How to Prepare for the OSCP

The information security market continues to be volatile. For years, we've been hearing about a disturbing trend, with survey after survey reporting the same thing: a drastic shortage of skilled, qualified talent to fill mission-critical positions.

That should make your ears perk right up. Anyone looking to move around in the cybersecurity market or, better yet, pivot into infosec from another IT area is in a golden position. If you want to make that move, it's worth surveying the positions that make up infosec and the type of infosec training you’ll need.

While most infosec positions revolve around the defensive side, like keeping the bad guys out as a SOC Analyst or Security Engineer, we think the real fun is on offense.

Behold: The Penetration Tester!

Few other jobs involve breaking into systems, ferreting network weaknesses, exploiting vulnerable applications, busting through sloppy code, and going for that all-important ROOT (or ADMINISTRATOR in Windows). Yes, pen testers are professional hackers (done with permission as part of a carefully scoped engagement to stay completely legal).

Got your attention? Great. Back up to that first paragraph, notice two key words: "a drastic shortage of skilled, qualified talent." How does one build the needed skills and qualifications, especially in a field where practicing the wrong way can earn you a free visit from the FBI?

Of course, there are a few different choices when it comes to pen-testing certifications, but we're here to look at the cream of the crop: the Offensive Security Certified Professional, or OSCP.

The OSCP is one of the most widely recognized and well-regarded pen-testing certifications. It teaches core pen-testing skills, of which there are many to learn. It's also a cert known for its toughness; there's not a lot of hand-holding to be found. Their "try harder" motto should attest to this.

Getting Rolling in the PWK Courseware

The OSCP's first requirement is to take the Pentesting With Kali Linux course (or PWK). The course centers around a written PDF and video material that introduces you to Kali Linux, a special Linux distribution preloaded with almost every open-source pen-testing tool you'll need.

The course is very comprehensive, going to a comfortable depth through an extensive range of techniques and tools to get you started, everything from running port scans with Nmap to cracking password hashes with John the Ripper to exploiting vulnerable apps for reverse shells with Metasploit.

Meticulously Enumerate Your Target

It goes deeper than just learning to run tools, though. Every pentester needs a certain mindset to be successful. You must be very methodical and meticulous in enumerating a target from the outside. There's no point in knowing which room in Fort Knox holds the gold if you're unsure how to get through the perimeter fence.

The same is valid with pen-testing; you must find every open port, see the version of every running service, and research carefully to find your way in. You must absorb large amounts of information and digest it, all while thinking like an admin and relying on your knowledge of networking, OSes, network services, and scripting languages.

Being stubborn helps, too. You'll constantly hit way more brick walls than open doors. The PWK will put you through the wringer in these areas and either make you stronger or break you.

Do Your Exercises

The coursework also contains a series of exercises for you to start getting your hands dirty running tools, developing basic shell scripts, and poking and prodding at ports. These exercises are great learning opportunities, sometimes very straightforward, sometimes requiring you to go off independently to do more research.

Many OSCPs take this approach, giving you a base of knowledge but forcing you to learn on your own and grind through figuring out a way into a machine. Completing them will also grant you some bonus points on test day, as long as you write up a report on how you exploited 10 of the lab machines.

With these exercises, you'll need machines to run them against, bringing us to the next part.

How to Tackle the OSCP Lab

Your journey through the course will only be compelling, though, with practical hands-on (and legal!) experience, and there will be no better place for that than the lab. Think 50 servers across various versions of Linux and Windows, all for you to practice your newfound pen testing skills.

Day One: VPN and the Public Network

At your start date, you'll be sent a VPN connection pack along with the courseware. This is what you will use to connect to the lab. Once on the VPN, you'll have access to the control panel.

On this web page, you'll get a list of IPs, every machine on the public network, and an option to reset any machine back to its pristine, uncompromised condition (some exploits by other students, will alter the condition of machines, like crashing services or changing passwords). It is a shared lab network, so other students are working on the same machines you are, but you'll rarely step on each other's toes.

From there, it's all on you to take what you've learned in the courseware and start applying it to live hosts, with the goal on each machine of achieving either root (in Linux) or administrator (Windows) access and growing your skills in enumeration, research, and the essential privilege escalation (gaining access from a low-level user to root/administrator).

You'll find workstations, email servers, Active Directory servers, web servers, and more, a setup not unlike a real-world office network.

Getting Help

Need help along the way? A student forum provides discussion free of full-on spoilers, but if you want to puzzle through things on your own, it might be wise to avoid it except as a last resort. Hints are also available on a student IRC channel, but their vague and cryptic wording sometimes leaves you no better off.

Breaking Into the Other Networks

We mentioned the public network earlier. There are multiple networks in the lab, but the public one is the only one you can access. Specific machines are multihomed, meaning they have network adapters in more than one network. These machines are the keys to unlocking access for the other networks. It's up to you to find them as you go.

Preparing for the OSCP Exam

You'll need to schedule your exam at some point during your lab time. You'll receive an email with another VPN pack, this time for the exam network, on your chosen date and time. This network is you and a small number of vulnerable servers.

You'll have 23 hours and 45 minutes to score as many points as possible; every box has a point value assigned to it. Root/admin gets you the total points; only achieving access as a low-level user earns an undisclosed partial credit.

You're on your own—no hints or forums — just you and your wits for the full next day. Earn 70 points, and the certification is yours. It's daunting but a lot of fun.

Complete Your Exam Report

You still have one more task once the sun has set and risen. You must provide a professionally written report detailing how you comprised each machine, with certain required proof screenshots, the code of any exploits you used (written by yourself or modified from preexisting ones), and any other steps that got you to root.

This has to be submitted within 24 hours of the end of the test. Then, you wait for the official pass or fail email.

How Webcam Proctoring Works During the OSCP

One element of the exam that has changed in the past year is the addition of proctoring. The test has always been taken at your choice of location, but now it is virtually proctored. Before your test begins, you must launch a screen sharing/chat app and a webcam app.

Your proctor will ask to see your ID to confirm your identity, then ask to see all around your room. Once satisfied, they will watch your screen and webcam feed the entire exam.

This choice was not joyfully received by the community, with all the obvious privacy concerns and an added distraction during an already tense exam time. The reason for the change, though, is unfortunately necessary. People were paying others to take the exam for them, and they wanted to maintain the integrity of the certificate.

The proctoring experience is not a distraction; it's done as unobtrusively as possible. One downside is that pants are required now for the exam, in case you are accustomed to being more…comfortable while hacking.

How to Pregame Your PWK

If you are new to pen testing, the PWK course will be like drinking from a firehose. While you'll learn a ton, you are under a time restriction with however much lab time you purchased, so it might be wise to shore up some base skills before jumping in instead of trying to learn everything on the fly.

Pregame Your Linux Skills

For example, if your daily driver machine is Windows or Mac, you might lack the necessary Linux chops. Linux machines will make up more than half of the lab, and working in Kali is a necessity. Trust us, it's better to get comfortable in the terminal before starting your course.

Sites like Linux Journey and the Bandit wargames will get you on the right path. Then try downloading and installing Kali as a VM to play with; Offensive Security's own Intro to Kali course is perfect for this.

Pregaming for Rookies

If you are a complete IT rookie, you might need to take more than a few steps back. A few years of experience in a junior admin or dev role will benefit your career abundantly in whatever niche you aim for.

For some admin learning, starting with your CompTIA Network+ cert is a great idea; knowledge of network services and ports is essential for pen testing. An intro course to a language like Python would help for the dev side. Bonus pro tip: why not both? Especially since Python is the language of choice for most InfoSec world.

Oh, and for future reference, CompTIA released its penetration testing certification last year, which could serve as an early stepping stone toward the OSCP.

Pregaming for Experienced Admins

Maybe you're a seasoned admin with more than enough Linux, networking, and scripting experience. A great place to get started hacking something might be the Virtual Hacking Labs. Or maybe you'd like to seek out a good old-fashioned Capture the Flag competition.

Think of this as a mini-OSCP, with much less pressure and cheaper, but not as in-depth. You get a PDF course plus time to practice in their lab. Sound familiar? It's a great intro to pen-testing with a much lower commitment and a great jumping-off point to your OSCP.

Get Going!

Hopefully, we've motivated you to enter the wild world of pen testing and a few assignments to build up some chops. In a future article, we'll explore the journey of one recently certified OSCP recipient and see what strategies worked, what didn't, and whether missing entirely on any form of social life for three months was really worth it to "TRY HARDER!"