Ambiguous OSCP exam restrictions

lkadsjfi4lkadsjfi4 Registered Users Posts: 1 ■□□□□□□□□□
"You cannot use any of the following on the exam: Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
Any tools that perform similar functions as those above are also prohibited."
"You may however, use tools such as Nmap (and its scripting engine), Nikto, Burp Free, DirBuster etc. against any of your target systems."

Aren't Nmap, Nikto, Burp, and Dirbuser doing mass scans for vulnerabilities?

Would netcat be allowed? How about vulndetector? How about a tool like w3af which has tools to exploit found vulnerabilities, if I don't use those tools and just take advantage of scanning capabilities?

Is there a fine line between how many, or what types of scans a vulnerability scanner does that decides whether it's a "mass vulnerability scanner" or not?
Besides, couldn't someone just make an nmap script (allowed) to accomplish what some of the programs they consider "mass vulnerability scanners" do?


  • EANxEANx Member Posts: 1,077 ■■■■■■■■□□
    If you have to nitpick about exam requirements, are you sure you're ready for it? And maybe scripting functionality in a basic tool is the idea. It's not hard to download a tool that takes a lot of the thought out of the process. If you can design a script for a basic tool though, you probably have a better sense of the objectives and process to get there.
  • TeKniquesTeKniques Member Posts: 1,262 ■■■■□□□□□□
    Maybe run some of those tools not allowed on the exam vs. those that are ... you'll see the difference real quick and answer your own question. If the course and exam was about automating everything then those tools would be allowed, but it's not and is more focused on having you do some research into the things you find and how to exploit them.
Sign In or Register to comment.