How to get OSCP ( Offensive Security Certified Professional) certificate
Perhaps, “offensive” security is the best translation of the area of activity that we will talk about today. Of course, Offensive is also offensive, and even aggressive, but now it's not about that.
So, you have not yet lost faith in a career in the field of information security, but you are finally convinced that most of the certificates from vendors are senseless paper, not worth your time. One of my colleagues already offers to hand over to everyone who paid for the exam the certificate of Vendor Certified Dumping Specialist and this is the end of this whole circus. But let's be realistic, training and certification is a serious business, and it will not go anywhere in the near future.
All the worse, if the knowledge and skills that you decide to confirm are not tied to any particular vendor. I already talked about CISSP , but what about practical skills in the field of information security?
On the one hand, there is the extremely popular Certificated Ethincal Hacker exam. I have absolutely no doubt that he is popular solely because only after passing this exam you can officially be called a hacker. The problem here is different: you will also have to agree that you became a hacker by simply answering 125 questions correctly. Despite the absurdity of the situation, this exam is extremely popular in the West and is simply necessary for individual positions, especially in the public and military sectors.
On the other hand, there is the great and terrible SANS and their Cyber Guardian program. It sounds very cool, the certificate of completion, as I think, is personally presented by Mr. Keanu Reeves in his popular image. And there is only one minus - the cost of several thousand dollars for all the pleasure.
Remains the last - OSCP. A lot has been written about this certification, now it's my turn.
So, having gone through denial, anger, bargaining and depression, you begin to prepare for surrender. Looking ahead, I want to say that you will go through all these stages more than once in the process of preparation, moreover in a different order and even in bizarre combinations.
After paying for the course, you get a heavy pdf-file, several video files with comments and access to a virtual laboratory. Doesn’t it bother you yet? That's right, there will be no “training" here. The PDF file contains reference information on utilities that you most likely already know: nc, curl, find, and the like, and also briefly talk about the Kali Linux distribution toolkit. Strictly speaking, you gave the money for the opportunity to learn on your own, and the virtual laboratory will help you with this.
In total, the virtual laboratory has a little less than 60 machines: workstations, member servers, mailers, websites and much more. Initially, I planned to do a little more than half to assess the level of difficulty of the tasks in the exam. But whom I deceive, in the end did everything. At the same time, the network lives its own life, users write letters to each other and go to web pages, and servers ask each other for some information.
In addition, the network is divided into subnets separated by firewalls, and at some point you can even get to the holy of holies. It took me a little less than 40 days to get all the cars. Of course, there are quite a few passing tasks, and there are real monsters. Google who Pain, Sufferance, and Humble are. For each of them it took me a lot of time. There is also gh0st, but it is a CTF-style car, and it is seriously out of the general context.
The course description says that you do not need any serious experience in order to start practicing. But actually it is not. Novice specialists are unlikely to take up this task, and experienced engineers are suitable with very different baggage. An experienced cryptography specialist can easily deal with Sufferance, a seasoned DBA will figure out Humble in 10 minutes, and an experienced Linux administrator will crush Pain in two.
In any case, you will spend most of the time studying and experimenting. This is the whole OSCP. While you will be engaged in laboratory machines, you will have the opportunity to communicate with the same students on the forum. However, the clues there are forbidden and the best you hear is “Try harder!”. So-so motivation.
The time in the lab network will inevitably come to an end and the time will come to reserve time for the exam. And this, perhaps, is the biggest difference between the OSCP course and all the others. No questions, no “put in the right order”, no “choose the most correct answer." None of this will happen. There will be one day for hacking 5 servers and one day for writing a report on exactly how you did it. Everything.
This year, by the way, the rules have changed a bit, and now you will need a webcam to pass the exam. A representative of Offensive Security will connect and will monitor what is happening on your screen, as well as directly in the room. This is not particularly annoying and after 15 minutes you forget about it. Alas, this is an inevitable consequence of the popularity of the exam and as a result of attempts to cheat.
In my case, the exam lasted 12 hours from the start to access to the last server. A few more hours I spent on rechecking all the actions taken and recording screenshots. Bingo!
And now a little criticism that can be found on the network.
Firstly, expensive. It's like that. But what are the alternatives? SANS courses are even more expensive, and I have not heard anyone buy them for their own money.
Secondly, they do not teach anything. It's true, the OSCP course alone does not teach anything. In the book, the basic toolkit is very superficially analyzed, and you almost certainly knew it all that way, and I generally am silent about the videos. But the essence of the course is different - you must teach yourself everything, and for this all conditions are created. There is too much material to fit in any textbook.
Thirdly, old cars. This is also true. If I am not mistaken, the most recent operating system that I met on the lab network was Windows Server 2012R2. I look at it this way: new vulnerabilities are discovered every day. Imagine how much the course would cost if it was updated daily? The main thing that this course can teach is the methodology, and it is absolutely independent of the age of the discovered vulnerabilities. On the exam, by the way, the situation is the opposite - fresh Windows 10 machines, patched kernel linux-machines and stuff like that.
Fourth, the exam tests no knowledge. Here I am forced to agree, albeit partially. In fact, the exam tests not so much your skills as such, it tests your time management skills, your ability to work in stressful situations and your multitasking. The most important thing is how you can follow the methodology and not be distracted when the solution seems already obvious. After 10 hours at the screen, the logic may begin to fail, the attention is scattered, and you begin to walk in circles. This is where your fundamental knowledge, as well as the ability to distract and look at the problem from another angle, will come in handy.
What's next? Offensive Security itself does not offer any of the next steps in certification. Separately, there is an exam on the security of wireless networks, web applications and a little apart is an exam for developers of exploits.
A certificate is, of course, great, but in fact, the best you can learn from the OSCP course is knowledge. Knowledge that will inevitably become obsolete if you cease to independently engage in your education.
Sergey Polunin ,
Team Leader, Design Department, Gazinformservice LLC
Sergey’s blog in English can be read here.