This article originally appeared on Jul 20, 2019, posted by Joey Lane and has been republished unedited and in its entirety with permission from the author. Original post: https://blog.own.sh/oscp-osce-oswp-review/
It’s no secret that Offensive Security offers some of the best technical training in the information security field. Their brand has become synonymous with penetration testing in the eyes of most tech recruiters on LinkedIn.
Some of the most common questions I get on LinkedIn are related to the OSCP/OSCE/OSWP certifications. Some people even go as far as asking for solutions to their exam machines. Sorry, you won’t be finding anything like that here (TRY HARDER). I will however offer an honest review and offer some tips to help you decide if you are ready to take the plunge into any of these 3 awesome courses!
Offensive Security Certified Professional (OSCP)
The flagship OSCP certification could be considered one of the most valuable bullet points a penetration tester could put on their resume. To be recognized as an Offensive Security Certified Professional, the student must complete a 24 hour lab exam which will put their understanding of pen test methodology to the ultimate test. The journey is very rewarding even for experienced penetration testers, but it is only the beginning!
Penetration Testing With Kali
The PWK course is the prerequisite training for the OSCP certification. While anyone can sign up for this course, a solid understanding of TCP/IP, networking, and reasonable Linux skills are definitely required. Experience with Bash scripting and python will help greatly as well. During this course you will be given access to a student lab network to hone your enumeration and exploitation skills. Take advantage of this lab time as much as you can. I personally recommend purchasing 90 days of lab time right off the bat when signing up for this course. It might seem like a lot, but it is worth every penny. The lab is very well thought out, and designed to challenge you at all levels on your journey to OSCP. Not to mention it’s actually pretty fun. The adrenaline rush of finally getting root on a machine you’ve been stuck on for days is something you will eventually miss once you’ve completed the course. No matter how frustrated you get in the lab, you will appreciate every moment of it once you’ve completed the journey! The PWK course also includes several hours of video training, as well as a PDF document. You will learn the very basic fundamentals expected of a successful penetration tester such as:
- Passive/Active Information Gathering
- Vulnerability Scanning
- Buffer Overflow Basics
- Working with Exploits
- Data Exfiltration Fundamentals
- Privilege Escalation
- Client Side Attacks
- Web Application Attacks
- Password Attacks
- Metasploit Framework
The OSCP Exam
The OSCP exam is a 24 hour lab based exam which will test your technical skills as well as your time management skills. The student is expected to exploit a number of machines and obtain proof files from the targets in order to gain points. There are 100 possible points on the exam, 70 are required to pass. None of the machines on the exam are unreasonably difficult, but you must avoid falling into rabbit holes. If something seems overly complicated, you may want to step back for a moment and enumerate the target again. The real challenge in this exam is managing your time effectively. Ensure you plan to take breaks for meals, and to clear your head when you feel stuck.
One critical skill I will emphasize is note taking. You will be expected to document your path to success in the form of a professional penetration test report. You are given an additional 24 hours after the exam to prepare and submit the report. This will be much easier if you take good notes during the exam. I suggest reviewing the exam guide in advance to ensure you understand what is expected. Offensive Security also provides a template that you can use for your report, I suggest using this. During my exam I used a note taking application (CherryTree). I would create a page for each exam machine, and sub pages under that for each of the sections in the exam report template. I also added sub pages for my scan results, and any console output I wanted to save. Doing this for each machine will help ensure you don’t forget anything while writing the report. Find a note structure that works best for you, and stay organized.
This exam can get frustrating if you don’t manage your time well. My advice would be to practice multitasking. For example, when looking closely at one machine, try to have scans running in the background against other machines. Combine this with good note taking skills and you’ve got a solid foundation to manage this exam!
Helpful OSCP Links
Below are some links to articles I found helpful during my OSCP journey:
- Penetration Testing with Kali Linux Reporting
- OSCP Certification Exam Guide
- Offensive Security Forums
- Windows Privilege Escalation Fundamentals
- SQL Injection Cheat Sheet
- Reverse Shell Cheat Sheet
- Spawning a TTY Shell
- Basic Linux Privilege Escalation
Offensive Security Certified Expert (OSCE)
If the OSCP exam sounded rough then brace yourself. The OSCE is a complete nightmare. To become an Offensive Security Certified Expert, you must pass a 48 hour lab examination that will thoroughly test you on web exploitation, Windows exploit development, anti-virus evasion, x86 assembly, hand crafting shellcode and more. This course is not for the faint of heart!
Cracking The Perimeter
The CTP course is the prerequisite training for the OSCE certification. Unlike the PWK course for OSCP, you cannot just simply sign up for Cracking the Perimeter. You must first solve a challenge to prove you are ready. Make no mistake about it, if you can’t beat this challenge, you are not ready for this course. If you feel like you’re ready to take a stab at it, you can find the challenge here!
The CTP course is slightly different than the PWK course was for OSCP. You are once again given access to a lab environment, however this time you will not be sharing the lab with other students. You will have your own dedicated machines, and will be provided with access to them right off the bat. During the course videos and PDF guide you will walk through advanced topics and use the lab machines to complete the course exercises. The exercises will touch on topics such as:
- Cross Site Scripting Attacks
- Directory Traversal / LFI Attacks
- Backdooring PE Files
- Advanced Exploitation Techniques
- Exploit Writing (0 day approach)
- Attacking Network Infrastructure
- Bypassing Cisco Access Lists using Spoofed SNMP Requests
- Sniffing Remote Traffic via GRE tunnels
- Compromising Router Configs
While the course does a great job walking you through each of these topics, additional research is absolutely necessary in order to prepare for the exam. A fundamental understanding of x86 assembly is also required to be successful. The CTP course assumes you already have this going into it, after all you did successfully complete the fc4.me challenge right? ;)
If assembly is not a subject you feel comfortable with, I would suggest taking the x86 Assembly Language and Shellcoding on Linux course on Pentester Academy before attempting the OSCE exam. While it is specific to Linux, this course helped me out so much with my assembly knowledge gaps, I can’t praise it enough! You will thank me later, trust me!
The OSCE Exam
This exam can be summarized in one word. Brutal! Time management is absolutely critical in this exam. Once again you will be taking the exam in a dedicated lab environment. You will be expected to complete a number of objectives on the target machines in a 48 hour period. You are given an additional 24 hours afterwards to write a professional report detailing your methods and thought process for each objective. I am being vague here as I do not want to spoil anything about the exam, but to give you an idea of how ugly this can get, my report was almost 100 pages!
My first attempt at the OSCE exam ended in utter failure. I had completed all the course material multiple times, done additional research, and practiced various types of buffer overflow exploits on random binaries. I barely obtained half the points required for a pass. There are 90 points possible on this exam, 75 are required to pass. The exam is structured in such a way that you literally need to complete almost every objective to hit the 75 point mark. So where did I fall short? ASSEMBLY! Hence my suggestion to REALLY take your time and learn the fundamentals of x86 assembly before attempting this exam. You don’t need to be an expert in it, but you will be expected to manually craft some very tricky shell code to exploit a target with some very frustrating restrictions in place. If you aren’t comfortable with the x86 registers and common OP codes, you will fail.
After being humbled in my first attempt at this exam, I took a few months off to mentally recover. I took the x86 Assembly Language and Shellcoding on Linux course to help fill my assembly knowledge gaps. It was a little dry, but so helpful that I would recommend it to anyone pursuing OSCE. After completing that course, I went back and redid some of the OSCE course exercises and found myself understanding the assembly code MUCH better. After another month or so I finally felt I was ready to attempt the exam again.
After getting plenty of sleep the night before, I began my 2nd exam attempt at noon on a Saturday. I worked through about 12 hours straight and had almost half the points I needed to pass. I was feeling confident. After taking a meal/sanity break I went back to it and managed to knock out a high point target before the end of the first 24 hours. I now had almost all the points needed to pass, but not quite. I was feeling burned out, so I decided to sleep. The next morning I woke up with a fresh mind to tackle the last remaining objectives…that didn’t last long. Once again I was getting beaten down by the unanticipated turns this last machine was taking. I felt frustrated, defeated, confused. This exam felt like the hardest thing I had ever done. I continued to push through. With only a few hours to spare I finally managed to catch a break! When I popped a shell on this box, all the frustration and confusion turned into a feeling of accomplishment that cannot be described. I was pretty sure I had enough points to pass, but I needed to get my notes together. I still had an additional 24 hours to write the report, but I had been so frustrated with this machine that I was falling behind on my notes during the exam. Finally after writing an extremely long and detailed report, I got to play the waiting game. I waited and waited and slowly went crazy waiting for the official word from Offensive Security. After 5 grueling days of waiting, I finally received confirmation that I had passed and earned my OSCE!
Helpful OSCE Links
Below are some links that I found helpful during my OSCE journey:
- OSCE Study Plan
- Shellcodes database for study cases
- Exploit Dev 101: Jumping to Shellcode
- ASCII Table and Description
- Bypassing AntiVirus Scanners (PDF)
- Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
- Hex Calculator
- Heap Overflows For Humans 102
- Jumping with Bad Chars
- Using SHORT (Two-byte) Relative Jump Instructions
- Online Hex Converter
- x86 Assembly Guide
Offensive Security Wireless Professional (OSWP)
Offensive Security also offers a course on wireless penetration testing called WiFu! Successfully completing this course and the corresponding 4 hour exam will earn the student the Offensive Security Wireless Professional (OSWP) certification. While the exam is no where near as difficult as the OSCP or OSCE exams, the course itself contains a ton of valuable information that any successful penetration tester will find valuable if conducting a wireless assessment.
Offensive Security Wireless Attacks (WiFu)
The WiFu course is the prerequisite training for the OSWP certification exam. As with OSCP and OSCE, the student is provided with video training, as well as a PDF document. The PDF contains a TON of information about 802.11 wireless networking. Unlike the OSCP and OSCE courseware, you will likely not need to do a lot of outside research to pass this exam. Everything you need to learn is contained in the videos and PDF.
One major difference between the WiFu course and PWK/CTP, is there are no online labs. You will actually need to create your own lab to complete the course exercises. This allows you to practice all the aspects of wireless penetration testing with your own hardware. I personally used an older Linksys E1200 router with DD-WRT firmware, and an ALFA AWUS036NHA wireless card to complete all of the lab exercises, though Offensive Security has their own lab hardware recommendations here.
During the WiFu course you will practice various types of attacks, mostly focused on the aircrack-ng suite of tools. To give you an idea of what to expect, here is the basic course overview:
- IEEE 802.11 Wireless Networks
- Packets and Network Interaction
- Linux Wireless Stack and Drivers
- Aircrack-ng Essentials
- Cracking WEP with Connected Clients
- Cracking WEP via a Client
- Cracking Clientless WEP Networks
- Bypassing WEP Shared Key Authentication
- Cracking WPA/WPA2 PSK with Aircrack-ng
- Cracking WPA with JTR and Aircrack-ng
- Cracking WPA with coWPAtty
- Cracking WPA with Pyrit
- Additional Aircrack-ng Tools
- Wireless Reconnaissance
- Rogue Access Points
The OSWP Exam
The exam for the OSWP is pretty straight forward. You will be expected to SSH into a remote machine, and crack a series of wireless networks that are within range of that machine. Unlike the OSCP and OSCE, there are no point values associated with these tasks. You are expected to complete all tasks to pass. You will be given just under 4 hours to obtain the keys to all the target networks, and honestly this should be plenty of time. If you have gone through all of the courseware, and practiced each of the different attack types in your home lab, the exam shouldn’t be too tough. Just make sure you take good notes as always, as you will once again be expected to write a report documenting your attack methodology. Overall this was a fun course and exam. I would recommend it to anyone who is new to penetration testing and is interested in wireless network security!
Helpful OSWP Links
Below are some links that I found helpful during my OSWP journey:
- OSWP Certification Exam Guide
- Aircrack-ng Newbie Guide for Linux
- Tutorial: How to crack WEP with no wireless clients
I hope you enjoyed reading this!
Please feel free to connect with me on social media, it’s always great to collaborate with other infosec professionals! If you found this information useful, I would greatly appreciate skill endorsements on LinkedIn!