OSCP and Elearn's Web Application Pentesting eXtreme

Hey guys, so here is my dilemma.

I began the OSCP journey a couple months ago. Like for many, two months wasn't enough to fully master the "Art" of pen testing. Felt like I barely even scratched the surface.

Fast forward a few months (2 I believe) I now have the GCWN from GIAC (Giac Certified Windows Security Administrator) during that time-off from OSCP... I downloaded VM's from VulnHub, participated in SANS CTF style event and discovered the wonderful world of "War Games" and other online hacking puzzles. Oh, and I had the pleasure of attending my first DEFCON.

Ok enough side-tracking. My question. Especially for those with both OSCP and Elearn Web App Pentesting experience...
Would it be a good idea to delay my next shot at the OSCP for a few months and complete the Web App Pentesting course in order to better arm myself with more knowledge that would be then applied to another 3 month extension of the OSCP, or would this be overkill.... and not a good idea?

BTW I'll be at SANS Network Security 2015, doing my second work-study (GSEC). If anybody is also attending let me know!

Find more posts tagged with

Comments

mokaz

rudegeek wrote: »

My question. Especially for those with both OSCP and Elearn Web App Pentesting experience...
Would it be a good idea to delay my next shot at the OSCP for a few months and complete the Web App Pentesting course in order to better arm myself with more knowledge that would be then applied to another 3 month extension of the OSCP, or would this be overkill.... and not a good idea?

i'll try to focus onto one thing after the other and especially toward OSCP i'll try to plan as much time as needed and tackle it in one shot -- I've done a planned vacation break of 3 weeks while doing OSCP/PWK and i needed two more weeks to get me going 100% at getting back in it, you forget very quickly, its an whole environmental habits you're getting while in the labs...

Bodanel

I suggest you finish your OSCP. I was talking with one of the instructors from WAPTX and he told me that WAPTX is pretty hard and that is not an intro course. WAPT I think you could do it but lots of info from OSCP would help you with WAPT.

xXxKrisxXx

Having gone through Penetration Testing with BackTrack (at the time I earned my OSCP), picked up the eWPT from eLearnSecurity's Web Application Penetration Testing course, and currently enrolled in their WAPTX course (long sentence) - I suggest you finish out OSCP.

The more, 'time-off' you take from going through PWK the less you're going to be focused in on honing your practical skills that you get in that course by breaking away at the lab environment. You sound like you're just putting off PWK. I'm not sure if you've officially enrolled in it and your lab time has expired so now your chasing other content material to help fill knowledge gaps or what. Either way, The PWK courses section on Web Application Security is pretty basic, and I wouldn't suggest venturing out and taking an eLearnSecurity's course then come back to it. There are other ways you can practice hands-on web penetrating, download bWapp or Mutillidae and start breaking away at it.

I'm going to second Bodanel here. You do not want to enroll in the eWPTX (Advanced) course if you haven't taken the eWPT (Standard) course. The advanced course covers a lot they don't cover in the standard course - and going into topics like XSS/SQLi Filter/Evasion Techniques isn't anything you're going to have to know to earn your OSCP. It's all useful don't get me wrong, but those skills are more relevant to Offensive Security's Web Expert (OSWE) Certification.

If you are already enrolled in PWK, I strongly encourage purchasing the lab time, commit yourself a few hours a day to the labs. You commit yourself to chasing down the flags, the hands-on owning, post exploitation, pillaging compromised machines, cracking passwords, potentially pivot and repeat and slowly make your way onto the last Subnet. It's the whole mind set of being able to sit down and commit yourself to solution solving that will get you ready for the OSCP exam.

Going off and taking supplements for Web Application Security when that's just one of the small areas you need to be familiar with to break into a handful of machines in the lab environment is only going to lead you down a deeper rabbit hole. You need to get in the every day mindset of being in the lab environment, breaking into machines and getting the hands-on experience.

This isn't to say that eLearnSecurity's courses aren't hands-on, they certainly are, but the best thing that will help you here is what comes with the course for preparation of the OSCP Exam. This is simply the Lab Environment accompanying the course.

SANS Network Security is coming up less than a month away, you're talking about piling on a course like SEC401 that has a lot of topics, is going to require a lot of indexing for the exam, and those GSEC Books are not thin (I know this). If you go off and sign up for an eLearnSecurity course now, not only are you balancing another security course, but how are you going to actively study for the GSEC, the OSCP, (and possibly the eWPT or eWPTX)? I think you would be biting off more than you can chew at that point. Make you point of focus on finishing up PWK, earning your OSCP before having walked into SEC401 so you can start fresh and actually breath. I only suggest this if you're currently enrolled in PWK though. If you're enrolled and have been stalling, purchase more lab time and get this exam out of the way because it's one that you really can't put off. You don't want to try to take it on if you haven't been hacking away at the labs.

I do highly suggest checking out eLearnSecurity's courses whenever you have more of a free schedule. I think trying to take more than 1 course at once is setting yourself up for failure in a way.

If you have anymore questions let me know. I've taken SEC401, PWB/PWK, and eWPT/eWPTX (although I haven't earned the eWPTX yet). Good luck.

rudegeek

Wow everybody's responses are deeply insightful. I'm taking GSEC the week of September 12th (the course).
Right now just trying to finish my VCP (I'm currently a Sys Admin) I've scheduled the test 3 weeks from now.

Basically, my question was would I benefit from the additional web app pen testing knowledge that Elearn would provide. But, from the sound of it... it looks like OSCP is the way to go before the foray into the Web APP world.

To clarify, not currently enrolled in the OSCP. I did two months of 2-3 hours daily. And then had other things come up (other certs). Like I mentioned I'm currently a sys admin and my boss hinted at a pay increase after the GCWN and VCP.
I think I will give it another shot come October (3 months of lab time), and as suggested.. hack away at Mulltidae and the other vulnerable Web App machines in the meanwhile...

With your guy's suggestions in mind. I'll do WAPT before WAPTeXtreme...

If anybody has done SANS SEC 542. How does that course compare with the WAPT stuff. Content, cost, etc?

Thanks guys. You all ROCK!

UnixGuy

rudegeek: Just a slightly off-topic question, does your employer pay for certs/courses (specially SANS)?

rudegeek

@UnixGuy I wish. They pay for my certs once I pass them, VCP, CCNA, Microsoft etc.
The first SANS course I took was work-study, they helped a bit with the 900$ and paying my flight, and hotel. And, not making me use any PTO. It was GCWN (definitely some knowledge gained that I have since applied). For the GSEC that is coming up next month I will be using my vacation time and paying out of pocket (another work study).

The way I see it is that it is an investment for myself. Just like the OSCP, that is out of pocket since it is security-based.
I might be applying for the Security Analyst position with the company and hopefully then it will be in more of their interest to help me out with upcoming stuff.

UnixGuy

@rudegeek: good investment! Good luck! Doing SANS via work-study is definitely reasonable and a worthwhile investment.

xXxKrisxXx

Hey rudegeek, Glad the response helped out a bit. I've also had the opportunity to go through the latest SEC542 material recently (though I haven't paid for the GWAPT Voucher). The material is very well put together. SANS recently updated the course content and changed around what you do on day 6 of the class. It used to be you break into some vulnerable web applications on the VM and capture flags that route. The latest update of SEC542 comes with NetWars which is very interactive. You basically go through and answer questions and work your way through levels scoring points along the way.

I can't speak for Version 2 of eLearnSecurity Web Application Penetration Testing course, but I found Version 1 pretty good. I was more impressed by the eWPT Exam more than anything. I enjoy a good practical challenge for a certification attempt and like how eLearnSecurity makes you write up a penetration testing report. Though the GWAPT Certification is more widely known and respected over the eWPT/eWPTX, you already know that GIAC allows for open-book multiple question exams. When you walk away from a certification challenge that contains demonstrating practicality versus answering multiple choice questions, it just feels a bit more sweet.

In terms of comparing the 2 courses - I really enjoyed how SEC542 is structured more around the methodology of Recon -> Mapping -> Discovery -> Exploitation. eLearnSecurity's WAPT Version 1 course was good, but it was mainly like here's what XSS is about, here's how you can exploit it, here's some lab scenarios to get some hands-on examples. Both SANS and eLearnSecurity's courses are very slide intensive. The difference is with SANS, you have the instructor explaining the slide bullets a bit more on point. In eLearnSecurity's courses your reading some slide content and description. I'll recommend SEC542 if you can afford it but it's around 5x the cost of WAPT. I enjoy how the SANS instructors explain the content while if you went for a cheaper training solution like eLearnSecurity, you don't have the instructor explaining the content, you're mainly there learning it yourself.

What eLearnSecurity offers that SANS doesn't so far that I've noticed is practical exams and a student forum area. I know there's a practical portion to the GSE, I am mainly just hinting at all of their other classes. I've sat back and watched eLearnSecurity grow from about late 2010 to the present. They may come off as rookies to the scene having only offered training for a handful of years, but it's been good training. If you have the money and can afford a SANS course, I always highly recommend it. If you are on a budget and you are looking to learn, check out what WAPT v2 has to offer.

There's some content overlap between SEC542 and WAPT. There's also content that's in one that's not in the other. What I don't recommend is taking both. You're better off taking 1 or the other and moving onto a more Advanced Web Application Penetration Testing course such as Offensive Security's Advanced Web Attacks and Exploitation, SEC642, or Web Application Penetration Testing eXtreme by eLearnSecurity.

NovaHax

I've done both. You are comparing apples to oranges. While there is some overlap, the subjects of the two courses are very different. I'd recommend continuing your current course of study (OSCP), rather than spreading yourself too thin. As you already mentioned, you only scratched the surface with OSCP.

Its not that I think you necessarily need to do it in that order. But if you intend to complete OSCP, I'd do that first. Just my 2 cents.

rudegeek

@xXxKrisxXx Thanks for the insight. I will probably end up doing SEC560 before I do 542. Hell, maybe even 503. We will see what the magical work-study roulette has in store next. After finishing my OSCP. I will definitely take a look at WAPT. $$$$ Talks.

The end goal is definitely a GSE. With that said I hope to have 2 SANS courses to my name before the end of year. Just so much stuff to study, so many directions to go. That is why I love Infosec

@NovaHax I was mainly looking for feedback in terms of; If I brush up Web App Pentesting will it allow me to have an easier time with the OSCP etc.
I'm definitely going to resume my OSCP journey in October. Just need to get that darn GSEC out of the way first. Still i'm dedicating an hour of my day in learning things to make my OSCP experience better, learning Python. Going thru the Fuzzysecurity tutorials (Windows Exploit Development series) The georgia weidman cybrary tutorials (Pentesting) and so on.

Anyone have other suggestions on what I should be getting better at before relaunching my Lab Time? Where would my time best be spent?

Mike-Mike

rudegeek - what do you currently do? are you in security already? I'm in Security, but not pentesting, and I'm going to want to learn pentesting, but I dont know if my employer will pay for all of that

edit - I know you said sysadmin, but that can mean a lot of things at different places

NovaHax

rudegeek wrote: »

@NovaHax I was mainly looking for feedback in terms of; If I brush up Web App Pentesting will it allow me to have an easier time with the OSCP etc.

Perhaps a little bit. But not much.

rudegeek

@NovaHax, I take it that Exploit Development (Modification) is the way to break into most systems I've probably successfully pen tested < 10.

rudegeek

@Mike-Mike I'm a Sys Admin. Mainly Windows. I am in the wonderful world of healthcare. 2K employee kinda place. My day to day involves break/fix/config of servers, and related apps. VMware,Web,App,Dns,SQL,AD,SUS,Symantec, just to name a few. Very little network config, although sometimes I get lucky enough to make changes to our Netscalars (Load Balancing) as we the SERVER team manage those....

I say mainly Windows, but I've built a few Linux systems so far. And when they break I.m basically the backup to figure out what went wrong since the OSCP has really challenged me to become the second most proficient Linux person on the team (our Linux Admin being #1 haha) My favorite being an OpenVas server for vulnerability scanning. So, slowly and surely I get most of the work on the security side of the house. For example, DLP Upgrade/ ReConfigure (shooting off way to many false positives). SUS upgrade/ Symantec Endpoint Manager install etc.

There is currently a Security Analyst opening where I work, and it is what i'm shooting for. Need to sit down with my boss and work on a strategy to get me there, and reassure him we can backfill my position and then I can move :P
Sometimes you become to valuable at something and it's hard to move from it. But, like I said I take initiative with anything security related. Currently testing Microsofts Advances Threat Analytics at home as well as Security Onion, to get some experience with these products and hopefully be able to implement them soon, and maybe an Open-Source SIEM as well (unless we get money for Splunk).

What do you do in Security currently? Oh, and I see you are in Kentucky, did you hit up Derbycon?
My employer won't pay for OSCP either , but who cares. It is an investment in my future, and hopefully soon enough it helps land me a PenTesting gig

BTW just incase anyone is wondering I'm taking my VCP exam next week. Hopefully, that is my last non-security cert for a while..... And then it is GSEC time.... and then back to the main objective of this year. OSCP. Whew.... my longest post so far! Hope everyone has a good weekend (I'll be studying).

Hornswoggler

How did this turn out? Sounds like a full plate and some ambitious goals... how many did you get knocked out in the past two years?

If OSCP is a bit steep and you have SANS access, 560 is an excellent course. I took it from Ed and he is great.

chrisone

finish the OSCP