+ Reply to Thread
Results 1 to 9 of 9
  1. Member dstock7337's Avatar
    Join Date
    Sep 2007
    Location
    USA
    Posts
    85

    Certifications
    MCSE, SSCP, FEMA: IS-915
    #1

    Default Pentesting Studies, CTF, and other Prep work for OSCP

    Hello All,

    I have started preparing for OSCP and transition from being a systems engineer into a security engineer/analyst, specifically performing vulnerability assessments, pentesting, and mitigation strategy.

    As part of my studies for my Master's degree, I participated in my first CTF, National Cyber League, which had schools across the country participating. I figured that this would help me better gauge what I would be getting myself into.

    Given the cost of labs and exam with OSCP, I wanted to do as much prep work before going into it. This way I figured would help me make better use of my time during that window and have a better shot at passing the first go around.

    I had already been self-studying CEH with CBT nuggets, Cybrary, my personal lab, and several books I've obtained covering the material. In addition, the NCL had hands on labs giving a taste of doing a pentest before the actual games had started. On top of that, the NCL provided a pre-season to get a taste of doing the challenges, which I was successful on and placed into the silver bracket. Given these things, I had some tempered confidence that I would do good with most challenges and some that I would have difficulty with.

    That confidence deflated the in the first game. It hit me in the face and hard. It was even more challenging than I had thought. By the end, I still placed into the upper 35% but I knew I had a lot more learning to do.

    I really seemed to struggle with Web app exploitation, specifically dealing with SQL injections and footprinting what type of DB it was running.
    Nevertheless I've taken those lessons learned and have a better idea on what to focus on with self-studies.

    Seeing that I'd like to avoid experiencing another big eye-opener/slap in the face with OSCP, I'd like to know what you all have used to prepare for the OSCP.

    Thank you!
    "The only true wisdom is in knowing you know nothing." - Socrates
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member
    Join Date
    May 2006
    Posts
    1,871

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #2
    I'm doing the PTSv3 which gives you a voucher for the eJPT (Junior Penetration Tester). It takes you through a step by step process of where to start and what to look for without actually giving you all the hints. Like, find X server but only use x tool and y tool. Then you are suppose to use the tools to do certain tasks so you can find info to access the server. It's pretty interesting, at least for me, not having any prior pen testing experience but having IT experience, i still find it really interesting. They have about 12 labs i think and each one is different, the modules are short but should provide you enough to create a methodology on how to attack a target. The other certifications like the eCCPT are a bit more advanced but i think these are good foundations for the OSCP. Step by step to climb the ladder.

    edit: forgot to mention "vulnhub" they have plenty of VM's that you can try to exploit and a lot of people post their way of attacking in various guides in case you get stuck.
    Last edited by TheFORCE; 01-06-2017 at 12:08 AM.
    Reply With Quote Quote  

  4. Senior Member
    Join Date
    Mar 2014
    Posts
    617

    Certifications
    Alphabet-soup
    #3
    This book - https://www.amazon.com/Penetration-T.../dp/1593275641
    Over the wire - OverTheWire: Wargames
    Vulnhub - https://www.vulnhub.com/ (Conduct a Google search for vulnhub and OSCP to find ones similar to lab/exam boxes).
    The metasploitable project is a good resource to check out too.
    Reply With Quote Quote  

  5. Member dstock7337's Avatar
    Join Date
    Sep 2007
    Location
    USA
    Posts
    85

    Certifications
    MCSE, SSCP, FEMA: IS-915
    #4
    Thanks for the info TheFORCE and BlackBeret! I'll check them out.
    "The only true wisdom is in knowing you know nothing." - Socrates
    Reply With Quote Quote  

  6. Member
    Join Date
    Oct 2014
    Posts
    67
    #5
    One of the best resources for PWK preparation today on the web is https://www.cybrary.it/course/advanc...ation-testing/. Georgia is an OSCP and she's incorporated a lot of material that is inside of it into this free course on Cybrary.
    Reply With Quote Quote  

  7. Member dstock7337's Avatar
    Join Date
    Sep 2007
    Location
    USA
    Posts
    85

    Certifications
    MCSE, SSCP, FEMA: IS-915
    #6
    Thanks! I recently started using Cybrary and I like it a lot.
    "The only true wisdom is in knowing you know nothing." - Socrates
    Reply With Quote Quote  

  8. Member
    Join Date
    Dec 2016
    Posts
    37
    #7
    I have exactly same problem - how to gain some hands on experience quickly to get exposure to InfoSec tools. Some of the tools i wanted to see in action include Firewalls Load Balancer DLP Pen testing tools etc.
    I have contacted several individual trainers, training colleges, quick training institutes etc. i have even contacted several institues in other countries.
    It has been very frustrating. i am unable to find any source that can provide me quick access to above for few hours.
    I am sure there must be. Irtial networks somewhere that can be used to get a good practical introduction to Information Security.
    But where are they?
    Reply With Quote Quote  

  9. Senior Member McxRisley's Avatar
    Join Date
    May 2016
    Posts
    153

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #8
    Offtopic, You don't need to call institutes and pay for courses and time. You can setup your own home lab like everyone else and learn that why, there are several free and affordable courses that will give you hands on experience. The recommended course above from cybrary.it is a good one but you will have many problems with it since it is a bit dated. There are a few courses on udemy.com that are much better for this and will actually work properly, "Learn ethical hacking from scratch" is a great course and will teach you all of the basics. The instructors name is zaid. I hope this helps.
    Reply With Quote Quote  

  10. Member
    Join Date
    Dec 2016
    Posts
    37
    #9
    McxRisley
    Thank you very much for pointing some of the resources. I will certainly check them out.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks