Sorry I haven't been active much on here for the past couple of days. Last Thursday I opted for the Offensive-Security Certified Professional certification. For those of you who don't know, Offensive-Security is a company offering hands-on penetration testing courses utilizing the Linux distribution BackTrack. A majority of these people are core developers of the BackTrack Live CD, which is a must for anyone interested in Network Security. They offer courses known as WiFu, which is dedicated towards Wireless Access Point Auditing using the Aircrack-ng suite; Penetration with BackTrack (previously known as Offensive-Security 101), which is dedicated toward network penetration testing; Cracking the Perimeter (CTP), which is most likely one of the most advanced hardcore hacking classes out there; and their instructor-led course Advanced Windows Exploitation (AWE), which is based around the course's name.
I officially enrolled in Penetration with BackTrack v3 early February and signed up for the first day that the class began (March 21st, 2010). I originally purchased 60 days lab access.
Prior to walking into the course, I had been using BackTrack ever since its version 2 release back in 2007. The course requires a basic prerequisite of basic familiar skills & networking knowledge. My background walking in was that I had a solid programming background as well as good Metasploit, Nmap, Password-Based Attacks & Information Gathering skills. I had also played around a little bit with replicating Buffer Overflow exercises. I figured since Ryan Linn did a solid review of the Penetration Testing with BackTrack v2 course, which basically reflected my opinions of the course, I would save myself some time and give out my commentary on the newly updated sections in the course: the Linux buffer overflow module they added & the web application attack vectors they added. I also figured I'd add in my experience about the exam as well as some minor critiques of the course.
First off, the whole course itself is amazing. I felt the labs definitely helped prep me for the exam, and while I didn't finish all of the Extra Mile optional exercises, these really did come in handy. The Linux Buffer Overflow section walked through exploitation of a Linux application and debugging it with the famous Linux debugger gdb. My syntax with this tool was pretty rusty, but I found a useful demonstration of it on securitytube (which I'll be posting after this short review). The Linux buffer overflow section even includes a section on avoiding Address Space Layout Randomization (ASLR), which I thought was pretty neat. The entire section on Win32 Exploitation was pretty solid, and the Windows application we broke was straightforward enough that even beginners with little or no programming experience would be able to follow (with some minor reference links).
The web application attack vector section was pretty strong. Muts and the gang prepared a vulnerable web application for the course which was susceptible to SQL Injection, Local and Remote File Inclusion and Cross Site Scripting (XSS). This is where I took advantage of the time to pick up on some of these skills. The vulnerable web app helped me out a lot because I hadn't played with too many web application attack vectors in the past at all. I was also able to download the web application locally and use XAMPP Lite to practice the attacks when I ran out of lab time. The videos walked through MSSQL and MySQL Injection, a brief demonstration and usage of SQLMap, browser redirection & cookie stealing, LFI and RFI. I was able to pick up on the SQL Injection stuff pretty effectively since I had SQL experience from a class I had taken. This section was very solid.
What really made the course enjoyable was the fact that they've made the network simulate a real live attack environment. The offsec guys have written scripts that automate tasks that everyday users would do (like browse to pages, check e-mails, etc.) and you're able to pull off cleverly crafted client-side attacks. This was pretty neat considering you were able to build up your client-side attack skills in real-life-like scenarios. The lab itself is large, with well over 40 machines spread out over 4 subnets for you to penetrate. Machines on the lab were Windows boxes (I remember seeing a Windows 7 machine or two, a few Vista boxes & Server 2008 machines as well as your standard Windows XP machines & 2003 servers, etc.), as well as Linux machines. I even came across a Mac OS machine in the lab, but wasn't able to break it.
Another thing that made things more simple is that once you're signed up, you're given a control panel where you're allowed to revert machines on the network within 30 seconds. Doing this you were able to restore the lab machines back to their initial state, then you'd be able to attack them again. I found myself doing this a lot throughout the course, especially on machines where services would freeze up and remote exploits wouldn't get through. A majority of the operators on their IRC channel #offsec are pretty helpful, but there were a couple I stayed away from when I needed help. Of course, within the first week of the class I got used to hearing the words "Try Harder" so much that I'd wake up every night thinking the Offensive-Security team was in my house right beside me (just joking).
One more new feature of Penetration Testing with BackTrack was the overall final report. This had to be turned in with your notes for the course (which were taken with an application called Leo or Basket). I personally worked on the report for about 20-30 hours and it came out to an 85-page PDF file. The offsec guys give you a link to a sample demo report and I worked off of that. The report is pretty straightforward and formal. Mine consisted of ports and services enumerated from the lab machines I had penetrated successfully along with the vulnerability exploited, a paragraph explaining the steps I used to gain entry to the machine, a recommended fix to attempt to patch the issue as well as a severity level, a proof-of-concept link if a public exploit was used and a screenshot for proof I gained access to the machine. I also had an appendix section for files retrieved from the machines penetrated and more. Toward the end of my 60 lab days I wanted my report to look pretty good. I also failed to use every single one of my days, so I figured I would re-up on 15 extra lab days. I figured this would give me time to go back and penetrate the machines I had hit, take screenshots for the report and go after some of the ones I missed.
My official exam date was scheduled almost a week after my 15 lab days expired. In between those days I worked on the report and practiced breaking the vulnerable web application that came with the course on one of my local virtual machines. Finally Wednesday hit, the day before the exam. The exam itself is a 24-hour hands-on practical challenge, and believe me, some have taken that long. I was sure to stock up on enough caffeine (Monster energy drinks) the day before the exam, just to make sure I would be able to stay up for the challenge.
About 5 minutes from my scheduled challenge I received my OSCP exam connection pack, which allowed me to VPN into the exam network where all the machines I had to hit reside. At first it came to me as a relief. Seeing all of the machines on the same network meant I wouldn't have to employ some tricky tunneling techniques to maneuver between subnets. Without going into too much detail about the exam, x amount of machines exist on the network and for each machine you're tasked with breaking into it and obtaining SYSTEM / Administrative / Root privileges on it. A couple of the tools in your attack arsenal are limited for the exam. It requires you to think outside of the box and plan out your attack surface more thoroughly before progressing onward. I started at 10am (Pacific Standard Time) and had only rooted 1 machine by 4pm. By the time I crashed around 2:30am I had my official 70 points that I needed to pass the exam. I was pretty brain dead around then, having spent my day in my room listening to music, only getting up for drinks and bathroom breaks. I remember being so focused and having to pee so bad that my bladder became an outcast. I kept thinking, "I'll just try to get this machine real quick within 30 minutes, then get up and pee...", but that's what a course with Offensive-Security will do to you. Friday morning around 8 o'clock, I got up and wasn't 100% satisfied with having just the level of points to pass the exam; I had machines left on the network to root and that means I had to "Try Harder". I officially ended the exam having 1 machine I didn't obtain full permissions over, but I did earn a low privilege shell on it.
The exam overall was very challenging. Having some basic Python background, I was able to quickly craft 1 script that came in handy during the exam (and 2 or 3 that I used throughout the lab exercises). I enjoyed the course a lot, and liked the fact that the machines in the lab and exam were very challenging. I enjoyed the step machines on the lab networks and exam: the machines where it wasn't necessarily a remote root exploit that got you into the box, but an overall attack strategy you had to plan out on pen and paper or in your head to compromise the system. My overall OSCP challenge took around 17-18 hours. The course was the best class I've been in so far. The course content videos were excellently put together and I'd highly recommend Offensive-Security's training over a ton of other training vendors out there today. Walking into Penetration Testing with BackTrack, I may well have been on my way into the field of penetration testing; walking out of the course I feel like I've become a more ethical and respectful person with what one can do with their knowledge. I've learned countless attack vectors and strategies and have had to implement offensive security techniques in a practical lab environment. I not only leave as an Offensive Security Certified Professional, I also leave having acquired techniques that'll benefit my future in the Network Security world.
My overall suggestion to those taking the course or planning on taking the course is to study, study, study! The topics presented in the course are great, but further reading on these topics does help too. Having knowledge in a scripting language definitely helps. Even a beginner programmer would have an easy time understanding the discussed Python & Bash code. Be sure to screenshot every successful penetration and mine the compromised host for useful files; you're bound to find something. If it's possible, try to make some friends in their IRC channel whom you could share hints and notes with when doing the lab exercises; this is what really helped me out. Here are a few reference links I found useful during the course:
http://milw0rm.com/ (Which was up at the time)
The only negative, if any, is that I wish there would've been a little bit more Metasploit coverage, more specifically on the Meterpreter section regarding tunneling techniques, etc. I also wish ssh had been mentioned and its use demonstrated similarly to how plink.exe was. Tunneling's pretty tricky, and maybe the portfwd feature of the Meterpreter and more of the ssh syntax wasn't covered simply because it wasn't needed on the exam. The web attack module was very good, but I was surprised Cross Site Request Forgery wasn't demonstrated in the course videos. If anyone has questions or thinks I should include more info, feel free to PM me.