OSCP (starting 13/12/2015)

I guess I'll start my own thread on the OSCP, because there's not much information about what you're really getting into with the OSCP on their website, YouTube, Google, etc. There's written reviews, but even then it's in vague terms. I think it's useful to know what you actually do in the course and what sort of experience different people have.
My background:
I'm honestly in over my head and one week in already disappointed with the lack of actual education in the videos and manual. The majority of the exercises for the first half of the book are effectively repeating the example they just demonstrated, i.e. "if we do ABC we'll get XYZ - now you try ABC and see if you get XYZ", so you're on your own educating yourself further about most topics. I'm very lucky I have a friend and colleague who've both passed the OSCP, and a penetration tester as my manager.
I'm very interested in getting involved in a study group with anyone doing the OSCP starting now for the next 3 months, an IRC channel, Skype, whatever, the knowledge acquisition would be exponential with a team based approach to this material.
My background:
- 5 years as a Security Analyst (policy, compliance)
- <6 months as a Vulnerability Analyst
- SSCP, CISSP
I'm honestly in over my head and one week in already disappointed with the lack of actual education in the videos and manual. The majority of the exercises for the first half of the book are effectively repeating the example they just demonstrated, i.e. "if we do ABC we'll get XYZ - now you try ABC and see if you get XYZ", so you're on your own educating yourself further about most topics. I'm very lucky I have a friend and colleague who've both passed the OSCP, and a penetration tester as my manager.
I'm very interested in getting involved in a study group with anyone doing the OSCP starting now for the next 3 months, an IRC channel, Skype, whatever, the knowledge acquisition would be exponential with a team based approach to this material.
Comments
Have you tried grey hat hacking 3rd or 4th edition? -- They have good primers on C, x86 Assembly, Python and bash.
If that is not in depth enough try the art of exploitation. I thumbed through it and it seems like a good read.
Resources list:
http://www.amazon.com/Hacking-Ethical-Hackers-Handbook-Fourth/dp/0071832386/ref=sr_1_1?ie=UTF8&qid=1450964901&sr=8-1&keywords=grey+hat+hacking
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_1?ie=UTF8&qid=1450964966&sr=8-1&keywords=the+art+of+exploitation
http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_6?ie=UTF8&qid=1450964966&sr=8-6&keywords=the+art+of+exploitation
I don't know when I will start but if you need to bounce some ideas around in PM or IRC let me know.
There are 100s of things you will learn during the OSCP course. If you are stuck on something, just move on to something else. I find the videos and pdf boring, but the Lab is a lot of fun. If I were you, I would jump into the lab and learn everything you can about all of the servers. start with nmap -p- -sV -A 192.168.x.201-254. Stay positive. Constantly being frustrated will ensure you fail.
I hope it will get better...
Navy Seals are given basics requirements that are almost a joke once they start BUD/s. Eventually, it all comes down to will power for them. Same thing for you. Some people have the heart to do what it takes, no matter what, and some people look for excuses. Which end of the bell curve are you on?
Guess you'll find out, won't you?
Kinda awesome if you think about it. You actually get the chance to look into your very being and see what you are made of. Hopefully you don't fail, hopefully you can be proud of who you truly are.
Try Harder.
It's a balance between a challenge and an education. The OSCP is comparatively light on education and more of a challenge, which is fine, it's just important to be aware of that when considering the certification.
In terms of my progress, I've skipped the buffer overflow exercise that I was stuck on, after spending nearly a week on it. I managed to work with an admin and another student for a while on it, but ultimately their suggestions were things I'd already tried dozens of times. I did learn a few things, but can't justify the time I'm spending on it so I'm moving on.
Either you'll overcome or you'll quit. Pick one.
You are complaining because a hard course is actually hard.
People like you are why older generations call younger generations pussies. You thought you could just pay the money and the skills would be handed to you on a silver platter. You aren't willing to work for it. You aren't willing to lose sleep or sacrifice things you enjoy.
You've made it clear what kind of person you are, just quit now. You can blame it on the program all you want, that's what people do when they can't make it in show business, sports, or the military. On the bright side, you'll have more time for your vidya games and Mr. Robot reruns.
I won't waste my time reading whatever BS reply you make, because I know it'll just be some stupid justification for your lazy attitude. If you truly wanted you prove me wrong, you'd stop complaining and earn the OSCP like a champ.
That's what you probably wanted to hear, but not what I said at all.
The rest of your post is really presumptive and not in line with anything I've said or what I've done with the course so far. I've spent 4-6 hours a day for the past week on just one chapter of the material. You're "lazy" and "pussy" comments are childish and uncalled for. If you look to the left you'll see I already have two certifications which I think is a good start for someone with no formal InfoSec education.
I haven't blamed the course for anything. The purpose of the thread is for anyone considering the OSCP to see a log of another experience with the course, what it covers, what you learn, what you need to know, and what the course material is like. If my experience is finding the course material thin, I consider that useful information for a potential student.
Don't you think it'd be more beneficial to give someone a small nudge in the right direction and allow them to find the answer on their own would be a better way to go about it?
Sheiko I myself haven't taken the course or exam but I know a number of people who have one of them being sexion8 who used to frequent this forum. His post below is focused around the CEH but is completely relevant to the base knowledge of the OSCP and would be a great starting point for you. I also provided some links to the ethical hacker forum as well, this forum is a goldmine for some technical discussions but is unfortunately no where near as active as it was a few years ago. Sexion also has a number of good posts over there as well, but I can't seem to find them since he used a different name over there.
http://www.techexams.net/forums/ec-council-ceh-chfi/35544-so-you-want-take-ceh-read.html
https://www.ethicalhacker.net/forums/viewforum.php?f=58
https://www.ethicalhacker.net/forums/viewtopic.php?f=58&t=9115
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
We all have jobs and families and sometimes spending days and days on a something that could've been resolved within a few minutes with a little hint from admins makes people a bit upset.
I checked with uname -a and figured i686 is 32-bit, however it looks like I've chosen Debian 64-bit when manually setting up the VM. I've used a VMware program not listed in their welcome manual too, so now I have to copy everything from one image to the new one, what a mess, my fault though.
To anyone starting the course who's new to virtual machines, don't use VirtualBox.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
...now to be negative again. There's an exercise where they give you the code for a medium sized script, the problem is that whatever font or text they have in the manual has a different character set that breaks the exploit, what should be a "-" is actually a "–" (notice how they're slightly different). There's a thread on the official forum where people have spent days trying to get it working only to be finally told it's this one unrecognised character...
I get when they have you re-write scripts or alter exploits, there's an educational component to that, but this feels like it's just there to **** with you and waste lab time. They give you a special Kali Linux image specific to the course, why aren't the larger scripts included in the image?
I setup the image that came with the course on VMware Fusion and it installed as what I believe is the 64 bit version (i686). I didn't manually setup the image, I just opened the "executable" and it set itself up. How would I switch to the 32 bit version if I'm using the one that came with the course?
http://downloads.kali.org/kali-486-vm.rar
Thats the cleaned up url from mine emails. or go direct and pick the last one https://www.offensive-security.com/kali-linux-vmware-arm-image-download/
The class image version installs as 64 bit, so I'm confused.
I went to a friend who's already completed the OSCP years ago and he stepped me through a simple exploit and it was immensely helpful. I'll likely be using him as a mentor for the next two months, I doubt I can do this on my own. In the "pwned" machine though I managed to copy across fgdump (after about two hours of troubleshooting FTP, not considering interactive commands and the binary option), and then managed to enumerate some password hashes, and from that successfully use John the Ripper, and given the account names I suspect they'll be of use on other machines. The first instance of momentum since starting the course.
It's disheartening when I read people getting root access on multiple machines within the first week of the course, where I have just one (with help) nearly a month in, and I've not been light on study either, hours every night. I guess the certification attracts the kind of student who already has knowledge in this domain. I'm either well behind the average student, or maybe the certification has a very high failure rate.
A lot of those users got some experience and they have some good programming skills others are using metasploit, etc, etc and the last part is do not believe everything you read!!!!
It is your personal IPS to stop the attack.
Lets see if my speed increase.
It is your personal IPS to stop the attack.
I have root/administrator privileges on four boxes and a low privilege shell on a 5th, which I'm 95% sure I'm using the right exploit and the issue is on my end with my Kali Linux or Metasploit installation, so I moved on. I'm still working with two friends who've passed the OSCP, they're not giving me answers but just helping with resources, general knowledge, syntax issues, etc. I know that will result in accusations of "spoon feeding" and "hand holding"...
If knowledge acquisition is your goal then I highly recommend working with others through your study, there's no reason to limit yourself.
I still have disagreements with the way the course is delivered, but whatever, it's their product they can do whatever they want with it. To quote my friend who passed the OSCP - "I knew nothing coming into the OSCP, and that's why I still know nothing now".
If I get some time tonight I'll put together a list of some useful resources and topics I've been going through.
It is your personal IPS to stop the attack.