I recently attempted to get my OSCP certification. Even though I failed at the attempt, I am not going to let it bring me down. I am going to attempt to pass the certification again and take away what lessons I learned while attempting it. Of the things I have taken away from the exam, the first thing I am going to do next time I take the exam will be to eat a full and hearty meal beforehand. The full 24 hours is necessary, if not for breaking into all of the machines, then to give myself some extra time for the documentation, which is the biggest pain in the ass for just about any security consultant that I’ve talked to, and is heavily disliked. During the time of the exam, try to have plenty of filling snacks, or prepared meals that you can nuke for quick fixes.
The most important lesson I took away from the exam was to not focus on any one machine for an extended period of time. Once you’ve run your enumeration scans on a machine, look up ways to break into it for a little while, and if you haven’t found a way in after, say, 2 hours, move on to the next machine. Some machines will probably jump out at you with one clear, concise way to get into them, and others you will have to enumerate multiple times with multiple tools to find the vector that you’re going to compromise them with.
The next time I take the exam, I more than likely will use my Metasploit pass. Luckily, using Metasploit on a machine doesn’t take points away, but seeing as you can only use Metasploit on a single machine, it needs to be thought out and basically used as a last resort. I will be using Metasploit more on my home vulnerable network to get the commands down, set up some resource files, and practice more of the meterpreter commands to make sure I know all the ins and outs of the framework.
The last big thing I took away from the exam was to prepare for writing the penetration test report by writing out as many of the vulnerabilities as possible in a Word document ahead of time. I say that because, again, you only have 24 hours to write out the report. Having the vulnerabilities already written out in a Word document, so that you can cut/paste them into your report and only have to change the minor details, will cut down the time spent composing the report immensely. I say this because I will always read through a report 2 or 3 times to see if minor details need to be changed, like IPs, hostnames, query IDs, or URLs, so that I can make them match the tested network.
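One way to make that cut/paste workflow less error-prone, as an added example that is not from the original post: keep the reusable write-ups as templates with placeholders for the per-engagement details (IP, hostname, port, URL), render them for each affected host, and have a script flag any placeholder that was left unfilled. The finding library, host details, template names and the `build_report` helper below are all constructed for this illustration, not anything from the OSCP exam or from any report template.

```python
"""Render reusable finding write-ups into per-host report entries and flag the
details that still need fixing by hand (placeholders left unfilled)."""
import re

# Reusable write-ups, kept in one place. These are constructed examples for this
# post; the {placeholders} are the "minor details" that change per engagement.
FINDING_LIBRARY = {
    "outdated-service": (
        "The host {hostname} ({ip}) runs an outdated version of {service} "
        "on port {port}. Vendor patches are available; apply them and "
        "re-scan to confirm the exposure is closed."
    ),
    "default-creds": (
        "The {service} instance at {url} accepted vendor default credentials. "
        "Change them and enforce a credential policy for all administrative "
        "interfaces."
    ),
}

# Matches any {name} placeholder that survived rendering.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


class _KeepMissing(dict):
    """Leave unknown placeholders in the text instead of raising KeyError,
    so the final check can report them."""

    def __missing__(self, key):
        return "{" + key + "}"


def render_finding(template_id, details):
    """Fill one template from the library with the details for one host."""
    return FINDING_LIBRARY[template_id].format_map(_KeepMissing(details))


def unfilled_placeholders(text):
    """Return the sorted, de-duplicated placeholder names still present."""
    return sorted(set(PLACEHOLDER.findall(text)))


def build_report(instances):
    """instances: list of (template_id, details-dict) pairs.

    Returns (entries, problems): the rendered entries in order, and a list of
    (template_id, [missing placeholder names]) for entries that need attention.
    """
    entries, problems = [], []
    for template_id, details in instances:
        text = render_finding(template_id, details)
        entries.append(text)
        missing = unfilled_placeholders(text)
        if missing:
            problems.append((template_id, missing))
    return entries, problems


# Constructed sample input: two complete findings and one with a missing port.
SAMPLE_INSTANCES = [
    ("outdated-service", {"hostname": "web01.lab.example", "ip": "10.0.0.5",
                          "service": "ExampleHTTPd", "port": 8080}),
    ("default-creds", {"service": "admin console", "url": "http://10.0.0.7/admin"}),
    ("outdated-service", {"hostname": "db01.lab.example", "ip": "10.0.0.9",
                          "service": "ExampleDB"}),  # "port" left out on purpose
]

if __name__ == "__main__":
    rendered, todo = build_report(SAMPLE_INSTANCES)
    for entry in rendered:
        print("-", entry)
    for template_id, names in todo:
        print(f"FIX ME: '{template_id}' still has unfilled: {', '.join(names)}")
```

The deliberate gap in the third entry is caught as `FIX ME: 'outdated-service' still has unfilled: port`, which is exactly the kind of detail the two or three proofreading passes are meant to catch; running the check first leaves the manual read-through for wording rather than for hunting stale IPs.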
Lastly, I’d like to thank all of my family, blood and not, that supported me and raised my confidence enough to attempt the certification. So, thank you most importantly, to my wife, Katie, for supporting me in my dream, putting me in my place when necessary, letting me bounce ideas off of her, and offering to help me expand my horizons with whatever help may be necessary to do so. I love you to the moon, out to the edge of our universe, and back. <3 To my mom, for always being there for me, no matter what; you are the boulder at the base of the mountain. My mother- and father-in-law, for watching our youngest while I attempted to achieve the certification. James Siegel, for letting me bounce ideas off of him, and for explaining terms and effective avenues for exploiting those terms. Dave Kennedy, for being one of the best role models for anyone in InfoSec, providing some of the BEST talks available, and providing one of the best conventions for security professionals (and non-professionals) to attend. Jayson Street, for always offering an ear, a shoulder, and an awkward (or not) hug, along with a plethora of stories to show what does and doesn't work on social engineering engagements. Seriously, between yourself and Dave K., you guys are the best!