.

Career Refresh - OSCP or OSCE

<<

vulnski

Newbie
Newbie

Posts: 2

Joined: Thu Feb 16, 2012 6:55 pm

Post Thu Feb 16, 2012 9:10 pm

Career Refresh - OSCP or OSCE

Hi (new to the EH board) ,
Just recently decided to join, hoping to rub elbows with fellow security practitioners and contribute...

I want to pursue a security cert or 2 to sharpen my skills and improve my marketability, I have experience and am not new to security.
in the past I've held CCNA, Solaris, CWNA & other related vendor certs.
(most long expired but I am going to renew my CCNA.)

Though I don't really consider myself an expert, I am somewhat versed in security, networking, linux (incl. using backtrack), compiling from source, using sniffers, wireshark,  testing exploits & using frameworks like metsaploit, etc...
I also have moderate experience in Reverse Engineering, developing IDS & AntiVirus signatures, analyzing exploits & threats and using commercial tools & vulnerability scanners.

My coding skills should be considered mediocre to weak at best.
I have basic understanding of ASM & how the stack works, know what a function in C is & how to write one.
Script wise, so-so  I can get by and Google is my friend when I get stuck...
I've dabbled in Python, Perl & C, but again I'm not an expert.
I am definitely rusty on alot of the reverse & debugging stuff having not done it in a while but I can pick right back up.

With that said, I am debating whether to take the OSCP or OSCE course.
I've looked over the course Syllabus for both & like the subject matter both have to offer.
I did notice that I do already have experience in many of the areas covered in PWB/OSCP (same applied for the eCPPT which I also looked at).
I've been a PenTest Linux Distro user since the days of Auditor, Phlax, etc... So I think I can pass on alot of the intro to Backtrack stuff.
I know how to use nmap, snort, tcpdump, etc..familiar with network attacks, arp poisoning, etc...

I want my money to be well spent, which means I don't want to too much re-hash of stuff I already am familiar with.
I want to (hopefully) master something new, improve, learn skills & techniques and get certified in the process.

I took Saumil Shah's Exploitation Lab at Blackhat 2011 last summer and had a blast, I did just fine in that class.
But that was instructor led & focused on 1 area.

I have much to learn in the areas of shellcode writing, exploit writing, vulnerability discovery & web app testing.
As well, I would ultimately like to not be dependent on pre-packaged exploits and tools.

What do you guys think, go for OSCE or am I asking for it (in pain)?
I'm not looking for the easier route (note: by no means am I saying OSCP is easy!), but I also can't throw money around and would not want to get in way over my head by biting off more than I can chew.

My anticipated 'hard core' study time I can commit to would be about 2 months, fortunately my present engagement allows me time to study & work from home I would like to use this time wisely and develop + polish skills.

My next cert after getting a Pen Test cert would be the CREA or GREM certs.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 16, 2012 9:47 pm

Re: Career Refresh - OSCP or OSCE

Personally, I wouldn't go OSCE if you haven't done OSCP, yet.  While it wouldn't necessarily kill you to try, without, I think you'll learn a LOT from OSCP, and the experience will help.

I've been in pentesting for a handful of years, myself, and did OSCP a couple of years ago.  I'm in OSCE now.  It's not for the faint of heart.

Won't 'discourage' you, but I think any / all folks here, who have experienced both, will likely agree with me.

Regardless, good luck, let us know how you proceed, and keep us posted on your experiences.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Fri Feb 17, 2012 8:43 am

Re: Career Refresh - OSCP or OSCE

Having done both, they're really pretty different. OSCP is a fantastic course, everyone in this arena should take it. I would start there. Just for fun see if you can get past the OSCE registration page. If you can, put it on the back burner and do it after OSCP. However, if you're looking to increase your marketability, neither of these certs will help unfortunately. They still don't have the traction they deserve.
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 17, 2012 8:56 am

Re: Career Refresh - OSCP or OSCE

I also agree that you should start with OSCP. It's more intense than the syllabus will lead you to believe. For example, when you say you have experience with ARP Poisoning, I assume you mean you understand how it works and can carry it out with Cain or Ettercap. Well, have you ever manually edited ARP packets with a hex editor and then performed ARP Poisoning using Bash scripting and file2cable? The course will start out kind of basic for someone with your level of experience, but that just lays the foundation for more advanced topics. They've also beefed up with the web app material in v3, which I felt was a great improvement.

I think you'll still get enough out of the course to make it worth your while, and the certification exam will likely still prove to be challenging. If you're feeling confident, you can save a bit of money by getting a package with a shorter amount of lab time.

If you haven't already, you should also check out the free Metasploit Unleashed course: http://www.offensive-security.com/metas ... /Main_Page
The day you stop learning is the day you start becoming obsolete.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 17, 2012 9:06 am

Re: Career Refresh - OSCP or OSCE

If you want to learn a lot of different topics, that you can use for practical exploitation as a pentester, then you should go for OSCP. The other certification, OSCE, is heavily targeted on exploit development such as 0days, and is not as broad as OSCP. Another person once said, OSCE is for targeted threat elimination, while OSCP is for more regular penetration testing. (It's probably the best base you'll currently get compared to any other course offering pentesting.)

As it seems like you already know the drill with exploit development, I think you might get more value out of OSCP, as OSCE is great and has lots of pain, but the labs are also a lot bigger for PWB students, so I think you'll benefit greatly from that too  :)
I'm an InterN0T'er
<<

vulnski

Newbie
Newbie

Posts: 2

Joined: Thu Feb 16, 2012 6:55 pm

Post Fri Feb 17, 2012 3:13 pm

Re: Career Refresh - OSCP or OSCE

Hi, thanks for the input folks I really appreciate and am glad I asked!
I think I will go for the OSCP.

After more research & reading stories, its evident I will still get ALOT out of it & it will help me step my skills up in areas where I am rusty or inexperienced.

i have edited packets manually in a hex editor, however not for pen test purposes.
You are right though, outside of Cain & Ettercap I really could learn alot on the Offensive side to minimize reliance on pre made tools.

Hopefully I can handle the OSCP & come out certified in a couple months!
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 17, 2012 3:19 pm

Re: Career Refresh - OSCP or OSCE

I think that's a wise choice.  Good luck, and if you have questions as you move forward, there are plenty of us here, who have been through OSCP, to ask questions to.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dbest

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Jun 23, 2011 1:14 pm

Post Sat Feb 18, 2012 3:18 am

Re: Career Refresh - OSCP or OSCE

While the OSCP training is awesome, I would certainly plan the training so that you can make the most out of the lab access. I did register for the training, but lost most of my lab hours due to work and family related activities.
CISM, CEH, CISA, ISO 27001 LA

Return to OSCP - Offensive Security Certified Professional

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software