Adding a few cents into the ‘OSCP Penny Jar’ of posts, I will detail my experience through a few posts with preparing for and taking the OSCP Exam offered by Offensive Security. This is post one of a three part series - (Skill Preparation, Taking the Course and Exam Preparation, and Exploit Resources).
There is a considerable number of great resources on the internet to help you prepare for the exam. The best news is, they are all free (or nearly so). The caveat here is that the exam encompasses many different disciplines and, depending on your strengths, may require quite a lot of review beforehand.
While you do not need to be a ‘master’ in anything to pass the exam, you need to be generally familiar with programming, networking, OS Commands (Linux/Windows), and manual bug finding/penetration testing. You will want to be familiar with a few basic enumeration tools such as Nikto, DIRB, and NMAP. The payload packaging tool MSFVenom, and the post exploit tool Meterpreter will also be used frequently. While you can use Metasploit throughout the labs, and once on the exam, I would caution against it. Metasploit is not needed either in the labs or to pass the exam, and you will learn much more by not using it.
Since there are so many resources available to learn from online, all resource listings are collected at the bottom of the post.
Being proficient with scripting, such as with Python, Perl or Shell, can really make things easier. You can automate your enumeration, both before and after the exploitation. A lot of time can be spent manually enumerating if you are not careful. If you do not have a favorite yet, I would recommend Python for this task.
Being able to read, write, and debug exploit code (both your own and others') is where you will be spending most of your programming time. Many of the exploits posted to the internet are either intentionally broken (to deter script kiddies who run code they do not understand), need to be modified to fit your specific application version, or will need their shell replaced with your own.
At times, I found myself rewriting Metasploit scripts (or random ones from the internet) in Python to have a better understanding of what they were doing, and ultimately more control over what was happening. I developed some base modules that could be used to easily start different types of scripts. These will be shown in part three.
The following languages may come in to play throughout your experience:
- Variants of C
- Visual Basic
While some may say you need to be very proficient in networking, I personally do not believe this to be true. If you have the basics down - understanding the TCP handshake, UDP, how SSL works, how to use SSH, and creating a proxy tunnel - you will be good to go.
Many different network services, such as Email, Telnet or FTP, are used on the exam and in the labs. Understanding exactly how these work would be helpful, but it is not required. Network scanning with NMAP comes into play, but think of it as numbered doors. Each port is a locked (or maybe not) door that you want to get into.
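The two points above (automate your enumeration, and treat each port as a numbered door) go together well in practice, so here is an added example that is not from the original post: a small Python parser for Nmap's "grepable" output (`nmap -oG`), which turns the scan into per-host records of ports, states, services and version strings. The scan text embedded below is constructed for the example, not a real lab or exam host, and the same parser also lets you diff two scans to spot doors that were not open before, which is exactly the check a defender runs against their own perimeter.

```python
"""Parse Nmap grepable (-oG) output into per-host port records.

Added example, not code from the original post. In -oG output each
"Host:" line carries tab-separated "Key: value" fields; the "Ports:"
field is a comma-separated list of entries with seven slash-separated
parts: port/state/protocol/owner/service/rpc-info/version/.
"""
import re
from dataclasses import dataclass, field

# Constructed sample scans (not real hosts): a baseline and a later rescan.
SAMPLE_BASELINE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
Host: 10.11.1.22 (lab-ftp)\tStatus: Up
Host: 10.11.1.22 (lab-ftp)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 53/open/udp//domain//ISC BIND 9.10.3/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# "Host: <ip> (<hostname>)<TAB><rest of fields>"
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


@dataclass(frozen=True)
class Port:
    number: int
    protocol: str
    state: str
    service: str
    version: str


@dataclass
class HostResult:
    ip: str
    hostname: str
    status: str = ""
    ports: list = field(default_factory=list)


def parse_port_entry(entry):
    """Turn '22/open/tcp//ssh//OpenSSH 7.2p2/' into a Port record."""
    # maxsplit=6 keeps any '/' inside the version string intact.
    parts = entry.split("/", 6)
    if len(parts) != 7:
        raise ValueError(f"malformed port entry: {entry!r}")
    number, state, proto, _owner, service, _rpc, version = parts
    version = version[:-1] if version.endswith("/") else version  # drop trailing '/'
    return Port(int(number), proto, state, service, version)


def parse_grepable(text):
    """Return a list of HostResult, one per IP seen in the -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comments and blank lines
        ip, name, rest = m.group("ip", "name", "rest")
        host = hosts.setdefault(ip, HostResult(ip=ip, hostname=name))
        for fld in rest.split("\t"):
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                # Note: a version string containing ', ' would confuse this
                # split; Nmap's -oG format does not escape it either.
                host.ports.extend(parse_port_entry(e) for e in value.split(", "))
    return list(hosts.values())


def open_ports(hosts):
    """Map ip -> sorted [(port, protocol), ...] for ports in state 'open'."""
    return {
        h.ip: sorted((p.number, p.protocol) for p in h.ports if p.state == "open")
        for h in hosts
    }


def new_open_ports(baseline, current):
    """Per host, the open ports in `current` that were not open in `baseline`."""
    before = open_ports(baseline)
    changes = {}
    for ip, ports in open_ports(current).items():
        added = sorted(set(ports) - set(before.get(ip, [])))
        if added:
            changes[ip] = added
    return changes


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for h in scan:
        print(f"{h.ip} ({h.hostname or '-'}) {h.status}")
        for p in h.ports:
            print(f"  {p.number}/{p.protocol:<4} {p.state:<9} {p.service:<12} {p.version}")
    print("newly open since baseline:",
          new_open_ports(parse_grepable(SAMPLE_BASELINE), scan))
```

Feed it a real `nmap -sV -oG scan.gnmap` file by reading the file into `parse_grepable`; the per-host records are then easy to hand to whatever follow-up enumeration you script next, and a saved baseline plus `new_open_ports` gives you a change report for free.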
Operating system versions will vary wildly, though none are very current. There is a good spread of both Windows and Linux based hosts. Knowing the command line for them is one of the most important things for the exam. The longer it takes you to do something (and you do just about everything on the command line), the longer the exam (or labs) will take.
This is what the entire course boils down to. Being able to see what seems out of place, or what may not be correct, and knowing what to do when you find it. The good news is, you don’t need to know everything. This is where Google comes in. If you find a CMS and don’t know anything about it, Google can tell you. Maybe Exploit DB or Security Focus has an exploit available. It is possible you can even download the source code and examine it for yourself.
The bad news is that being able to see these things comes from experience and practice. Watching web requests and spotting one that may be exploitable comes with time. Considering this is the “meat and potatoes” of the exam, this is why we are all here.
Below is a list of items I feel are relevant and helpful for each section. Some are free, and some are not. I do not get any money in any way from these recommendations, and no affiliate links are provided.
Code Academy - https://www.codecademy.com/
TreeHouse - https://teamtreehouse.com/
Learn Python The Hard Way - https://learnpythonthehardway.org/
Offers free web based learning, but does also have a book available (with digital content) for $30. This site walks you, step by step, through the basics of the Python language.
Violent Python - http://shop.oreilly.com/product/9781597499576.do
One of my favorite books to get started in Python with. Not only does it walk you through learning Python, but you are making security oriented projects along the way. A bit light on the fundamentals (you may want to start with one of the above resources) but more engaging for me as someone who finds it hard to work through a book.
Hacking: The Art of Exploitation, 2nd Edition - https://www.nostarch.com/hacking2.htm
A bit “old” but nonetheless a good resource for getting into low level programming and buffer overflows. I made it about halfway through the book before I got too bored, but it did help to lay the foundation.
Smashing The Stack For Fun And Profit - http://insecure.org/stf/smashstack.html
A classic, again ‘old’, but ages more like a fine wine. Overall a great read (not too long) for understanding how the stack works, and how it can be exploited.
I am not a fan of dry material, and locating some ‘wet’ resources on Networking is not an easy task. Many people recommend Professor Messer who has a great video series on the Network+, which will give you a good base understanding.
Code Academy offers a command line course, for free. IBM has a write up on the Linux command line available. Many training providers like Udemy and Lynda also offer courses if you happen to have a membership. The best advice I can give is to simply use the OS and try to do as much through the command line as possible. If you use the OS at work, try to script out your tasks. If you get stuck in Linux, the man pages are generally pretty helpful.
Given that this is such a broad category, and so important in all aspects, there are plenty of options available.
Vuln Hub - https://www.vulnhub.com/
Vuln Hub offers many user made Virtual Machines to download that are ‘reconfigured’ in multitudes of ways. They encompass everything from web to OS level exploits. Skill levels vary from beginner to expert and there is more content here than you would ever be able to get through. Walkthroughs are available for most of the machines if you get stuck.
Pen Tester Lab - https://www.pentesterlab.com/
Pen Tester Lab has a decent amount of free content that is well put together for practicing exploits. Similar to Vuln Hub but designed more as a training exercise than a “vulnerable machine”. They also have walkthroughs if you get stuck. I highly recommend this site, and the following modules:
- From SQL Injection to Shell
- From SQL Injection to Shell II
- Web for Pentester
- Web for Pentester II
- Linux Host Review
OpenDNS OWASP Top 10 - https://github.com/opendns/Security_Ninjas_AppSec_Training
OpenDNS (now Cisco) put together a great application that walks their developers through the OWASP Top 10. It has one page per top ten entry, and gives hints if you get stuck. The OWASP Top 10 is considered the standard in web exploitation (prevention) and this is another highly recommended course.
One of the most rewarding (figuratively and literally) ways to get practice is to participate in sanctioned bug bounties.
Bugcrowd - https://bugcrowd.com
Bugcrowd has a listing of participating sites, all companies that have expressly joined the site and allow, within their respective rules, manual penetration testing. They also have an excellent repository of articles on getting started, and being successful, in bounty hunting. If you are just starting in bug bounties, I recommend joining Bugcrowd and reading the following articles:
- Researcher Resources - Getting Started
- Getting Started - Bug Bounty Hunter Methodology
- Tips from Top Hackers - Bug Hunting methodology and the importance of writing quality submissions
- Advice From A Researcher: How To Approach A Target
- Guest Blog: Best Practices for Quality Bug Hunting by SatishB3
- Submission accomplished
HackerOne - https://hackerone.com
HackerOne takes a different approach and offers a ‘community-curated resource for identifying the best way to contact an organization’s security team’. Finding, and participating in, programs here requires a bit more finesse.