+ Reply to Thread
Results 1 to 3 of 3
  1. Junior Member Registered Member
    Join Date
    Aug 2017
    Posts
    1
    #1

    Default Ambiguous OSCP exam restrictions

    "You cannot use any of the following on the exam: Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
    Any tools that perform similar functions as those above are also prohibited."
    ...
    "You may however, use tools such as Nmap (and its scripting engine), Nikto, Burp Free, DirBuster etc. against any of your target systems."


    Aren't Nmap, Nikto, Burp, and Dirbuser doing mass scans for vulnerabilities?


    Would netcat be allowed? How about vulndetector? How about a tool like w3af which has tools to exploit found vulnerabilities, if I don't use those tools and just take advantage of scanning capabilities?


    Is there a fine line between how many, or what types of scans a vulnerability scanner does that decides whether it's a "mass vulnerability scanner" or not?
    Besides, couldn't someone just make an nmap script (allowed) to accomplish what some of the programs they consider "mass vulnerability scanners" do?
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member
    Join Date
    Sep 2016
    Location
    VA
    Posts
    456

    Certifications
    CISSP, PMP, CCNP, FITSP-M
    #2
    If you have to nitpick about exam requirements, are you sure you're ready for it? And maybe scripting functionality in a basic tool is the idea. It's not hard to download a tool that takes a lot of the thought out of the process. If you can design a script for a basic tool though, you probably have a better sense of the objectives and process to get there.
    2017: CCNP (done), FITSI-M (done) CCIE Written
    2018: CCIE R/S
    2019: VCP (DCV/NV), OSCP
    2020-1: MBA
    Reply With Quote Quote  

  4. Senior Member TeKniques's Avatar
    Join Date
    Jul 2004
    Location
    Oregon, USA
    Posts
    1,250

    Certifications
    OSCP, CISA, CISSP, SSCP, MCSA 2008, MCSE 2003: Security, MCDST, MCP, Security+, Network+, A+, Project+, CCENT, CCNA
    #3
    Maybe run some of those tools not allowed on the exam vs. those that are ... you'll see the difference real quick and answer your own question. If the course and exam was about automating everything then those tools would be allowed, but it's not and is more focused on having you do some research into the things you find and how to exploit them.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks