even an assistant director (4-month replacement)!
After school, I never stopped studying. I started a Master's in Computer Science (Distributed Algorithms) that I didn't finish (2 babies arrived in the middle of it...). I hold 3 certifications: Project Management Professional (PMP), GSEC and CEH.
I started my own company more than 3 years ago. I now do consulting as a Java system architect.
All that to say that I am not 17 years old (I am 34!) and I am very serious when I start something.
IT Security path
After 10 years as a web apps developer, I needed another challenge. I was hesitating between 3 things: 1) IT Sec, 2) developing my own application and 3) becoming a full-time woodworker and building kitchen cabinets! (I am currently building mine...). I gave myself a full year to investigate these three options. But after 6 months, it became clear to me that: 1) I L-O-V-E IT Sec!!, 2) after 3 prototypes of applications (2 Xbox 360 games and a web app scanner) --> postponed to the future, 3) woodworking will be my hobby. So go for IT Sec!
Although I was always interested in IT Security, I really started to study this topic in February 2009. And up to August 2009, I was more "poking" around to find out if I really wanted to do that. Defcon 17 (July/August 2009) was a revelation to me! So since then, I have spent an enormous amount of time studying. And by that, I mean an average of 2 hours a day for a full year! To me, this isn't work, it is a game! I love it!
I studied for CEH and GSEC more or less at the same time. I wrote both exams with only 8 days between the two (January 2010). After that, I started Penetration testing With Backtrack (PWB) in March of this year.
Penetration testing With Backtrack (PWB)
What a great course! Nothing compares to this. Really, this is the best way for me to learn. Period. This forum is full of reviews about this course and my post is becoming quite long, so I will keep it short. I would give a 95% mark to this great and excellent course.
Preparation for the OSCP exam
I have been through the PWBv3 videos 3 times.
The first time, I just sat down, relaxed and enjoyed all the information coming at me. My goal was to get an overview of all the material.
Then, I did all the "normal" exercises. I went into the lab and hacked my way into something like 8 machines. Things were becoming tougher, so I decided to go through the videos again.
The third time I watched the videos, I did all the "Extra Mile" exercises, read the 400-page-long PDF (many things aren't in the videos!) and hacked a total of 18 machines, including pivoting into other subnets. I also took a total of 120 days of lab time!!!
At this point, I had learned a gigantic amount of stuff. I became good at writing Python scripts and I developed my own pen testing methodology. At the end, I was randomly choosing a machine in the lab and I could hack it in about 2 hours (my last 6 targets took me about 2 hours each). So I figured it was time for me to challenge the OSCP exam.
OSCP: First attempt
I cannot say anything regarding the exam, but my own vision of it is that it is much tougher than the machines in the lab. In the lab, the Offensive Security team says that there are always at least 2 different ways of pwning a box. Maybe it is not the case for the exam? I can't tell. Also, I never spent more than 5 or 6 hours straight in the lab. In the exam, after 20 hours, you start to make stupid mistakes... But anyway, I got a mark of 60% (you need 70% to pass!).
OSCP: Second attempt
I then realized that I needed more tools in my toolbox. So right after this exam, I focused big time on what I had missed. By far the biggest thing was privilege escalation. So I spent a lot of time on this. Then, a little bit more than 2 weeks after the first attempt, I tried it again.
After 45 minutes into this second exam, I already had 60 points (I'll let you make the connection with the first attempt...). So first, I was a bit disappointed to get a "similar" exam. Then I thought that I would go for 100%. But after 24 intense hours of hard work, I failed it again... Mark: 60%.
My first failure was tough to take, but this one was very difficult. Other than OSCP, I have failed 2 exams in my entire life (1 at the university, and CEH because I studied the wrong material...)! I spent 16 hours trying to convert a shell into root/admin and couldn't do it! At this point, I was ready to give up on OSCP...
OSCP: Third attempt
Two and a half months after the second attempt, I gave it a third try. After three times, even if you get a 100% mark, you would still have a bitter taste in your mouth. So between the second and the third attempt, I read my scans 20 times, installed new VMs in my lab and added more tools to my toolbox. Believe me, you can ask me any question related to the course material and I would know the answer. In addition, I have practiced them all many times.
So I got my exam yesterday morning and it was tougher! Only one of my previous tricks worked and after 9 hours, I only had 10 points. So I stopped and called it a day.
My personal opinion
• PWBv3 is an excellent course, close to being perfect. But the certification exam requires you to know (and master!) way more than what is in the course. I would say the course, including the lab and the exercises, covers about 60% of the exam. Again, this is my personal subjective opinion!
• I don't think the exam is a faithful representation of a real pen test for many reasons: 1) You can't use a vulnerability scanner; 2) You can only use Metasploit once and can't use Core Impact, etc.; 3) You cannot do reconnaissance; 4) Many old and vulnerable services are installed but hardened in the backend. This creates many dead-ends; 5) No firewalls/IDS/IPS block you (good for students but not real-life...); 6) You have to do everything in 24 hours.
• Also, if I was doing a real pen test, I am pretty sure I would have done a very good job! I mean when you have a shell or you are able to dump the backend database, crash an application or even just show exploits for vulnerable services, you have already done a lot! In real life, you don't get half the points for "only" having a shell...
• The course lacks two things: 1) Privilege escalation techniques and 2) Penetration testing methodology. Otherwise, great course!
• The lab machines are easier to hack than the ones in the exam. Again, my humble opinion.
• This great certification should maybe be separated from the course. So anyone could go straight to the exam if they are already experts. This way, if the course doesn't teach you everything you need to know, then it is ok.
• People with a server admin background are definitely starting way ahead of network people and developers...
Although failing exams is never a good feeling, I am not frustrated at all. I have learned so much. I don't have the certification, but I got knowledge now, which will help me continue in this field. After all, my ultimate goal is not doing a pen test of networks, but to pen test web applications. So I will probably continue on my learning path and move on from OSCP. I may give it a try in a few years, but for now, I need to move on.
Thanks for reading this rather long post!