OSCP questions for starter

Hi guys,
I have a few questions for the OSCP exam:
1. Are all machines for OSCP (like Windows, Linux) 32-bit or 64-bit? I mean, do I need to do SLAE32 and SLAE64 as well?
2. For OSCP, do I need to know assembly language and GDB in depth? I mean something like writing from scratch.
3. How much C programming do I need to know for OSCP?
The reason I am asking is that my next target after OSCP is OSCE, so I am collecting materials from everywhere.
I started with assembly language, GDB, C programming, etc., and it looks like I am down the rabbit hole, so I was thinking maybe first get OSCP and then concentrate on low-level stuff.
Any ideas?
Comments
2. No, that is out-of-scope for the course. You could write your own shellcode if you want, but msfvenom is allowed.
3. If you understand the basics of pointer arithmetic and C syntax you are gold. Troubleshooting compilers, linkers, compiling for different architectures is far more important.
Is there any single book which I can read that can give me a nutshell idea of the things I need to know?
Currently there are 1000s of resources and I still don't have an idea about what needs to be done.
I want a single book which I can just give a vague reading so I get familiar with what I need to do, and then I will go into detail.
Also, I want to know whether it is possible to pass OSCP without Metasploit. I read on blogs that they only allow you to use Metasploit on one machine.
I really don't want to waste time on it if I can't use it. I'd better find other methods which can help me there.
If you've heard about the exam limiting the usage of Metasploit, I would try additionally harder not to lean or rely heavily on it. It doesn't mean its usage isn't important. My personal opinion about the exam is nothing should be shared about it at all. This includes people who have passed it or people who have failed it who want to give others a heads-up. This unfortunately isn't the case, and now more information can be found out about what to expect on the exam at this point on the internet than ever before.
The exam wouldn't hold as much reputation as it does if you could pull down Metasploit and pass the exam. Being ready for anything is key.
Your best bet is finding vulnerable VMs, and taking related courses does nothing but help.
If you aren’t a pentester in your daily job, I would tell you to budget no less than $2,000...basically two 90 day periods of labs. Honestly that isn’t unreasonable considering OSCP carries a lot of street cred.
What would you recommend, as I have never had any pentesting experience before?
1. Watch VulnHub machine walkthrough videos on YouTube to get an idea of what's basically done in pentesting
2. Then read all materials etc. to get more of an idea
3. Then start HackTheBox without any help
Or do I have to do VulnHub all by myself?
I won't sugar coat this, this course is not easy and requires an absolute ton of work even with previous pentesting experience. It will require you to do an incredible amount of research on your own, often times without any assistance, and will require a continued drive and determination to push through to the finish line. You can most certainly do it, but be prepared to work long hours with effectively zero sympathy or help being offered by anyone along the way.
What exactly has caused you to zero in on the OSCP at this point in your InfoSec career/path? What other InfoSec based certifications do you already have? If you have zero experience in pentesting at all it might be worth dropping back and moving a little slower by starting with something like the CompTIA Security+ followed by the CompTIA PenTest+? If you already have those then please disregard that advice.
All that said, below are a few recommendations for this course:
1. Be willing to work hundreds of hours, on your own, with little to no help from others.
2. Know going in that this will be very difficult given your lack of preexisting experience and expect to be told "Try Harder" outside of the official channels of support (IRC, OffSec forums, etc).
3. Watch pretty much everything that IppSec has ever put out, he is solid gold
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
4. Work on machines on HackTheBox, if you have a VIP account then I believe you will have access to retired machines, which makes the IppSec videos even more valuable as you can work through them step by step with him. I do not have a VIP so I am not sure.
5. Work on machines from VulnHub.
6. Be willing to research concepts that you do not understand for as long as it takes to understand them.
7. Never give up and never surrender. If you truly want this then just keep fighting the good fight until you eventually win, failing is simply learning yet another way not to win and with enough failures you will succeed!
OSCE
1. I took the SecurityTube Linux Assembly Expert (SLAE) in order to prepare for the OSCE registration challenge
Assembly Language and Shellcoding on Linux « SecurityTube Training
2. Don't look up the solution to the OSCE signup challenge, if you can't legit do it on your own without needing to get a walkthrough on how to sign up then you are not ready.
3. I have no idea what else as I just started the OSCE a few days ago.
Goals for 2019 : OSEE
Goals for 2020 : OSWE
Thanks, securitychops, for your valuable info.
I have extensive experience in programming, bash, Linux sysadmin, network, cloud, but not specifically in pentesting.
So I am used to solving issues, finding bugs, spending countless hours on the PC every day.
Last month someone came to pentest in our company and he told me about OSCP.
It was that day I decided that I will do the same, no matter how much time it will take.
I don't want to waste money on other certifications which I don't want. That money I can spend on OSCP even if I fail many times.
I am ready to work hard, as I already do that in other areas like AWS etc. I am just changing the subject, but the rest I do every day.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
The more you understand about Windows/Linux, internal workings of an OS, security concepts, report writing, etc., the better you will be when taking the course.
@Slyth - that's a really interesting comment about Red Team Nation. Never heard of them, but I'm looking at their course now. How would you rate their course in terms of difficulty, is it more beginner oriented or it assumes you already have some experience in the field? And is it all video based, or does it include a practical component as well?
Personally I use a 2015 Macbook Air for just about everything I do in life (older i5, 8GB of RAM). Kali runs inside a VM with 4GB of RAM. Boom! That's it! You're set!
Now a lab, that's something else entirely
-> IT Testlabs for everyone!