Wednesday, May 29, 2013

Review: Penetration Testing with Backtrack (PWB) / Offensive Security Certified Professional (OSCP)

I recently took the PWB course, and finally passed the OSCP exam (and I'm very happy now :))))))), that's why I was quite for long time.

This was one of the best training and certification I have ever taken. I knew before I have started that it will be very hard and time consuming, but it was even more than I expected. First, I’m not really experienced on this subject, I made the EC-Council’s CEH course before this, but that was mainly theory and very little practice. Having a C|EH did help, as the whole stuff was familiar (in theory!), and didn’t need to start from scratch.

The training itself starts with receiving about 350 page long study material (lab guide) and about 7 hours video. These are covering all the basics you need for the later lab exercises. They start with how to setup services in BT (Backtrack), what is and how to do port scanning, various service enumeration, information gathering in general. Then it moves forward for writing buffer overflow exploits, it goes through all the steps in very detailed manner. After that they teach you how to work with public exploits, basics of Metasploit framework and there are two client side exploit case studies as well. The next big subject is transferring files between machines (there are some really tricky ones), tunneling, pivoting, and password attacks. Finally they cover basics of SQL injection and XSS attacks. There are a few other smaller topics, but they are not really part of the exercises later. There are quite a few exercises for each module to practice the techniques, which all have to be documented and sent along  the exam report at the end, but will talk about it later.

The big part is the remote lab. There is a big network with about 50 machines, and they try to simulate an existing organization with that. There are firewalls, proxy servers, machines are communicating with each other, so it’s pretty good. The big goal here is to attack all the machines and get root / admin access to all (or as many as you can/want to). I managed to own 46 machines. There are some very easy ones, and there are some which are really hard to get. My last and most difficult was “sufference” (you can have a guess, why the name is…), where I spent about 20-30 hours to get root on it; it was very-very tricky, and painful (oh, there is another box called “pain” – guess why :)). The training material teach you the basics, but you will have to go and learn a lot by your own, read about various services, OSes, application, and so on… because of the subject they just can’t cover everything, and this is really not the goal there, but to teach you to adapt and solve unknown problems, as you would face in real life. Will you spend hours in trying exploiting patched services, or other stuff, which won’t work? YES! Will you do it over and over again? YES! Will you hit your head to the desk, when you finally realize how to get in somewhere, and how stupid you were not seeing the forest because of the tree? Probably YES! :) All these part of the fun :) You can chat with the Offsec guys on IRC, but never expect them to give you a solution to any of the machines, if you go to them with some specific question, they may give you a hint, but that’s the maximum you can expect. Will you feel many times that you just can’t exploit a machine? YES! Will you get in later? Hopefully YES! I think their “Try Harder!” philosophy really works. Remember that all the machines are exploitable, and they are there to be exploited. All the boxes are different and almost all of them can be owned by different technique, so you can practice every type of attack, normal exploits, SQL injection, XSS attacks, client side exploits and so on. There are 4 networks in the lab separated by firewalls, proxy servers, as you would have in real life. You can practice various tunneling techniques there, and hopping from one machine to the next in the exploitation. I think if you are not a pentester, then you should get all of the machines in the lab, to get most out of the course. The lab time can be purchased for 30, 60 and 90 days, but if you feel it short, you can always extend it, as I did it (I went for 90 days + 30 days extension). I did the training after works and weekends, and I’m just lucky that my wife didn’t kill me for that :)

The exam. Obviously I can’t share details about it, but it’s a 24 hour long challenge, where you get access to another small network with a few machines, and similarly to the lab you need to get admin / root access on them. I really liked it, finally an exam, which not simple a lists of multi choice questions, but you really need to present your skills in practice, on a previously unknown environment (like on a Cisco CCIE). This is why it’s important to own all machines in the lab, to get prepared to the challenge, and face as many different systems as you can. Obviously you can use everything, as you could in a real world pentesting, but don’t expect the exam to be easy because of that. It’s hard. I started at 4PM (GMT+1), and progressed quite good, and at 1AM I already had enough points that I knew I will pass. So I went for a 6 hour sleep, and continued at 8AM, and quickly get my next machine. I decided to have a shower and breakfast then, and after that in another hour I completed everything. With that sad, it’s very important to take frequent breaks during the exam, as they can make huge difference; go and breathe some fresh air, your brain really needs oxygen :). I also prepared a list of commands I found very useful during the lab time, which became very handy during the exam.

The last part is to write the penetration test report about the exam, along with your recommendation how to fix the holes you have found. You have another 24 hours for that after the exam ends, so take notes, screenshots, etc… You need to make the same report for the lab network penetration testing and for the additional exercises you did during the training.

You get the results in 3 business days, but for me it was much quicker.

Overall I really enjoyed both the training and the exam, and I can’t say how much I learned during the last 4 months about this subject. It’s really worth its price, and much cheaper than any other similar training, you just need a lot of time, and even more time (I spent about 160-200 hours practicing in the lab after work and on weekends) – and most importantly a wife / girlfriend / family who will support you, and understand that you are not always available during this period :)