Basic OSCP questions

relegated Member Posts: 81 ■■■□□□□□□□
I have been preparing for my CISSP and hope to take it early 2018. I already have my SSCP, Security+, A+, MCSA, SonicWall certs and have been working in IT since like 2004. That being said I am awful at programming of any kind, I always have been and likely always will be.

In order to get your OSCP it looks like you need to take the Penetration Testing with Kali Linux course that costs $800 and includes 30 days of labs?

I have spent a fair amount of time in the security side of things and have messed around with Kali on various occasions but I am no pen tester. I have read it is a pretty brutal path to getting the OSCP and given my poor coding skills I'm wondering if I would be able to do it.

Comments

  • Vegeta75011 Member Posts: 5 ■□□□□□□□□□
    Hi!
    I hope I will help you
    I just passed my CISSP today and I did have my OSCP several years ago!


    First of all, they have nothing in common
    OSCP is a 100% technical exam where the ultimate goal is grabbing the keys of the kingdom
    you work online in a dedicated environment for several hours and be ready to sweat
    I’ve been at a pentest with kali session at Blackhat in LV and it was for me, as a pentester, quite easy but
    the exam is not!
    but the coding skills are not a barrier I think, I’m no dev like you
    30 days of lab is according to me not enough if you’re not full time on it and if you have nearly no knowledge on pentesting

    CISSP is a security manager exam according to me
    Totally doable if you’re not a pentester

    As we say in France: don’t run after 2 rabbits at the same time
    my advice would be to focus on your coming CISSP, you will be so happy when you have it
    and after ask yourself if you really wanna be a pentester, if yes go for OSCP it’s the best but if you don’t wanna be one, forget about it
    Another cert, easier for debuting in pentest world would be SANS GPEN (have it also) will give you a very good and precise overview on security and hacking

    hope to help

    regards
  • TeKniques Member Posts: 1,262 ■■■■□□□□□□
    Everyone is different, but I would recommend to dive right in and don't let your lack of programming skills deter you. It would help, but is by no means a requirement to be able to take the course. I would be more concerned with being able to dedicate the amount of time that will be required to work through the course material and be able to research topics on your own. Good luck.
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Programming skills aren’t a prerequisite...the ability to learn and basic security skills are though.

    Don’t be discouraged if it takes a while to achieve the cert...a lot of people have failed the first go around. I would not do 30 days...at minimum do 60...but 90 is better. If you don’t have the background in pentesting, you literally won’t pass in 30 days...barely enough time to get through the material let alone the lab.
  • shoey Member Posts: 111 ■■■□□□□□□□
    Limited programming skills should not deter you from attempting this course... But I would DEFINITELY take the time to research people's OSCP blogs/posts prior to starting. It also would be beneficial to take some time to research topics you are unfamiliar/inexperienced with prior to scheduling.

    I had a month where I knew work/life wouldn't be crazy, so I purchased the 30 day PWK course and attempted to grind as hard as possible... It kicked my @ss. I cannot emphasize enough just how much I wish I had just purchased the 90 days. With that being said, I ended the course feeling as though I had learned and accomplished more with the PWK Lab than in any of my other certs.

    I will be scheduling my second attempt at the OSCP early 2018 as well. Best of luck to ya! Let me know when you schedule your course!
    "I have missed more than 9,000 shots in my career. I have lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." - Michael Jordan
  • N7Valiant Member Posts: 363 ■■■■□□□□□□
    I don't know...

    Is it an open Google exam, or do they include all the scripts you might need to execute in the Kali image?

    I'm speaking only as a petty dabbler who followed a walkthrough to penetrate a VulnHub VM.


    But one of the commands they had me execute to exploit a shellshock vulnerability looked pretty complicated and would not be something I could come up with on the spot. It's hard to imagine pulling that off without some programming knowledge, particularly with bash.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • CyberCop123 Member Posts: 338 ■■■■□□□□□□
    relegated wrote: »
    I have been preparing for my CISSP and hope to take it early 2018. I already have my SSCP, Security+, A+, MCSA, SonicWall certs and have been working in IT since like 2004. That being said I am awful at programming of any kind, I always have been and likely always will be.

    In order to get your OSCP it looks like you need to take the Penetration Testing with Kali Linux course that costs $800 and includes 30 days of labs?

    I have spent a fair amount of time in the security side of things and have messed around with Kali on various occasions but I am no pen tester. I have read it is a pretty brutal path to getting the OSCP and given my poor coding skills I'm wondering if I would be able to do it.

    I'm deep into my OSCP Studies and just about to finish 90 days worth of labs... 30 days of that was spent solely on reading the PDF they provide which is 375 pages and also watching the videos - of which there's about 170.


    I have strong Linux Skills, OK Python Skills but my hacking knowledge and experience wasn't strong other than hacking into about 4 VulnHub machines.


    I think signing up for 30 days is insane in my own opinion as it's a lot of work and some of the machines you can be stuck on for days at a time. I've got a blog on here where I've been documenting my journey into OSCP and it's intense, hard, fun but has been very impactive. It's all worth it though.


    One thing I said on my blog was I just don't see why some people are in such a rush. E.g. I've signed up for 90 days, but I'm going to sign up for another 90 as I want to hack into as many machines as I can and come away confident and hopefully with the OSCP certification. Some weeks I can get TONS of work done, sometimes not if work gets in the way, general life or I'm just feeling tired and not as productive as normal.


    I think you're a good candidate to take the OSCP as you have some good background in IT. The OSCP does not involve programming. There is a tiny bit of scripting in the exercises but that is not programming, and it's not essential. The exploits used in the labs themselves rarely need much editing if any. Plus reading code is different to writing it.


    I signed up for OSCP and it's the best thing I've done in a long time, it's my first certification and I'm glad I chose it. Good Luck with whatever you decide.
    My Aims
    2017: OSCP -
    COMPLETED
    2018: CISSP -
    COMPLETED
    2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting -
    COMPLETED
               GIAC GREM - Reverse Engineering of Malware -
    COMPLETED

    2021: CCSP
    2022: OSWE (hopefully)
  • N7Valiant Member Posts: 363 ■■■■□□□□□□
    O_O

    Isn't it $600 for another 90 days? I just think it might have been cheaper to retake it another 10 times for the same price.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • CyberCop123 Member Posts: 338 ■■■■□□□□□□
    N7Valiant wrote: »
    O_O

    Isn't it $600 for another 90 days? I just think it might have been cheaper to retake it another 10 times for the same price.

    Haha yes it is. I may just extend for 30 days and then do the exam. I just want to reach 30 lab machines hacked and also maybe hack some in the other networks.


    If I can hack Humble and Sufference I'll be happy too.
    My Aims
    2017: OSCP -
    COMPLETED
    2018: CISSP -
    COMPLETED
    2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting -
    COMPLETED
               GIAC GREM - Reverse Engineering of Malware -
    COMPLETED

    2021: CCSP
    2022: OSWE (hopefully)
  • McxRisley Member Posts: 494 ■■■■■□□□□□
    As others have said, don't let your lack of programming skills deter you. Programming skills will help you some in the course but plenty have passed without much programming knowledge (I'm one of those people). Just make sure that you can dedicate a significant amount of time to the course. I have a blog on here about my OSCP journey that many seem to like reading, it may give you an idea of what you can accomplish. I had 0 pentesting experience or knowledge before I started as well.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • shoey Member Posts: 111 ■■■□□□□□□□
    I'm deep into my OSCP Studies and just about to finish 90 days worth of labs... 30 days of that was spent solely on reading the PDF they provide which is 375 pages and also watching the videos - of which there's about 170.


    I have strong Linux Skills, OK Python Skills but my hacking knowledge and experience wasn't strong other than hacking into about 4 VulnHub machines.


    I think signing up for 30 days is insane in my own opinion as it's a lot of work and some of the machines you can be stuck on for days at a time. I've got a blog on here where I've been documenting my journey into OSCP and it's intense, hard, fun but has been very impactive. It's all worth it though.


    One thing I said on my blog was I just don't see why some people are in such a rush. E.g. I've signed up for 90 days, but I'm going to sign up for another 90 as I want to hack into as many machines as I can and come away confident and hopefully with the OSCP certification. Some weeks I can get TONS of work done, sometimes not if work gets in the way, general life or I'm just feeling tired and not as productive as normal.


    I think you're a good candidate to take the OSCP as you have some good background in IT. The OSCP does not involve programming. There is a tiny bit of scripting in the exercises but that is not programming, and it's not essential. The exploits used in the labs themselves rarely need much editing if any. Plus reading code is different to writing it.


    I signed up for OSCP and it's the best thing I've done in a long time, it's my first certification and I'm glad I chose it. Good Luck with whatever you decide.

    I've been following your posts on the OSCP. Best of luck and much appreciated!!
    "I have missed more than 9,000 shots in my career. I have lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." - Michael Jordan
  • shoey Member Posts: 111 ■■■□□□□□□□
    N7Valiant wrote: »
    O_O

    Isn't it $600 for another 90 days? I just think it might have been cheaper to retake it another 10 times for the same price.

    Yeah it would be cheaper to just pay for the retake (if all you're looking for is a cert) but I'd rather have access to the PWK Lab (imho) to keep trying different exploits, etc. and continue to learn more.
    "I have missed more than 9,000 shots in my career. I have lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." - Michael Jordan
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    N7Valiant wrote: »
    I don't know...

    Is it an open Google exam, or do they include all the scripts you might need to execute in the Kali image?

    I'm speaking only as a petty dabbler who followed a walkthrough to penetrate a VulnHub VM.


    But one of the commands they had me execute to exploit a shellshock vulnerability looked pretty complicated and would not be something I could come up with on the spot. It's hard to imagine pulling that off without some programming knowledge, particularly with bash.
    You can use any resources you basically want...google, books, etc.

    The main thing with OSCP is that they don’t spoon feed you. You will learn the basic concepts of pentesting to build a foundation, but finding exploits that work, scripts, etc. are not included...that is what makes it quite challenging.
  • IaHawk Member Posts: 188 ■■■□□□□□□□
    Suggest you take advantage of this free course at udemy "Automate the Boring Stuff with Python". This course is normally $50, but free for one more day.

    https://www.udemy.com/automate/?couponCode=PY_ALL_THE_THINGS2
  • woo777 Users Awaiting Email Confirmation Posts: 4 ■□□□□□□□□□
    IaHawk wrote: »
    Suggest you take advantage of this free course at udemy "Automate the Boring Stuff with Python". This course is normally $50, but free for one more day.

    https://www.udemy.com/automate/?couponCode=PY_ALL_THE_THINGS2

    Thanks for the link!
  • clarkincnet Member Posts: 256 ■■■□□□□□□□
    IaHawk wrote: »
    Suggest you take advantage of this free course at udemy "Automate the Boring Stuff with Python". This course is normally $50, but free for one more day.

    https://www.udemy.com/automate/?couponCode=PY_ALL_THE_THINGS2


    Awesome link!
    Give a hacker an exploit, and they will have access for a day, BUT teach them to phish, and they will have access for the rest of their lives!

    Have: CISSP, CISM, CRISC, CGEIT, ITIL-F
  • relegated Member Posts: 81 ■■■□□□□□□□
    @ IaHawk thank you, I just signed up.

    Would you guys say that after passing the OSCP you will have enough knowledge to actually be able to use most of the tools in Kali in order to say fully test a .NET web application? In other words what kind of real world skills do you walk away with vs what I would say are very little to none with a lot of other certifications.
  • Hornswoggler Member Posts: 63 ■■□□□□□□□□
    OP, I recently did the OSCP and like you I had an infrastructure background and very little programming experience. It's very possible to complete the course without being a programmer but there are parts that will be frustrating. You'll get experience "fixing" or customizing bad C and Python exploit code from the internet, and some of the exploits will require PHP or SQL syntax. I probably spent too much time with trial-and-error as I don't fully understand the syntax of those languages. You'll learn a ton. Don't let it stop you but I wish I had done a python and basic C course first. Error messages from compiling code using gcc would drive me nuts! I assume these things were easier for seasoned programmers.
    One thing I said on my blog was I just don't see why some people are in such a rush. E.g. I've signed up for 90 days, but I'm going to sign up for another 90 as I want to hack into as many machines as I can and come away confident and hopefully with the OSCP certification. Some weeks I can get TONS of work done, sometimes not if work gets in the way, general life or I'm just feeling tired and not as productive as normal.

    I can see both sides. From a learning perspective, we're all different and come from varied backgrounds so take as long as you need to truly understand and master the topic. Be it 30 days or 30 weeks, we do this to learn and grow. In this sense take your time.

    From a goal setting and time management perspective, having a 90-day countdown timer and financial consequence can be helpful to people like me. Without a clock ticking or the threat of spending hundreds of dollars renewing, I would probably take my sweet time and drag my feet. Instead I spent many hours per day focusing on the labs. I was looking forward to getting my life back after I passed. I would rather set an aggressive goal, dedicate myself to it for a few months, and have it over with than prolong the process. Pentesting is one of those fields where you want to be warmed up and stay in practice. We're all different but I need to light a fire under myself sometimes or else it doesn't always get done. YMMV.
    2018: Linux+, eWPT/GWAPT
  • Hornswoggler Member Posts: 63 ■■□□□□□□□□
    relegated wrote: »
    Would you guys say that after passing the OSCP you will have enough knowledge to actually be able to use most of the tools in Kali in order to say fully test a .NET web application? In other words what kind of real world skills do you walk away with vs what I would say are very little to none with a lot of other certifications.

    No, it's NOT a web app hacking course. While it does cover some web app topics and quite a few lab boxes have web services running, it's not a complete application testing course. The web topics covered will help you better exploit web apps with default/weak passwords, uploading malicious files, writing to the file system, enumerating the target, and remotely executing code (LFI/RFI).

    Upon completion of the course, you WILL be much more comfortable with kali and familiar with quite a few of the tools. As you learn how to do this stuff manually, you don't need a whole lot of tools. You'll have a systematic approach to hacking a target box. You'll know a dozen or more ways to establish a reverse shell and what to do with it (post exploit plunder, elevate to root, **** pw hashes, pivot, etc). You'll gain a better understanding of buffer overflows and how to write them. Plus lots and LOTS of practice!! It's a hands-on field where practice is necessary.
    2018: Linux+, eWPT/GWAPT