Wednesday 13 April 2011

Passed OSCP - I'm back and blogging

I've not blogged a great deal in the past month or so. This is mainly because I have been focused on my studies.

This blog is just to say, that I have passed the OSCP, which has got to be one of the most challenging and worthwhile IT Security courses and certifications that I know of.

The OSCP
OSCP is a unique 24 hour exam; A live online Pen-test, in which the candidate must complete 5 hacking challenges to break into several computer systems (that you have never seen before), gain root or system-level access, and collect a trophy file to prove it.

You then have a further 24 hours to document and submit your results, explanations, and supporting proof, in a Penetration Test Report.

It's a tough exam. Apparently most people fail at their first attempt, but I passed it first time :o)

What's next
The next part of my study plan is to finish the OSCE (which I already started studying) - Yes, I'm actually looking forward to this 48 hour monster-exam! (Just need to do some more study and 0-day research...)

I now have a ton of letters after my name, but OSCP is probably the one I value the most (as would anyone else who has attempted it) as it demonstrates real capability, rather than knowledge.

33 comments:

  1. Replies
    1. Hey Guys !

      USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
      All Leads have genuine & valid information

      **HEADERS IN LEADS**
      First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

      *Price for SSN lead $2
      *You can ask for sample before any deal
      *If anyone buy in bulk, we can negotiate
      *Sampling is just for serious buyers

      ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
      ->$5 PER EACH

      ->Hope for the long term deal
      ->Interested buyers will be welcome

      **Contact 24/7**
      Whatsapp > +923172721122
      Email > leads.sellers1212@gmail.com
      Telegram > @leadsupplier
      ICQ > 752822040

      Delete
  2. what exactly do you mean by "as it demonstrates real capability, rather than knowledge." ?

    ReplyDelete
  3. Hi Anonymous,

    What I meant by that was that I feel it is one thing to know that it may be possible to exploit a vulnerable system with a certain exploit, but a different thing to be able to actually do it, and prove that you can do it.

    OSCP proves that you can manually find vulnerabilities, in systems you have not seen before, customise exploits, and use them to gain access to the system. This is a different layer of skills.

    Many security experts have knowledge of the tools, exploits, and techniques which are "possible" to use (a CEH course could teach some of that) but much fewer people can actually "do it".

    Ben

    ReplyDelete
  4. Well done Ben, I'm beginning the course myself, any tips you can give me? I'm struggling with the report as not sure how I should approach this being new to Security.

    Any help would be appreciated ;-)

    ReplyDelete
  5. My top tips

    1) Expect to buy more lab time (I found 15-day blocks was good)

    2) Start your report early, when you have pwned 5 to 10 systems. It will help you with ideas.

    3) The lab is big, and some systems are very hard. Expect it to be hard, but don't give up hope.

    4) Don't try to run before you can walk, take your time, and get really familiar with exploits and systems before you move on.

    5) Hacking at this level is all about enumeration. Enumerate everything, and when you have done that - enumerate more.

    6) There are some good hints and tips on my blog, and elsewhere on the web. For PwB most of the answers are somewhere on the web - some you will have to customize, and a few you will have to invent.

    Ben

    ReplyDelete
  6. Ben
    For PwB most of the answers are somewhere on the web - some you will have to customize, and a few you will have to invent. -----

    Can you please provide a link

    ReplyDelete
  7. Hi tux,
    I'm not sure I understand what you are asking for (exactly).

    But, if you are studying PwB, and are asking me "Where are the answers?" - then I feel you have misunderstood a core purpose of the course.

    What you need to do is work out (for yourself) "How to find the answers", not just "find the answers".

    That is a massive difference.

    There is no link I can provide you to give you that.

    Ben

    ReplyDelete
  8. Congrats :) I'm looking over some material for the OSCP myself, will apply for it when I have some spare cash. How long did it take you to complete it? Did you get time to sleep? Anything else worth mentioning?

    ReplyDelete
  9. Hi Sean,
    I probably took about 10 hours on the exam to get enough points, but I carried on trying to get the last system - nearly got it but ran out of time...

    The course can take you a long time, before you are ready

    ReplyDelete
  10. Mate,

    Congratulations but don't get too hyped up . From what I can see on the outline, any Unix admin with > 4 years experience will ace this exam. Well done still .

    ReplyDelete
  11. No Anonymous, I really feel you have misunderstood. This is not a course about Unix administration - in fact, nothing like it.

    ReplyDelete
  12. Maybe,you misunderstood. How much Unix experience did you actually have going into this course ? See if you did, then you would have realised that a majority of the stuff covered are things that most Unix admins will tackle on a daily basis. The only exception will probably be buffer overflow attacks which in fact anyone with a decent grip on ASM will tackle with ease .Have you read the ART OF EXPLOITATION or SILENCE ON THE WIRE ?

    ReplyDelete
  13. Ok, if you think you are ready, sign up for the course

    ReplyDelete
  14. Good job ben I respect your hard work.
    I'm now working on my report :/ pain..

    hopin to be in your league soon :p

    Regards,
    Dom

    ReplyDelete
  15. Good stuff Dom, best of luck with the exam.

    You will find that there are no leagues ;o) Everyone knows unique things, nobody knows everything, and there is always more to learn.

    Have fun.

    ReplyDelete
  16. yea dude, have to agree with that

    and we all know the above anonymous said abt the course is totally a joke. :p

    my test is in two days,
    im gettn even more nervous by reading all you guys' review :/
    and sadly my system corrupt.. i lost my student report..
    which means i need HIGHER score to pass the test now..


    Dom

    ReplyDelete
  17. what was your study plan for this exam , what course u toked before taking labs ,do u recommend SANS Wed Pen Test Course .

    ReplyDelete
  18. PwB was one of the first pentesting courses I took, though I would not recommend that, as it is rather hard.

    It is the best course there is though, but you will need lots of time and enthusiasm to get you through.

    The SANS web course is a good complement to PwB as these two courses don't cover a lot of the same material, but they are both very important if you want to be a good pentester.

    ReplyDelete
  19. which more important to learn before taking the course python or shellscripting?

    ReplyDelete
  20. hi ben...just curious im planning to take OSCP as well as soon as i passed CPTE from mile2...im wondering what is the PWB material/course you keep saying?

    ReplyDelete
  21. Hi ben, I was wondering if I could ask your opinion on something. I am currently studying a msc computer science degree and want to get into pen testing. I am trying to decide whether to do another msc but in ethical hacking at abertay university, msc information security at royal holloway or learn oscp full time. Sorry this is off topic! Many thanks in advance

    ReplyDelete
  22. dark_knight_baby,

    PWB is the course, and OSCP is the exam.

    Anonymous,

    I would steer away from the academic courses, as academia doesn't tend to be up to speed with the cutting-edge of the real-world. OSCP is a good option, but you will learn the most by practical application of the techniques, working for a company that does pentesting (as their main line of work).

    I did it "the wrong way round" - i.e. doing OSWP, OSCP, OSCE - and then getting a job as a pentest - but there is no "right way" - and I did have the advantage of already having around 10 years experience in the IT Security industry.

    So, do OSCP, or find a company that will start you off as a junior pentester/consultant (or preferably both).

    ReplyDelete
  23. i signup in pwb course and i am certified CEHv7 & ecsa-lpt .and watching videos and practice it in my laptop kindly tell me that what type of exploits we can use in 24 hrs exam. on exam is points are divided into different servers and minimum points to pass this exam is 70 points . i started from basic level not have knowledge of bash. in exam buffer over flow method is used i am facing difficulty in it. kindly suggest me . i have little very basic knowledge linux but i am developing it as course go on i can easily understand what is going on course. i am too depressed abut this exam.

    ReplyDelete
  24. hello guys, any one is having oscp material including guide and vedios....please share please....

    ReplyDelete
  25. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    **HEADERS IN LEADS**
    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  26. ****Contact Me****
    *ICQ :748957107
    *Gmail :taimoorh944@gmail.com
    *Telegram :@James307
    *Skype : Jamesvince$

    SPAMMED&VALID FULLZ WITH ALL PERSONAL DATA+DL NUMBER

    -->FULLZ FOR UNEMPLOYMENT BENEFITS
    -->FULLZ FOR PUA & SUA
    -->FULLZ FOR TAX REFUND


    +High quality and connectivity
    +If you have any trust issue before any deal you may get few to test
    (As legit Vendor)
    +Every leads are well checked and available 24 hours
    +Fully cooperate with clients
    +Any invalid info found will be replaced
    +Credit score above 700 every fullz
    +Payment Method(BTC,USDT,ETH,LTC & PAYPAL)
    +Fullz available according to demand too i.e (format,specific state,specific zip code & specifc name etc..)


    *Format of Fullz/leads/profiles

    °First & last Name
    °SSN
    °DOB
    °(DRIVING LICENSE NUMBER)
    °ADDRESS
    (ZIP CODE,ANY STATE,CITY)
    °DL State+RESIDENTIAL State
    °PHONE NUMBER
    °EMAIL ADDRESS
    °Relative Details
    °Employment status
    °Previous Address
    °Income Details
    °Husband/Wife info
    °Mortgage Info


    $2 for each fullz/lead with DL num
    $1 for each SSN+DOB
    $5 for each with Premium info
    ID's Photos For any state (back & front)

    (Price can be negotiable if order in bulk)


    OTHER SERVICES

    +(Dead Fullz)
    +(Email leads with Password)
    +(Dumps track 1 & 2 with pin and without pin)
    +Hacking Tutorials
    +Smtp Linux
    +Safe Sock
    +Server I.P's
    +HQ Emails with passwords

    *Let's do a long business and good profit

    ReplyDelete
  27. Hi Guy's

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>2$ each with SSN+DOB+DL
    >>5$ each for premium (also included relative info)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    Socks, rdp's, vpn's
    Server I.P's
    HQ Emails with passwords

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  28. Your article is very informative. I have read it and like it very much. thanks for sharing I'll come to your website again, it's great.
    룰렛사이트탑

    ReplyDelete
  29. FRESH&VALID SPAMMED USA DATABASE/FULLZ/LEADS
    SSN PROS

    ****Contact****
    *ICQ :748957107
    *Telegram : @James307
    <><><><><><><>

    USA SSN FULLZ WITH ALL PERSONAL DATA+DL NUMBER
    -FULLZ FOR PUA-SBA-UBER-DOORDASH
    -FULLZ FOR TAX REFUND
    $2 for each fullz/lead with DL num discount for bulk order
    $1 for each SSN+DOB--discount for bulk order
    $5 for each with Premium info--(income detail,employment detail,Good credit score)
    ID's Photos For any state (back,front,selfie & ssn )
    Young age data
    Any age range data available
    UK data-Canada data
    (Price can be negotiable if order in bulk)
    <><><><><><><><><><><>
    +High quality and connectivity
    +If you have any trust issue before any deal you may get few to test
    +Every leads are well checked and available 24 hours
    +Fully cooperate with clients
    +Any invalid info found will be replaced
    +Payment Method(BTC,USDT,ETH,LTC & PAYPAL)
    +Fullz available according to demand too i.e (format,specific state,specific zip code & specifc name etc..)
    <><><><><><><><><><>
    +US cc Fullz
    +(Dead Fullz)
    +(Email leads with Password)
    +(Dumps track 1 & 2 with pin and without pin)
    +Hacking & Carding Tutorials
    +Smtp Linux
    +Safe Sock
    +Server I.P's
    +HQ Emails with passwords
    <><><><><><><><>
    *Let's do a long term business with good profit
    *Contact for more details & deal

    ****Contact****
    *ICQ :748957107
    *Telegram :@James307

    ReplyDelete