How to obtain an OSCP (Offensive Security Certified Professional) certificate
Perhaps “offensive” security is the best name for the area of activity we will talk about today. Of course, “offensive” can also mean insulting and even aggressive, but that is not the point here.
So, you still haven’t lost your faith in a career in the information security field, but you are finally convinced that most vendor certificates are meaningless paper, not worth your time. One of my colleagues has already proposed simply handing a Vendor Certified Dumping Specialist certificate to everyone who pays for an exam and being done with this whole circus. But let’s face it: training and certification is a serious business, and it isn’t going anywhere anytime soon.
It is even harder if the knowledge and skills you decide to confirm are not tied to any one vendor. I have already talked about CISSP, but what about practical skills in the field of information security?
On the one hand, there is the fashionable Certified Ethical Hacker exam. I have no doubt that it is popular solely because only after passing this exam can you officially be called a hacker. The problem is different: you will also have to accept that you became a hacker simply by answering 125 questions correctly. Despite the absurdity of the situation, this exam is extremely popular in the West and is required for certain positions, especially in the public and military sectors.
On the other hand, there is SANS and its Cyber Guardian program. It looks great; I imagine the certificate of completion is personally presented by Mr. Keanu Reeves in his famous role. There is only one drawback: the cost of several thousand dollars for the whole pleasure.
That leaves OSCP. Much has been written about this certification; now it is my turn.
So, after going through denial, anger, bargaining and depression, you reach acceptance and start preparing to sit the exam. Looking ahead, I will say that you will go through all these stages more than once during your preparation, in a different order and even in strange combinations.
After paying for the course, you get a hefty PDF file, various video files with commentary, and access to a virtual lab. Does nothing seem off yet? That’s right: there will be no “training” here. The PDF contains reference information on utilities you probably already know (nc, curl, find, and the like) and briefly covers the Kali Linux toolkit. Strictly speaking, you paid for the opportunity to learn on your own, and the virtual lab helps you with that.
In total, the virtual lab has just under 60 machines: workstations, member servers, banner ads, websites, and much more. Initially, I planned to do a little more than half of them to assess the level of difficulty of the exam tasks. But whoever gets drawn in ends up doing all of them. Meanwhile, the network lives its own life: users write letters to each other and visit web pages, and servers request information from each other.
Furthermore, the network is divided into subnets separated by firewalls, and at some point you can even get into the holy of holies. It took me a little less than 40 days to root all the machines. Of course, quite a few are pushovers, but there are real monsters too. Google who Pain, Sufferance and Humble are. Each of them took me a long time. There is also gh0st, but it is a CTF-style machine that stands well apart from the rest.
The course description says that you don’t need any serious experience to start practicing. But that is not really so. Novice specialists are unlikely to cope with this task, and experienced engineers come with very different baggage. An experienced crypto specialist will easily deal with Sufferance, an experienced DBA will crack Humble in 10 minutes, and an experienced Linux administrator will crush Pain in two.
In any case, most of your time is spent studying and experimenting. That is all of OSCP. While working on the lab machines, you can talk with fellow students on the forum. However, hints are prohibited, and the best you will hear is “Try harder!”. Motivation, more or less.
Your time on the lab network will inevitably run out, and it will be time to schedule the exam. And this, perhaps, is the biggest difference between the OSCP course and all the others. No questions, no “put in the correct order”, no “choose the most correct answer”. None of that. You get one day to hack 5 servers and one day to write a report on exactly how you did it. That’s all.
This year, by the way, the rules have changed a bit, and now you need a webcam to take the exam. An Offensive Security representative connects and monitors what is happening on your screen as well as in the room. This is not particularly annoying, and after 15 minutes you forget about it. Unfortunately, this is an inevitable consequence of the exam’s popularity and of the resulting cheating attempts.
In my case, the exam lasted 12 hours from start to gaining access to the last server. I spent a few more hours rechecking all the actions taken and collecting screenshots. Bingo!
And now a bit of the criticism you can find online.
First, it is expensive. True. But what are the alternatives? SANS courses are even more expensive, and I have not heard of anyone paying for them out of their own pocket.
Second, it teaches nothing. True, the OSCP course alone does not teach anything. The book covers the basic tools very superficially, you almost certainly knew all of it already, not to mention the videos. But the essence of the course is different: you must teach yourself everything, and all the conditions for that are created. There is too much material to fit into any textbook.
Third, old machines. This is also true. If I’m not mistaken, the most recent operating system I met on the lab network was Windows Server 2012 R2. I see it this way: new vulnerabilities are discovered every day. Can you imagine how much the course would cost if it were updated daily? The main thing this course can teach is the methodology, and it is completely independent of the age of the vulnerabilities found. On the exam, by the way, the situation is the opposite: new machines with Windows 10, patched Linux kernels and the like.
Fourth, the exam does not prove any knowledge. Here I have to agree, though only partly. In fact, the exam assesses not only your skills as such, but also your time management, your ability to work under stress and your multitasking. The most important thing is whether you can follow the methodology and not get distracted when the solution already seems obvious. After 10 hours in front of the screen, your logic may start to fail, your attention scatters, and you start walking in circles. This is where your fundamental knowledge, as well as the ability to step back and look at the problem from another angle, will be useful.
What’s next? Offensive Security itself does not offer a follow-on step in certification. There are separate exams on wireless network security and on web application security, and somewhat apart stands an exam for exploit developers.
A certificate is, of course, great, but in fact the best thing you can take away from the OSCP course is knowledge. Knowledge that will inevitably become obsolete if you stop continuing your education on your own.