
Offensive Security’s PWB and OSCP — My Experience

Written on: October 9, 2013


Overview

Recently I took the Offensive Security Penetration Testing with Backtrack (PWB) course, passed the exam, and achieved the OSCP certification.  I learned a ton and earned my most rewarding cert yet.  There are several great reviews of the course but I figured I’d provide my perspective. 

Motivations

In my current job I’m lucky enough to touch on all aspects of information security from policy and process development to application security testing. The latter (which is where I spend the majority of my time) requires that I keep my technical skills sharp.  I’m a big believer in training that takes a hands-on approach.  I’ve attended SANS training before but I had recently heard many good things about Offensive Security. The pricing of the courses made it an easy sell and the 90+ days of available lab time (you can extend it if desired) meant it would not be another cram-session course.  After reading several online reviews I decided this would be the next professional development course for me.

Course Registration

You can register for 30, 60, or 90 days of lab time — I chose 90. I registered in mid-June of this year and the timing was less than ideal as my wife was approaching her third trimester of pregnancy — meaning my anticipated exam time would be about two weeks before the baby was due. Definitely not the best for my stress levels but I knew that if I didn’t squeeze it in now, I might not have a chance to get it done for a while. Registration requires the use of a non-free email address (no gmail, yahoo, etc). Once you’ve applied for registration, you’ll receive an email with some basic instructions and a link to continue the registration process. If you proceed, you’ll receive a lab connectivity guide and software to test the VPN connectivity. They ask you do this before you submit any payment to ensure you will have no problems accessing the lab environment. Once you’ve successfully tested your connection you can submit your payment. On the first day of your scheduled course, you’ll receive an email with some more instructions as well as the course materials (pdf course guide and videos).  You can visit the FAQ page which contains additional information about the registration process here: http://www.offensive-security.com/faq/

Course Prerequisites 

The prerequisites for PWB as cited by Offsec are “a solid understanding of TCP/IP, networking and reasonable Linux skills”.  With that knowledge you should have no problem getting through the course but I do have some additional recommendations for prospective students to ensure you get the most out of your course time: 

You should be comfortable with scripting. 

I use scripting regularly in my day-to-day work and it proved very valuable during the course. You’ll find yourself repeating enumeration steps over and over and automating tasks via scripting saves so much time.  What language you choose is pretty much up to you but the majority of exploits you’ll run across will probably be written in either Python or Perl.  The course does cover bash scripting but it can’t hurt to familiarize yourself with it ahead of time if it’s not one of your strong suits.

You should be comfortable with Linux and Windows command line syntax. 

This wasn’t an issue for me, but if necessary, take some time to ensure you can navigate the command line in both OSes. There’s a lot of material covered in the PWB course so you don’t want to be struggling with the basics at the same time.

You should be familiar with Assembly and a debugger

Since buffer overflows are just one of the many topics you’ll cover in the course this might be the least important of the recommendations but I think if you have some knowledge of Assembly and using a debugger you’ll be ahead of the game.  If you want to take a free crash course on Assembly check out http://www.securitytube.net.  I recommend the Assembly Language Megaprimer for Linux, the Windows Assembly Language Megaprimer, and the Buffer Overflow Exploitation Megaprimer for Linux.  If you watch and comprehend these video series, you should have no problem tackling the basic buffer overflow exploits presented in the PWB course.

Get your “attacking” machine up and running. 

The course recommends the latest version of BackTrack but I used the newest version of Kali with no problems.  The directory structure is organized a bit differently so you’ll have to adapt accordingly when following along with the video lessons but it’s no big deal. I personally prefer virtualization so I used a Macbook Pro running a Kali VM on VirtualBox. I would recommend updating the VM before you start the course and once you have everything working, don’t touch it again until after you’ve completed the exam. You don’t want a failed software update or misconfiguration to derail your progress.

Devise an organized note-taking and backup approach. 

Clear, thorough, and organized notes are a key to success. You’re going to cover a lot of material in a relatively short amount of time and when it comes time for the exam, you’ll be glad you kept yourself organized. I used KeepNote to organize all of my notes. It’s cross-platform (Windows, Mac, Linux), comes pre-installed on Kali and is very flexible. 

As I went through the course, I took notes and organized them accordingly.


When it came time to tackle the lab systems, I used a similar approach, tracking the enumeration and exploit activities for each machine, in detail. This proved valuable when it came time to write the report.


To ensure my notes were constantly backed up, I synced my KeepNote files with Dropbox (via an auto-sync folder on my host OS). This is also where I kept my PWB lab/exam report and backup copies of my screenshots. This way, I could access them from any machine and ensure I always had the most current copies. I also took regular snapshots of my Kali VM.

The Course

I would say there are really three components to the PWB course — the “scripted” course, the lab environment, and the exam. The course materials are fantastic – a 300+ page PDF Lab Guide with hours of accompanying videos. The idea is to go chapter by chapter, watching the videos, reading the course guide and performing the related exercises. You’ll cover everything from service enumeration to buffer overflows, to password and Web Application attacks. You’ll learn some pretty cool file transfer, port redirection, and tunneling methods. You’ll be able to try your hand at almost all of the attacks in the lab with the exception of ARP spoofing, for obvious reasons (the lab network is shared with other students). If you want to see all of the topics covered in the course, check out the syllabus here.

You’ll also be given access to a Windows VM on which you can compile and test exploits before attempting them on the lab targets. In addition, you’re provided access to an online forum as well as IRC chat where you can usually find an Offsec admin online. I’ve read some course reviews by past students that used the forum/chat quite a bit and others not at all. I personally only used IRC once and that was when one of the machines was misconfigured and had to be fixed by an admin. Even though I didn’t use them a lot, I thought they were great resources to have available. Just don’t expect to get any answers or freebies.  From what I’ve read you might get a hint or more likely you might get the Offsec motto: “Try harder!”. Besides, it’s much more rewarding to figure out a really tough exploit on your own and it’s the best way to learn.  

I’m glad I registered for 90 days of lab time.  As I went through each chapter, I found myself researching a lot of related topics and taking the time to test my own ideas.  It was nice not having to worry about running out of time.  There were some topics, such as Web Application attacks, that I was more comfortable with, so I spent considerably less time on these chapters. This afforded me even more time to research areas that I haven’t had as much exposure to, such as port redirection and tunneling. That’s the beauty of this course – it doesn’t spoon feed you everything or force you to spend equal amounts of time on each topic.  It presents the basics and encourages you to learn about each topic on your own. In many respects what you get out of the course is relative to how much effort you put in.  In all, I spent about 30 days on the scripted course material.

A word about course documentation…

You will be required to submit a final report at the completion of the course (following your exam). This lab report will ultimately contain your completed course exercises, your lab work and your exam results. I can’t stress enough the importance of documenting your progress as you go.  Offsec provides you with a report template but don’t put it off until the last minute!  I’ve read some PWB course reviews from students that have had reports in excess of 500 pages – mine was about 260. 

If you don’t happen to perform penetration testing professionally, you’ll realize that Offsec is trying to impress upon you the importance of thorough and clear documentation.  Just remember that in addition to serving as proof of course completion, the assessment report should be able to walk the reader through the exploit and replicate it. Take notes, take screenshots and stay organized!  This is especially true for the lab and the exam.

The Lab Environment

You are given access to about 50 disparate systems (varying OS’s, service packs/kernels, 3rd party software, etc), each with its own remote and local vulnerabilities waiting to be discovered. These systems span multiple networks, several of which are only accessible via exploitation and the various port redirection/tunneling techniques covered in the course. You should make an effort to access all networks, including Admin, and exploit as many systems as possible. 

The course material introduces you to many of the enumeration and exploit methods you’ll need to exploit these systems and the lab is your chance to put that knowledge into practice (and continue to learn much more!).

Some systems you might exploit relatively easily while others (with names like Pain and Sufferance) will put you to the test. My advice is to avoid Metasploit as much as possible. If you exploit a system with Metasploit, see if you can find the same exploit on exploit-db.com and try again. You’ll learn so much more and it will help you when it comes time for the exam.  Familiarize yourself with Exploit Database and SecurityFocus as they’ll be invaluable resources for finding relevant exploits. 

I recommend reverting (rebooting) each lab system before you try to exploit it. Remember that you’re in a lab environment with other students making changes to the same systems. There were a couple of instances when I forgot to revert a system and thought I had discovered an exploit only to find out it was put there by someone else. There will be times when you’re working on a system and someone else reverts it. While it is frustrating, it’s a fairly rare occurrence because there are so many systems across multiple lab networks and you’re limited in the number of available reverts per day (so use them sparingly!).  

Another piece of advice is to enumerate, enumerate and then enumerate some more! This goes for both pre- and post-exploit.  Once you’ve got root on a system, don’t just move to the next one. Remember, the lab is intended to mimic an organization’s network environment and you may find files or information on one system that will help you exploit others.  

I’ve said it already, but make sure you keep good notes for each system you exploit — document open ports/services, networking data, OS/service packs, detail your exploits step-by-step and record any goodies you find (password hashes, etc). Be sure to take screenshots as you go. I kept all of this information organized within KeepNote and then transferred it to the formatted lab report periodically. I recommend updating your lab report after every couple of systems you exploit so you don’t end up with a massive reporting task at the end.  

Different aspects of the lab will be challenging depending on your knowledge and experience.  For me, many of the web-based vulnerabilities came relatively easy but some of the Linux privilege escalation exploits were challenging (and that much more fun!).  I took the time to script the Linux privilege escalation enumeration step and learned a lot in the process (a bit more on that later).  

During the lab time, I probably invested about 4-5 hours a day during the week and 6 hours a day on the weekends. In addition to a full time job and a wife in the last trimester of pregnancy I can tell you I had a lot on my plate. I’ll also say that it was well worth it. You can certainly get by with less time but again, I took the opportunity to learn everything I could about each topic and delve into other related topics along the way. By about day 75 I had gained access to all networks (including Admin) and got root/SYSTEM on 42 systems (including most of the tougher ones such as Pain, Ghost, and Niky) with limited shell access to several more. I still had a couple of weeks remaining in the lab but I decided to take that time to prepare for the exam.

Exam Preparation

Exam prep really starts from day one of the course but I took the last two weeks of my lab time to pull everything together and thoroughly test my scripts and exploits.  Here’s some recommendations:

Script your enumeration

You’ll likely develop several custom scripts and use a variety of tools when enumerating in the lab.  I chose to tie all of these together into one comprehensive script that could be launched against one or many targets.  Here’s a basic overview of what my script did:

  • TCP/UDP nmap scans to identify open ports/services for additional enumeration (see below)
  • DNS enumeration (via dig)
  • HTTP/S enumeration (via additional nmap scans and web file/directory brute forcing)
  • MS-SQL enumeration (via nmap)
  • SSH enumeration (account guessing via Hydra)
  • SNMP enumeration (via nmap and onesixtyone)
  • SMTP enumeration (via nmap and custom account guessing scripts)
  • SMB enumeration (via samrdump)
  • FTP enumeration (via nmap and hydra)

Of course you’re only limited by your imagination and scripting skills so I’m sure there are plenty of additional enumeration steps that you might think of automating. For me, the key was identifying the minimum tasks I wanted to perform while considering time and exam limitations (you won’t be able to use automated vulnerability scanners such as Nexpose, Nessus, etc). As a result I made sure to craft the script to only run the applicable enumeration scripts (based on running services) and omitted automated vulnerability tools.  Having a single script that orchestrates and formats the output for all of these various scans saved me a ton of time. When it came time for my exam this proved especially useful because the exam guide gave specific instructions for one of the target systems and while I was working on that system I launched my enumeration script against the rest of the target IPs.  By the time I had gotten root on my first exam system, enumeration had completed for the rest.  
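The orchestration pattern described above, as an added example written for this review (it is not the recon_scan.zip linked below): a quick nmap sweep first, then only the follow-up enumeration that matches the services nmap actually reported, run in parallel across hosts. The tools are the course’s usual ones (nmap scripts, hydra, onesixtyone, dirb, Impacket’s samrdump.py); the wordlists/ and results/ paths, the service-to-command table and the sample grepable nmap output are assumptions constructed for the example.

```python
"""Service-driven recon: sweep with nmap, parse its grepable output, then run
only the follow-up enumeration that matches what is actually listening."""
import os
import re
import shlex
import subprocess
import sys
from multiprocessing import Pool

RESULTS_DIR = "results"     # assumption: output tree, one directory per host
WORDLIST_DIR = "wordlists"  # assumption: userlist, passlist, snmp-community.txt

# nmap service name -> follow-up command templates. Deliberately no nikto,
# Nessus or similar: automated vulnerability scanners are not allowed on the exam.
FOLLOWUPS = {
    "ftp":   ["nmap -sV -p {port} --script=ftp-anon,ftp-bounce {ip}",
              "hydra -L {wl}/userlist -P {wl}/passlist -s {port} {ip} ftp"],
    "ssh":   ["hydra -L {wl}/userlist -P {wl}/passlist -s {port} {ip} ssh"],
    "smtp":  ["nmap -p {port} --script=smtp-enum-users {ip}"],
    "http":  ["nmap -sV -p {port} --script=http-enum,http-headers {ip}",
              "dirb http://{ip}:{port}/"],
    "https": ["nmap -sV -p {port} --script=http-enum,http-headers {ip}",
              "dirb https://{ip}:{port}/"],
    "snmp":  ["onesixtyone -c {wl}/snmp-community.txt {ip}"],
    "netbios-ssn":  ["samrdump.py {ip}"],
    "microsoft-ds": ["samrdump.py {ip}"],
    "ms-sql-s":     ["nmap -p {port} --script=ms-sql-info {ip}"],
}

# One port entry in `nmap -oG` output looks like  22/open/tcp//ssh//OpenSSH 5.3/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")

# Constructed sample of grepable output, used for a dry run when no targets are given.
SAMPLE_GREPABLE = (
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.14/"
    "\tIgnored State: closed (997)\n"
    "Host: 10.11.1.7 ()\tPorts: 161/open/udp//snmp//SNMPv1 server/\n"
)


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} from grepable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        found = [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)]
        hosts.setdefault(ip, []).extend(found)
    return hosts


def plan_followups(hosts):
    """Expand the templates into concrete (ip, command) jobs; services with no
    follow-up defined are simply skipped."""
    plan = []
    for ip, ports in hosts.items():
        for port, _proto, svc in ports:
            for tmpl in FOLLOWUPS.get(svc, []):
                plan.append((ip, tmpl.format(ip=ip, port=port, wl=WORDLIST_DIR)))
    return plan


def run_one(job):
    """Run one follow-up and save its output under results/<ip>/."""
    idx, (ip, cmd) = job
    argv = shlex.split(cmd)
    outdir = os.path.join(RESULTS_DIR, ip)
    os.makedirs(outdir, exist_ok=True)
    path = os.path.join(outdir, f"{idx:02d}_{os.path.basename(argv[0])}.txt")
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=900)
        text = proc.stdout + proc.stderr
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        text = f"{cmd}\nnot run: {exc}\n"   # missing tool or hung service
    with open(path, "w") as fh:
        fh.write(text)
    return path


def run_all(hosts, workers=4):
    """Run every planned follow-up with a small worker pool."""
    with Pool(workers) as pool:
        return pool.map(run_one, list(enumerate(plan_followups(hosts))))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:  # real sweep: TCP first so open ports can be reviewed early
        base = ["nmap", "--open", "-oG", "-"]
        grep = subprocess.run(base + ["-sS", "-sV", "-p-"] + targets,
                              capture_output=True, text=True).stdout
        grep += subprocess.run(base + ["-sU", "--top-ports", "50"] + targets,
                               capture_output=True, text=True).stdout
    else:        # dry run on the constructed sample
        grep = SAMPLE_GREPABLE
    hosts = parse_grepable(grep)
    for ip, ports in hosts.items():
        print(ip, ports)
    for ip, cmd in plan_followups(hosts):
        print(f"[{ip}] {cmd}")
    if targets:
        for path in run_all(hosts):
            print("wrote", path)
```

Run it with no arguments to see the plan it would build from the sample, or with one or more IPs to sweep and enumerate for real (the SYN scan needs root). Keeping the sweep separate from the follow-ups is what lets you start reading open ports while the slower brute-force steps are still running.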

Per request, I’m providing my enumeration scripts below.  Please note that these scripts come as-is with no promise of accuracy and no intent to update.  

Download: recon_scan.zip (version 1.0)

Script your privilege escalation checks

Linux privilege escalation can be a complicated task as there are so many possible vectors. Running commands one-by-one is tedious and time-consuming, especially when you have to repeat it across many systems. Again, this was another prime opportunity to leverage the power of automation.

Here’s an overview of what my Linux privilege escalation script identified:

  • Basic system info (OS/Kernel/System name, etc)
  • Networking Info (ifconfig, route, netstat, etc)
  • Miscellaneous filesystem info (mount, fstab, cron jobs, etc)
  • User info (current user, all users, super users, command history, etc)
  • File and Directory permissions (world-writeable files/dirs, suid files, root home directory)
  • Files containing plaintext passwords 
  • Interesting files, processes and applications (all processes and packages, all processes run by root and the associated packages, sudo version, apache config file, etc)
  • All installed languages and tools (gcc, perl, python, nmap, netcat, wget, ftp, etc)
  • All relevant privilege escalation exploits (using a comprehensive dictionary of exploits with applicable kernel versions, software packages/processes, etc)

I wrote it in python and uploaded it to each Linux system I compromised to automate all of my enumeration actions and if necessary, privilege escalation exploit discovery.  Per request, I’ve included a copy of the script for download below. Note that this script comes as-is with no promise of accuracy and no intent to update.  
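An added example of the two steps that benefit most from automation in the list above, written for this review and not the author’s linuxprivchecker.py: a handful of the listed checks run on the target, a filter for SUID binaries worth a second look, and a kernel-version match against a table of exploit ranges. The three table entries are real CVEs with ranges taken from their public advisories, but the table is illustrative: distributions backport fixes, so a version match is a lead to verify, never a confirmed vulnerability. The set of “interesting” SUID binaries is an assumption.

```python
"""Linux privilege-escalation enumeration with numeric kernel-version matching.
Runs a few of the standard checks, flags SUID binaries worth a closer look and
lists kernel exploits whose vulnerable range contains the running kernel."""
import os
import re
import subprocess

# Checks run through the shell on the target; fixed strings, nothing interpolated.
CHECKS = {
    "kernel":  "uname -r",
    "os":      "cat /etc/issue /etc/*-release 2>/dev/null",
    "sudo":    "sudo -nl 2>&1",
    "suid":    "find / -perm -4000 -type f 2>/dev/null",
    "writable_dirs": "find / -writable -type d -not -path '/proc/*' 2>/dev/null",
    "cron":    "cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d 2>/dev/null",
    "tools":   "which gcc cc perl python python3 nc wget curl 2>/dev/null",
}

# Kernel exploits as (name, CVE, first vulnerable, last vulnerable). Real CVEs,
# ranges from the public advisories, but illustrative: distributions backport
# fixes, so a version match is a lead to verify, not a confirmed vulnerability.
KERNEL_EXPLOITS = [
    ("vmsplice",      "CVE-2008-0600", "2.6.17", "2.6.24.1"),
    ("sock_sendpage", "CVE-2009-2692", "2.6.0",  "2.6.30.4"),
    ("dirty cow",     "CVE-2016-5195", "2.6.22", "4.8.2"),
]

# SUID binaries that can be abused for a shell or file access (assumed list).
INTERESTING_SUID = {"nmap", "vim", "vi", "find", "bash", "sh", "less", "more",
                    "nano", "cp", "mv", "python", "python2", "python3", "perl",
                    "ruby", "awk", "tar", "env", "tee"}


def kernel_tuple(version):
    """'3.2.0-4-amd64' -> (3, 2, 0). Numeric tuples compare correctly;
    compared as strings, '2.6.9' would sort after '2.6.30'."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(n) for n in match.group(1).split("."))


def in_range(version, low, high):
    """True when low <= version <= high, compared numerically."""
    return kernel_tuple(low) <= kernel_tuple(version) <= kernel_tuple(high)


def match_kernel_exploits(version, table=KERNEL_EXPLOITS):
    """Return [(name, cve)] for every table entry whose range covers version."""
    return [(name, cve) for name, cve, low, high in table
            if in_range(version, low, high)]


def interesting_suid(listing):
    """Filter a newline-separated `find` listing down to abusable binaries."""
    return [path for path in listing.splitlines()
            if os.path.basename(path) in INTERESTING_SUID]


def run_checks(checks=CHECKS):
    """Run each check on this host and collect its stdout."""
    return {name: subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True).stdout.strip()
            for name, cmd in checks.items()}


if __name__ == "__main__":
    results = run_checks()
    for name, text in results.items():
        print(f"=== {name} ===\n{text}\n")
    print("=== SUID binaries worth a closer look ===")
    print("\n".join(interesting_suid(results["suid"])) or "none")
    print("=== kernel exploits whose range covers this kernel ===")
    for name, cve in match_kernel_exploits(results["kernel"]):
        print(f"{name} ({cve})")
```

The version parsing is the part that bites people: `uname -r` returns strings like `2.6.32-5-amd64`, and comparing those lexically puts `2.6.9` above `2.6.30`, so the kernel is reduced to an integer tuple before any range check. Even with a match, confirm the distribution’s package changelog before spending exam time compiling an exploit.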

Download: linuxprivchecker.py (version 1.0)

There are several other Linux and Windows privilege escalation scripts freely available and I did try a few, but writing my own allowed me to easily customize the checks I wanted to perform and taught me a great deal more. If you want ideas for additional privilege escalation checks, have a look at these resources:

Organize and pre-compile your exploits

I kept all of my exploits organized in a customized file structure on my Kali machine but taking the extra steps of pre-compiling and testing the Windows-based exploits really saved me time.  I made it a point to modify, compile, and test every remote and local Windows non-Metasploit exploit I could find.  I organized my compiled exploits and made a very basic chart with the exploit name, MSXX-XXXX number, Exploit-db number, and applicable Windows OS versions. 


During the exam if I came across a situation that required a remote or local Windows exploit, I could simply reference my chart and test the pre-compiled exploit.

Per request, I’ve uploaded an unformatted csv example below. Please note these only represent the exploits that I was able to compile and confirm. I make no guarantees regarding its accuracy or completeness.

Download: MS_privesc_and_exploits_table.csv

The Exam

I registered for the exam about two weeks before my lab time ended. At your allotted exam start time (I chose 10 am on a Friday) you’ll receive the VPN connectivity pack and exam guide that provides instructions, identifies your target machines, and outlines any restrictions. As many other PWB review sites have stated, there are limitations on the use of Metasploit as well as automated vulnerability scanners such as Nexpose or Nessus so once again, don’t depend too heavily on these during your lab time! Don’t worry, you’ll get very specific instructions on what is and is not allowed when you receive your exam guide. You are allotted 24 hours for the exam, with an additional 24 hours to complete and submit your lab/exam report. Each of the target machines is assigned a point value and you need a minimum number of points to pass the exam. I’m not sure if these ever vary, but in my case I needed 70 out of 100 points to pass. In all, it took me 8 hours (with breaks) to accumulate enough points to pass the exam. I still had one more system that I had not exploited but I chose instead to finish and submit my report (which took about another 2 hours).  Though I was tempted to use the remaining 16 hours to get that last system, given that my wife was 9+ months pregnant, I wanted to avoid any scenario that involved me not finishing and submitting my report before she went into labor!  With the report submitted, I slept soundly that night and received confirmation of its receipt the following morning.  I received notification that I passed the exam and achieved the OSCP certification that Tuesday. 

As far as recommendations for the exam, remember to get plenty of rest the night before and take frequent breaks. I took one after every system I completed with a longer dinner break once I had accumulated enough points and before I completed my report. Try and focus on one system at a time but don’t get bogged down. If you get really stuck, move on to another system. Again, organizing my notes/scripts, automating the enumeration and pre-compiling the Windows exploits allowed me to really focus on relevant exploits without wasting too much time. 

Conclusion

This was the most fun and challenging course I’ve ever taken.  It’s also the most satisfying because although the course material is excellent, much of what you accomplish is due to your own hard work and commitment to Try Harder! I learned a lot and I can’t recommend it enough for anyone that wants to get access to a quality lab environment and hone their pen-testing skills. Since exploit development is one of my areas of interest, I definitely plan on taking the Cracking the Perimeter course as well as the Advanced Web Attacks course (once it’s offered online).  


83 Comments

  1. Jason says:

    Thanks for the awesome review. I’m going through the course as we speak. I’m at a wall right now with getting any new machines owned. Do you think I could take a look at your scripts you used for enumeration? Would be really awesome.

    • Mike Czumak says:

      Absolutely Jason, I’ve updated the post to include my scripts. Just note that these were written for my personal use with no intention for portability so updates to environmental variables (file paths, etc) will be necessary and I can’t guarantee their results. The act of writing the scripts proved just as valuable as the scripts themselves so I would encourage you to review their functionality and then go through the same exercise if you have the time.

      – Mike

      • Jason says:

        Awesome, thanks! Yea I learned a lot so far and learned about how to write the scripts. I just like to see what others have done and what their method of thinking is when looking at the scripts. Thanks again.

  2. Martin says:

    Great post! I’ll soon be scheduling the exam myself.

    With regards to the recon script, I had tried something similar myself… however, neither my attempt or this runs quick enough on my machine to even consider using it in its entirety in the exam.

    Did you really run this script as-is? If you did then I think I need a few more cores in the aging machine sitting under the desk :).

    • Mike Czumak says:

      Thanks Martin. I did use the script pretty much as-is (commenting out any type of vuln-scanners like nikto since it’s not allowed for the exam). Since I used the python multiprocessor library I didn’t find it to be all that bad in terms of performance since each system is scanned simultaneously…especially with the small number of systems on the exam. I was running it on a VM w/ only 2gb of memory allocated; Mac host w/ 4gb total RAM, i7 processor. That being said, I purposefully run the nmap stuff first in the script to quickly get all of the open ports and running services so I can begin reviewing it as the script continues. The only thing that I found didn’t finish was the password cracking, but by then I had all I needed :). Believe me, it’s definitely not the most efficient and could probably use some serious attention from a better coder, but it served its purpose for me. If it really is running too slow you may decide to do something similar but only with nmap and none of the other service enumeration scripts. All the best on the exam! — Mike

  3. Todd says:

    Did you have any issues with the ftprecon portion? I seem to get tracebacks but I can’t find the culprit. With that said, I’m fairly new to python.

    • Mike Czumak says:

      I didn’t have any issues, but that’s not to say my code isn’t to blame. Since I never planned to distribute it I left out all error handling which is why you’re getting those tracebacks. One possible culprit is the hard-coded read/write locations. I took the quick route and hardcoded the read path to my wordlists as well as the write path to the results (wordlists/userlist, results/%s_ftphydra.txt, etc). If your dir structure is not the same, you’re going to get errors. If you want to post the originating error from the traceback I might be able to assist, though a Google search might also help, especially if you’re new to python.

      - Mike

      • Todd says:

        Mike,

        Thanks for being so willing to help. I see what you’re saying about the hard coding, but I looked through your code and matched my directory structure. I like the way you laid the code out regardless of maybe it not being the best way. It’s a good learning experience for me. I’m using it as a tool in that way. I’ve already owned a lot of the boxes but wanted to rerun some scans with scripting, etc. to look at better ways to do it. Here’s the error. I removed the IP in the paste just because:

        INFO: Performing nmap FTP script scan for XXX.XXX.XX.XXX
        Traceback (most recent call last):
        File “./ftprecon.py”, line 14, in
        results = subprocess.check_output(FTPSCAN, shell=True)
        AttributeError: ‘module’ object has no attribute ‘check_output’

        What’s strange is that if I run the ftp script by itself, it completes fine. Thanks again.

        • Mike Czumak says:

          Todd,

          That error looks like an issue with the import statement. Since it’s pointing to a function of the subprocess module, I’m guessing that’s the culprit. I just tested it on my end and had no issues. What’s weird is that none of the other scripts are raising the same exception, yet they all import the same. It’s a long shot, but is it possible you have another module or file in your path or local folder called subprocess that might be causing a conflict? You can see your imports at runtime by running python with the “-v” switch (python -v reconscan.py). Another shot in the dark, but you might try and add “from subprocess import *” to your import statements for just the ftpreconscan and see if that changes anything. If neither fix the issue, it still may be an import problem so you could research that further. Otherwise you may just want to run that one on its own. I’m afraid that without seeing it myself I won’t be much more help.

          - Mike

  4. Todd says:

    The main area having trouble with now is a box that has a RAT but I can’t seem to pop. Can’t seem to get a read on the way in. :)

  5. Came across your priv checker script on one of the OS lab systems yesterday, and just wanted to say it’s a really useful script! Definitely going into my toolkit.

    Congrats on the OSCP. It sounds like we are in a similar situation, new baby due in four weeks and starting to sweat about taking the exam.

    • Mike Czumak says:

      Thanks for the feedback, glad you found the script useful. Big congrats on your upcoming new addition! I was definitely glad I was able to take the exam just in time. I was sweating it too but everything worked out perfectly in the end. Best of luck with the exam and more importantly with the new baby. — Mike

  6. ezee says:

    wow, thanks for taking the time to post this. I started PWB on the 22nd of DEC, and just finished the 113th video today. whew. I am switching to the PWK courseware on Jan 1st (free upgrade if you purchased after Nov), after which I plan to spend an additional 30 days on the pdf/videos again before moving on to a few months of labs. I will probably spend 6 months as well, I’m in no hurry.

    I’ve read about a 1/2 dozen posts like this today and reddit threads, and this is the most complete and helpful of the bunch.

    Mike can you also post your list shown here so that we may do the same? This is great advice.

    http://www.securitysift.com/wp-content/uploads/2013/10/ExploitChart.bmp

    Thanks.

    • Mike Czumak says:

      Thanks, I really appreciate the feedback and I’m glad you found it useful. Per your request, I’ve updated the post to include my list of MS exploits in unformatted CSV form. It represents all of the exploits I was able to compile, test, and confirm. Having this reference and the pre-compiled exploits at-the-ready was worth the prep time before the exam. Enjoy the course and best of luck on the exam. – Mike

  7. ezee says:

    Mike, I just can’t thank you enough for this helpful info, and appreciate how you took care to provide helpful info without any spoilers…that’s respectable.

  8. ezee says:

    xposted this blog entry in a related discussion on reddit.

    http://www.reddit.com/r/AskNetsec/comments/1tw7od/oscp_crew_overlooked_tools/

    leaving this here for the google spiders.

  9. gd says:

    Thanks Mike for this interesting review. Especially Your MS exploits csv file. I would like to have more information about one of them (MS08-067 exploit db 7104). Could we exchange on it in private? I have some issues to compile correctly this exploit.
    Thanks for your reply and congratulations for your cert.

    • Mike Czumak says:

      Thanks for the feedback. If you’re trying to compile 7104.c on Kali via wine and you’re getting ‘undefined reference’ errors, make sure you include all of the necessary libraries — lwsock32, lrpcrt4 and lmpr. You can always find out which library is the culprit by searching MSDN for the reference (e.g. “UuidFromString”) and checking which library it belongs to. Alternatively, I just tested on Windows XP using Visual Studio 2010 and it compiled with no errors. I just sent you an email in case this didn’t address your problem. — Mike

  10. gd says:

    Thanks mike.

    See my email.

    I’ll let you know.

    GD

  11. Vitor Durans says:

    Thanks for the great review Mike and congrats for your new certification.
    In your opinion, is this a certification for a more experienced professional, or can guys like me, who entered the infosec field not so long ago, take the course and be successful in the exam too?
    Best regards!

    • Mike Czumak says:

      Thanks Vitor. As you probably know, Offsec bills this as their entry-level course/cert with the caveat that “a solid understanding of TCP/IP, networking, and reasonable Linux skills are required” and I think this is pretty accurate. Just make sure you have a grasp on the fundamentals of networking, operating systems, and scripting so you can focus your course time on learning the “security-centric” material. I reference a few resources in the review, but there are plenty of others you can use to prepare. I think the good thing about this course is that if you have little to no experience in security you’re going to learn a lot and even if you are experienced, you can use the time to explore the topics in much greater depth. You might consider looking at the syllabus and if there are areas you are truly in the dark about, you can do a bit of pre-course self-study. That said, the videos and course guide do a great job of introducing and demoing the concepts and then it’s largely up to you to research and practice them until you feel you have a firm grasp. Remember, you can always extend the lab time if needed. Hope this helps. — Mike

      • Vitor Durans says:

        Thanks again Mike. So, I’m looking for a hands-on course. I’ve been working with Linux at an ISP, so I think the TCP/IP, networking and Linux I can handle.
        I’ve also searched for other courses like the CEH from EC-COUNCIL; the syllabi of both are not so different, but in many of the reviews I’ve read about the CEH people say that it is a little theoretical and could be more hands-on.
        Nowadays, I’m concerned about the skills a course can give me, and the certification comes as a consequence.
        So, do you think these skills can be obtained more from OffSec than from EC-COUNCIL?
        Thanks again for the feedback.

        • Mike Czumak says:

          If it’s a hands-on, practical application course you’re looking for I personally would skip the CEH and go with the OSCP. I haven’t taken the CEH exam, but I’ve read some of the material and taken plenty of multiple-choice style exams to know that it probably won’t be what you’re looking for. If you want to get an overview of some pen-testing/security concepts, buy or borrow a CEH exam prep guide and give it a read, but I think the OSCP is better suited for the skills you’re after. You’ve got the right approach regarding skills vs. certification…you can get a lot out of the PWK/OSCP if you’re willing to invest the time and the certification is an added bonus.

  12. Dave says:

    Great review! What can you say about the network secrets txt file?? Any advice?

    Thanks

    - Dave

    • Mike Czumak says:

      Thanks Dave. Advice about finding them? Enumeration, enumeration, enumeration! When you’ve popped a box, don’t be too quick to move on without looking around. Obviously there are only a handful of network-secrets.txt files so it’s a matter of rooting the right machines but if you don’t find it on the one you’re on, you may find other interesting data that will net you another owned box.

  13. Rich Baker says:

    Thanks for the great write-up. It’s very useful as I plan to pursue this as well. Also, congratulations on the baby!

  14. Chris says:

    Great review
    I am in the course now, I have about 60+ days left on my labs, and zero scripting experience. I have been getting there each night as time permits to try and play, but I wonder if I am in over my head. For a novice, aside from the pdf and videos, are there other resources you might recommend to help prep for the exam?

    • Mike Czumak says:

      Chris,

      The course covers so much material, it’s difficult for me to provide a blanket list of other resources. I know you said “aside from the pdf and videos”, but you’ll definitely want to methodically review these resources carefully, perform the example exercises a few times, and figure out where your weaknesses lie. That way you can identify the topics for which you need to consult other resources. It’s no coincidence that the first ~130 pages of the course guide cover the essential tools, enumeration techniques, and scanning. It’s key you have a grasp on these concepts because they will play a major role in both the lab and the exam. The lab is a great playground that sets this course apart from others, but it will serve you well to approach this as if it were a real penetration test. Scan and enumerate, documenting your findings as you go. This is how you’ll organize your plan of attack for each system and find vulnerabilities and clues for others.

      For bash scripting you might want to have a look at the video “Bash Scripting 101 for Pen Testers” (http://www.securitytube.net/video/6006). SecurityTube is a great resource for learning the basics of Assembly, Buffer Overflows, etc. They also have a relevant video from Mark Baggett on proxychains http://www.securitytube.net/video/925. For web application security, there are tons of great free sites out there. If you want a book, I’ve found no other single resource greater than The Web Application Hacker’s Handbook. For Buffer Overflows, I have some tutorials on my site (Windows-centric with more on the way) and Corelan Team’s site is also a fantastic resource. For scripts and cheatsheets (reverse shells, sql injection, etc) check out http://pentestmonkey.net/. FuzzySecurity recently posted a thorough tutorial on Windows Privilege Escalation (http://www.fuzzysecurity.com/tutorials/16.html). Again, this is only a sample of the resources available out there. If you have an area in mind that you’d like to learn more about, let me know and maybe I can suggest others.

      Don’t get discouraged. You can get a lot out of this course if you work through the material slowly and practice applying the concepts in the lab. The hands-on application of the topics will benefit you a great deal.

      I hope this helps. – Mike

  15. Brad says:

    Did they change the timing? I thought you get a full 24 hours to pop the boxes and another full 24 to write the report.

    • Mike Czumak says:

      I didn’t hear that they changed the timing. Are you referring to something in my post or something you heard elsewhere?

  16. Chris says:

    @Brad -
    Here is what they told me on my welcome letter.

    You will have 23 hours, 45 minutes to hack a live lab environment similar to the exercises in the course
    * During the first hours of the challenge, one of our staff members will be online on IRC (irc.freenode.net in the #offsec channel) and the Jabber network (offensive-security@jabber.org) to assist you if problems arise.
    * You need to send your lab and exam report to challenges@offensive-security.com within 24 hours of the end of the challenge

  17. Chris says:

    @Mike –
    Thank you for the very thorough reply! Loads of resources in there, which I will certainly check out. I check out the videos and pdf as I can during the day at work, then try to apply the labs at home in the evening. So far progress is slow, but with some of your scripts as examples, and the resources you mentioned, I may have found some new motivation. Many thanks! I have never really used IRC before, is it worth adding a client to talk it up in the offsec channel?

    • Mike Czumak says:

      You’re welcome. You certainly have nothing to lose by getting on IRC; you may get some useful guidance. Best of luck!

  18. Maxx says:

    Hi, can you also upload your userlist / offsecpass list? Would be very nice. Thx for these awesome tips. Kind regards, Maxx

  19. ad says:

    Hi Mike,

    Thank you for your great review and I do agree that yours is the most comprehensive and helpful compared with others.

    With regard to exploit #7104 from exploitdb, I managed to compile it but it seems that it doesn’t work; the Win32 service on the target machine always crashed after receiving the shellcode.

    Do you mind sharing your .c and executable files with me via e-mail please?

    Thank you

    -da

  20. Jay says:

    Mike,

    I need your advice on usage of password files. Text files like “rockyou” have an impressive list of potential passwords, but brute-forcing with these large files can take some time. For instance, I was trying to brute-force RDP with ncrack and the rockyou text file, and it seemed to take forever.

    From your experience, are we expected to use these large files for brute-forcing in the PWB/PWK course and exam? I am asking from a time-constraints perspective.

    Thanks

    • Mike Czumak says:

      The short answer is no, I would not necessarily default to a large file such as “rockyou” for every password guessing attempt. At the same time, it’s all about using your time wisely so if you identify an exposed service that you want to try a password guessing attack, you might try a larger list and while that’s running, focus your attention on another system or service. It partially depends on the service you are targeting — services such as RDP, telnet or others with response delays/timeouts/automatic disconnects can add significant time to the process and you don’t want to go overboard on your password list. For password audits in general (PWK course or otherwise) I recommend tailoring your password list as much as possible — usernames/passwords of already discovered and cracked accounts, keywords pertinent to your environment/users, etc. Start with as small a list as possible and work your way up to a larger list if necessary. For example, for this course I had one list that contained the most common passwords to which I continuously added any newly discovered username and cracked password that I found in the lab. I think you’ll find for the exam that you don’t need to go overboard and you always have the option to move to a larger list. Hope this helps. – Mike
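An added example, not code from the original post, that implements the list-building order Mike describes (discovered credentials and environment keywords first, the generic most-common passwords last, grow only if needed) and puts a number on why a list the size of rockyou is impractical against a service with per-attempt delays such as RDP. All inputs are constructed stand-ins, and the rockyou line count is an assumed approximation.

```python
"""Tailoring a password-audit list and budgeting its runtime.

Added example, not code from the original post. It implements the ordering
Mike describes (discovered credentials and environment keywords first, the
generic most-common passwords last, grow only if needed) and puts a number
on why a list like rockyou is impractical against a slow service such as
RDP. All inputs below are constructed; the rockyou line count is an
assumed approximation.
"""
from datetime import timedelta

# Constructed stand-ins for what enumeration of a lab would yield.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein", "welcome", "admin"]
DISCOVERED_CREDS = [("jsmith", "Summer2013"), ("svc_backup", "backup123"), ("admin", "password")]
ENVIRONMENT_KEYWORDS = ["acme", "widgets"]
ROCKYOU_LINES = 14_344_391  # assumed approximate size of the public rockyou list


def keyword_variants(word):
    """Only casing variants; no mangling rules, to keep the list short."""
    return [word.lower(), word.capitalize()]


def build_audit_list(common, discovered, keywords, max_size=None):
    """Ordered, de-duplicated candidate list, most likely guesses first."""
    ordered = []
    ordered += [pw for _, pw in discovered]        # 1. passwords already proven valid elsewhere
    ordered += [user for user, _ in discovered]    # 2. usernames reused as passwords
    for kw in keywords:                            # 3. environment-specific words
        ordered += keyword_variants(kw)
    ordered += common                              # 4. generic most-common passwords last
    seen, result = set(), []
    for pw in ordered:
        if pw and pw not in seen:
            seen.add(pw)
            result.append(pw)
    return result[:max_size] if max_size else result


def estimate_runtime(num_passwords, num_users, seconds_per_attempt, parallel=1):
    """Wall-clock budget for one full pass of the list against every user."""
    attempts = num_passwords * num_users
    return timedelta(seconds=attempts * seconds_per_attempt / parallel)


def compare_plans(num_users=3, seconds_per_attempt=2.0, parallel=4):
    """Tailored list vs. rockyou against a service with a ~2 s per-attempt delay."""
    tailored = build_audit_list(COMMON_PASSWORDS, DISCOVERED_CREDS, ENVIRONMENT_KEYWORDS)
    return {
        "tailored_size": len(tailored),
        "tailored_eta": estimate_runtime(len(tailored), num_users, seconds_per_attempt, parallel),
        "rockyou_eta": estimate_runtime(ROCKYOU_LINES, num_users, seconds_per_attempt, parallel),
    }


if __name__ == "__main__":
    plan = compare_plans()
    print(f"tailored list: {plan['tailored_size']} candidates, ~{plan['tailored_eta']}")
    print(f"rockyou:       {ROCKYOU_LINES} candidates, ~{plan['rockyou_eta']}")
```

With the constructed inputs the tailored list is 15 candidates and one pass over three accounts fits in under a minute, while the same pass with rockyou runs to hundreds of days; `max_size` caps the list when the service is slow, and the `seconds_per_attempt` figure is where a measured timeout or lockout delay for the service goes.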

  21. Jay says:

    Many Thanks, Mike

  22. Olivier says:

    Hi Mike,
    Thanks a lot for your feedback. You mentioned that it was not always possible or useful to use vulnerability scanners (Nessus, OpenVAS, etc.). So how did you select CVEs, exploits, payloads to compromise the targets? Please could you elaborate a little bit?
    Thanks in advance,
    Olivier

    • Mike Czumak says:

      Olivier,

      While vulnerability scanners such as Nessus have practical, time saving application in real-world testing efforts, they are not allowed on the exam and should not be relied upon when performing the lab. The course is designed to ensure you have the skills to identify this same vulnerability information manually and highlights why enumeration and discovery is such a fundamental step in the pen-test process. In terms of how to do it, the lessons on information gathering, recon, and port scanning are key … use nmap to determine open ports and services or telnet/nc to banner grab; what OS is running? what applications and versions are discovered? are there known exploits in exploit-db for any of these? Through these enumeration techniques you will discover vulnerable services and select your payloads accordingly. Hopefully this answers your question.

      - Mike
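An added example, not code from the original post or from Offensive Security, of the manual banner grab Mike mentions in place of a scanner: connect, read what the service says about itself, and parse the product and version out of it, which are the same facts a defender wants when inventorying what a host exposes. A throwaway local listener replays constructed banners so it runs offline; the banner strings, regexes and helper names are all assumptions.

```python
"""Manual service enumeration: banner grab plus version parsing.

Added example, not code from the original post or from Offensive Security.
It stands in for the telnet/nc banner grab described above and parses the
product and version out of the reply. A throwaway local listener replays
constructed banners so the script runs offline.
"""
import re
import socket
import threading

# Constructed sample banners in the shape the real daemons emit.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_5.3\r\n",
    "ftp": b"220 ProFTPD 1.3.3c Server (Debian) [::ffff:10.0.0.5]\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n\r\n",
}

# Service label and a pattern that pulls product/version out of its banner.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("http", re.compile(r"^HTTP/[\d.]+ .*?Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.S)),
    ("smtp", re.compile(r"^220[ -].*?E?SMTP.*?(?P<product>Postfix|Exim|Sendmail)(?:\s+(?P<version>\d[\w.]*))?", re.S)),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>ProFTPD|vsFTPd|Pure-FTPd|FileZilla Server)\s+(?:version\s+)?(?P<version>[\w.]+)")),
]


def serve_banner(banner, expect_probe=False):
    """Start a one-shot local listener that sends `banner` and return its port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if expect_probe:  # HTTP only answers after a request
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect, optionally send a probe, and read until close or timeout."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("utf-8", "replace")


def parse_banner(raw):
    """Return service/product/version from a banner, or 'unknown'."""
    for service, pattern in BANNER_PATTERNS:
        match = pattern.search(raw)
        if match:
            return {"service": service, "product": match.group("product"),
                    "version": match.group("version"), "raw": raw.strip()}
    return {"service": "unknown", "product": None, "version": None, "raw": raw.strip()}


def enumerate_sample():
    """Grab and parse every constructed banner over real local sockets."""
    results = {}
    for name, banner in SAMPLE_BANNERS.items():
        probe = b"HEAD / HTTP/1.0\r\n\r\n" if name == "http" else b""
        port = serve_banner(banner, expect_probe=bool(probe))
        results[name] = parse_banner(grab_banner("127.0.0.1", port, probe))
    return results


if __name__ == "__main__":
    for name, info in enumerate_sample().items():
        print(f"{name:5s} {info['product']} {info['version']}  <- {info['raw']!r}")
```

Against a real host you would call `grab_banner` with the address and port nmap reported (sending the HTTP probe only for web ports), and the parsed product/version pair is what gets recorded per host and later matched against known issues; a banner that parses as `unknown` is itself worth noting, since services that announce nothing still have to be identified some other way.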

  23. fei says:

    Nice review and congratulations. I had subscribed to the latest Penetration with Kali and I have learned so much from the course material (BO, tunnelling, file transfer, etc.). However, things start to change when I move on to the pentest on hosts in the lab segment.

    Pwning the first few hosts with metasploit is relatively easy but that is not the right way (as the exam does not encourage the use of metasploit) and compiling code from exploitdb/security focus may not be straightforward, especially when it comes to cross platform compilation (compiling Windows C in a Linux environment). It could be discouraging when I only had 4 hours per day to work on the lab (busy working during day time), and yet stuck on getting the exploit from exploitdb/security focus working. I may need to find a hacking buddy from its IRC channel.

    I decided to extend the lab as I could not finish pwning all the hosts in just 30 days.

    The above are based on my knowledge and experience, please do not be discouraged to take on the PWK.

  24. yassine says:

    Mike, thank you for this important resource and information that’s helpful for us as beginners who prepare for this certification. I have just one other request (and I know we ask you so much :( , thank you again for that): could you share with us your study notes, because they seem rich in information? Even if I’m preparing the PWK version of the course, it will be helpful to me. You have my email :)

    • Mike Czumak says:

      Unfortunately nearly all of the notes I have are specific to each system in the lab (specific scripts I used for a given target, the steps I took to get root, goodies I found, etc) and I wouldn’t want to share those. If you have a specific question about a topic, I’d be glad to help though. -Mike

  25. Peter says:

    Hi Mike,
    Great post, I must say.

    I am taking the OSCP course as I type.
    I am kinda stuck in finding the “right” exploits in exploit-db & securityfocus. The search term doesn’t always return the right exploits you’re looking for.
    Any piece of advice on improving the search capability?

    Thanks!

    • Mike Czumak says:

      Thanks Peter. Regarding searching for exploits, you may be better off using Google, especially if you have limited information about a target software/service. You can always narrow your search to sites like exploit-db by using the site:exploit-db.com Google dork.

  26. Peter says:

    Gotcha. Thanks !

  27. Eric says:

    Mike this is an awesome post. Thanks for giving back. I just passed the CEH and now taking this OSCP course. I was trying to get a feel of how the exam was setup or how to approach it. All I do for the company I work for is scan, find vulns, write a report about how they will affect the system or the environment. We don’t exploit but I do exploit in my lab. So yes I do all the recon and identify security problems with systems…. I do a little scripting with bash and python. I’m good at reading others’ scripts then picking them to work as I would like it.. I say all of this to ask you or anybody on the blog: is the exam pretty much the way I’ve been explaining how I work? As long as you go through the course and remember how to do things and take good notes, it should be as smooth as the exercises?

    • Mike Czumak says:

      Thanks Eric. Yes, I thought the lab was the perfect prep for the exam. Really the exam is not much different … just fewer machines and the added pressure of a lot less time. If you feel comfortable with the course material and techniques practiced in the lab, take good notes, organize your materials, and develop your plan of attack ahead of time, you should be well prepared for the exam.

  28. Peter says:

    Hi Mike,

    +1 praise for your post. I’ve just finished pwning my way through the labs and will have my exam soon. Your Linux script was very useful, and I’m now adapting your recon scripts to my taste. This is by far the most useful and comprehensive post on OSCP you can find nowadays on the ‘Net.

    I’m also having trouble with exploit-db 7104 (service code exec). It seems to crash Win XP SP3 every time. If you look at the metasploit module for this, there are lots of different cases in there. What did you do to modify it?

    Also, you probably can’t go into detail, but is it worth spending the time compiling the remote exploits? I’ve got all my privilege escalation ones, but I find the remote ones on exploit-db hard to compile, and even when you are able to, they are quite fiddly and only work on certain specific Windows versions.

    BTW, here is the link for the enlightenment exploit pack by spender, which was very useful in the PWK labs to escalate in some Linux machines: http://grsecurity.net/~spender/exploits/enlightenment.tgz

    Thanks and regards!

    Peter

    • Mike Czumak says:

      Thanks for the feedback Peter, I’m really glad you found the post and scripts useful. Yeah, the remote exploits, including 7104, can definitely be finicky and specific in their targets. In fact, I don’t know that I ended up using 7104 at all, but I was able to successfully compile most others (though I ended up using multiple flavors of Windows to do so). Compiling the privilege escalation scripts was my primary focus as well and certainly proved useful. You may not end up using any, but for me having the remote exploits was good peace-of-mind as I simply didn’t want to have to deal with troubleshooting a compilation error during the limited exam time frame. That being said, you probably shouldn’t get too hung up on the ones that you can’t compile easily.

      It sounds like you’re doing all of the right things to prep for the exam. Best of luck and thanks for sharing the link to the Linux privesc exploit.

      - Mike

  29. itsmario says:

    Hi Mike,

    I was wondering if usage of provided online rainbow cracker for pwk was allowed during the exam or are we expected to crack passwords on our own?

    • Mike Czumak says:

      The exam instructions you receive will list any restrictions. That being said, I don’t recall there being a restriction for my exam.

  30. Diego says:

    Hi Mike,

    thanks for your great post !!

    I have a doubt I hope you can help me with. I am thinking about facing this cert. English is not my mother language. I can read English without problem and, usually, I can understand spoken English (it depends a lot on the accent). However, I am a little scared I cannot understand the videos (so far, I’ve been able to follow the one on the Offensive-Security web site). Are the videos really important? I mean, can I learn all the stuff needed just from the pdf guide?

    Thanks a lot.

    • Mike Czumak says:

      Thanks Diego. I must admit I can’t entirely relate to your issue for this course since English is my first language but I hope my response helps. The video posted to the Offsec site is exactly like the videos in the course so if you understand the spoken accent, you should have no problem. A lot of the benefit you will get from the videos is from watching the demos so even if you don’t understand every spoken word I think you’ll still find them useful. I would consider the videos a good supplement to the pdf guide as they sometimes go into more detail and reinforce the written examples. Also keep in mind much of what you get out of the course will also come from your own research outside of the pdfs and videos. – Mike

  31. en says:

    Hi Mike,

    I was wondering if you could share same information that you shared with gd?
    I’m trying to make the 7104 exploit work and having problems.
    It compiles fine but gives errors when executing it.

    Thanks in advance

    • Mike Czumak says:

      Unfortunately I experienced the same thing — compiled, but errors when executing. I didn’t use that exploit and haven’t yet taken the time to see why it’s failing. Sorry I couldn’t be more help. -Mike

  32. yassine says:

    hey Mike,
    I am preparing the OSCP lab, I got 21 hosts until now. I want to ask you if you could give me a small hint (without spoiling too much) about these two hosts in the IT DEPT, 10.1.1.236 and 10.1.1.251. I searched for a direct exploit using the info about the service from nmap enumerating, but no result; I want to dirbuster the 2 webservers on the hosts but it’s almost impossible because pivoting made the thing too slow.
    So if you could give some help, I will really appreciate that.

    Thanks,

  33. Krautcomputer says:

    Big thanks for this writeup. Especially the insight into how you organised and consolidated the information helped me to get started. I find it quite challenging to keep a clear view of all the vast amounts of info I gather about the targets. I tried a few tools like magictree and armitage. But so far only keepnote met my requirements when it comes to structuring the info (i.e. grouping hosts) at least half.

    What do you use these days to keep host info organised?

    • Mike Czumak says:

      Thanks. Regarding what I use for organization, I’ve developed standard document templates to record my test results and all gathered system info which then translates directly to my standard report template. I tend to work within those documents most of the time (which really helps me to standardize my approach) but I will still use keepnote or even notepad++ as “scratch” paper as I go. I would share the templates but since I developed them for my organization they’re technically not my IP to distribute. – Mike

  34. Ashish says:

    Hey Mike,

    Can you share the notes that you had prepared using keepnote? It would be great..

    Thanks,
    Ashish

    • Mike Czumak says:

      Ashish,

      The only keepnote notes I’ve maintained are those pertaining to how I rooted each of the machines and those I cannot share.

      - Mike

  35. Melvin Fernandez says:

    Hi Mike,

    Thanks a lot for this great post. I have been searching for quite some time on whether to go ahead with this course. Thanks to you I will go ahead this month and register for it. I wanted to go for the CEH exam but as most people say it’s all theory. Will this examination be too tough for a beginner?
    Thanks
    Melvin

    • Mike Czumak says:

      Thanks Melvin. When I took the OSCP course and exam I did already have quite a bit of experience, but I believe that if you’re willing to put in the time to study and get all that you can out of the course, you’ll have success on the exam. Regardless of whether you pass the exam the first time or not, you will get real value out of the course if you invest the effort. Best of luck.

      - Mike

      • Melvin Fernandez says:

        Hi Mike, thanks for your reply. Could you suggest any other books / material that could help me in this exam? In the examination do they ask everything from the course they provide? — Melvin

        • Mike Czumak says:

          Melvin, check out my comment from 25 Feb of this year in response to Chris’s question. I do mention some specific recommended resources by topic. Let me know if that helps.

  36. Purushottam Bhandari says:

    Hi Mike/Everyone,

    First, I would like to say a big thanks to Mike and all other contributors. I have been reading your blogs for the last few days and it helped me a lot to clear many of my doubts. As I am a beginner and planning to enroll for PWK, I just want to have your suggestion about the road map to OSCP (I have done the CCNA). As I have done the CCNA, is jumping into PWK correct or not?
    FYI, I am reading things online; if I can have some study material from you for preparation, that can be a real help and then I can be more prepared and confident. In 1-2 months I will join the PWK course, as I just want to utilize my money and time wisely :-). PLEASE SUGGEST.

    Highly appreciate your suggestions and help with study material. :-)

    • Mike Czumak says:

      Thanks for the feedback. As far as a road map to the OSCP and preparation for the PWK course, that really depends on your current level of knowledge/experience. I think that the Offsec recommendations are sound — you should have a solid understanding of TCP/IP/networking (which you should have from your CCNA) and familiarity with Linux and Windows OS. Scripting knowledge (bash/python/perl/etc) certainly helps too. Aside from that, take a look at the course syllabus and see if there are things that are completely foreign to you. If so, there are many online and print resources that can help you. Refer to some of my prior comments on this post for specific recommendations. While the OSCP cert is great, I think the real value here is in the quality of the course and the lab. Master the material and the cert will follow. You will get a lot out of it (regardless of your current skill level) as long as you are willing and able to invest the time. Let me know if there are any other questions I might be able to answer for you. Best of luck – Mike

  37. Purushottam Bhandari says:

    Thanks a lot for your helping hand on it. :-)

  38. Ban says:

    Thanks for the time and effort you spent to provide such a great review. In fact, this is the best review I have found so far for this course!

  39. Kylie says:

    Thanks Mike for these scripts, they look great. I’ve changed the hard coding to match my directory structure, but I’m getting a whole heap of Traceback errors. Do you know what could be causing them?

  40. Kylie says:

    Have another quick question Mike, how long is the script supposed to take to run, because mine never seems to end?

    • Mike Czumak says:

      Thanks for the feedback Kylie. To address both of your questions…if I recall correctly, the last step of the script is the password attack which can run for quite a long time (the reason I made it last). At this point I usually let it run while I review the results from all of the other scripts and formulate the plan of attack. You’ll probably get to the point where you can manually stop the password attack portion of the script. Regarding the traceback errors, I’d have to see them to better understand. I’ve sent you an email so we can communicate directly. -Mike
