Offensive security certs: OSCP and OSCE review

Written by  on April 30, 2018 

Today I’m going to talk about a couple of certifications that I have from offensive-security.com. As a lot of your security researchers always wonder and think about the best way to get into the industry and the best certification to get I want to let the community know about what do I have and how it went. So I will start with the OSCP and then the OSCE.

OSCP

Offensive security certified professional, also known as OSCP is the certificate you get after completing the “pentesting with kali” course and doing the certification exam. The course itselfs, focuses on pentesting. So if you do the course you can expect to get a general overview of what computer security is in a red team perspective. The course covers the full penetration testing process, so in its first chapters you start with the recon process by scanning networks for detecting alive hosts, scanning boxes, knowing services and versions and so on, then you move on the exploit finding process with both custom frameworks as metasploit or self compiled exploits found “in the wild”, another interesting point is that the course also let’s you test processes such as lateral movements and network pivoting as you do the entire course by combining the theory given in video/pdf with a real lab network where you can connect via VPN and play with more than 70 boxes distributed in different network segments.

So, if what you’ve read from now sounds interesting to you, here we go with a more detailed structure.

PRE REQUISITES

This course/cert is getting so popular these days on the internet, and also a lot of myths, legends and a general opinion are growing with it. Yes, this getting an OSCP is not easy at all, you’ll have to work hard and get familiar with a lot of topics and tools but it can be done. A lot of people that I know who want to go for this course often doubt a lot about if they have the required level or not, some of them spend or plan to spend a lot of time preparing by themselves  for the course due to the fear of failing. Doing some preparation for the course may be good but in my opinion it’s not that necessary if you already match the pre-reqs and it can only lead you to get more nervous and lose some time, and also, if you get over-prepared, then why to go for an oscp? Don’t get me wrong, having a cert is great, but you have to learn and enjoy while you do the course, that’s what it is for. So here we go:

  • A solid understanding of TCP/IP. Knowing about: subnetting, routing, common ports and so.
  • Knowing about network services, ex: What is ftp and how it works? http/https? dns?
  • Knowledge in Operating systems administration, ex: cd’s and ls’s but also knowledge about user accounts, permissions, basic security
  • Knowing what an exploit is (not necessary, knowing how to create one).
  • Some practice in writing scripts: python, perl, bash
  • Some programming experience in C is very welcome
  • Knowing what Kali Linux is, having it installed and so.
  • Bonus points if you can read ASM and have a strong understanding in computer architectures (Von Neuman arch and so)

Of course, if you have more than that you are way more than ready to go. But as I tried to say before, this is not an advanced course, so I strongly recommend you to take this course and try to learn as much as you can during the whole process.

HOW IT WORKS

You have registered to PWK for getting your oscp, now what? The thing is simple. First you register and pay for the course, then they send you the course materials via a download link (make sure to have a backup of all the materials), also your user and password and a VPN package for letting you play inside the labs network.

After that you’ll have to test your connection to the lab network by using your credentials and a program such as openvpn in Kali. Once you make sure everything is working OK and have your kali box ready to play you’ll have to go through the videos and pdf’s and follow the course. At some points actions on the lab network may be required. After completing the course materials and making a report of every exercise you have done, you’ll have to jump to the lab network and hack as many boxes you can.

Regarding to the lab time, you can take 30, 60 or 90 days of lab time and you can extend that at the end. I personally took 60 days and done fine.

DURING THE TRAINING

Keep in mind that at the end of the course, if you want to have the PWK and OSCP you’ll be required to deliver a full report about what you’ve done in the course (exercices), a report about the machines you’ve successfully compromised during your training and the resolution of the exercises presented in the final exam, so from day one, document absolutely everything you do, even if it’s just a screenshot and or a copy and paste from your terminal, doesn’t mind, a very well made report about what you’ve done during your lab time may help you at the end.

Here I will focus on what to do after doing the basic training. After you finish the course you are encouraged to go inside the lab and hack as much as you can. The lab is basically a simulation of what you can find during the average pentest on a large company, so you have a lot of different machines, and every one of them can be hacked in some way, maybe with a metasploit exploit, maybe with some bruteforcing, maybe with a custom-adapted exploit, maybe with stolen credentials from another box, who knows? You have to find it out. As the offsec team uses to say, you are pushed to “think out of the box”, see the network as a whole thing not just some boxes put together, and “try harder” every time you fail in attacking a box to get it done at the end.

In general terms, be ready for getting a lot of frustration both in the offsec lab network and also in real life, but if you are in this “industry” I’m sure you already know about that. Be ready to focus in a topic for hours, then know when to rest, know when to go back, etc. As they say:

You gotta know when to hold ’em, know when to fold ’em, know when to walk away, know when to run.
Managing your resources (time, energy, motivation) is important during the lab.
Getting into the technical stuff I strongly recommend you to hack as many different boxes as you can and at least do some network pivoting. You need to be confident in: using tools, adapting exploits and web hacking, at least.

PREPARATION FOR THE EXAM

A lot of people ask about how to know when you are ready for the exam. I’ll go straight to the point in here: You should be confident in nmap, metasploit, netcat, burpsuite, and these tools and also you should have compromised at least 25 boxes in the lab network including at least one “hard to hack” box such as gh0st, pain, sufferance or such. Keep in mind that this is just my personal opinion. I remember that I booked 30 days on first, then after finishing the lab I booked another 30 days just to hack all the remaining machines and be more confident while I was also writing my tools.

THE EXAM

Once you are done with the course and the lab, you’ll have to book your exam. You’ll select a date and that’s it. In the OSCP exam you have 24 hours to complete a number of tasks in several machines of a private network you connect to with a VPN, just like in the labs, but with a more reduced number of boxes and more specific things to do, you can figure out what will they ask you. After you finish, you’ll have 24 hours more to write a report about what you’ve done and how and thats it.

The day before the exam is important, I recommend you to spend the day before organizing your Kali (or whatever) setup with your tools, making sure everything works and you know where each tool is, write some custom cheat sheets and of course organizing your shells and exploits.

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

Also, prepare your workspace. Check your internet connection, check that you have plenty of snacks, redbull or whatever keeps you up.

My experience during the exam was: The night before I had a really good and long sleep, then I woke up at 8 in the morning to connect to the vpn and start with the exam. I first made a general look at the exam paper and scanned each one of the IP addresses, some of them were web some of them not, I started looking inside each service for basic stuff, then I made some sort of “round robin” and decided to spend X time on every box and rotate if not making any progress. By 12 in the morning I had a couple of boxes rooted. I spend the whole afternoon stuck in one box and at about 7pm i managed to get root, but i lost a lot of time there. I managed to get root access on another one and partial access on the last one so I ended up getting my certification 🙂

I won’t reveal any details about the exam, but if you have done good in the lab you are more than ready for it!

I strongly encourage you to go for the OSCP, this is getting really demanded for security, specially for pentest positions in a lot of companies worldwide these days.

OSCE

PRE-REQUISITES

As this is NOT an entry level course, the pre-requisites here are way more demanding that in the OSCP. You can say that if you are an OSCP holder you almost* have what it’s needed to go for an OSCE. What was that “almost” about? I personally recommend you to go for an OSCE if you have a lot of experience in computer security and want to get a certification or if you have your OSCP AND you have some experience in the computer security field (wrote some tools, found an exploit, work experience, conferences participation) and so, otherwise you may pass but I think that it’s better to combine work experience and academic experience in this field to expand your knowledge.  According to technical skills, you have to know about pentesting but I also strongly recommend you to have SOME experience in reversing, exploiting and assembly language (ia32). So

  • Pentesting experience knowing about the pentest cycle
  • Being confident with; nmap, nc, metasploit, burp suite and in general all the tools presented in PWK
  • Knowing how to debug with OllyDebugger and gdb, knowing some IDA and Radare2 is bonus points
  • Knowing what basic ASM; JMP ESP, NOP, CALL, MOV and such.
  • Being confident using web app testing platforms like the burp suite
  • Being confident in computer programming; web programming and general OS programming. Knowing how to read code.
  • The “try harder” mindset

As I said this is not an entry level course. You may learn a some of the pre-reqs during the course but note that this course is not as the PWK-OSCP, here you won’t have a virtual lab with a lot of boxes to hack here the thing is different. The CTP-OSCE course is different, it focuses on complex attack scenarios and giving the student the skill of analyzing these scenarios and being able to BREAK the perimeter at some specific point to end up completely bending the network, so they assume that you already know how to perform a pentest, they will teach you about how to perform in complex situations while learning more about exploiting and attacking custom software. For example, in CTP you’ll learn about antivirus bypassing or you’ll study case-studies such as how to turn a simple XSS vuln to a complete network takeover.

DURING THE TRAINING

Before you sign up for CTP you have to complete a challenge at

fc4.me

The challenge is relatively easy to solve, it’s designed to check if the student is ready or not for working with the course material as this is not for beginners and offensive-security wants to keep you for losing your time with a thing that’s not (yet) for you, also they want to keep this certification as something valuable. My personal advice is: don’t cheat on the pre challenge

So after getting your pre challenge, you are ready for the course. They will send you all the materials which are pdf and video as usual and you’ll have to work on those materials yourself. So no extra challenges, no virtual lab, just you and your taks. They will ask you to understand and recreate a lot of exploits and case studies. I personally suggest you to go on the exploit-db and recreate a lot of exploits in web apps and in binaries and also go and look for old versions of popular software and try to find some exploits there that was what I did and I even got published on the exploit db with this.

Getting familiar with code analysis in web applications and in debugging, reversing and exploiting software is fundamental and you have to do that by yourself in the training based on the study cases. You can also try, for example, to write your custom fuzzers or toolsets for antivirus bypass.

PREPARATION FOR THE EXAM

The preparation for the exam is very simple here. Go through every exercise and example presented in the course and make sure you understand not only how to write the actual exploit that’s being presented but also you understand perfectly how that exploit was found, how does the shellcode works there and everything. Getting familiar with shellcode is SUPER important, so you have to know about how to generate shellcode, how to WRITE IT YOURSELF, how to avoid things like bad chars, small buffers, the stack, how to make calls to the windows api, how to encode your payloads with different encoders (all metasploit and others).

If you know the enemy and know yourself you need not fear the results of a hundred battles.

THE EXAM

The OSCE exam lasts for 48 hours (+24 for reporting) instead of the 24 hours you have in the OSCP. The format is quite similar but not exactly the same here, you are also required to access a VPN network and perform certain tasks on certain boxes but here you can pretty deduce that it will be more about exploiting (and crafting your own exploits from zero) rather than a regular pentest. I won’t lie to you, the exam is hard, by the way that was one of the hardest things I’ve done in my life in the academic field, but it can be done. The main difference between the OSCP and OSCE exams, regarding to preparation is the time window you have here. Trust me, you can’t perform well here if you go straight 48 hours no sleeping no resting. One of the new things you’ll have to take into account here is how to manage your time. You’ll have to plan your sleep really well but not only your sleep, also your walks, your eating time and everything if you get exhausted and you have lack of sleep and food, your brain will go away and you’ll easily get stuck in simple things.

A lot of exam tasks require you to understand pretty well what are you doing and what goes behind the service, the program or whatever you are auditing, so read twice, breath, think, read again and then start doing. Try to recreate some things locally if you get stuck, if you have reverse engineering skills, use them. Don’t use automated tools, except maybe a fuzzer.

My personal experience with this one was: I had a good sleep the night before as I always try to do, then I started my exam at 12 and I spend the first day working on one of the boxes, I got stuck all the afternoon since I realized about “the trick” and then I got in easily, I also completed one simple task in another box during the night. I went to sleep for about 6 hours and spend the second day working on “the hard” box, I’m just going to say that I had to be “veeery creative” to get in, the thing is once you get your certification, one thing you can do is to go to a private section in the forum and compare your “answers” with other students, there you’ll realize how create you can be to solve the challenge.

I was a really really really good experience and also an exhausting and mentally bending experience the same way.

I want to thank offensive-security.com for putting these amazing training material available.

 

And here you can see my beloved certs 🙂

Category : interesting stuff

Tags :