About This Review
I began the OSCP certification process in November 2016 and finally (due to a host of reasons) obtained the certification in March 2017. Since that time, I have attempted to help many others that are on the same quest by way of advice on Twitter and elsewhere. What follows in this post is my review of the course, the tools/configuration I used throughout my studies (and that I still use now when performing professional pentests), as well as some of the areas budding OSCP'ers should focus on. There are a lot of great OSCP reviews out there, so I encourage you to look for them and give them a good read also. I'll try not to duplicate what most of them already point out. What isn't included, and what I won't entertain via email, Twitter, etc., are specific answers to lab machine challenges, exam machines, specific methods the exam uses, and the like. One thing all OSCP'ers know, and come to hate and love at the same time, is the phrase 'Try Harder'. Trust me, when you’re working a system for a while, maybe a few days in some cases, and you finally get root or NTAUTHORITY\SYSTEM on it all on your own, you will understand why.
The PWK course consists of a 375-page PDF study course manual, accompanying videos, and access over a VPN connection to a huge number of (around 50) vulnerable machines. The course PDF doesn't exactly walk you through every method being taught, and this is a good thing. Part of the genius of any Offensive Security course is that they are designed to plant a seed of information, leading you to inevitably research that subject further on your own via further reading, videos and posts online that you can scrounge up, and eventually trial and error on virtual machines. For many it may be frustrating in the beginning, especially if you've been catered to by past educators or courses with step-by-step instruction. OSCP'ers need to remember, however, that this course is setting you up to be able to perform penetration tests start to finish, including note taking, report writing, and documentation, professionally. As a professional pentester, you will have to perform a lot of research on your own. If that doesn't sound like you, pentesting is probably not for you.

Back to the course. As you progress through the course and the videos, you will be expected to perform exercises at the end of each module. I highly encourage you to do so, as you will need every single method during the virtual lab machines as well as the exam itself. Furthermore, document those exercises for a chance to gain extra points on the exam if you submit the exercise report along with the exam report. These extra points could very well be the difference between pass or fail. More importantly, documentation structure and writing is something you need during all pentests anyway; that is what clients pay for, including mitigation and remediation techniques, so the sooner you get used to doing it the better off you will be as a professional.
The OSCP exam is a grueling (and I mean that in every sense of the word) 24-hour test of your penetration testing skills, endurance, and ability to control stress and maintain focus while performing a full-blown penetration test. In fact, the exam was so grueling for me that it took me two attempts to finally pass it. That isn't uncommon, mind you, and I've heard of some taking as many as five attempts to pass it. Failing that first exam after working so hard leading up to it was disappointing, but I learned what I needed to train up on further in doing so. This is so true of a career in pentesting: constant training, failing, being humble and self-aware enough to learn why, finally getting it right, and more training. Keep that in mind for any of you that may not make it on your first or second attempts. You will have another 24 hours immediately following the exam to write and submit a formal, professional penetration test report to OffSec to be graded.
If you’ve read any other OSCP reviews you’ll know that effective methods for sitting the exam are varied and really up to each individual as to what works for them. What worked for me was ensuring that I took frequent breaks to clear my head (especially when I felt stumped), ate regularly, and generally maintained a steady, balanced pace throughout the exam. Notice I didn't mention sleep...because you probably won't get any. I think I slept a total of 3 hours in the 24-hour period. Time management is also absolutely crucial. Some follow absolute time blocks, and some wing it. I did a little of both and adjusted as needed. Again, that is somewhat how it works in real world pentesting. Time will move very fast once the exam begins, however, so have some sort of a system in place. Have your scripts and toolbag ready. Contrary to popular belief, there isn’t just one absolute way to perform a penetration test, or, in this case, the simulation of one.
As for what you’ll need knowledge-wise, like I said before, it is all the techniques in the course manual and what you’ll learn trying them in the lab. Don’t skip past any of them, even if you have experience in them. Both exams I took needed nearly all of it to a varying degree. Make sure you have a solid pentest methodology. Recon, Vulnerability Identification, Exploit, Enumeration, Privilege Escalation, and Data Exfil (in the form of trophy txt files here with hashes in them) is a pretty standard methodology that works well. Keep in mind this methodology is cyclical, especially when it’s time to escalate privileges. It is also dynamic. You may go back to recon before even attempting an exploit; this way of thinking will become quite evident as you work through the course and lab machines. Lastly, remember to document along the way, even if loosely, because you only have another 24 hours after the exam VPN connection drops to get the final report submitted to OffSec.
Kali, Tooling, and Gear
The course suggests that you utilize the Kali 32-bit VM they provide you with, but I rolled my own, mainly because I wanted to customize a lot of the tools and ensure they are up to date with current exploits, etc. Should you do the same, do be sure to use a 32-bit Kali version, because the buffer overflow and exploit writing portion of the course requires it. There are ways to compile 32-bit code on a 64-bit distro of course, but when you get to the Linux buffer overflow and exploit writing portion, you’ll have problems. You will also be doing buffer overflow and exploit writing for Windows as well, so heads up on that. For my Kali configuration I loosely followed JollyFrog’s Kali Configuration notes available here a few posts down in the thread. I really like Terminator for my shell sessions. It allows a lot of panel customization, text logging, quick custom command macros, and a number of other cool features. For instance, I set up my custom commands flyout so that with a click of my mouse I was able to initiate a Metasploit meterpreter multi-handler, fire up a temporary Python webserver, or even type out entire VBS/python/shell scripts on a compromised target shell terminal and then execute them. It proved to be a huge time saver during the exam and I continue to use and expand those custom command macros to this day. A quick vanilla screenshot of how I currently have things set up is below.
UPDATE: Due to a few requests: the custom commands flyout has to be enabled in Terminator's Plugins section before it appears. Go ahead and enable the Logger plugin as well and you will have a log of all keystrokes within each terminal. A screenshot of that is below:
Speaking of scripts, you will want to become comfortable with manipulating python and ruby scripts, or even developing your own. I created a pentest file directory and storage script, ptfileprep, that will take multiple host IPs, Nmap scan output, and other formats to very quickly create appropriate directory structures for each machine in the list to store files, exploits, and notes in. You are welcome to use it and/or modify it to your liking. For my note taking and documentation I utilized Microsoft OneNote extensively. OffSec suggests KeepNote, but I already used OneNote quite a bit anyway and it offered a lot more stability and features over KeepNote in my opinion. Some of the things I like about OneNote are speed, cloud storage, and searchable text within images, which, with all the screenshots you will be taking, is huge! My typical page structure for each machine being worked on is below for a basic idea of how I do it.
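As an added illustration of the ptfileprep idea (my own example, not the author's script), the Python below pulls hosts out of either a bare IP list or Nmap normal (-oN) output and builds a per-host directory skeleton; the subdirectory names, the notes template, and the base directory name are assumptions.

```python
"""Added example (my own, not the author's ptfileprep): build a per-host
working directory tree from a plain IP list or Nmap normal (-oN) output."""
import ipaddress
import re
from pathlib import Path

# Subdirectories created under each host directory (an assumed layout).
SUBDIRS = ("scans", "exploits", "loot", "notes")
# Matches "Nmap scan report for 10.11.1.5" or "... for name (10.11.1.5)".
NMAP_HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")

def extract_hosts(text):
    """Return sorted, de-duplicated IPv4 hosts found in *text*. Lines that
    are neither a bare IP nor an Nmap host line are ignored."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        m = NMAP_HOST_RE.match(line)
        candidate = m.group(1) if m else line
        try:
            hosts.add(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # not an IP: skip "Host is up", blank lines, etc.
    return [str(h) for h in sorted(hosts)]

def prepare_tree(base, hosts):
    """Create base/<ip>/{scans,exploits,loot,notes} plus a notes skeleton per
    host. Re-running is safe: existing dirs and notes are left untouched."""
    created = []
    for ip in hosts:
        host_dir = Path(base) / ip
        for sub in SUBDIRS:
            (host_dir / sub).mkdir(parents=True, exist_ok=True)
        notes = host_dir / "notes" / f"{ip}.md"
        if not notes.exists():
            notes.write_text(f"# {ip}\n\n## Recon\n\n## Exploit\n\n## PrivEsc\n")
        created.append(host_dir)
    return created

# Constructed sample input: bare IPs mixed with Nmap -oN lines.
SAMPLE = """10.11.1.5
Nmap scan report for 10.11.1.22
Host is up (0.12s latency).
Nmap scan report for webhost.lab (10.11.1.8)
not-an-ip
"""

if __name__ == "__main__":
    for p in prepare_tree("pentest_lab", extract_hosts(SAMPLE)):
        print("prepared", p)
```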
KeepNote hasn’t been updated since 2012 and seemed sluggish and buggy to me, so I gave up on it after only a few hours. I’ve never regretted sticking with OneNote. It's very powerful and there are a ton of features in it. There are of course many pentest database engines like LAIR, Dradis, and even Metasploit's basic loot collection that can automatically collect data and store it in an efficient form if you choose to go that route, but your mileage may vary because they don't, to my knowledge, support screenshotting, etc. Also, choose a text editor you like. I have used Sublime Text for a long time now and love it, but many swear by vim or other editors. There is also a relative newcomer, Visual Studio Code by Microsoft, that looks very interesting: it is cross platform, free, open source, and has a ton of extensions and plugins. I haven't really utilized it much but plan to do so. Lastly, and this should go without saying, be sure to back up your VM, data, notes, custom scripts, exploits, and other items via multiple snapshots, cloud storage with revisioning enabled, or whatever method you prefer.
For gear and hardware, most computers that can sufficiently run VMs will suffice. For the course you will only need one Kali VM running anyway. That said, more is always better. My current rig is a Lenovo W530, 32GB RAM, 2TB SSDs onboard, with a triple monitor display set. Yeah, it looks cool, but it is also highly functional. I can run high amounts of VMs, including entire domains with domain controllers, etc., without issue, and it allows me to play out all kinds of pentest scenarios. It is also what I utilize to make a living, so Return on Investment (ROI) worked pretty well in my case. Since you will be conducting this course over the internet, a solid ISP connection is crucial. The last thing you need is to be fighting connection issues, especially during the exam.
Areas to Study
Below are some additional brief areas to focus on before starting and during your OSCP journey.
Know your tools. If I were placed on a "pentest island" for this course and had a limited toolset, I’d want nmap, netcat, python, exploitdb, dirb, and a text editor like sublime-text. You will need to use many more throughout the OSCP, but at least know how to work the basics of those before starting. The course will teach you how to use them but having a basic idea will help get you up to speed quicker. Note: there are restrictions on using Metasploit (and a few other tools) on the exam. You can only utilize exploit modules on one machine during the exam and will get an automatic fail if you use it again on another. By the time you take the exam you shouldn't need it anyway. In fact, I didn’t use any of the exploit modules during either of my exam attempts. During the lab you can use Metasploit as much as you like, and it is encouraged because real world pentesting many times depends on it for speed and other reasons, just don’t depend on it without learning how to exploit vulns manually.
Learn to enumerate, automatically via tools/scripts and manually, based on the system you are attacking, be it a webserver, Windows, or Linux, because 1) it will provide quicker vulnerability identification and 2) it will be very important when you go to do privilege escalation.
Related, learn various privilege escalation methods for both Windows and Linux. There are some very good posts out there on this topic. G0tmi1k has a great Linux Privilege Escalation post, as does Fuzzysecurity on Windows Privilege Escalation. Both have some of the best ideas to get you started. Additionally, I highly recommend Andrew Smith's Windows Escalation Video, as well as Jake Willi's Linux Escalation Video.
All pentesters eventually compile their own methods, tools, and scripts to find privesc vectors for each type of system, but there isn’t a sure shot method that will always work. This is where experience and being able to think outside of the box comes heavily into play. I developed a few python scripts and .bat files to perform some quick checks for me, but sometimes it just comes down to intuition, getting a feel for, and hunting the target system or application. Just remember that whenever you are manually hunting, it might be an opportunity to create a script to do it much more quickly and efficiently. This also relates to real world pentests, as most engagements only last a week or two at max on average to cover a large attack surface depending on scope, so speed and efficiency will come into play heavily as you move further into your pentest career.
Learn about pivoting. No, really, do it. A lot of budding pentesters disregard this or don’t give it much attention, and I guarantee you it is needed for the lab and in the real world. An excellent pivoting intro by Artem Kondratenko is here. SANS also has a good paper on it here. This can be hard to practice in your own lab if you’re not comfortable with setting up different network segments within your chosen VM environment. Build up a VM lab to practice exploit writing, pivoting, and other techniques you’ll encounter. I created an extensive home VM lab that does this, allowing me to work on pivoting techniques, drop in vulnerable targets, and practice data exfil from within a firewalled environment. @da_667 also has an excellent book that shows you in detail how to build a VM lab. My typical VMware VM lab environment setup is below for a basic idea.
You'll notice the agency.local folder. All VMs in that folder are segmented behind the Sophos UTM or pfSense firewall. Exploiting vulnerabilities while you're on the same subnet as your target is one thing, doing it when they are behind multiple segments and firewalled with both ingress and egress filtering is a whole different ball game! Perhaps another blog post here will detail that in the future.
Overall, I enjoyed the course. Again, it is very different from traditional instruction, but there is a method to OffSec's madness, so when you get frustrated with it, keep your head up and push on, taking breaks for a day or so when necessary. It certainly is the best hands-on course I’ve ever experienced. The course won’t make you a 'Senior Pentester', but it will definitely get you started on your journey. For those with a lot of experience, I'm sure you will also learn something that you didn't know before taking the course.
This is the first post for this blog, a blog that I plan to regularly post to on all things offensive security, penetration testing, and red team related (yes, there is a difference between those last two). As always, questions, comments, and concerns are welcome. You can find me on Twitter. I'm always willing to help those entering this exciting field as much as possible and I'm sure, no matter what your skill level, I can learn something from you. Below are just some of the people that I continue to learn an enormous amount from, view as highly valued mentors, and/or have had a positive influence on me, whether they realize it or not. Some are not mentioned for "interesting reasons". Regardless, thanks to all of you: