I recently completed the PWB (Penetration Testing With Backtrack) course and the OSCP (Offensive Security Certified Penetration Tester) certification. Many people have asked what I thought about the class and the certification, so I decided to write a brief post about my experience.
When you start the PWB class, you receive over eight hours of training video. The videos are very professional. I was surprised at the amount of information that was jammed into the videos. The topics ranged from information gathering, exploit development (including creating shellcode from scratch), application fuzzing, web application vulnerabilities, post exploitation, etc…
Although very helpful, the videos are not enough to become competent in any of the needed topic areas. I have never seen a “boot camp” style class that can teach security efficiently. I do not believe that it is possible to watch videos or listen to a lecture, and then become competent enough to call yourself a security expert (I know many CISSPs who say they value the OSCP cert far more than anything else they have [nothing against CISSP]). The videos, fortunately, are accompanied by a lab guide consisting of around 700 pages filled with in depth examples and exercises.
I spent hours poring over the information and trying all the examples (and the extra examples). I felt like many of the things I previously understood became much more solidified, and the few new topics were very well presented and easy to pick up. So, do I think that the videos and guide are enough to make a security professional? No, I do not. Understanding how to exploit a computer and pivot through a network is great. Being able to do it is something entirely different.
The fine folks at Offensive Security must have realized that all the videos and book work in the world will not make a good security professional. They have something no one else seems to have. The most valuable part of my time spent on this class and certification was the lab time. The PWB/OSCP lab is set up to mimic a local network for a midsized company. Unlike many hacking challenges I have played with before, the Offsec lab doesn’t just consist of obvious flaws that can be pwned with Metasploit or a simple SQL injection. Many of the computers that I exploited during my time in the lab required customizing exploit code (including shellcode). Basic programming is a must for many of the exercises.
The lab work is not simple. At no point does the lab guide say…check out the computer at 192.168…..it is vulnerable to MS0… They expect that you find all hosts, evaluate their vulnerabilities, leverage them to get access to the system, and then find ways to escalate your privileges. Many of the systems are set up in such a way that they require more than just a surface-level understanding of the concepts to gain access. Target vulnerabilities included a wide range of server flaws, web vulnerabilities, brute force attacks, and more. I was fortunate enough to take two months off of work to focus on this class (among some other security research). I spent around eight or nine hours a day, four or five days a week, for around five weeks. I kept extensive notes on all hosts. I still was not able to get into all of them. A few tricky ones evaded me. Some hosts are dual-homed (sitting on two networks), so there were plenty of opportunities to practice pivoting, tunneling, evading firewall rules, etc.
The OSCP certification test is one of a kind. It is the only test (beyond the OSCE) that I know of which is not based on questions, but on the ability to successfully perform penetration testing duties. Offensive Security gives you access to a network for 24 hours. In that time, you must exploit multiple hosts and gain root/administrator access. As noted in the PWB forums, the use of automated exploit tools is significantly limited in the testing environment. No point-and-click exploitation for this certification.
The PWB class is by far the best computer security class I have taken. However, successfully completing the class in no way guarantees a passing grade on this certification. Although the concepts were presented in the lab, workbook, and videos, none of the exploits needed for this test (at least that I know of) came directly from them. The OSCP certification, in my opinion, proves that its holder is able to identify vulnerabilities, create and modify exploit code, exploit hosts, and successfully perform tasks on the compromised systems across various operating systems.
One last thing that makes this certification an A+ is its emphasis on reporting. After completing the PWB class and the OSCP exam, a formal penetration testing report must be submitted. My final report was over a hundred pages long (and I was trying to avoid repetition as much as possible). There are many people who know security, there are some who can use that knowledge to take over systems, and there are few who can present these findings to both technical and non-technical audiences. PWB and OSCP make sure that the tester can report findings effectively to audiences of various technical backgrounds.
If all of this was not convincing enough, I should point out that there is always a wonderful community of OSCPs and other security professionals in the #offsec IRC channel (freenode). There are plenty of people to help if help is needed (I have seen many people ask for answers, but I have never seen anyone give anything but direction).
If anyone else has taken this class, I would love to see your comments in the comments section below.