Sunday, March 27, 2011

OSCP (Offensive Security Certified Professional) Course Review

I promised myself I would write summary of the OSCP class once I completed it, since there isn't much information about it.  It's not a very well known certification, but it's well respected by the people that are familiar with it.  There's quite a bit that is secret, such as the details of the exam, but I'll try to give you an idea of what to expect if you're considering taking the class.  I took it in the winter of 2009-2010, so some details may become outdated as time goes on and the class is revised.

Prerequisite Knowledge and Time Commitment
You can buy 30 or 60 days of class/lab time, and you can also buy 30-day extensions. It culminates in a 24 hour straight exam (you don’t have to use the whole 24 hours) which you can schedule whenever you want starting after 6am (Central Time) if I recall correctly. The test is fairly cheap to retake, so it's more of a time/pride thing to pass it on the first time than it is a matter of cost.  

I’m sure some people could pass the test without even taking the class, but there are also some people on the other end of the spectrum who start with no knowledge of Linux. I had some very basic experience with the topics covered, and I think I figured the time commitment was about 355 hours. I did the 60 day lab, then waited a bit, then extended it for another 30 days to finish the final challenges, then did some additional studying on my own. I started in October and took the test in April. 

The Course
The course material is something like 13 chapters (I think you can find the syllabus online) and it has a video and PDF that go through each. It goes through a lot of the basic security stuff (e.g. ARP spoofing, password cracking, etc.), but in the middle it hops into what I consider the main section, which is on exploitation through metasploit, as well as fuzzing and writing your own exploits. It gets into some intermediate exploit writing, but for the most part it’s simple stack-based buffer overflows. It gives you a good introduction into these topics, then kind of drops you into the deep end and gives you some IP's to root.  Some more training, examples of rooting boxes would have been nice here for someone who isn't a professional pentester.  Once you finish all the class material, there are a set of final challenges which are basically just some boxes to root. There are also quite a few additional boxes on the network that you can root. All that prepares you well for the test, but it doesn’t give you the answers.

The part about the class that I hated, was that if you asked almost any question, the answer would usually be this, “http://www.offensive-security.com/when-things-get-tough.php”. Even when I tried abstracting my question so it wasn’t related to the class, it was very tough to get an answer from anyone in #offsec. On one hand, it is good to not serve people the answers, but on the other hand when your'e completely stuck I don't think it's too much to ask whether you're headed in the right direction.  If I wanted to learn everything on my own without any guidance, I wouldn't have paid for the OSCP in the first place.  Having said that, overall it was an awesome class and I’d recommend it.  It’s so much fun to finally root a box that you've been attacking for the last 8 hours.  In short, it's probably one of the most frustrating yet satisfying experiences you'll come across.

Tips
· Do the class while it’s cold out. It was much easier to park myself in front of the computer on the nights and weekends during the winter.

· You don’t need to take that good of notes like it implies in the beginning, but you should keep track of exactly which boxes you have rooted. All they really care about is whether you pass the test (and your going the extra miles if it’s border line).

· If you want additional practice, set up a lab or enter one of the many online CTF’s. I found NetWars to be good practice, but it doesn’t look like they have rounds going anymore.

1 comment:

  1. This comment has been removed by a blog administrator.

    ReplyDelete