If you ask people about neophyte infosec/pentesting courses or certifications, the first ones you will hear about will be the CEH or the OSCP. People talk smack about CEH, but it’s a certification that almost everyone in the tech industry knows from HR to developers. It’s a cert with a catchy name, good marketing and a DoD recognition, but the exam is not practical at all and a few years ago there were more exam dumps than you could count. The OSCP on the other hand is pretty much unknown outside infosec circles. It’s a highly technical course, where you can only rely on your skills and sheer willpower, but most people outside security will not realize the effort required to pass.
So what about the eLearnSecurity Penetration Testing Professional course? Well, this course has been known to the community as the “OSCP Light” or as a preparation course leading to the OSCP. These rumours are not exactly wrong, as the materials cover the same topics from reconnaissance to basic stack overflow exploitation, just with more hand-holding. Everything is clear, well-explained, supported by videos, labs and lab guides. This makes the whole learning experience more pleasant, easier and saves you a bucketload of time as you don’t need to reinvent the wheel every time.
I took the course to get “in-shape” for my second attempt at OSCP, as I haven’t done any penetration testing in more than 3 years now and I felt a little rusty. The web app pentesting, recon, scanning, etc. were all familiar topics so I quickly rushed through them. From the forums I knew that the Ruby and the Wifi modules are not part of the exam, so I skipped those, leaving more time for stack overflow and post-exploitation modules.
For me, the network sec. exploitation and post exploitation modules were the most useful. The slides were detailed, informative and contained everything I wanted to know. Some Active Directory stuff would have been useful, but that’s my only criticism. As for the system security materials, they are equally good, buuuuut… you are probably better off doing the Exploitation with Ruby lab and watching the corresponding the video. Buffer overflow can be really intimidating if someone dumps several hundreds of slides on you, so I would recommend taking the practical route first and understanding the theory later.
There are labs for every topic except the wifi. Most of the labs are awesome with amazing lab guides and content, but the system security lab seems out-of-place. There are no real exercises or goals here, you just get a machine and you can do whatever you want with it. For actual stack overflow exploit lab exercises you are better off creating your own code with C/C++ or using the Exploitation with Ruby lab
The other labs try to mimic real-life networks with segregation, various hosts, common exposed ports/services and other artifacts, that you might find in a real life scenario. In v4 there were a very small number of Linux/Unix hosts, but v5 features this topic as well. To prepare for the exam, I completed most of the labs two or three times, spending 45 hours in the labs. All of the labs can be completed in two hours, especially if you look at the lab guide when you are stuck. I don’t personally recommend this, unless you are really stuck. Most of your skills will come from failing, troubleshooting and learning stuff the hard way.
The labs also put a heavy emphasis on pivoting, which means that I had to get familiar with a whole new range of problems: what works through the socks4 proxy, which nmap modules work, why does my scan fail, etc. While working through pivoted machines is not fun, I had to get used to it and learned a lot in the process.
I was familiar with the eLearnSecurity way, so I already knew it, but for those who want to take their first exam: the exam starts as soon as you press the button. You don’t need to schedule anything, once you hit the button, you get your RoE letter and can start pwning right away.
The exam is 100% practical. You need to achieve a certain goal and provide a quality report during a 14 day period. You have 7 days for testing and 7 days for the report. If you don’t achieve that goal or your report sucks, you will fail and have to try again. elearnSecurity takes this very seriously, some of my friends failed the first time due to their inadequate report, so you should make sure that your report rocks.
I can’t give you details about the exam environment, but pretty much the whole material was covered during the exam, except MiTM and Wifi. The exam was structured in a straightforward way, where with enough enumeration, you could go from A to B. Due to a misunderstanding from my side, I wasted an entire day chasing dead ends, but still managed to achieve the exam goal and complete the report in 3 days from start.
The report was graded rather quickly, I submitted the PDF during the weekend and received the passing grade on the next Tuesday. I was very happy that I passed as I was worried about the report and the way I hacked some of the boxes. Overall, I learned a lot and even with the high training cost, I felt that it was worth it. I’m much more confident of my skills and feel ready to try harder.
Tips for the exam
- Create a cheat sheet for commonly used commands.
- Make sure that you understand the Engagement Letter.
- Know the difference between a slow scan and a non-working pivot.
- If the exploit doesn’t work, try a different payload.
- Create backdoor users for persistence.
- Don’t be afraid to use RDP for pillaging.
- Complex shellcodes can be problematic, try a simple one first.
- Document everything that you find, not just the kill chain.
- Enumerate, enumerate, enumerate.
- Don’t worry, you have plenty of time.
- Create a report, even if you feel like you failed.
- Try to create a report that would be useful for a client.