Career / Career Progression

How to Prepare for the OSCP

How to Prepare for the OSCP picture: A
Follow us
Published on December 2, 2019

The information security market continues to be volatile as ever. It seems like for years we've been hearing about a disturbing trend with survey after survey reporting the same thing: a drastic shortage of skilled, qualified talent to fill mission-critical positions.

That should make your ears perk right up. Anyone looking to move around in the cybersecurity market or, better yet, pivot into infosec from another IT area is in a golden position. If you are looking to make that move, it's worth surveying the different types of positions that make up infosec and the type of infosec training you’ll need.

While most infosec positions revolve around the defensive side, like keeping the bad guys out as a SOC Analyst or Security Engineer, we think the real fun is on offense.

Behold: The Penetration Tester!

Few other jobs involve you breaking into systems, ferreting out network weaknesses, exploiting vulnerable applications, busting through sloppy code, and going for that all-important ROOT (or ADMINISTRATOR in Windows). Yes, pentesters are professional hackers (done with permission as part of carefully scoped engagement to stay completely legal, of course).

Got your attention? Great. Now back up to that first paragraph, notice two key words: "a drastic shortage of skilled, qualified talent." How does one build the needed skills and qualifications, especially in a field where practicing the wrong way can earn you a free visit from the FBI?

Certifications of course! There are a few different choices when it comes to pentesting certs, but we're here to look at the cream of the crop: the Offensive Security Certified Professional, or OSCP.

The OSCP is one of the most widely recognized and well-regarded pentesting certs out there. It teaches core pentesting skills, of which there are many to learn. It's also a cert known for its toughness; there's not a lot of hand-holding to be found. Their "try harder" motto should attest to this.

Getting Rolling in the PWK Courseware

The first requirement for the OSCP is to take the Pentesting With Kali Linux course (or PWK). The course centers around a written PDF and video material that first introduces you to Kali Linux, a special distribution of Linux preloaded with almost every open source pentesting tool you'll need.

The course is very comprehensive, going to a comfortable depth through a very wide range of techniques and tools to get you started, everything from running port scans with Nmap to cracking password hashes with John the Ripper to exploiting vulnerable apps for reverse shells with Metasploit.

Meticulously Enumerate Your Target

It goes deeper than just learning to run tools, though. There is a certain mindset every pentester needs to be successful. You must be very methodical and meticulous in enumerating a target from the outside. There's no point in knowing which room in Fort Knox holds the gold if you're unsure how to get through the perimeter fence.

The same is true with pentesting, you must find every open port, find the version of every running service, and research carefully to find your way in. You must absorb large amounts of information and digest it down, all while thinking like an admin and relying on your knowledge of networking, OSes, network services, and scripting languages.

Being stubborn helps too, you'll constantly hit way more brick walls than open doors. The PWK will put you through the wringer in every single one of these areas and either make you stronger or break you.

Do Your Exercises

The coursework also contains a series of exercises for you to start getting your hands dirty running tools, developing basic shell scripts, and poking and prodding at ports. These exercises are great learning opportunities, sometimes very straight forward, sometimes though requiring you to go off on your own to do more research.

A lot of the OSCP takes this approach, giving you a base of knowledge, but also forcing you to learn on your own and grind through figuring out a way into a machine. Completing them will also grant you some bonus points come test day, as long as you write up a report on how you exploited 10 of the lab machines.

With these exercises, you'll need machines to run them against, and that brings us to the next part.

How to Tackle the OSCP Lab

Your journey through the course will only be effective though with practical hands-on (and legal!) experience, and there will be absolutely no better place for that than the lab. Think 50 servers, across a variety of versions of Linux and Windows, all for you to practice your newfound pentesting skills.

Day One: VPN and the Public Network

At your start date, along with the courseware, you'll be sent a VPN connection pack. This is what you will use to connect to the lab. Once on the VPN, you'll have access to the control panel. On this web page, you'll get a list of IPs, every machine on the public network, and an option to reset any machine back to its pristine, uncompromised condition (some exploits by other students will alter the condition of machines, like crashing services or changing passwords). It is a shared lab network, so other students are working on the same machines you are, but you'll rarely step on each other's toes.

From there it's all on you to take what you've learned in the courseware and start applying it to live hosts, with the goal on each machine of achieving either root (in Linux) or administrator (Windows) access and growing your skills in enumeration, research, and the essential privilege escalation (gaining access from a low-level user to root/administrator). You'll find workstations, email servers, Active Directory servers, web servers, and more, a set up not unlike a real-worldmall office network.

Getting Help

Need help along the way? A student forum provides discussion free of full-on spoilers, but if you want to puzzle through things on your own it might be wise to avoid it except as a last resort. Hints are also available on a student IRC channel, but their vague and cryptic wording will sometimes leave you no better off.

Breaking Into the Other Networks

We mentioned the public network earlier. There are actually multiple networks in the lab, but the public one is the only one you can access to start with. Certain machines are multihomed, meaning they have network adapters in more than one network. These machines are the keys to unlocking access for the other networks. It's up to you to find them as you go.

Preparing for the OSCP Exam

At some point during your lab time, you'll need to schedule your exam. At your chosen date and time, you'll receive an email with another VPN pack, this time for the exam network. This network is you and a small number of vulnerable servers. You'll have 23 hours and 45 minutes to score as many points as possible; every box has a point value assigned to it. Root/admin gets you the full points, only achieving access as a low-level user earns an undisclosed amount of partial credit.

You're on your own. No hints or forums — just you and your wits for the full next day. Earn 70 points and the certification is yours. It's daunting, but a lot of fun.

Complete Your Exam Report

Once the sun has set and risen, you still have one more task. You must provide a professionally written report detailing how you comprised each machine, with certain required proof screenshots, the code of any exploits you used (written by yourself or modified from preexisting ones), and any other steps that got you to root.

This has to be submitted within 24 hours from the end of test time, then you wait for the official pass or fail email.

How Webcam Proctoring Works During the OSCP

One element of the exam that has changed in the past year is the addition of proctoring. The test has always been taken at your choice of location, but now it is virtually proctored. Before your actual test begins, you must launch two apps, one is a screen sharing/chat app, the other a webcam app. Your proctor will ask to see your ID to confirm your identity, then ask to see all around the room you are in. Once they are satisfied, they will be watching your screen and webcam feed the entire exam.

This was not a choice joyfully received by the community with all the obvious privacy concerns and an added distraction during an already tense exam time. The reason for the change though is unfortunately necessary. People were paying others to take the exam for them, and they want to maintain the integrity of the cert.

The proctoring experience is actually not a distraction; it's really done as unobtrusively as possible. One downside is that pants are required now for the exam, in case you are accustomed to being more…comfortable while hacking.

How to Pregame Your PWK

If you are new to pentesting, the PWK course will be like drinking from a firehose. While you'll learn a ton, you are under a time restriction with however much lab time you purchased, so it might be wise to shore up some base skills before jumping in instead of trying to learn everything on the fly.

Pregame Your Linux Skills

For example, if your daily driver machine is Windows or Mac, you might be lacking in some necessary Linux chops. Linux machines will make up more than half of the lab, plus working in Kali is a necessity. Trust us, it's better to get comfortable in the terminal before starting your course.

Sites like Linux Journey and the Bandit wargames will get you on the right path. Then try downloading and installing Kali as a VM to play with, Offensive Security's own Intro to Kali course is perfect for this.

Pregaming for Rookies

If you are a complete IT rookie, you might need to take more than a few steps back. A few years experience in a junior admin or dev role will benefit your career abundantly, in whatever niche you aim for.

For some admin learning, starting with your CompTIA Network+ cert is a great idea; knowledge of network services and port is absolutely essential for pentesting. For the dev side, an intro course to a language like Python would help. Bonus pro tip: why not both? Especially since Python is the language of choice for most of the InfoSec world.

Oh, and for future reference, CompTIA last year released its own penetration testing certification, which could serve as an early stepping stone toward the OSCP.

Pregaming for Experienced Admins

Maybe you're a seasoned admin with more than enough Linux, networking, and scripting experience under your belt. A great place to get started hacking something might be the Virtual Hacking Labs. Or maybe seek out a good ol' fashioned Capture the Flag competition.

Think of this as a mini-OSCP, with much less pressure and way cheaper, but not near as in-depth. You get a PDF course plus time to practice in their lab. Sound familiar? It's a great intro to pentesting with a much lower commitment and a great jumping-off point to your OSCP.

Get Going!

Hopefully, we've given you some motivation to bust into the wild world of pentesting, plus a few assignments to start building up some chops. In a future article we'll dig into the journey of one recently certified OSCP recipient and see what strategies worked, what didn't, and if missing entirely on any form of social life for three months was really worth it to "TRY HARDER!"


By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.

Don't miss out!Get great content
delivered to your inbox.

By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.

Recommended Articles

Get CBT Nuggets IT training news and resources

I have read and understood the privacy policy and am able to consent to it.

© 2024 CBT Nuggets. All rights reserved.Terms | Privacy Policy | Accessibility | Sitemap | 2850 Crescent Avenue, Eugene, OR 97408 | 541-284-5522