Calling all Penetration Testing with BackTrack (PWB)/OSCP students!

the_hutch · February 2013

They will send you the procedures to test lab access (you have 48 hours to do this). Once tested, you then have an additional 24 hours to process your payment at a link they should send you. So a total 72 hour process. If you don't process your payment within 72 hours, you will be bumped from the class.

And yes, I did the 90 day package.

the_Grinch · February 2013

Ah ok, figured it would be something like that. Of course they sent me an email saying my account didn't qualify as a non-free email account (I work for a university, so unsure when .edu became non-free, but ok).

the_hutch · February 2013

Did you address the issue with them? I'm sure if you explain that you work for the university and its not a student email account, they should hook you up.

the_Grinch · February 2013

Aye, they sent me an email asking me to change it or send a copy of a photo id. I did that and was good to go. Will test the VPN when I get home and then pay them

Bring on the pain baby!

the_hutch · February 2013

The VPN client installation is extremely easy. I was up and running in less than a minute. Then I blasted the lab network range with a few nmap scans. Then I noticed that the lab connection procedures request that you not scan the network.... oops :-/

the_Grinch · February 2013

Haha! Like a kid with his father's gun (yay Jurassic Park reference!)

r0ckm4n · March 2013

It's a great course for sure and fun.

bobloblaw · March 2013

Any updates?

I'm planning on grabbing the CEH by the end of April as a little start. Any suggestions to prep prior to beginning the 90 day?
What else should I familiarize myself with before tackling OSCP? I figured I'd let Hutch give it a go and then just do what he does.

the_hutch · March 2013

Despite what everyone says, I feel like I wasted way too much time trying to prepare for this course. I spent a lot of time making sure I was completely proficient in Python, Perl and Ruby. It was a waste of time. While you will use them in exploits, most exploits follow a very similar format, and there are a select few modules in each language you have to use (specifically, the system and TCP/UDP socket modules), and the course does well to introduce these. This makes the learning curve in this part very easy. And for the most part, you only need to modify existing exploits.

Don't get me wrong, the course is EXTREMELY difficult. The real difficulty is in learning to identify the most effective attack vector (without using vulnerability scanners) and understanding how the exploit works well enough to make very basic modifications to an already existing POC (Proof of Concept) script. You are going to spend countless hours on the course, but in my experience (up to now...), its more in familiarizing yourself with unique vulnerabilities than it is with learning how to code in Python, Ruby, Perl, etc...

I would recommend some basic Bash scripting skills (because it will be helpful in recon and info gathering), an understanding of TCP/IP and basic Linux skills. Nothing more. Its going to be painful. But if I had to do it over again, I would have enrolled in this course a long time ago...and would not have wasted my time on SPSE and other scripting endeavors. I don't feel that they really benefited me that much (not as far as this course is concerned, anyways).

***

Despite the frustration (and there is a lot of that)...the course is AMAZING. Loving every minute of it

.

bobloblaw · March 2013

Good to hear. I fear the extreme monotony of anything with extensive coding. If I wanted to program I would've been a programmer.

Great feedback as usual. Keep us updated. I can't be the only one interested. What date are you looking at to test? Gonna try and do it any earlier? I have a feeling I'll want to use the entire 90 days if/when I do it.

One more - How much time are you dedicating daily to it?

impelse · March 2013

The_hutch

You feel that it is easy now because you are not wasting time trying to modify the exploits, because it is easier for you to understand it for your programming knowledge.

In my case I spent hours trying to modify the exploits or make it work when I was compiling in C.

It is very frustrate to make it work, you know that's the exploit you need but you cannot make it ready to exploit, lol

the_hutch · March 2013

@boblo...

I have no intention of registering for the exam until I have popped every box in the labs. So at this point, hard to say, but I suspect I will use most, if not all, of the 90 days (and possibly and additional 90). Also, I'm planning on taking advantage of the lab environment while I have access, and using it to prep for both SMFE (SecTube Metasploit Framework Expert) and CPTP (Certified Penetration Testing Professional). I'm planning to take the test for each of these before taking the test for OSCP. But I'm using the OffSec labs to prep for all of them.

I'm dedicating 2-3 hours each week day. And about 6-8 hours on a weekend.

@impelse

I certainly did not mean to imply that the course is easy. I think it is a very difficult course. Even with my scripting experience, I'm still spending hours troubleshooting and/or debugging code with a lot of the exploits. Anyone taking the course should expect to spend a lot of time working with the scripts. But I don't feel like my efforts to learn Python, Perl, and Ruby inside and out, has really given me a distinct advantage. Don't get me wrong...this is a very difficult course. My only point was, proficient knowledge of these languages is not going to be extremely helpful. Its going to suck regardless. A basic knowledge of them might put you at a slight advantage, but basic understanding of them isn't tough to pick up.

stock1337 · April 2013

registered the exam last year but fail horribly. Stuck at the assembly topic and trying to improve the web pentest skill the moment. I will probably re-register the lab again on May or June and aiming to pwn all lab boxes. So far I only got one flag/password in the lab... Probably will go try again end of the year for the challenging exam , or early next year. anyone with the similar timeline here? stock1337

Kylie87 · June 2013

What did you guys do for exercise 4.7? Seems like everything I try is still taking ages to do the full scan?

the_hutch · June 2013

Don't remember what 4.7 is, bu since you mentioned scanning. I'd advise to not bother with full scans. Everybody develops their own approach.
Many just start with:
nmap -iL hostlist.txt -A

Personally, I start with:
nmap -iL hostlist.txt -sV -O
...which is a little faster.

Then once you have enough to start working with. Run your other scans while you're doing outside research.

For UDP...I don't use nmap. Unicorn scan and MSF Auxiliary udp_sweep.

Master Of Puppets · June 2013

I just wanted to point out that this thread is AWESOME and to thank you all for sharing your experience!

Also, if it's not too much trouble, I was wondering if you OSCE guys could tell us a little about that course and exam. And if a comparison could be drawn between the OSCP and the OSCE.

the_hutch · June 2013

Master Of Puppets wrote: »

Also, if it's not too much trouble, I was wondering if you OSCE guys could tell us a little about that course and exam. And if a comparison could be drawn between the OSCP and the OSCE.

As far as I recall, I think the only OSCE that we have on here is killj0y and he isn't real active. So you might not get much response on this one. I haven't taken the CTP/OSCE course, so mostly what I know is hearsay...but my understanding is this:

PWB/OSCP - Mostly focuses on executing documented attacks, intelligent usage of tools and modification of publically available proof of concept exploit code. There is absolutely NO exploit development in PWB. Some might disagree with me here, but I'll stick to what I said. There is a module in PWB which introduces some of the basics of how exploit development would be performed, but it is all done within the context of already known vulnerabilities. You take a skeleton exploit (already existing exploit code) and then use a debugger to modify it to make it work on a different OS and/or architecture. But the hardest part has already been done for you. You know exactly what to fuzz and exactly where the vulnerability lies when "developing" the exploit.

CTP/OSCE - Focuses almost entirely on advanced exploit development. It teaches you how to intelligently perform fuzzing to identify vulnerabilities that have not been discovered or documented. And focuses heavily on developing exploits for those vulnerabilities. There is also more emphasis on advanced web-application penetration testings. Once again, in PWB/OSCP, you are mostly going to be working with commercial web-applications that have documented vulnerabilities, and you just have to use existing documentation (or code) to figure out how to exploit them. CTP/OSCE is more focused on intelligently identifying vulnerabilities in homegrown/internally-developed web-applications that do not have documented vulnerabilities.

So both are PenTesting courses. But with CTP/OSCE, you aren't going to be able to rely on existing documentation. You have to find the hole and weasel your way through. Little documentation will be available to tell you where the hole is. Once again, this is all hearsay... Hopefully I'll be able to give you more feedback in a few months, when I enroll in CTP.

ipchain · June 2013

Master Of Puppets wrote: »

I just wanted to point out that this thread is AWESOME and to thank you all for sharing your experience!

Also, if it's not too much trouble, I was wondering if you OSCE guys could tell us a little about that course and exam. And if a comparison could be drawn between the OSCP and the OSCE.

Glad you found it useful. I will comment on CTP/OSCE later on today, so stay tuned.

Also, @the_hutch - there are more OSCEs on this board, we just aren't very active.

the_hutch · June 2013

Lol...five minutes after posting, I am proven wrong. Sorry ipchain. I won't forget you again :-/

Killj0y · June 2013

the_hutch wrote: »

As far as I recall, I think the only OSCE that we have on here is killj0y and he isn't real active. So you might not get much response on this one. I haven't taken the CTP/OSCE course, so mostly what I know is hearsay...but my understanding is this:

PWB/OSCP - Mostly focuses on executing documented attacks, intelligent usage of tools and modification of publically available proof of concept exploit code. There is absolutely NO exploit development in PWB. Some might disagree with me here, but I'll stick to what I said. There is a module in PWB which introduces some of the basics of how exploit development would be performed, but it is all done within the context of already known vulnerabilities. You take a skeleton exploit (already existing exploit code) and then use a debugger to modify it to make it work on a different OS and/or architecture. But the hardest part has already been done for you. You know exactly what to fuzz and exactly where the vulnerability lies when "developing" the exploit.

CTP/OSCE - Focuses almost entirely on advanced exploit development. It teaches you how to intelligently perform fuzzing to identify vulnerabilities that have not been discovered or documented. And focuses heavily on developing exploits for those vulnerabilities. There is also more emphasis on advanced web-application penetration testings. Once again, in PWB/OSCP, you are mostly going to be working with commercial web-applications that have documented vulnerabilities, and you just have to use existing documentation (or code) to figure out how to exploit them. CTP/OSCE is more focused on intelligently identifying vulnerabilities in homegrown/internally-developed web-applications that do not have documented vulnerabilities.

So both are PenTesting courses. But with CTP/OSCE, you aren't going to be able to rely on existing documentation. You have to find the hole and weasel your way through. Little documentation will be available to tell you where the hole is. Once again, this is all hearsay... Hopefully I'll be able to give you more feedback in a few months, when I enroll in CTP.

Sorry for the late feedback. Well, the_hutch is pretty much spot on. OSCE/CTP is more about buffer overflows and exploit development while OSCP/Pentesting with Backtrack is more about pentesting in general. OSCE is going to have you searching for "new" vulnerabilities of software by fuzzing. In OSCP, you need to identify software and research known vulnerabilities. Lastly, once you have found a working, "appropriate" exploit, you will change it for your environment. In other words, OSCE="fuzzing/debugger/common sense" and OSCP="Google/Metasploit/common sense".

If you have the option, I would suggest that you take both courses. Start with the OSCP and then, the OSCE. You will need to document your finding in both courses and submit very detailed reports for both. As far as length of time, I would say 60 days will do for the OSCE. For the OSCP, I would say at least 60 days. As far as the exams, we cannot say much except what you already know. OSCE exam is harder. Extremely hard. You will have 48 hours to finish it while it is 24 hours for the OSCP. However, with hard work, you can pass either exam. I noted things you can do for practice on the OSCE on my blog. Hopefully I answered your questions somewhat.

the_hutch · June 2013

Killj0y wrote: »

I noted things you can do for practice on the OSCE on my blog.

Killj0y...I'm sure you've listed it elsewhere before, but could you drop the link for your blog again. I'd definitely be interested in checking it out.

Master Of Puppets · June 2013

That pretty much lines up with my research. Thanks again guys, very helpful as usual. I will definitely go for OSCP and than OSCE but I don't know when. I have done a lot of research, to say the least, on both and your experiences have helped me get a good idea as well. Without a doubt, this is for me. Told my boss about it and he was surprised I didn't bring it up earlier

But even he told me to wait as we have a lot of projects to get done in the following months. School has been demanding too.

Looking forward to your CTP journey, Justin! It's going to be awesome for sure. Oh, and I'd also be interested in Killj0y's blog.

Killj0y · June 2013

the_hutch wrote: »

Killj0y...I'm sure you've listed it elsewhere before, but could you drop the link for your blog again. I'd definitely be interested in checking it out.

No problem. Blog is Agoonie.

Links on OSCE:
Agoonie: OSCE REWIND

Agoonie: Passed OSCE "Cracking the Perimeter"

Agoonie: Practice: OSCE

ipchain · June 2013

Apologies for the late reply, ran into some issues that needed to be addressed yesterday.

I believe both the_hutch and Killj0y are spot on. It's important to note that both OSCP/OSCE are independent of one another. In other words, PWB/OSCP focuses strictly on penetration testing techniques you can use to successfully compromise a given host. CTP/OSCE focuses on exploit development for the most part, but it also touches on some other topics such as advanced web application attacks, bypassing AV engines, backdooring executables, owning Cisco routers, and so forth. The 0-day angle is a big part of the course, so students can expect to spend considerable time fuzzing applications to find security holes, etc.

The CTP labs help you re-enforce the concepts you have learned through the course materials, but they are considerably smaller than PWB's. This makes perfect sense as students will be doing a great deal of research throughout the course, so they shouldn't have to worry about having to compromise a large number of hosts in 'X' amount of time.

The best piece of advice I can provide to future students is simple -- know your stuff. CTP will push you to your limits, and you will never be the same once you are through with it. There's a reason why you are given 48 hours to complete the exam - it is no walk in the park. Ensure you have the concepts down, and practice, practice, practice!

Having said that, good luck to all of you. Let the fuzzing begin...

r0ckm4n · June 2013

Killj0y wrote: »

No problem. Blog is Agoonie.

Links on OSCE:
Agoonie: OSCE REWIND

Agoonie: Passed OSCE "Cracking the Perimeter"

Agoonie: Practice: OSCE

Nice posts! Thanks for sharing.

r0ckm4n · June 2013

ipchain wrote: »

There's a reason why you are given 48 hours to complete the exam - it is no walk in the park.

I am sure it's no walk in the park, I have only taken the OSCP exam, but twice as long and I bet it is at least twice as difficult.

Two of our sharpest pentesters took the OSCE and failed on the first attempt. One of them even wrote an article for Corelan.

the_hutch · June 2013

ipchain wrote: »

...it also touches on some other topics such as...owning Cisco routers

I didn't know this, but definitely good news. This was one of the areas where I was a bit disappointed in PWB/OSCP. I was expecting to at least address pwning network devices.

r0ckm4n · June 2013

Here's a question for ipchain and Killj0y, or anyone else that has their OSCE. I was told that he lab time was not important and to get the minimum time. This person told me that the training materials would point you in the right direction and lab time wasn't important like it was in PWB. What are your thoughts? I burned through a lot of lab time with PWB, due to not managing my time wisely and I don't want to have to spend a lot on lab time.

Killj0y · June 2013

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

I cannot speak for other OSCEs, but for me, lab time was easier to manage with the OSCE. I think for two reasons. One, I had already been through an OffSec course before (OSCP) so I knew what to expect, how to manage my time and how to study/test. Secondly, you can test more on your own time with the OSCE. I could start up my own VMs and download vulnerable software to research/test/exploit. In other words, in the OSCE course, I could study even if my lab time was over. You cannot do much of that with the OSCP course.

Now, there are certain sections of the OSCE that you will need lab time on but you will know which ones once you take the course. Again, I suggest to everyone that they should take both courses if they can. Also, don't be afraid to take either course. They are both great courses.

My 2cents.

the_hutch · June 2013

Killj0y wrote: »

I could start up my own VMs and download vulnerable software to research/test/exploit. In other words, in the OSCE course, I could study even if my lab time was over.

This is actually how I've started preparing for the course. I noticed recently when working with the exploit database online that there are links to download the vulnerable software associated with a lot of the exploits. So I've got my Windows VMs (courtesy of my TechNet account) and my linux VMs (courtesy of...well...open-source, lol). And I'm just installing the software and then attempting to write the exploits myself based on the general information provided in the CVE info. When I get stuck, I'll briefly reference the existing exploit code for the piece I'm stuck on. As of now, I feel pretty comfortable with writing the exploits, once I know how to crash it. My problem is finding the crash (without cheating and looking at the existing exploit code). My fuzzy kung fu is seriously lacking. So more than anything, I'm hoping OSCE can help me improve my fuzziness

I've also noticed that the "Way-Back Machine" can be helpful in downloading vulnerable software (www.archive.org). Just enter the vendor website in the Way-Back Machine and then open the archived version of the site that dates back to when the vulnerable software was available for download. You'd be surprised how many you can still find this way.

Calling all Penetration Testing with BackTrack (PWB)/OSCP students!

Comments