OSCP
Comments
-
dynamik Banned Posts: 12,312
_Dark_Knight_ wrote: »I totally agree. Thanks for the welcome
Anytime. So, set a date for the OSCE yet?
That GPEN you have is nice as well. For anyone looking for a more straight-forward pen testing course, I'd highly recommend that. I think the GPEN and OSCP complement each other immensely.
-
_Dark_Knight_ Member Posts: 7
Anytime. So, set a date for the OSCE yet?
That GPEN you have is nice as well. For anyone looking for a more straight-forward pen testing course, I'd highly recommend that. I think the GPEN and OSCP complement each other immensely.
I don't think I have the guts required to sit the OSCE. At least not yet
I have come close to signing up but alas I didn't follow through.
I have to agree with you again though, the GPEN complements the OSCP quite well. I stopped listening to the audio after a while and just read the manuals. Ed speaks at the speed of light
-
L0gicB0mb508 Member Posts: 538
Some interesting responses, and I do respect everyone's opinion on the class. I'm pretty well finished with it, I haven't set a date for the challenge yet. Anyway, on with the hate (just kidding).
I have no issues with a class that challenges you to think outside the box. Actually I really prefer a challenge. I love the challenge this course has provided, but that was never my issue here.
My issue is I paid for someone to teach me about ethical hacking. I paid for some expert level knowledge to be passed in my direction. I didn't pay for a class that tells me to go read the foundational material from a wiki page. I expected that to be taught, that's why I paid for the class. If you ask for help you get the old "try harder".
This is my opinion of course. So far everyone but me seems to really think it was awesome. Maybe I'm just missing something, I dunno.
I bring nothing useful to the table...
-
_Dark_Knight_ Member Posts: 7
L0gicB0mb508 wrote: »Some interesting responses, and I do respect everyone's opinion on the class. I'm pretty well finished with it, I haven't set a date for the challenge yet. Anyway, on with the hate (just kidding).
I have no issues with a class that challenges you to think outside the box. Actually I really prefer a challenge. I love the challenge this course has provided, but that was never my issue here.
My issue is I paid for someone to teach me about ethical hacking. I paid for some expert level knowledge to be passed in my direction. I didn't pay for a class that tells me to go read the foundational material from a wiki page. I expected that to be taught, that's why I paid for the class. If you ask for help you get the old "try harder".
This is my opinion of course. So far everyone but me seems to really think it was awesome. Maybe I'm just missing something, I dunno.
I completely understand where you're coming from. I felt the SAME way in the initial stages hell what am I saying throughout the ENTIRE course.
But it was one HELL of a ride.
-
L0gicB0mb508 Member Posts: 538
_Dark_Knight_ wrote: »I completely understand where you're coming from. I felt the SAME way in the initial stages hell what am I saying throughout the ENTIRE course.
But it was one HELL of a ride.
I like your style. It is one hell of a ride. It's full of crushing defeats and some very good wins haha.
I bring nothing useful to the table...
-
JockVSJock Member Posts: 1,118
I was at an infosecurity outing where I live and two guys talking two had a lot of praise for these certs. I was wondering what others thought of these say Vs the SANS certs?
thanks
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)
"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown
-
L0gicB0mb508 Member Posts: 538
JockVSJock wrote: »I was at an infosecurity outing where I live and two guys talking two had a lot of praise for these certs. I was wondering what others thought of these say Vs the SANS certs?
thanks
These are a lot cheaper and more "hands on" than most of the SANS stuff. They also don't hold your hand nearly as much. It's pretty enjoyable once you get past the delivery of the content. That's really been the only complaint I have had.
Update on my progress.
I've finished all the course videos and most of the labs. I should be scheduling to take this in the next week. I'm messing around in the labs as we speak. Just messing around I was able to get a shell on 3 servers, so I feel pretty confident on the lab. This course has definitely helped me in my technical understanding of attacks. No matter what, it's been pretty fun.
I bring nothing useful to the table...
-
slinuxuzer Member Posts: 665
For anyone who is not an OS or app pen tester by profession, I would recommend the following course of action to be performed for a month or two before you actually start the PWB (OSCP) course:
- View the tutorial videos at Offensive Security to get an idea of what the class materials are like.
- Download and install BackTrack 4 on a laptop or VM and update/upgrade it over your Internet connection. Read/watch the BackTrack 4 Guides and Howtos.
- If you are unfamiliar with Ubuntu (Debian) Linux or KDE, you should learn how to configure networking, install and upgrade software packages using both the GUI shell and the command line.
- If you do not know Linux at all, invest in an Intro to Linux book or class to learn all you can about using and managing a Linux box. The objectives of the CompTIA Linux+ certification are an excellent reference of Linux commands and features you should know.
- Browse through the tools on BackTrack available in the /pentest subdirectory and the KDE menu. Become familiar with the use of the more common pen testing tools.
- Know how to write simple bash shell scripts or other types of UNIX or Linux shell scripting.
- Knowing either Perl or Python is a great help in the OSCP class; they are used by several of the assignments. Spend some time learning to write very basic programs in either or both of these languages.
- Install the LEO XML editor, view the LEO demo video and the Leo Screenbook, and familiarize yourself with using LEO. You’ll need to install Python 2.x if you haven’t already.
- Understand the fundamental organization and operational principles of computer architecture (e.g., stack, heap, CPU registers). Understand the lifecycle of a running program and how it “lives” in the computer.
- Learn the basics of Intel x86 assembly language and how it is used to create an operation program.
- Learn how to use Ollydbg or IDA Pro to load and step through the execution of a program. YouTube has a lot of videos on these disassemblers. Books on reverse engineering do as well.
- Become familiar with the structure and content of the Milw0rm and Exploit Database and SecurityFocus Web sites.
- Read through the posts in the forums at forums.offensive-security.com. You will gain access to more forums after you have signed up for the course, and read through the posting on those as well.
- If you are not on IRC then now’s the time to learn how by visiting the Offensive Security channel at irc://freenode/offsec. For an IRC client, I use the ChatZilla add-on for FireFox.
If you manage to accomplish most of these tasks before starting the actual PWB class, you will be well ahead of most of your fellow classmates. Much of your introductory work will already be completed and you won't waste valuable lab time trying to figure out how to do things like use Linux commands, write shell scripts, or install software. Instead, you will be ready and confident to connect to the virtual lab and start working on the PWB modules.
Thanks JD, this is the info I was seeking in the CISSP forum, this is a great post.
I would also like to add to anyone interested that located at Heorot.net there are some "Live CDs" that are basically .iso's you can run in VMware Player, these are vulnerable *nix machines that you can pentest against, now if only they would have had all this when I was 14
-
mshadow Member Posts: 16
You really need to understand some basic concepts of programming and memory layout.
The exam has you writing an exploit
CPTE, C|EH, OSCP, CCA, ACSP
-
dijital1 Member Posts: 64
In comparing the 2 (Offensive Security and SANS), OffSec's course teaches real world technical penetration testing skills. In other words, someone that is able to get through all of the course material and pass the exam, has a very strong foundation in the technical skills required for penetration testing.
You're taught how to think like a hacker along with understanding the process of real world penetration testing.
SANS material while being excellent, is not nearly as hands on or process driven. If you can do both the OffSec courses and SANS that of course would be your best bet, but dollar for value, it's difficult to beat the OSCP offering.
-
xcircusmusician Registered Users Posts: 2
Hi Guys/Girls: This Thread has been very useful. I'm going to take the OSCP in about a month. I am Network+, Security+, and CEH Certified. A couple of quick questions if I may --
I have 'little Python/Perl' experience, but I fiddled around with C++ programming 'years' ago.
I've been exploring BT4, and now it seems that I should be using BT3 (Correct?)
Any advice/suggestions would be greatly appreciated. Thanks in advance
Post Script:
Yes I actually am a 'Ex-Circus Musician'
Bass player for the Bently Bros Circus
-
2BeOrNot2BE Registered Users Posts: 1
Hai guys, as always.... thank you for the guide, been thinking really hard whether or not should I be taking this examination with my current skills ><. From the previous posts shows that I need to be familiar with linux scripting and basic configurations. Need to learn more
Again thank you ^^
-
veritas_libertas Member Posts: 5,746
L0gicB0mb508 wrote: »These are a lot cheaper and more "hands on" than most of the SANS stuff. They also don't hold your hand nearly as much. It's pretty enjoyable once you get past the delivery of the content. That's really been the only complaint I have had.
Update on my progress.
I've finished all the course videos and most of the labs. I should be scheduling to take this in the next week. I'm messing around in the labs as we speak. Just messing around I was able to get a shell on 3 servers, so I feel pretty confident on the lab. This course has definitely helped me in my technical understanding of attacks. No matter what, it's been pretty fun.
How did the exam go?
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
veritas_libertas wrote: »How did the exam go?
-
veritas_libertas Member Posts: 5,746
Bl8ckr0uter wrote: »I don't think he took it or he didn't pass. I think he said something about his experience going to poop and he started to hate Offensive Security. I'd really want to take this course but I know I will only be able to afford the 30 day length. I have quite a few books that I am going to read to prepare for it. Maybe by the time I get to the point when I am ready to take it, I will have more cash on hand. Are you planning on going for it Veritas?
No, just curious. We had someone give a presentation at our Greenville ISSA, and during the presentation he talked about his experience getting the OSCP. He seemed to really like the whole experience.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
veritas_libertas wrote: »No, just curious. We had someone give a presentation at our Greenville ISSA, and during the presentation he talked about his experience getting the OSCP. He seemed to really like the whole experience.
-
ipchain Member Posts: 297
veritas_libertas wrote: »No, just curious. We had someone give a presentation at our Greenville ISSA, and during the presentation he talked about his experience getting the OSCP. He seemed to really like the whole experience.
OSCP is unique in many ways. I have enjoyed the experience so far, and although I've had to interrupt my OSCP studies to focus on the CISSP, I plan on extending my lab time for another 30 days once the CISSP results are out.
Save a bit of money and go for it - it's an adventure you won't regret embarking on! I will post a review once I get through it all and take the exam, but so far so good!
Every day hurts, the last one kills.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Save a bit of money and go for it - it's an adventure you won't regret embarking on! I will post a review once I get through it all and take the exam, but so far so good!
-
ipchain Member Posts: 297
Bl8ckr0uter wrote: »Would you say that it has been worthwhile and worth the money? Moreso than GPEN? Also (as I know you are a Senior security resource) all other things equal if you saw someone with OSCP, CCNP, CCNP:S vs someone with SSCP,CCNP,CCNP:S which person would you lean towards for a JR security analyst role (again all other things being equal including personality, experience, etc)?
The $750 I paid for OSCP was definitely worth it, no doubt about it. OSCP is different than GPEN in that it actually pushes you to your limits. You'll be required to not only do research, but also learn new programming / scripting languages on the fly, etc.
To answer your question, I would definitely consider someone with OSCP/CCNA for a JR security position as opposed to someone who only has CCNP/CCNP:S. You're looking for a security engineer, not a network engineer after all.
Every day hurts, the last one kills.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I guess I should ask, in your opinion which holds more value for JR level security analyst SSCP or OSCP?
-
ipchain Member Posts: 297
Bl8ckr0uter wrote: »I guess I should ask, in your opinion which holds more value for JR level security analyst SSCP or OSCP?
In my opinion, OSCP holds more value than SSCP and CISSP. Some people might disagree with me on this, but I value 'technical' certifications a lot more than those who are solely based on 'theory'. Give two lines of shellcode to a CISSP and he/she will be clueless. Give them a copy of BackTrack 5 and ask them to encode a payload...the list goes on and on.
Reading a 1200 page book in preparation for SSCP or CISSP isn't worth your time and money, unless it is a requirement to keep your job. I'm still looking for answers as to why I did it...
Don't want to hijack this thread, so I apologize to the OP if I deviated from the original topic.
Every day hurts, the last one kills.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
In my opinion, OSCP holds more value than SSCP and CISSP. Some people might disagree with me on this, but I value 'technical' certifications a lot more than those who are solely based on 'theory'. Give two lines of shellcode to a CISSP and he/she will be clueless. Give them a copy of BackTrack 5 and ask them to encode a payload...the list goes on and on.
Reading a 1200 page book in preparation for SSCP or CISSP isn't worth your time and money, unless it is a requirement to keep your job. I'm still looking for answers as to why I did it...
Don't want to hijack this thread, so I apologize to the OP if I deviated from the original topic.
Interesting. Very interesting indeed. Oh and ditto on the threadjack but this thing is so old I don't think anyone would mind if we breathe a little life into it.
I only planned to do SSCP because well, I don't really know to be honest. There was a job I wanted at one time that listed CISSP and SSCP as desirable so I guess that's why I planned to do it. I mean my goal isn't being a policy C&A type of infosec professional plus I don't want to do CISSP just yet. The OSCP course looks pretty interesting and fun. Part of the issue is that HR people don't care about OSCP for the most part. They only want CISSP and maybe GSEC or CEH. In fact until recently, the only security jobs in my area listed CISSP and that was it. I want to bring value to myself and to whatever company I work for and I think being able to validate security is what all security analysts should be able to do (hence OSCP). I don't know lol I'd love to do both but if it comes down to it, I need skills more than policy knowledge (since my next position will probably not be one where I am making policy).
I could be wrong though so that's why I was asking you.
-
ipchain Member Posts: 297
Bl8ckr0uter wrote: »Part of the issue is that HR people don't care about OSCP for the most part. They only want CISSP and maybe GSEC or CEH.
Unfortunately, that is indeed part of the problem in the world we live in. While CISSP touches on certain topics that are of paramount importance to the overall security of an organization, the reality is that most organizations already have standards, policies, procedures and guidelines in place. So, if you are looking to hire a CISSP to manage your firewall and do intrusion detection/prevention, chances are your organization will have to pay for additional training as that individual will not have the appropriate set of skills to do the job. If that is the case, then WHY did you require the CISSP certification in the first place? I truly respect every CISSP holder, but I don't see much value in the credential itself.
OSCP deals with the offensive side of security, meaning the bad guys who are trying to break into your organization's network. What about the defensive side? Well, if you know the offense, then you should know what to do to prevent bad guys from breaking in. CISSP tells you that you should have firewalls, but it doesn't tell you how the bad guys can bypass them. CISSP might tell you to use split-DNS and load-balancers as a best practice, but it does not tell you that attackers can still find the real IPs and attack them. Security goes beyond CISSP, OSCP/OSCE and any of SANS' certifications, to be honest with you. Security can get real deep real quick, so only those who can see and understand the 'whole' picture will be able to make a difference.
In retrospect, if I had a choice, I would do OSCP/OSCE over any SANS' certification except maybe SANS 660 or SANS 709/710.
Every day hurts, the last one kills.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
+Rep. Thank you very much for your perspective. I think I know which way I am going to go.
-
ipchain Member Posts: 297
Bl8ckr0uter wrote: »+Rep. Thank you very much for your perspective. I think I know which way I am going to go.
Anytime buddy. I hope you were able to find some value in what I said.
Every day hurts, the last one kills.
-
demonfurbie Member Posts: 1,819
I wanna do this line of certs but sadly I'm gonna have to do the ones HR departments/DoD see useful first
wgu undergrad: done ... woot!!
WGU MS IT Management: done ... double woot
-
docrice Member Posts: 1,706
I didn't realize this was a resurrected thread. In any case, my current plan is to hopefully go through SANS 542 at the end of the year during the holidays (maybe try for the cert in Q1) and eventually go through the OSCP some time next year. I figure it'll be a good warm-up round before a real pentesting course.
My only experience with Offensive Security is the OSWP, and that was a blast ... even if it was more on the short and sweet side of things. The course fee isn't a big deal for me, but the time requirement is. With my current job, I barely have any spare cycles during weeknights or weekends since I need to be productive almost constantly. I can take a few days off to go through SANS 542, but the OSCP will probably take me at least two or three months out of me, and that's extremely expensive in terms of time management.
But I've spent the last couple of years focused mostly on the defensive side. I need to see how it works in the other direction so I can help improve the defensive posture at work. The OSCP would be the ideal plan for that.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
rogue2shadow Member Posts: 1,501
I'm 100% starting this in January with the 90 day package. Maybe we should start up a thread about the lab experience and the pain we endure throughout it (of course without revealing any specifics).
-
ipchain Member Posts: 297
rogue2shadow wrote: »I'm 100% starting this in January with the 90 day package. Maybe we should start up a thread about the lab experience and the pain we endure throughout it (of course without revealing any specifics).
That is a great idea. Perhaps we can even motivate each other!
Every day hurts, the last one kills.