The most popular posts on my blog have been my harsh reviews of the CISSP and CEH certifications. You might just think that I don't like certifications in general, and I probably would have agreed with you before I signed up for PWK/OSCP. Today, I'm going to tell you about my experience working through this unusual infosec certification.
The OSCP is pretty secretive. I'm going to be careful describing my experience so as not to reveal anything that they wish to keep secret.
The Pen Testing With Kali (PWK) course consists of three main components: a series of videos, a course manual, and a pen testing lab. The videos are not the dry lectures you might find in other courses: they are technical demonstrations. The narrator describes concepts and then shows you how to perform certain techniques using specific tools from Kali Linux.
The course manual covers most of the same materials as the videos but goes into considerable detail and also contains additional exercises for students to try on their own. The manual is useful for seeing exactly what to type for some of the most tricky and complicated command line invocations.
The lab is where PWK really shines. Without a doubt, the lab work is the deepest and most rewarding part of the course. The lab consists of a number of machines, each of which has one or more intentional vulnerabilities. The goal is to obtain a root shell on every single box in the lab. I won't say exactly how many machines are in the lab; I will only say that it contained more machines than I expected, and I spent a huge amount of time working on the lab machines. (More on that later.) The lab is similar to a capture-the-flag (CTF) competition, except instead of using contrived vulnerabilities built just for the sake of gameplay, the PWK lab contains real-world vulnerabilities and common misconfigurations.
While the videos and course manual provide a wide, technical survey of pen testing tools and techniques, they do not prepare you for every single scenario you will encounter in the lab. Far from it: the majority of exploitation will require a lot of research and experimentation to understand the underlying technologies, look for relevant public exploits, look for common weak configurations, etc. Some of the machines contain various exploit mitigation technologies, so further work is required to evade those security controls. Finally, if you are not able to obtain a high privilege (i.e. root) shell, you'll need to find or develop an additional exploit to escalate privileges.
In some cases, exploitation is as simple as finding a password that somebody carelessly wrote down. On the other end of the spectrum, you'll be developing or modifying public exploits, chaining multiple exploits together, and searching for the tiniest misconfiguration that can be used to obtain access or escalate privileges. The network layout includes multiple subnets, so you'll need to find machines that you can exploit and pivot through to gain access to those remote machines along the way. Ergo, the spectrum of techniques you are required to learn and use is extremely wide.
I must mention here that there is no answer key for the PWK lab. If you can't figure out how to exploit a particular machine, you can ask for hints on the PWK/OSCP internal forum, but the hints are extremely vague and generally unhelpful. Any blatant spoilers are censored by the administrators. The motto of the course – and a common refrain on the forums – is simply, "try harder." Translated: succeed or fail on your own. Nobody is going to hold your hand.
Mercifully, during my studies, they added several machines that do have an "answer key" in the form of a detailed walkthrough of the recon and exploitation techniques. These machines and walkthroughs were very helpful for picking up new ideas and finding things that I had overlooked elsewhere, but these walkthroughs were the exception – not the rule.
The Offensive Security Certified Professional (OSCP) exam format is legendary (well… in some circles it is): you are given access to a private network (similar to the lab) and you must break into as many machines as possible within a 24 hour period. The details of the exam are shrouded in secrecy, so as a student preparing to take it, it feels really formidable. You never really know for sure when you are ready to take it. The official advice is that you should complete a large portion of the lab machines but not necessarily all of them. My personal goal was to finish 75% of the machines before taking the exam. (I eventually finished 83% of the machines.)
The PWK/OSCP web site is a bit vague about what the prerequisites for the course are:
Penetration Testing with Kali Linux is a foundational security course, but still requires students to have certain knowledge prior to attending the online training class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.
I have been programming for decades, I know a lot about web vulnerabilities in theory (not so much in practice), I have a solid understanding of network protocols, a solid understanding of machine architecture, and even a bit of experience with memory corruption exploits and shellcodes. So... I mistakenly believed that I either met or exceeded the prerequisites.
Once I got into the course, I realized I still had a huge amount to learn. I would suggest before taking this course, prospective students should spend time thoroughly studying machine architecture and network protocols and become proficient in at least one programming language. Beyond that, spend some time doing some CTFs so that you have some exposure to web exploits and memory corruption exploits.
On the other hand, if you have prior pen testing experience, you might breeze through this course quite easily. I talked to several people on the PWK/OSCP internal forums who did have a pen testing background and were moving through the course much more quickly than myself.
For the CISSP and CEH, I elected for self-study. Essentially, self-study meant that I bought a couple of books instead of enrolling in a very expensive class ($3,000-6,000). The OSCP does not offer the ability to sign up for the OSCP exam without taking the PWK course first. Instead, the OSCP bundles the PWK course with varying periods of lab access (30, 60, or 90 days) and offers the ability to extend your lab access if you need more time.
In my case, I signed up for the PWK course with 60 days of lab access ($1,000). 60 days? Oh, how naive! Although I finished the videos and course manual in the first few weeks, by the end of the first 60 days I had barely made a dent in the lab. I signed up for a 60 day lab extension ($450). And when that expired, I signed up for another 60 days ($450). And when that expired, I signed up for an additional 90 days ($600) and vowed to make one final, all-out effort to finish as many lab machines as possible.
In total, I spent 9 months on the course (I'll detail my effort in the next section) and $2,500. Was the class worth the price? Short answer: yes. Long answer…
In my CISSP and CEH reviews, I asked if those courses were worth the money. Neither of those courses teaches much useful material, and neither certification is likely to have a major effect on your income. I concluded that those courses are way too expensive compared to the value you get in return – unless your employer is footing the bill.
The PWK/OSCP is extremely reasonably priced, however. Although my final cost was $2,500, this was mostly my own doing by working through the course at a slow pace. A student with stronger prerequisites and/or more time to put in could finish the course much faster and spend much less money than I did. Even at my slow pace, however, the bill was still less than I would have paid for the CISSP or CEH. At the same time, I learned far more from this course than from the CISSP and CEH combined. They're not even in the same league.
Overall, I rate the PWK/OSCP as being a very good value.
The cost of the course is more than just money; it's also personal time. In addition to a full-time job (I'm self-employed), I also have a daughter who was about 5 months old when I started this course. Finishing this course while juggling other responsibilities was really gruelling, and, coupled with my weak prerequisites, it contributed to my taking a very long time to finish the course and running up my tab in the process.
Since I am self-employed, I keep detailed records of my hours. These records allow me to focus on staying profitable while also allowing a reasonable amount of time for self-study and passion projects. The upshot is that I have a very accurate accounting of my hours spent studying for the OSCP:
That's a total of 248.75 hours! This is over 10% of the total hours that I will work in 2016, and the time invested in this activity resulted in a significant dent in my annual income because I shifted billable hours towards OSCP study hours.
Overall, I recommend the PWK/OSCP very strongly to anybody interested in pen testing or infosec in general. However, I strongly urge prospective students to acquire at least an intermediate understanding of the prerequisites mentioned above.
Furthermore, if you're looking to save money, I encourage you to take this course when you have the ability to dedicate large blocks of time to it. If you're a college student, take this course over the summer. If you're currently working full time, maybe take the course while you're in between jobs or ask your employer for a modified schedule. And finally, if you have young kids, you might want to wait until the kids are a bit older and do not require your constant attention!
At the end of 9 months though, despite major frustrations and stresses along the way, I'm extremely happy with the entire course and thrilled to have passed the exam and put it behind me.
If you have questions, please contact me on Twitter.