2011-07-28

//

[Review] Pentesting With BackTrack (PWB) & Offensive Security Certified Professional (OSCP)

The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.

Up until a month or so ago, everything I've learnt was done by using various free resources online. Last month however, I became an "offsec" student. I enrolled on the "Pentesting with BackTrack" (PWB) course, currently version 3 (syllabus). After the lab time is over, the student has the option of sitting an exam. Upon passing the exam, the student is awarded an Offensive Security Certified Professional (OSCP) certificate. I now have that certificate =). This is my review of it all.



I wanted to do it for a few reasons:
  • The challenge. Unlike De-ICE, pwnOS, metaspoitable, Kioptrix, Holynix and all the other "boot to root" VMs & ISOs, this is a complete network. And then some. Not just a single machine.
  • The experience & knowledge. I don't claim to know it all. Far from it. The course covers a wide area of topics/subjects. As a result, it gave me the opportunity to "do" things that otherwise I couldn't. It also forced me to do certain activities I normally I wouldn't bother with, but after they were done, it felt very worth the while, mainly the "paper side" - the report.
  • The qualification. Its one thing doing it for fun and having a blog as a notepad, but potential employers would rather see a professional qualification on the CV. I haven't seen job requirements asking for it, but then again, I haven't been looking. I'm still a student, just hoping it will give me an extra edge when the time comes.
  • Support. Offensive Security funds backtrack. "Nice" to know that a certain percentage of the course fee helps an open source community project.

I am unable to share the specific details of the course due to the signed contract, so the Visio network map, which I spent hours on will never been seen again! The same goes for the methods of how to hack host "xyz".

We all learn differently and do so at different speeds. Also we all have different background experience and not everyone can put in the same about of time. Having now completed the course, I would say if you want to "just pass" the course and can put a good couple of hours in each day then you could get away with doing 30 days - at a push. However, if you want to take your time, learn it and (try to) "do it all", I would recommend 60+ days in the lab. I started off with 30 days, with the hope of cramming it all in as I could spend 8+ hours a day on it. In the end, it took me a solid 30 days in the labs (not including any of the exercises before the lab work), so I ended up extending it by 15 days. If I was to do it again, I'd opt for 60 days and pace myself better.

After looking at the syllabus, I set myself the goal of "getting into the admin network". Then it soon became, "getting a shell on every box I could", which soon turned into "getting 'root/system' on every box I could" - another reason why I extended my time. I ended up reaching all of these goals. This was a personal goal, it wasn't required, and you don't need to for the exam.

In the last couple of days of lab time, I was ready to throw in the towel. But I stuck with it and got there in the end, including the last hour, when I managed to root "sufferance" - a "beautifully evil box" in my eyes.

My next mistake was to book the exam so soon after the Lab time ended. As soon as I was kicked out of the lab, I realised how exhausting it had all been. The only small issue - I still had to write the lab report, which I'm sure most students hate doing. This was something completely new to me. It wasn't a high point of the course, but I'm glad I've done it. I haven't yet found my "style" of report so I'm planning on forcing myself to spend some time tweaking until I'm happy with it (I'll use the de-ice collection as the subjects).

I should of known better than to go into an exam feeling so tired. I spent all the morning trying to cross the t's and dot the i's in the report. Then dead on 3pm GMT the exam pack was in my inbox, with all the guidelines and rules, along with the new login details (and a new IP address to use, but I kept on using my lab IP. Oops!). The rules are "slightly" different compared to the lab. The likes of nessus and "similar" tools are completely forbidden. The systems with which you can attack using metasploit are limited and you can only use it once. Offsec defines "using metasploit" as launching exploits of any type - that includes getsystem. Allowing you to "scan, handle and listen", with it the rest of the time. I ended up not using my metasploit lifeline.

There were a few "starting" problems to begin with - but there was an admin on hand in the IRC channel (as there seems to always be!) - and we were up and working 40 minutes later.
Another mistake I made was not taking a break in the exam. I managed to get a couple of boxes within the first couple of hours, though due the weighting of the scoring system it "quite" wasn't enough to pass. I then spent a few hours trying to get into a box, which was just not working. I can't share the details of my issue, I was doing everything right and I'm still not fully sure what the problem was, but by magic it worked. By this time it was "silly o'clock" in the morning - too late to sleep.
With the last box, I managed to get a shell - though I had a good feeling how to get "system" (turns out I was correct), just couldn't do it in that frame of mind.
The exam report was better than the lab report, much shorter, had a template and it was "fresh"ish in my head.

Sent the PDF within 24 hours after the exam ended. Finally, I could sleep! Come the other side of the weekend, there was an email congratulating me. Best Monday morning mail I've got in a while. Job done.

There are a range of boxes, with mix operating systems giving you a chance to test out various skill sets which you learn along the way in simulated "real scenarios". "Sufference", by far with was the most "painful" box, without a question. I "finally" got root on it, with less than an hour to go. A phrase attached to offsec is "Try harder", and there are "awards" for doing so - such as access to Metasploit Pro.

Overall I really did enjoy the whole course. Everyone I've spoken to and during the course has said the same. Really is a great way to start exploring the depths of backtrack with all the tools and scripts it’s got to offer. I would recommend it, mainly for beginners & intermediates. If you're on a more advance level, you might want to give the course above a try, Cracking The Perimeter. I did have to save up for the course, as I paid for it out of my own pocket. It was worth it and if I had to option to do it again, I would. Don’t get me wrong, you can learn it all online for free, and I've done all the self-learning before - It's just knowing where to look to piece it all together yourself, it was "nice" having someone else doing it - which added an unknown surprise. I'm not too sure where I could fault the course. There were a couple of machines where the same single exploit would work - but from my understanding of pentesting, this is the case! These machines usually had multiple faults in them - so you could also hunt for a unique way in.





To the people thinking about doing it:
If you've been doing pentesting for 5+ years - it's probably not for you (also, this blog isn't for you!) The only reason would be either; if you want a "re-fresher/reminder", just want some letters to add to your CV or you have done everything else!

Even if you have never done anything along the lines of "port scan" before, then yes, this is for you. The only thing is, Offsec do recommend that before starting the course you have some background with Linux (e.g. know your way around the file system, how to use terminal, print "hello world" in python - that sort of thing) and networking (e.g. know what goes where and your TCPs packets from UDPs), and I would agree with them. I would add, try doing something like de-ice before signing up. My justifications:
  • There is a fair bit of self-learning on the course. Yes, there is PDF and video to start you off and guide you through the first few steps. However, you will need to learn (and try!) things for yourself.
  • (Slight) background knowledge can help. Can give you a rough idea of how do try something.
  • It's a very watered down sample. 
  • You can take your time doing it (no lab time to worry about).


To students currently doing it:

  1. Learn the materials (Read the PDF, watch the videos) BEFORE starting the labs. It's worth doing it.
  2. Update/Check/Uninstall Programs before starting - Update the OS (BackTrack) & software (nmap, exploitdb, metasploit) once it is stable and you are in the labs, DON'T update again, as it could break something! Check the blog, forums and IRC (both Backtrack & offsec). Uninstall nessus. Best not to have the temptation of its power. Don't get me wrong - it is a great tool. But as you can't use it for the exam, you are better off learning to work without it.
  3. Enumeration, more enumeration, and even more enumeration. There is a reason why you don't "get a shell" on anything for the first 6 chapters...
  4. Pick off the low hanging fruit. Go after the "easy" ones first. If you see port "x" open, check "y", run "z" exploit. This helps you to get an idea of the network, collect usernames, passwords, hashes, etc.
  5. Revert the machine BEFORE you attack - then scan it again (TCP & UDP). Once you have shell, netstat (a 'internal scan', if you will), and compare the results. Is there something running internally, which is blocked externally?
  6. All the exploits are exploit-db or in the metsaploit frame work. However, sometimes you have "make the exploit fit".
  7. Use a different port.
  8. When you are "root/system" - have a look about. Desktop, Documents, Program files, Temp folders, Recent files, etc. There are some "juicy" files on some boxes. Not all. Some. Hint: Was it running MySQL? VNC? xyz? What are the usernames and or passwords for it!?
  9. "Print Screen" as you go. Also copy & paste the konsole/terminal output too. It will help you down the line. More than you think.
  10. Try harder. It can be done....




I would like to thank the offsec team for allowing the course to happen as well as the people which gave me support throughout it all. Thank you.



Update (2011-11-08):
One of the features of been an Offsec Student is having access to their hash cracking service, 'crackpot'.  However, I personally got a higher success rate using: 

If you are looking for some background reading before starting the course, I would recommend looking at: