Two days ago I did my first attempt at the OSCP exam. I have not passed -YET.
The exam is a 24 hour exam where I was expected to gain reverse shell on three or four out of six machines that I’ve never had contact with before. It was a lot of fun mapping them, finding their weak spots and figuring out which one of the numerous weaknesses could be exploited. However, I wasn’t able to exploit any of them end to end.
Use Kali Linux to pwn all the things
OSCP is very prestigeous, and for a reason. There are no multiple choice questions, but you show your hands on skills in an environment with tons of clues that can lead you very far in the wrong direction. The process of learning for this exam has been deeply rewarding, and I feel more rooted than ever in my skills as a security tester.
I love the way that the lab and the instructions focuses on manual testing, the human component, encouraging deep learning, exploration and creativity. Emphasis is put into testing systems with very simple tools, and learning how to operate the Kali Linux built-ins to their fullest.
The OSCP exam does not only require you to be able to do end-to-end exploits. It requires you to do so manually, in very limited time, against totally unknown systems. You’re expected to be able to use exploit code written in any of at least nine possible languages, running on two different OS’s.
Fixing vulnerabilities or understanding their root cause is out of scope. A syllabus needs to have clearly defined boundaries, so I think that’s good. OSCP helps you gain very deep knowledge in exploiting technical vulnerabilities, but it’s important to keep in mind that remote exploitation is a very small subset of the whole IT security domain.
Penetration testing is hard
Penetration testing is hard by nature. We’re often using side channels or smart hacks to learn things about systems that the designers did not think of. I love working like this, taking the perspective of the bad guy and try to find and patch the weak spots before they are exploited.
Skillsets needed for penetration testing:
- Good exploratory tester
- Good understanding in the security domain
- Good system administration in Linux and Windows
- Good developer in several languages
- Good at keeping order and documentation
Among these skills, my current weakness is in software development. This is no wonder, because I’ve never worked as one and I don’t have formal education as one. I’ve done many, many online tutorials in various languages, and because I never collaborated with anyone on it, I never really understood the concepts and gave up a dozen times. First time I single handedly wrote and debugged a function that actually worked was 10 months ago, and since then I haven’t had development as part of my work description. So this is probably the most important piece of the puzzle that is lacking for me.
You’d better believe though that the OSCP has motivated me to improve this though! This is where I will focus most effort before taking the OSCP exam again.
Offensive Security training is harder
Pen testing is hard. That said, I think that Offensive Security makes this experience harder than it needs to be.
No pre-enrollment guidance
Most other courses give you a rough estimate about what pre-knowledge you need to have, recommendations on where to aquire the knowledge that you may lack, and maybe even pre-enrollment assessments.
Offensive Security does not offer this guidance. They sell lab access of 30, 60 and 90 days, but without mentioning to whom the different packages might be suitable. What level of experience and work effort is expected in order to get as much as possible out of the labs? There is no buyer’s guide. I had to rely on other students’ testimonies and sift through dozens of blog posts to be able to make a rough estimation about pre-knowledge, and as seen above, that estimation was not sufficient.
There is an 11 page syllabus but it doesn’t help very much when there’s no explanation on how deep we go into these subjects. And key skills like Python are not even mentioned!
Steep learning curve
The level and pedagogic effort varies wildly between modules. One of the first chapters is an introduction to Bash piping – a very important, basic skill. Just a few chapters later the student is expected to translate her newly gained exploit development skills from Python to C (!). There’s a vast difference in knowledge level required for those two modules, even though they are part of the same course towards the same audience.
OSCP – just like many other online courses – has a steep learning curve. They gently hold the students hand for the first example and then confront them with an indecipherable wall to bang their head against as the next example. It’s common for this to happen when the ones who are making a course are subject experts, but not as good teachers.
I documented 30 bugs in the student materials
I do not know whether all the videos are the same age, but at least some of them are around 6 years old and have not been updated since. In general, the PDF has less faults than the videos. They have mostly overlapping, but not identical content.
The instruction material is a 380 page PDF and a series of videos. I have noted down 30 verifiable bugs in this material. I define bugs as typos, incorrect instructions, obsolete commands or faulty software.
One mandatory module is impossible to perform because Offensive Security hasn’t updated the affected virtual machine image, and has left it like that for at least eight months (!).
Thing is, when you enroll you get very clear instructions NOT to apt-get upgrade the machines and to only use this exact image, because otherwise some training modules may not work. This primes the student into expecting that the software is verified to work as intended, and that it is continuously upgraded. Also, the fact that we pay for this course also primes a student into thinking that the instructions are actually correct.
“This is not for the faint of heart”, the webpage states. “Try harder” is the motto of Offensive Security.
I don’t want the security community to be an elitist group excluding people with “faint hearts”. I’m one of those people. I spent my first 25 years looking in to the hacker world in awe, but not daring to enter. Not thinking I was made of the right stuff, that I didn’t have what it takes. Therefore my biggest obstacle is sentiments like this: that security research is something very special and very cool that only the chosen ones can do. Some of the characteristics that this is chosen upon are necessary, whereas some are arbitrary.
Another student in the student forum I think wrote it nicely:
From what I have learned, the main part of the course is to build resilience to wall head banging 🙂
I wouldn’t end that sentence with a smiley. Some of the head banging is part of life as a continuously learning, curious and creative IT professional. But a great deal of it is plainly unnecessary, and most of it can be easily fixed.
Learn all the things!
I have read many other students’ blogging about how rewarding a process the OSCP has been for them. I am clearly critical of a subset of how this certificate is designed. However, I am also very happy with the journey I have made and will continue to make. It ain’t over yet, and I have a very clear picture of what I need to do in order to gain that elusive certificate. The OSCP has deepened my fascination for IT security even further.
I really want to do this!