Enumeration and Time - An OSCP review

thegoodbye

I passed my OSCP exam last week. After taking some time to reflect, I thought I’d write a little bit about my experience. This forum already has some good threads with reviews, but I just wanted to pass along some additional advice in hopes that it will help a student in preparation for the exam.

One of the questions I pondered while preparing was, "How do I know I'm ready?" For everyone that is different, but I felt ready after I had rooted about 35 lab machines in the public network. Of the 35 machines, I went back and re-rooted about 25 machines using a different method. I focused on the lab machines that did not have dependencies. I did my best to not use Metasploit. Other students on this forum have listed Vulnhub machines that they recommend in preparation for the OSCP. Here’s one such thread that lists a few relevant machines - http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-5.html .

Some students have recommended some other prep certs or books to assist in preparation. I found that google (enumeration) and the PDF that came with the course were more than sufficient. However, if one has the time to dedicate to learning, the more quality sources the better.

I didn't use the admins, nor did I work directly with any other students during my lab time. The forum can be a useful resource if you're stuck on a machine. This was especially helpful in determining if a machine is directly rootable. Additionally, I recall coming across at least one admin post that hinted about a particular lab machine possibly being a "retired" exam machine. Rooting this machine was fun and not only helped hone my way of thinking, but also gave me confidence that I was ready for the exam. Had I not enumerated the forums, I wouldn't have had this information.

On exam day, I calmly executed what I had learned. I had enough points to pass about 10 - 12 hours in. I did not use Metasploit during the exam. Before you start your lab time, I recommend reading and reviewing https://support.offensive-security.com/#!oscp-exam-guide.md to understand what will be necessary before you sit for your exam. This will help you prepare during the labs as if you were sitting the exam. I also chose to enumerate dozens of OSCP reviews so I had an idea of what to expect on exam day. I cannot overstate how important enumeration is to ensure success in the lab/exam. It's so important, I've even bolded it.

The hardest part of the exam is finding enough time to prepare in the lab environment. Think of it as training for a Marathon. For many, the hardest part is the long hours of training -- the blood/sweat/tears. By the time the day of the marathon comes, you're just executing what you've trained for. The OSCP is no different. For you to be successful, you have to put the time in.

I had a blast preparing for the OSCP and I highly recommend it. Offensive Security did a masterful job of giving you just enough information without holding your hand. This isn’t perfect certification and there are some areas that could be improved, but I firmly believe that the OSCP is the best entry level certification on the market today.

Kalabaster

Excellent little overview. Thanks, man. It's almost time for me to start my journey.

Mooseboost

Congrats on your pass! Glad to hear you enjoyed the journey.

JoJoCal19

Congrats on your pass!

bluesquirrel

congratulations for passing the exam!

Have started since a couple of weeks the OSCP adventure. Any suggestions on the best ways to successfully enumerate (best settings to use per tool, which are the best tools to use, etc.) ?

Many thanks in advance!

thegoodbye

Make sure you go through all of the pdf exercises and videos before attacking the lab. I know there are a few lab exercises that have you run a set of tools on the lab. Do those and once complete, go back to the pdf and finish.

I'll give you a little bit of what you're asking for, but I'm not going to give you everything, as it will only hurt you in the long run. To be fully prepared for the exam, you should understand both the commands you're running, and why.

Nmap: -- At minimum, know what -sS, sT, sV, Pn, -p-, oA and sU do and when to use them. Understand that you may start with a basic -sS scan that does the top 1000 ports and the output should be fairly quick, which will get you started on a host. Maybe then you decide to run a nmap -sT -sV <ip address> -p<interestingport1,2,3>, which also will provide a relatively quick output, depending on the ports selected, and how many. While this is happening, a full port scan could be run on tcp or udp, which will generally take longer(especially udp). Know how to Understand the nmap scripting engine (/usr/share/nmap/scripts). Understanding https://nmap.org/nsedoc/ will also help. As you go through the labs, you'll see some common ports over/over. Learn what they are. When you run a scan and see a non standard port that's used, it may be worth a look. The pdf covers most of what you need to know on the nse.

Active Information Gathering: Know everything in this section in the PDF, especially enum4linux and snmpwalk. What do these outputs look like on a locked down host? What do they look like on a host that may be "leaking" more information than it should? What type of information can I glean from this and how can I use that to my advantage?

Web Enumeration: See if robots.txt exists. You should be very comfortable using Nikto/Dirbuster . Know how to pass credentials to both scanners so an authenticated scan may be run, even though this isn't always needed. Have a look at /usr/share/wordlists on Kali . Know how to use Burp Suite to accomplish some of what you do with a tool.

sqlmap - Know how to use this, but understand that it's not allowed during the exam. Make a list of some common things you can try manually.

nc - this is your bread/butter. Understand how to move nc to machines. The pdf covers this well, but there are other ways that require thinking differently. Understand that not all "built in" nc's are the same .

priv esc - After getting a low priv shell, enumeration begins again. Know how too priv esc on a machine using multiple methods. The obvious https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ and FuzzySecurity | Windows Privilege Escalation Fundamentals should be thoroughly analyzed. There are other guides out there, but these are fundamental. Not all machines will have an obvious kernel or OS exploit. If you've never run dir /? in windows , you should. If you've never run man ls, you should. Other favorites include man mount and man touch .

What other software is installed? Who owns these files (dir /q)? Understand what folders/files are installed on some of the default installations. What does seeing Program Files (x86) vs Program Files indicate? Is my exploit going to work on a machine with this particular architecture? If there is a LFI, but I don't know what OS the machine is running, what are ways to check that? Here's one forum I used that gave me some useful information on this question during the labs -- https://www.quora.com/How-can-I-tell-what-version-of-Windows-is-installed-on-a-hard-drive-without-booting-it . Look at timestamps (dir /od). Some of these can provide hints to the path forward.

Research: Understand that you'll often come across software that you've yet to see before. Some hosts may take extensive research to find gain an understanding of how things are setup/installed. Know common default username/passwords to save you time (admin/admin, admin/password, root/root, root/password, etc). Exploit as many hosts in the lab as you can, using as many methods as possible. This will help prevent an "Oh s***" moment on the exam because you're clueless on how to proceed. Read the readme to understand what you're doing whenever possible.

Hopefully this helps. I kinda just smashed together some ideas in my head. This is not an exhaustive list, but it should help give you a glimpse into the proper mindset. Remember, the OSCP isn't difficult -- it's just time consuming.

bluesquirrel

thank you very much for all the information and tips shared ! Really appreciated !!!

I like especially your conclusion: "Remember, the OSCP isn't difficult -- it's just time consuming." ... I will try to keep it in mind during the difficult times

Have you already decided which will be your new adventure?

chrisone

Great read! Your words are inspiring! Congrats on the pass what is next for you? any interest on OSCE?

thegoodbye

I'm going to take off until the end of the year and just relax. Having prioritized my time on the OSCP, I've neglected other areas of my life that I need to catch up on. Next year I'll look at SANS 660 or 642. At this point in my career, I have enough experience/knowledge that their 500 level classes are mostly review. CTP/OSCE will likely be started by this time next year... maybe sooner if I get bored, but will require a lot of pre-study.

JasminLandry

Congrats on the pass

veesmeet

Its very sad that I couldn't pass OSCP for three times. Someone please help me. I can share details.

goatama

veesmeet wrote: »

Its very sad that I couldn't pass OSCP for three times. Someone please help me. I can share details.

Sounds like you need to try harder.

veesmeet

I know that that I need to. Its just so frustrating to not know what went wrong even after the exam. So with OSCP it can happen that you walk out of the exam BLANK.

Kalabaster

goatama wrote: »

Sounds like you need to try harder.

Clearly what he needs to do, is try hardererer!

winona_ryder

thegoodbye wrote: »

I'm going to take off until the end of the year and just relax. Having prioritized my time on the OSCP, I've neglected other areas of my life that I need to catch up on.

Hear, hear. I have found that I get so caught up in the problem solving and troubleshooting that insane amount sof time can go past. I'm lucky that my wife is patient and understanding.