Some thought on doing the OSCP14 Jan 2017
I can see now that I haven’t updated this blog in quite a while. This is due to the fact that I have been doing the the course Penetration testing with Kali Linux (PWK - OSCP). Today I got the email from Offensive Security that I passed the exam, and that means that I am now a Offensive Security Certified Professional.
Before I decided to take the course I spent way to many hours reading reviews and threads on reddit about the OSCP. One thing that I was always looking for was an answer to the question: when am I ready to take the course? And, what background do I need to have? So in this post I am going to try to answer those questions and share my ideas and recommendations.
I don’t have any professional background in infosec at all. My background is in political science, and I spent quite a few years at uni doing my undergrad and graduate studies. When I finished my grad-program I got a job at an embassy, where my only interaction with technology was with Word, Excel and PowerPoint. At that time I started getting more and more annoyed by the fact that I was basically computer illiterate. I was sitting in front of the computer all day long, but I had no idea of how it worked. Of course, in an office environment where the average age was pretty high I was considered a power user. I was the youngest person in the office, so I became the unofficial IT-support. I turned computers on and off, and I did it well.
Anyways, I got a hold of a really old laptop and installed Linux on it. For absolutely no other reason than to satisfy my own curiosity. After I had installed it I didn’t really know what to use it for, so I just started exploring it. Meanwhile I started becoming more and more fascinated with programming. It seemed like magic to me. They said that everything is zeros and ones, and from that some mysterious levels of abstraction generate this amazing experience that is the computer and the internet. The fact that computers were so far away from what I had studied really intrigued me. So in my free time I started dabbling with python. That was about two years ago.
I started a study-group with some other infosec-nerds that I got to know over the internetz. And together we have been pushing and helping each other to become better hackers. Something that has been really valuable.
How I organized the OSCP
I created a directory structure with one directory for each machine, with subdirectories for enumeration and privesc and loot.
I saved all my progress in a private gitlab repo.
I wrote notes, exam-report, lab-report and exercises in markdown with sublime. And viewed it in the browser, and then converted it to PDF using the browser. There were some issues when converting it to PDF, but all in all I still think it is more convenient than using KeepNote or OpenOffice/Word.
Every time I learned something new I added it to a book that I have been writing. It was, hands down, the best idea I had. It helped me so much. The book is written with gitbook and is searchable and can be read as epub, PDF or online. It is available here: I still don’t have a name for it. I went back to it again and again. I really hate having to google the same thing over and over again. I like to have everything I need neatly structured at the same place. It is still messy and a lot of it is half-written. But you are more than welcome to fork it and make it yours, add and remove content as you wish.
Another thing that I did that worked out really well was that I wrote two pentest-templates. One for Linux and one for Windows. And in each of those templates I outlined all the steps and checks I needed to do. For enumeration, privilege escalation, and for post exploitation. Having check-lists really sped up the process and it made sure I checked all possible vectors before moving on.
For the exam I wrote a pretty comprehensive enumeration scripts, it is based on this great script, but very heavily modified. I just ran that with the target hosts as arguments, and it created a file-structure, imported the templates I mentioned above, ran specific scans according to open ports and outputted the result in the correct directory. The script also added in the correct IP-address on every command mentioned in the template file, and it also added some enumeration-output right into the template file. So that was kind of nice to have. It is far from perfect and have some issues. But over all it was pretty useful. The templates and script can be found here.
If anyone else is in a similar situation as I was. By that I mean coming from a non-technical background and wanting to do the OSCP, I would recommend the following:
- Make Linux your daily OS.
- Always use the command line to do things, even if the GUI is faster and easier.
- Once you are comfortable with the bash-shell power up! Use Oh-my-zsh or something like that. It will change your CLI-life.
- Program something every day. Even if it is a useless program. But some useful ideas might be: client/server programs, reading and writing from files, issuing commands from your scripting language (I use python) and then parsing the results.
- Start doing VM:s from VulnHub. Don’t be afraid to cheat by reading other writeups. In the beginning it will be necessary to cheat, to cover your unkown unkowns, what you don’t know that you don’t know. There is a lot of it, and almost impossible to find if you don’t know what you are searching for. Make sure to always understand what you are doing. But if you have tried to understand something for several hours but you just can’t figure it out, just move on. You don’t have to climb Mount Everest on your first day.
- The motto for Offensive Security is Try Harder!. And that really is great advice for the OSCP lab machines. But for learning in general it might not always be optimal. If you want to learn math it might not be the best idea to pick up a book on calculus when you don’t know addition. You could probably “Try harder!” and get through your calculus book, but it might just be smarter to start with the basics of math. So my, less catchy, version of the motto would probably be:
Try Harder! Unless you have tried really hard but it is just way out of your league. Then move on to something easier and then come back when you know more.
- Write your own writeup for every single VM that you pwn. Even if you don’t publish it anywhere. It will still help you articulate your process and thoughts.
- Once you have done maybe 15-20 vulnerble VMs from VulnHub and you are starting to get comfortable with that, start learning Windows. Around half of all the OSCP machines are Windows, and it is by far the most common OS in a corporate environment. So really learning the ins and outs of Windows will be necessary. Due to the fact that Windows is not free software it is a lot harder to find VMs to practice on. However, the latest metasploitable is Windows. So that is a great starting-point: Metasploitable 3. Otherwise you can just download legal Windows VMs here developer.microsoft.com and then install vulnerable software and exploit it. It is not as entertaining as a CTF-like VM but it is still a great way to learn.
Regarding educational resources I would really recommend this:
A Penetration Testing - A Hands-On Introduction to Hacking by Georgia Weidman. It is very similar to the OSCP material. So if you can get through the Weidman book and successfully complete all the exercises you should probably be pretty confident for the OSCP.
Metasploit Unleashed really is a great resource to learn metasploit. Which you will have to learn.
Also, one last note. When I started researching OSCP I wanted to know what kind of internet speed you need. Since I live in an area with really poor connection. I did the whole course with the internet speed of a shared 2 mbit connection. It is absolutely nothing I would recommend anyone of doing, sometimes you can get lag when connecting through RDP or even in the terminal. But for the most part I didn’t really have any problem.