There are a ton of certification’s in the information security space. While some certifications are ‘good’ and some are ‘bad’, often it’s more a case of different certs for different purposes. If you want to tick a box on a resume you go for CEH, if you want to focus on the theoretical side you go for CISSP, if your boss is paying you go for SANS, and if you want to learn you go for Offensive Security. Okay okay, perhaps that’s a little harsh on the others but in my opinion Offensive Security offers by far the best value for money certifications on the market today.
A range of training is provided by Offensive Security, but their premier course is the Pentesting with Kali Linux (PWK) course which upon completion gives you the Offensive Security Certified Professional (OSCP) certification. It’s not their hardest or most advanced course but it’s their most popular and the one they have spent the most time refining. As a bit of a disclaimer, at the time I wasn’t actively looking to go into the information security field, I was looking simply to learn about interesting things so a lot of my opinions are based around this perspective. Onto some information about the course.
Who should take the course?
One of the most commonly asked questions is ‘Am I ready for the PWK course?’ or ‘Should I do this first or take XYZ certification before hand?’. My opinionated answer to this is – you should take PWK as one of the first certifications you do, but you should do some self directed learning first. Really the most important aspect for learning any subject is to be interested in the subject matter. It’s what will make you go the extra mile to learn about related topics and do further research. If you really are interested in information security I’d recommend looking at places like VulnHub and making a start there with some vulnerable virtual machines. This can give you an opportunity to explore the basics of port scanning, understanding the difference between an exploit and a payload, perhaps giving you an introduction to Metasploit. That’s really the only baseline you need for PWK on the assumption you’re willing to knuckle down and learn the course material which will provide you with most of the other answer you need. I don’t think that what you’d learn in any other basic certification (CEH, eCPPT) is necessary to be successful in PWK.
What is taught in the course?
A direct answer to this would be to link the course syllabus which is available here. It can be thought of as a solid grounding in everything that’s required to successfully enumerate, penetrate and obtain sensitive information from a computer. A wide range of information is provided in the course materials from the basics of finding your way around Kali, to covering the tenants of penetration testing – “Enumeration / Reconnaissance”, “Vulnerability Discovery”, “Exploitation” and “Post Exploitation”. In addition to this they provide several area’s of knowledge that don’t fit neatly into these boxes, such as deeper understanding of how exploit’s actually work (their buffer overflow section of the course was my favorite), common and unique methods of file transfers on and off a machine (debug.exe – what?!) and a mind bending and very interesting port forwarding / tunneling section. Really an answer to any beginner’s question of “How do I hack a computer?” is thoroughly covered in the course notes. Because the notes are so wide ranging and comprehensive it’s one of the justifications I have for saying you don’t need to have a huge amount of previous experience to undertake the course.
In terms of the quality of the notes and learning exercises I was always able to follow along quite easily and replicate the exercises using the supplied lab computers without any issues. Each section typically has an exercises section which makes you undertake what has been outlined in the notes and confirm your understanding of the material. For all their fearsome reputation’s the Offensive Security admin’s in #offsec on freenode IRC are more than happy to help with any issues students are having with the material or quite often other students are happy to jump in to help as well. In addition all the course notes have accompanying videos which are useful for picking up any tiny commands perhaps you missed in the pdf. Once you manage to find your way through the course material congratulations, you’re ready to begin the real PWK course.
The PWK Labs
The course notes and materials of PWK are, in isolation, about on par with most of the other courses out there. If that’s all there was to it I think Offensive Security could hold their own in the certification market, but they wouldn’t be anything special. What does turn PWK from an average run of the mill course into one of the best learning opportunities out there is the access to a range of lab computers to attack in a virtual hacker’s playground. Each of these boxes have their own unique story, but is part of the network as a whole also. Almost every box is compromised in a unique way allowing you to practice what’s in the course notes constantly. Given that each box is based off something that Offensive Security have seen in their own penetration testing career’s each path has a decidedly ‘real world’ feel to it. Exploits, weak credentials, web vulnerabilities, a range of privilege escalation techniques are all required to compromise the boxes. Not only that but you might need to compromise a certain box which contains the key to others which would be otherwise safe – a great method of learning the importance of post exploitation.
For all the technical aspects of the course the lab also teaches the real lesson of the certification, patience and resilience. As summed up by their ‘Try Harder’ motto the difficulty in penetration testing isn’t in understanding how a remote file inclusion works on a technical level. The difficulty is in looking at all of the services on a machine, finding there isn’t anything vulnerable that you can see and going back and trying over and over until you see what you missed. It’s hard enough to achieve this in a setting where you know the machine is vulnerable, let alone trying to do it in the real world where perhaps there isn’t a vulnerability on the machine. Perhaps some of what I’ve said so far has given the impression the OSCP certification is easy to achieve – it isn’t. The hard part isn’t technical however, the challenging part of PWK is that you’re trying to learn about things you don’t know exist. You never knew MySQL could be abused to do ‘XYZ’ until you read that blog post on it. You never knew that vulnerability existed in a piece of software until you searched on exploit-db. You never knew that the operating system worked that way until you had to abuse it for privilege escalation. Without hours of research, patience and resilience looking at machines you can’t see how to get into you wouldn’t have learnt those lessons either. Course notes will never be able to instil in you what these lab’s can.
The final thing I’ll say about the labs is treat it like a real network. There is interaction between boxes in both the ‘story’ of a network and the more literal sense. One box may give you access to whole new network’s where you can take advantage of the pivoting and port forwarding modules you have learnt. In all expect to attack and compromise approximately 50 machines if you get them all.
At the conclusion of the course you schedule your exam where you have a 24 hour period to compromise a range of boxes. I won’t reveal much about this process, all the information you require is made available by Offensive Security in their student forums before hand or in an email that arrives at the start of your exam. Basically however you’re required to compromise a certain number of machines within this period of time, capturing ‘proof’ flags from each to be included in your final pentesting report to be submitted within 24 hours of finishing your exam. I often get asked by students ‘What can I do to prepare for the exam?’. In response to this honestly there isn’t much outside what is being taught in the lab’s themselves, it’s really like a number of those boxes are selected at random and presented to you. The most important thing to have down before going in is a solid framework for enumerating, testing and exploiting machines. If you stick with the same methodology going in that you used in the lab you’ll come through successfully.
I wish someone had told me…
Some of the key points I wish perhaps I had known before taking the course which may prove handy for future students.
- It’s much easier to document in a final report format as you go rather than keeping notes in something like Keepnote and transcribing later. Do what works for you, but I wish I had written directly into the final report.
- Get all your documentation done before attempting the final exam. It’s likely that you’ll be extremely tired after working for 24 hours on the exam and often not have time to document the labs and exercises if you haven’t already.
- Enjoy every second of the labs, you’re going to miss it once it’s over.
- Try harder. There are going to be plenty of boxes that will frustrate you – but this is part of the learning experience. Take a step back, enumerate, research, try things, revert, enumerate more.
- 60 days is a good solid amount of time for the course. Some might need a little more or less, but I’d recommend getting 60 days of lab time.
- Every box is easy… when you know how. The only difference between the easy one’s and the hard one’s is whether you know the solution. You’re only missing one ‘little’ thing that will give you the answer – you just need to see it.
I would thoroughly recommend anyone take the Offensive Security course if you have any interest in information security. It’s going to give you a great foundation in all of the basics of penetration testing, but more importantly help you develop a framework and patience enough to apply it to real world scenarios. By far I think this is the best value certification out there for learning, so if that’s your motivation there is no better alternative. You don’t need to have completed any certifications before hand – however you do need to have the motivation to learn and understand everything that’s presented in the course notes to get the most out of the experience. Most importantly, remember the real course is in the lab’s so get into them as soon as you can and soak up the experience – it’s one of the best learning opportunities you’ll have in infosec. Any questions hit me up in the comments or contact form and I’ll be happy to answer.