Wednesday, May 27, 2015

Offensive Security PWK Course and Exam Testimonial

I recently completed the Penetration Testing with Kali Linux course and successfully passed the Offensive Security Certified Professional Exam. However, the path to success was not without its hurdles. I'm writing this course/exam review to paint a picture of what to expect, as well as shine some light on the mental preparation necessary.

If you are reading this review, I'm just about certain that you know the all about the registration process, course syllabus, video and printed material format, hands on lab environment and examination process. If not please refer to the Offensive Security training and certification websites.

As many of prospective students of the course, I have a full basket of life responsibilities including but not limited to a full time job as an information security professional, a husband, father of 3 boys, a 1 hour commute to and from the office, and an infinite honey do list. With those responsibilities alone you may be wonder when I would have time to time to take on this sort of certification challenge. The short answer is you'll need to cut into you normal sleep hours.

I've broken down my training, lab and exam rants into a list of numbered per-conceptions, mis-conceptions, and suggestions:

Course & Exercises

  1. The PWK Course Covers all topics necessary for the exam – I believe this statement to be true, but however make sure to study the theories and research the topics on your own. Use both the exercises and lab time to make the practical application of each topic second nature.
  2. You have to complete and submit all of the completed exercises in order to register for the exam – This is not true. The Offensive Security Staff will definitely not impose such restrictions on the student. You'll soon find out how much the responsibility is on you to make sure you are ready. Don't take this as an opportunity to not complete the exercises, they're there for a reason.
  3. You can study by reviewing videos and the documentation and do not require lab time – This is partially true. I'll explain; Depending the time that you can invest (Daily/Nightly) the initial lab time may only be lightly utilized. Without giving too much away, the early portion of the training is centered around enumeration, both WAN, LAN, and system; this is for good reason. With that said you'll be able to sharpen these skills in the lab, but this will not require the amount of time that you'll have to invest later in the course. If you find that you initial lab time is running short don't panic, continue to take the necessary time to study the contents in from the videos and printed material.
    Don't hesitate to purchase more lab time if necessary!
    The Lab Environment

The PWK Lab Environment consist of approximately 50 machines which span 3 different networks. This is a true playground for the security enthusiast. The degree of difficulty varies from one machine to the next.

  1. You do not have to compromise all 50 machines – As mentioned in my previous point, it is your responsibility to best prepare your self for the OSCP exam. These machines are priceless in the pursuit of preparation, but its easy to loose focus and forget about the primary goal, the OSCP certification. You can always purchase lab time with the intent on owning all of the machines if that's your desire.
  2. Regulate the amount of lab assistance you receive – If utilized, the lab and the associated freenode #offsec irc channel, serve as a great resource to communicate with your peers and the Offensive Security administrators. The Offsec admins are wise and will not give you too much information. The prize is truly in the pursuit, they're aware of this and will not hesitate to tell you to “Try Harder”.
    Resist the temptation to turn to your peers for too much guidance; it will hurt you in the long run!
  3. Take detailed notes during your lab conquest – This detailed note taking process will come in handy, as during the exam you will doubtingly wonder “How did I perform that one exploit, what was the syntax of that one command?” Your notes will save you time and serve as a great study resource even when you are not online. Keepnote which is available on your Kali Linux image is in my opinion the best tool for note keeping.

The Exam

I have taken countless IT and Security Certifications throughout my career, I have never failed in any attempt; until now......

I don't say this to scare or discourage anyone. First off, there is no such thing as failure; just continued opportunities for learning. Corny but true..

Actually, the third time was a Charm. I know how did that happen, let me tell you how so you can avoid the same mistakes, believe me its possible!

As you all know, you have approximately 24 hours to complete the required exam objectives which are communicated to you the day of the exam via email. You'll have a certain number of machines with associated scored objectives. Achieving these objectives while documenting your process and proof will give you a passing score. Once achieved you must submit the penetration test report to Offsec for evaluation (Pass/Fail).

Ok, now here some do's and dont's:

  • Do not allow your eyes to deceive you – You have just completed countless hours of theory and practical application of the required techniques necessary to pass the exam, better yet own the box at hand! “Avoid losing focus of the trees for the forest...” Don't worry about passing the exam until you're done with the last box. The thought and desire to pass can be distracting.
    If you see a certain vulnerability, trust in your training, if its looks like chicken, tastes like chicken, its probably chicken!

    This was culprit during my first attempt, don't over think during the challenge you know how to do this stuff. Don't let the subtle differences between the lab and exam throw you for a loop, use what you've been trained.

  • Prepare exploits and a list of go-to commands prior to the test – Yes, you'll have you course materials at your disposal during the exam, but you will not want to flip through pages or take the time to watch videos during the exam. Trust me its the shortest 24hours of your life. I created a spreadsheet which I'll refine and post for download, that I call my Warchess. It contains the step by step stack-based buffer overflow exploitation process as Taught in the Offsec training; I was able to use this to make sure I hadn't missed any necessary steps, Common commands, Shell escape sequences, Netcat, Python, Perl, bind and reverse shell syntax, and a list of my per-compiled Linux and Windows remote and local exploits.
  • Get plenty of rest – This was partially the culprit during my second attempt. My anticipation for the exam would not allow me to sleep well the night before. I got 3 hours of sleep in total. Ultimately I knew how to achieve success, but did not have the energy and mental fortitude.
  • Download and Practice vulnerable applications to exploit – The exploit-db has several exploits publicized Remote Buffer Overflow exploits which have down loadable links to the vulnerable applications for your own P.O.Cs. Do this, master these exploits and all the curveballs prior to potentially seeing them during the exam.

  • Take frequent breaks – I know this is on allot of posts, however, do not ignore this. Sitting in one place and concentrating on the exam can be extremely stressful on the body. Make sure you stretch and keep the blood circulating. Also, you mind will benefit from switching gears.
    So in summary, I made a couple fatal mistakes.
  • Not following through with known exploits from the training
  • Not getting enough sleep the night before the examination
  • Not adequately preparing for the unknown
    Ultimately, after overcoming my issues, I was able to complete the exam in about 8 hours. I used a bit of the remaining time to put finishing touches on my lab/exam report. The good folks at Offensive Security sent me a Congratulations email on the same day; awarding me with the elusive OSCP certification; by far the best certification accomplishment thus far.

I will continue to hone my craft in preparation for Cracking the Perimeter/OSCE later this year


  1. Replies
    1. Nice review! Where is the spreadsheet posted?

    2. Great review, Court, do you still plan on posting your spreadsheet?

    3. This comment has been removed by the author.

  2. Hey thanks for this post...Is ur warchess - the spreadsheet ,something that u can share???

  3. Nice write up. Did you decide not to share the spreadsheet or is on request only? :)