As a developer who works mainly on the defensive side of the software security battle, it’s easy to lose sight of the difference in complexity between defending and attacking a system. When you have a sufficiently large surface of attack, finding your way in is much more probable than covering every security hole there is. This potential loss of perspective is the reason I think any defensive actor in the security field should constantly exercise the offensive side.
With this in mind and with the desire to improve my penetration testing skills, I started to look for a course and/or certification that suited me. The landscape is by no means lacking. Some options, however, focused a bit too much on theory and less on practice. Those options are great for someone just starting out in security, but I was looking for something more.
I found OSCP (Offensive Security Certified Professional Certification), which is offered by the same people who maintain Kali linux and the Exploit Database. Offensive Security has been a prominent and respected player in the penetration testing market for a while due to their development, maintenance, and funding of BackTrack Linux. BackTrack was later rebuilt as Kali Linux, the most utilized distribution for digital forensics and pen testing. Research into the OSCP certification revealed opinions ranging from “wow, what a course!” to “not for the faint of heart”. Everyone was also praising the hands-on approach to learning and the excellent lab environment where you could practice what they preach.
The Course
I felt OSCP best suited my criteria and provided a sufficiently hard challenge. The course material consists of an 8 hour video series and a 350 page lab guide. It follows the usual attack methodology: recon, exploitation, enumeration, privilege escalation, persistence, data exfiltration, pivoting. For each step you’re guided through the theory, which tools to use and how to use the information you gain. There are also sections dedicated to developing buffer overflow exploits. These will teach you fuzzing, how to create an overflow exploit, and also how to do a full reverse shell.
You will need to do a significant amount of individual research above and beyond provided course materials in order to widen your array of skills and tools sufficiently for success. I think this is what separates OSCP from other certifications. They plant the seed, leading you to scour the Internet searching for deeper knowledge on the subject. This is not a step-by-step course!
The Lab
The lab component is actually what makes OSCP stand out. You go headfirst into a virtual environment which simulates a real enterprise network totaling 50 machines – a Public Network, an IT Department, a Development Network, and an Administrative Department. The network is very realistic and some computers actually talk to each other. Your challenge is to hack your way through to the admin machines deep in the network. The course motto of “try harder” becomes immediately evident when you try to put theory into practice in this lab. You will need to do a lot of research and conjure a great deal of patience and tenacity – but, it’s all worth it in the end.
The Exam
The final exam is a whole other story. You don’t get the standard issue multiple choice test. Instead, you have 24 hours to hack your way through 5 completely unknown machines and gain root privileges on all of them. It sounds bad, but it can actually feel fun at times – especially as you inch your way through the many barriers. It does take a toll, however. Your ability to control stress, maintain focus, and manage time will be thoroughly tested. In preparation for the big day, I even loaded my home desk with a myriad of bars, chocolates, and anything that would keep me going – I ate almost none of them. Time moves very fast once you start the exam. I also found it was very easy, both in the lab and in the exam, to get stuck on one path and go down a proverbial rabbit hole, thinking it’s the way through. You need to know when to ditch the angle you’re currently working on and try a new one.
When the 24 hours pass, you get the feeling you are done, finished, that you can just relax…
Nothing could be further from the truth, unfortunately. After hacking your way through the machines, you need to write a professional penetration testing report on the whole process and you have another 24 hours to submit it. This is where OSCP focuses on the business side of the story and emphasizes the ability to put pen on paper and deliver a document that is useful for decision makers. Nothing is graded unless it is properly explained in the report. This means you need to carefully document your thoughts and actions during the actual penetration test. Writing that report after the grueling 24 hours is no easy task – but an essential exercise to ensure you have the skills to communicate findings in a useful way to business stakeholders.
Closing
The OSCP madness should be enough for anyone who wants to hone their penetration testing skills. It won’t make a seasoned pentester out of you, but it will set you running on the path. I’m sure that even senior pentesters can learn something new from the 50+ machines you can hack and slash in the lab. It also gives you the feel of how much easier it is to break a complex system than it is to protect it – insight any security engineer should have. I highly recommend the course and the certification exam. You can find out more about them on the Offensive Security site.
Bogdan Ionita
Computer Scientist