http://n3ko1.github.io/certification/2015/05/27/oscp---offensive-...
(page printed 12/27/15, 11:08 AM)
Intro
Ever since seeing my first buffer overflow, I've been excited by the (in)security of software and systems. A fellow student (https://www.smrrd.de/) told me about penetration testing and the PWK course (formerly known as PWB). I was impressed with his ability to pop shells over the network and decided I wanted to do that as well. I had played around with several CTF-type challenges and a little bit of reverse engineering before, but I wanted to formalize my education and see what I really knew. I quickly found out that there was a lot more to be learned. The PWK course offers a lot of opportunities to continue research on your own in order to get the most out of it. If there is one thing I would tell soon-to-be OSCPs, it would be to do it for the learning experience, not for the mere piece of paper. In the remainder of this post I want to share my experience from start to certification, including some tips I would have found useful before starting the course. I hope you will find them useful, too! Additionally, over the next weeks, I will share on this blog a couple of techniques and scripts which I researched during my OSCP experience.
Certification Process
Although there is a live training version of the PWK course, most students will want to register for the online version. You can register on Offensive Security's Registration Page (https://www.offensive-security.com/preregistration.php?cid=21). During registration, you can choose between 30, 60 or 90 days of VPN lab access. A lot of people wonder which is the right amount for them. However, you can't really go wrong, since you can extend your time in the lab as often as you like. With the amount of time I was going to be able to spend in the labs and my previous knowledge (see next section) I went for 60 days and extended for another 30 days this year, since I didn't get to take my exam after my first time in the lab. It all depends on how much time you are able to invest.

I initially registered so I could take my exam just before starting my final thesis for university. Since the course also collided with my final exams, my stress levels were pretty high during that time. In the end, I didn't get my exam done in time and postponed it to this year after getting settled in a new job. But that's the thing with the course: you can always step back, learn more, try harder and come back to finish what you started.
After registration (with a corporate email address, or proof of identity in case you use a free mail address) you receive the course documentation in the form of a pretty elaborate study guide and several hours' worth of video material. Additionally, you receive your VPN connection package, which allows you to connect to the student lab. Everything is pretty clearly explained, so with a standard Kali Linux installation including OpenVPN you should have no trouble getting started. For more information on the registration and curriculum, visit the official PWK offering (https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/).
the PWK course. Of course you can use free virtualization software such as VirtualBox as well. I used the most current Kali VM on VMware, which may differ slightly from the officially recommended version. But since a pentester should be able to adapt and not just blindly run exploits, it may even be a good exercise. However, I would suggest not updating your OS between the final lab days and your exam, because you might mess up some important configurations. After every session in the labs I took a snapshot and backed everything up to a NAS.

As useful as KeepNote is to organize your thoughts and to keep track of your exploits, I strongly recommend preparing and writing your lab report (Word or OpenOffice) in parallel. I failed to finish my lab report in time because I couldn't quickly compile it from my notes. My note organization didn't match the recommended report structure, and KeepNote gave me a hard time exporting the actual notes into something useful. Fortunately I had enough points during my exam, but after putting all these hours in it was frustrating nonetheless.

As a final thought: make sure to keep your notes constantly backed up. I used my personal NAS, but any cloud hosting provider (Dropbox etc.) will do. And as with any good backup, know how to restore your files if something goes wrong.
Study Material
The study material for the PWK course consists of a 365-page PDF lab guide and several hours' worth of videos. The lab guide is fantastic and touches on a variety of topics, ranging from finding your way around Kali Linux over bash scripting and network sniffing to exploit development and some seriously confusing tunnelling techniques. For most chapters, it leaves exercises to the reader and challenges you to conduct further research on your own. If you're like me, you will be so intrigued by some of the techniques that this part will be the most fun. As with anything they do, Offensive Security will challenge you to try harder. Don't just read through the guide: try to understand every little detail and work through every exercise. It will definitely pay off in the long run.
The videos, which are intended to support the lab guide, are really good as well. Personally, however, I don't like video tutorials that much, since I am forced to follow a given speed and I don't have the level of control I have when reading. But since the videos contain some additional information, you should go ahead and watch them anyway.
Since I started when the course was still called Pentesting with BackTrack, I can confirm that Offensive Security does a good job of keeping the material up to date. Some techniques may be somewhat outdated, but they are still the basis for a lot of common attacks today. There is no need to develop an ASLR- and DEP-bypassing exploit if you don't understand the magic behind the actual buffer overflow vulnerability. So kudos to Offensive Security for keeping the material relevant while still sticking to the very basics. The upgrade process itself was very smooth for me. I was eligible for a free upgrade and was sent detailed information on how to get my new course material and connect to the new PWK labs. According to the official pricing page, you now have to pay a fee to upgrade from PWB. But I think if there is an update during your certification process, you will get it for free.

For more information on the content of the course, check out the official Course Syllabus (https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf).
One final piece of advice for your time in the labs: try to get on the IRC channel early on. You won't get a lot of help from the admins if you expect plain answers. But there are a lot of other students there, and it's really good to have a partner in crime to discuss exploits and attack strategies with. You will notice that no aspiring OSCP will just give anything away. You can discuss, ask questions, share thoughts. This makes your isolated life during the course easier. Thanks to Evangelos Mourikis (https://vagmour.eu/) (@teh_h3ck (https://twitter.com/teh_h3ck)) for helping me through the last weeks!
Exam Preparation
In my case, I booked my exam a couple of weeks after my lab time ended. I planned to prepare extensively, but since I had a lot of other stuff on my plate I guess I did a lousy job of that. Primarily, my preparation consisted of organizing my notes and cheat sheets and preparing all the scripts I had gathered during lab time. I also tried to write my lab report, which I failed to finish. These are my tips on preparing for the exam, even if your time is limited.

I think you get the idea. I tried to map my organization to the methodology I wanted to use for the challenges encountered during the exam. If you want to go the extra mile, you can pre-compile all the privilege escalation exploits you used in the labs and organize them accordingly. This might save you a lot of time in the exam.

I kept all other information in my KeepNote notebook while creating a separate notebook for the exam. This way, the exam notebook would only contain information relevant to the final report, and I could look up previous attack strategies, cheat sheets and bookmarks in the other one. In fact, during the exam it might be useful to think back to some of the techniques you applied to the lab machines. Even if it's just a special flavor of a file transfer technique, it might save you time! As well as blood, sweat and tears, of course.
them manually one after another, you can streamline your process into one handy tool. During the exam I used a slightly modified version of the Recon Scan Script by Mike Czumak (http://www.securitysift.com/offsec-pwb-oscp/). He has a great blog post on the OSCP including multiple really useful tips and scripts. After obtaining my certification I wanted to do things differently, which is why I started a little project called WrapMap.

Basically, WrapMap offers a wrapper around nmap using the python-nmap library (http://xael.org/norman/python/python-nmap/) in a slightly modified version. It runs asynchronous nmap scans and executes custom modules based on the results. In the modules you can do everything you want and return results to the main script, which writes a bunch of output files. The tool is intended for situations where nmap NSE scripts don't cut it and you want to incorporate other tools (sqlmap, nikto, ...) in your enumeration script. The tool is open source and I would love to see some modules contributed! You can find it here: WrapMap on GitHub (https://github.com/n3ko1/WrapMap).
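The core idea of "run nmap, then hand each open port to a module based on what nmap found" can be shown without python-nmap or a live scan. The following is an added example written for this post, not WrapMap's own code: it parses nmap's `-oX` XML with the standard library and dispatches per-service modules that return the follow-up commands they would run. The XML document, the host address 10.11.1.5 and the module-to-service mapping are all constructed for illustration; the service-name prefix matching (so that `http-proxy` and `http-alt` hit the HTTP module) is my assumption about a sensible rule, not something nmap defines.

```python
"""Dispatch follow-up enumeration modules from nmap XML output.

Added example, not WrapMap's code. It avoids python-nmap and a real scan so
the dispatch logic can be exercised offline; the modules return the tool
invocations they would run instead of executing them.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.11.1.5">
  <host>
    <status state="up"/>
    <address addr="10.11.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http-proxy" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return (host, port, proto, service_name, tunnel) for open ports only."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports get no follow-up module
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tunnel = svc.get("tunnel", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), port.get("protocol"), name, tunnel))
    return found


# Modules take one port record and return the commands they would run.
# Returning strings keeps the plan reviewable; the caller decides whether to
# execute them (e.g. via subprocess) and what to log.
def module_http(host, port, tunnel):
    scheme = "https" if tunnel == "ssl" else "http"   # nmap flags TLS via tunnel="ssl"
    url = shlex.quote(f"{scheme}://{host}:{port}/")
    return [f"nikto -h {url}", f"dirb {url}"]


def module_ssh(host, port, tunnel):
    return [f"nc -nv {host} {port}"]   # banner grab for version lookup


def module_smb(host, port, tunnel):
    return [f"enum4linux -a {host}", f"smbclient -N -L //{host}"]


# Assumed mapping: nmap service-name prefix -> module (assumption, not nmap's).
MODULES = {
    "http": module_http,          # matches http, http-proxy, http-alt, ...
    "ssh": module_ssh,
    "microsoft-ds": module_smb,
    "netbios-ssn": module_smb,
}


def dispatch(records):
    """Build {"host:port/proto": [commands]} for every record a module claims."""
    plan = {}
    for host, port, proto, name, tunnel in records:
        for prefix, module in MODULES.items():
            if name.startswith(prefix):
                key = f"{host}:{port}/{proto}"
                plan.setdefault(key, []).extend(module(host, port, tunnel))
    return plan


if __name__ == "__main__":
    for target, commands in dispatch(parse_open_ports(SAMPLE_NMAP_XML)).items():
        print(target)
        for cmd in commands:
            print("   ", cmd)
```

Two details matter in practice: only ports in state `open` are dispatched, so a filtered 445 produces no SMB noise, and the module reads nmap's `tunnel="ssl"` attribute so an HTTPS service on a non-standard port gets an `https://` URL rather than a failing plaintext probe.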
File Transfer
I really profited from scripting all the different techniques around file transfers (i.e. not simple (T)FTP). For example, I wrote a script which automated the process of logging in to a WordPress page, editing a template of your choice to include your PHP backdoor, and uploading a binary file to Windows using the debug.exe technique. Mastering and scripting these techniques will save you time and trouble in situations where you need to get a file to a target. In fact, I will dedicate a separate blog post in the future to file transfer techniques.
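As an added illustration of the debug.exe technique mentioned above (this is not the author's script), here is the text-only encoding it relies on: the binary is turned into a debug.exe command script that loads the bytes at offset 0100 with `e` commands, sets CX to the byte count, and writes the file. Such a script can be pasted into a non-interactive shell line by line (for example via `echo ... >> file.hex` and then `debug < file.hex`, which is the assumed delivery step) when no other upload channel exists. debug.exe is a 16-bit program, so this only works on 32-bit Windows, and it can only write what fits in a single 64 KB segment; the helper refuses larger inputs rather than silently truncating them. The output name `nc.exe` and the payload bytes in the usage are constructed for the example.

```python
"""Build a debug.exe script that recreates a small binary on a Windows target.

Added example, not the author's script. It produces the script text only; the
delivery of that text to the target and the `debug < script` call are assumed.
"""

SEGMENT_START = 0x100                     # debug.exe edits data starting at CS:0100
MAX_SIZE = 0x10000 - SEGMENT_START         # what fits in the rest of one 64 KB segment


def bin_to_debug_script(data, out_name):
    """Return the debug.exe commands that write `data` to `out_name` on the target."""
    if not data:
        raise ValueError("empty input")
    if len(data) > MAX_SIZE:
        raise ValueError(
            f"{len(data)} bytes exceed the {MAX_SIZE}-byte limit of the debug.exe "
            "technique; split the file or use another transfer method")
    lines = [f"n {out_name}"]              # name the output file
    for off in range(0, len(data), 16):    # 16 bytes per `e` line keeps lines short
        chunk = data[off:off + 16]
        lines.append(f"e {SEGMENT_START + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines.append("rcx")                    # set CX = number of bytes to write
    lines.append(f"{len(data):x}")         # (BX stays 0, so BX:CX fits for < 64 KB)
    lines.append("w")                      # write CS:0100 .. CS:0100+CX to the file
    lines.append("q")
    return "\r\n".join(lines) + "\r\n"


def debug_script_to_bin(script):
    """Simulate debug.exe's reading of the script, to verify it before use."""
    mem = {}
    size = None
    it = iter(script.splitlines())
    for line in it:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "e":                # e <addr> <hex bytes...>
            addr = int(parts[1], 16)
            for i, h in enumerate(parts[2:]):
                mem[addr + i] = int(h, 16)
        elif parts[0] == "rcx":            # the next line is the new CX value
            size = int(next(it).strip(), 16)
    if size is None:
        raise ValueError("script never set CX, debug.exe would write 0 bytes")
    return bytes(mem[SEGMENT_START + i] for i in range(size))


if __name__ == "__main__":
    payload = bytes(range(256)) * 3 + b"MZ"     # constructed 770-byte stand-in for a binary
    script = bin_to_debug_script(payload, "nc.exe")
    assert debug_script_to_bin(script) == payload
    print(script)
```

The round-trip check is worth keeping in any real version of this script: a single dropped `e` line or a wrong CX value produces a file that is silently corrupt on the target, which is much harder to diagnose over a blind shell than on your own machine.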
Privilege Escalation
Privilege escalation was one of my weak spots going into the exam. However, there are some really great resources on the topic which help you understand it and script a lot of the steps. Check out the following links: Basic Linux Privilege Escalation (http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html) and pentestmonkey (http://pentestmonkey.net/category/tools/audit). The latter is also a great resource for other cheat sheets and little helper scripts.

As you see, a lot of things have already been created. You should take that as a challenge to build your own tools on top of them to do exactly what you want them to do. And in the process, you will notice that you suddenly understand things on a whole different level. And if you do build cool stuff, make sure to share it!

To sum it up: if you managed to penetrate the majority of systems in the lab, you have a great starting point for the exam. On top of that, organization and automation are key to success in my opinion. Make sure to align everything with a strong methodology and you should be good to go. And don't forget to get a good night of sleep!
Conclusion
It's easy to say that this was the greatest certification I have obtained in my career, since it is my first. Whether or not the piece of paper enhances my CV, the learning experience was absolutely amazing. It is true that you can find all the information from the lab guide somewhere on the internet for free. But the main selling point is the virtual lab environment. It is set up perfectly to teach and intrigue you, to tease and infuriate you. You will find hidden features, even laugh out loud. I can only recommend it to anyone who wants to break into the wide field of penetration testing.

Thanks Offsec for this experience! I will be back and try even harder.
2015 Lucas Bader with help from Jekyll Bootstrap (http://jekyllbootstrap.com) and Bootstrap (http://getbootstrap.com)