About one year ago, my colleague Trevor O’Donnal wrote a blog post, “Why a 17-Year Veteran Pen Tester Took the OSCP,” which detailed his experience with the certification, why he pursued it, how it works, and his thoughts on it. Trevor and I are very similar in some ways and very different in others. We are both members of the “Moose Dojo,” or the Rapid7 penetration testing team. We consider ourselves the, well, more life-experienced members of the team. If that’s not clear, we’re both older than most members of the team (even 20 to 25 years older, in some cases).
The main way that Trevor and I differ is that he has 18 years of penetration testing experience, while I am a relative newcomer to the field. I’ve been a minor league baseball athletic trainer, a Java instructor, and a PHP developer, and have done some incident response work. My pentesting career will be four years old as of this coming April. I don’t have the same experience as Trevor, and virtually everything I’ve learned about penetration testing has been through my teammates at Rapid7. So, taking Offensive Security’s Penetration Testing with Kali (PWK) class to get the Offensive Security Certified Professional (OSCP) certification was a pretty new challenge for me.
Learning how to enumerate targets
In Trevor’s blog post, he wrote about how the methods he’s always known and used in his career were challenged and how he had to learn new techniques as he pursued the OSCP. In my experience, I had to learn a lot of new techniques, the most important of which were how to conduct thorough enumeration on a target and have patience.
Many new PWK students (myself included) just want to rush to find the solution for a target server. We might run an nmap scan, see an open port and think, “That’s the way in!” and try to find exploits for that one service, only to get frustrated and ask for assistance after thinking we’ve tried everything.
Learning how to enumerate targets is the most important skill to add or improve on during this experience. Enumeration is when we learn everything we can about the particular target, such as which operating system is the host running, which services are running, what versions are these services, and whether there is anything hiding that we need to know about. Learning these skills isn’t about how many targets are exploited, or how quickly. It really is about the journey, not the destination. I learned that if the enumeration skills are there, I could make progress and exploit any host they threw at me.
The patience part comes in with being able to think about what I might have missed along the way. If the answer is not in front of me, what should I go back to and look at again? What service, port, or version number did I not enumerate enough? I had many nights of frustration, bordering on rage, thinking I’d looked at everything and there was just no answer. Then, eventually, I’d find the answer and realize, “Oh, there it is!” After enough of those experiences, my frustration lessened, my patience increased, and I knew to just keep searching and to keep enumerating.
Taking the OSCP exam(s)
My exam experience was also different from Trevor’s. Trevor passed on the first try, while I passed on my fourth. I’m not embarrassed by this, as learning what was important to pass the exam was a huge part of my development. For so long, I thought it was just about being an elite (or “1337”) hacker who knew all kinds of exploits and could make servers bend to your will with just a glance or mouse click. It’s not. Passing this exam is about being patient and being able to properly enumerate a host and find the right exploits for it.
The first time I took the exam, I was nowhere near ready for it. My study time was expiring, and I decided to do it just for the experience of the 24-hour exam. And boy, was that a lesson.
The second time, I felt a little better. I’d learned a bit more, but had still not properly learned those two most important lessons.
By the third time, I thought I was ready. I thought I was one of those elite hackers who could hack anything they put in front of me. Nothing could stop me! Then, just two hours into the exam, I hit a wall. I thought I’d tried everything. For the next 22 hours of the exam, I was stuck. Frustrated. Raging. I might have even said a few bad words.
I took some time to reflect, then jumped back in. Then, finally, it all clicked somehow. It wasn’t about what I thought it was. The Offensive Security mantra of “Try Harder” to me, really meant “Enumerate more!” and keep searching for that answer that’s hidden in plain sight. The importance of this insight finally clicked only about a month before my scheduled exam.
During this iteration of the exam, there was no stress and only a little frustration. Each time the frustration started creeping in, I knew that I just needed to keep enumerating, be patient, and stick to what I’d learned. At various times throughout the exam, new details emerged, and eventually, there were enough to get me to the point where I knew I had earned enough points to pass the exam. I breathed many sighs of relief, then celebrated.
So, here I am. After many, many months of studying, nights away from my family, and days of being unable to work on other projects, I met my goal and finally achieved the OSCP certification.
Now, what’s next? I don’t know yet. Maybe new research, more studying, but I think for now, I’ll go watch a movie with my family.