Update: I was asked what my experience level was before starting the PWK course, so I added in section 9 – “My Experience Level Before Starting”.
- Introduction, Overview, and My Experience
- Signing Up and Scheduling
- The Course Material
- The Labs
- The Exam
- Thank You’s and Shout Outs
- My Experience Level Before Starting
This is a great course. You will most likely learn a TON during your time in it. Be prepared to spend a lot of time and patience working towards it. I can easily say this has, by far, been one of the most rewarding certifications I have earned. Important points:
- Course should be thought of and treated as an entirely self-study course
- If possible, try to go through the course with a friend
- Taking an extension on time is okay; everyone requires their own time frame to complete the course in, and almost everyone takes an extension
- Take very detailed notes of your attack process for the labs, as well as during the exam
- Do not leave all of the pentest documentation until the end. Make time to create most of your lab pentest report before you take your exam.
Introduction, Overview, and My Experience:
I recently took the Penetration Testing with Kali Linux course, offered by Offensive Security. For anyone not familiar with it, this is a course for hands-on penetration testing which leads you on the path to earning the Offensive Security Certified Professional certification. You are given access to a lab environment with around 60 machines of varying operating systems, patch levels, and vulnerabilities. There is no multiple choice or question-based exam; the final exam requires you to gain access to a certain number of machines within a 24-hour time period. There are a lot of questions that surround the PWK course and OSCP exam/certification; I will try to answer them throughout this post.
One thing I did differently than a lot of people who go through the course, is that I decided to sign up and go through it with my friend, r0ckphish. We were both very interested in earning the certification and thought it would be a good idea to take the course together, and I must say that we were right. Having a battle buddy there definitely motivated me to work harder and stay on track with the course. It was also great to have someone to compare notes with, both for the lab manual exercises and for the lab machines themselves, as well as having someone else there for motivation. Whether r0ckphish knows this or not, when we first started I was worried that he would end up helping me through the entire thing, so to ensure I could bring just as much to the table I decided I would have to work extra hard. In the end it paid off, not only did we both end up helping each other throughout the course but it also caused me to learn and improve more than I may have otherwise. I strongly suggest that if you can, you try to go through the course with a friend. If you are unable to go through the course with a buddy then have no fear, you can always talk to the admins and others on the IRC channel if you have any questions, want to compare notes, or just need a little motivation.
I thoroughly enjoyed the course and my time in the labs. The environment was so rich with machines of different shapes and sizes that it was great to be able to work on so many different techniques. Now that it’s over I almost want to buy more lab time just to get in and practice some more. Looking back I realize that I should have spent more time working on my lab pentest report. I only had about five entries in there before I took the exam, which left me with around twenty or more to add in during the 24 hour post exam documentation period. I also should have taken better notes for the attack process on each lab machine. My notes for the machines hacked earlier in my lab time were a bit lacking. In case you were curious, I used a program called KeepNote for note taking. It is a little rough around the edges, but overall was a great program for the job.
I had a very good experience with the exam. I believe I was definitely ready for it, so to me the difficulty level was medium at most (5 on a 1-10 scale). I was able to breeze through pretty much all but one of the machines. I chose a start time of 7am on Saturday, so I would have all of Saturday for the exam and all of Sunday for the documentation. Within the first five hours I had gotten into all but two of the systems. I then hit a bump in the road, on what we will call Machine-A, during the privilege escalation phase. After a good few hours of getting nowhere, I decided to move on to the second of the last two machines, which I got into within a couple of hours. After returning back to Machine-A, going over all my notes, and looking at it with a fresh mind, I was able to perform my privilege escalation within a couple of hours, finishing my exam in roughly 16 hours.
After going to sleep at about 12am on Sunday and waking up at 7am, creating my exam pentest report and finishing my lab pentest report took me about another 18 hours or so; finally going to sleep at 2:30am on Monday. Had I taken more time to work on my lab pentest report beforehand, it would have taken me far less time to complete the report. So learn from my mistake and work on your lab report early.
All in all, the entire course was an amazing experience. I learned way more for this certification than I did for any other certification I have taken, and even learned more than many classes I took in college. I would absolutely choose to do this all over again, and just might when I go after the OSCE in the future.
This is something that is hard to talk about for the course. I have met people with all sorts of skill levels going in, and everyone ends up taking their own amount of time to complete the course, so it’s hard to say exactly what you’ll need in order to be prepared.
Below, I’ve tried creating a list of things that I think will help you have an easier time with the course. Do not feel like you are required to know all of the items below in order to start the course, these should just be seen as guidelines for things that would be helpful.
- Reading knowledge of at least one programming and/or scripting language. This means being able to read through a program and have at least a general idea of what it’s doing. Here are some languages that I saw throughout the course:
- Get familiar with using the Linux command line. Here are some, among many, commands that are used:
  - wget/curl (to get, post, and put data)
  - nc (a.k.a. netcat)
  - mount (understand its output when run by itself with no parameters)
- Understand the TCP and UDP networking protocols, and know how to read through a packet capture
- Be familiar with different services: DNS, SNMP, SMTP, SMB, HTTP, and FTP (among others). Be able to read through packet captures of most of those services
That list is by no means exhaustive; these are items that stuck out when I was creating this write-up. Also, as mentioned earlier, you do not need to know all of these before you start the course but it would most likely make it easier.
Signing Up and Scheduling:
A quick note about signing up — they require that you use a non-free email address, so no @gmail, @yahoo, @live, etc. A work or school (.edu) email address will work. If you do not have a non-free email address that you can use then you will have to scan and email your ID.
Scheduling is another tough item to talk about for the course. You have the option to sign up for 30, 60, or 90 days of lab time, with the possibility of purchasing extensions later on (including a 15-day extension) if you need more time. It really comes down to a couple of things: how much time you have every day to devote to this course, and your knowledge/skill level going in. Most people I have talked to have needed to get extensions on their originally scheduled time.
If you have a full-time job and a wife/husband and kids to take care of, I would suggest at least scheduling 60 days. You can always order an extension later on if needed, and don’t ever be afraid to order one because most people also end up needing to.
I purchased a 30 day period, but my case is different than most. Since I attempted this course back in 2011, way before I was ready and when it was still called Penetration Testing with Backtrack, this time around I was able to purchase the course material and lab time separately. I purchased the updated PWK course material about two weeks before my lab time started. This gave me two weeks of extra time to work on (most) lab manual exercises and go through the material before actually diving into the labs. So total, I took about 45 days to complete the course and earn the certification, with a full-time job and a (very) supportive girlfriend.
I was more relaxed with the lab manual exercises at first, and didn’t devote as much time as I could have for them, so I managed to complete them in three weeks. That left me with three weeks of pure lab time. I was a bit more relaxed with my time during the first week, but quickly realized I was going to need to spend every second I could working in the labs if I wanted to be ready for the exam. I ended up spending every day before work from 7:30am to 9am working in the labs, and then after work from about 7:30pm until 11pm or 12am working in the labs. My weekends were almost completely devoted to lab time, spending around 10 hours or more both Saturday and Sunday working on labs.
Again, my case was different: I had the course material early and I had a lot of time that I could devote to working in the labs. Make sure to take as many days as you think will be necessary according to your life schedule.
The Course Material:
When you finally sign up and your start date comes around, you will receive an email containing download links for the lab manual, lab videos, your VPN connectivity pack, and the official PWK virtual machine. It is HIGHLY suggested that you use their Kali image (it is a 32-bit system), since the course material was tested and run using this system. I have seen many people run into issues with the lab manual exercises because they did not use the provided Kali image.
You don’t have to go through the entire lab manual and all of the exercises, however I suggest you do. They go over a lot of the tools needed for the labs and you will most likely learn of new tools you had not heard of before. Plus, if you have no experience with Bash or Python, the lab material will give you some brief introductions to both.
The lab manual and lab videos are what make up the “course material” that I referenced previously. The manual is upwards of 350 pages long, with videos to accompany almost every section. When working through the manual I would read the pages first and then watch the accompanying video, but some people did it opposite of me or would watch the videos while reading the lab manual. Use whatever method works best for you.
The lab manual might seem huge, but it only covers part of what you will need for this course. This course should be thought of, and treated as, an almost entirely self-study style course. There are staff available to speak to for hints; however, expect to be told to “try harder”, and expect to do a lot of extra research.
The lab environment they have set up for you to use is, in my opinion, amazing. To access it, you will use openvpn and the VPN connectivity pack that you were given access to download in the email. As I said previously, there are about 60 machines running a multitude of operating systems and software. The environment is split into the public network (which you start off with access to), the IT network, the Dev network and the Admin network. As you work through the public network machines you will eventually find ways to unlock and pivot to the rest of the networks.
The majority of the time you spend on the course should be in the lab. This is where you actually get to develop and improve all of your skills. As fun and interesting as the labs are, they are also extremely frustrating. I have spent as much as two days working to gain access to one machine, searching through pages of exploit-db results, and running through 20 or more exploits just to find the right one. At times things took so long due to fatigue, and other times it was because I had not yet learned a certain technique. Remember to look for the basics first, there are times when the information you need is looking you square in the face but you don’t even realize it.
If you have truly tried on a machine but aren’t making any headway, you have a few options as to what to do next:
- Look in the forums to see if anyone else has already asked a question about that machine, and if not you can post your own question.
- Use the available IRC channel, #offsec, on Freenode:
  - Use the IRC hint system, where all you have to do is type !machineName to get a hint about the machine you are working on. Some of these are useful and others not so much.
  - Open your question to anyone on the IRC channel, usually something like “Would anyone like to talk about the .xxx machine?” These will often move to private message conversations with an individual on the channel.
  - If no one answers, or if you chose to skip that option, then you can always talk to an admin. Just type ping admin, and if one is available they will respond “pong yourUserName”. From there, ask to move to a private message and then you can start talking about your issue. You should make sure to have really tried on that machine, and enumerated as thoroughly as possible. Otherwise you are likely to be greeted with a “try harder” message from the admins. Also, include your OSID number when you ask your question to an admin via private message.
Some simple hints for the labs:
- You will hear this often, remember that proper enumeration of a target is key. The more information you have on it, the better off you will be.
- Do as much without using Metasploit as possible. Learning to do things a more manual way will really ingrain those techniques in your head.
- Keep as detailed notes as possible about your attacks. You should be able to recreate the attacks almost step-by-step just by your notes.
- Begin working on your lab pentest report early, leaving it until the very end is just going to stress you out even more.
- If you aren’t sure where to start, just pick a target and enumerate it thoroughly. If you think you’ve found an attack vector, go after it; otherwise move on to another one. It won’t be long until you find one to go after.
- If you don’t know where to start with privilege escalation, use these guides for help:
I can’t stress enough how important the labs are, and how fun they are. I have truly missed working in there. As stressful as it can be, really try to enjoy your time in the labs. It is hard to come across an environment such as that one, essentially a “hacker’s playground”, where you get to try all of these techniques that would otherwise get you arrested if performed on a random system on the Internet.
A common question asked is, when will I know if I am ready for the exam? This is also a question without a definitive answer. The admins at Offensive Security suggest being able to hack every machine in the public network except for the three notoriously hardest ones: pain, sufferance, and humble. I hacked all but ten of the machines in the public network, and was able to pass the exam without too much trouble. Since an exam attempt is included in the original price of the course and with every purchase of a lab extension, I would suggest trying the exam at the end of your lab time just to get a feel for what it will be like (just like taking the PSATs, or taking the SAT/ACT multiple times).
The exam itself is completely hands-on. There are no multiple choice or true-false questions to be answered, just machines to be hacked and a time limit to do it in. You will have roughly 24 hours to break into a specified number of machines and attempt to gain full root/administrator/system access. When your exam time starts you will receive an email with a new VPN connectivity pack and an exam document that will explain the exam quite thoroughly, and answer most questions you may have.
Each machine is going to be worth a designated amount of points, and you will need to earn a certain percentage of the total points to be able to pass. On some machines it may be possible to earn partial credit, but on others it is pretty much all or nothing. You should be keeping as good, if not better, notes about the exam as you did during your lab time.
After the exam time has run out, you will then have another 24 hours to turn in a pentest report for the exam. Without this document, you cannot be awarded your OSCP. This document is your only proof for what you did during the exam, just like it is the only true item of value you will be giving to a client in a real pentest.
You can also turn in a pentest report for the labs. This can be separate from, or included in, the report for the exam. If you turn in a lab pentest report, it will be used to gain supplemental points in case you do not earn enough during the actual exam, meaning it can be the difference between passing and failing. My thought is, it’s better to be safe than sorry, so you might as well turn in everything you can to earn as many points as possible.
I chose to create one large document, which in the end was 282 pages long (and could have been longer), so do not underestimate how long the pentest reports will take you to create. You should be taking some time as you go through your labs to be adding to the lab pentest report. An alternative would be to leave about a week between when your lab time ends and when you go to take your exam, so that you can work through most of your lab pentest report beforehand. The more of the lab report you can get through before the exam, the faster you will be able to create your exam pentest report.
- Don’t eat Thai food the night before
- If right before you start the exam, you have your playlist on random and the first song that plays is “The End” by The Doors, don’t panic, just laugh at the irony
- Ping an admin on the IRC about 5-10 minutes before the exam starts. Start a private message chat and let them know you have an exam starting soon. Ask if you can PM them again if you have any questions once you receive and read the exam packet.
- If you aren’t making any progress on one machine, and you’ve been at it for a while, move onto the next one. Once you’ve completed the second one, come back and look at the original one with a fresh mind. Go over all of the information you have on the machine, what you have tried, and any software you have not dived into or attack vectors you have not tried.
- There is information you can infer about the machines based on their associated point values, I would suggest gaining some momentum by starting off with a machine you think you can get and then working up from there.
- Enjoy the experience 🙂
Thank You’s and Shout Outs:
I would like to thank my girlfriend for being extremely supportive and understanding during my time in the course; staying in the house almost all the time and fighting through the cabin fever. Without your support the whole experience could have turned out horribly.
I would also like to thank r0ckphish for being an awesome battle buddy during the course. Your help and motivation certainly made this possible.
Finally, I would like to thank all of the admins and other users that I interacted with in the IRC for your help and esoteric suggestions that somehow led me to find the answers. Among others:
My Experience Level Before Starting:
I was asked on Twitter what my experience level was before starting the course, and I just did not feel that 140 characters would suffice, so I added this section to the post. I have a pretty wide array of experience and knowledge gained from work, school, studying for certifications, CTF/”cyber” competitions, and personal projects. I have tried to list as much as possible below, but I wouldn’t be surprised if I forgot a few minor things.
TLDR: I have a bachelors degree in Computer Networks and Security, about five years of mixed Windows and Linux system administration experience, multiple industry certifications, I participate in many CTF/”cyber” competitions, and I have a small home lab that I use to gain experience and work on personal projects.
I know certifications do not always completely represent someone’s technical abilities or overall knowledge, but the ones I had earned before starting were:
- CompTIA A+
- Cisco CCNA
- CompTIA Linux+ (a.k.a. LPIC-1)
- CompTIA Security+
- Multiple years of experience simply doing computer repair, and home and small business network troubleshooting
- Approximately five years of experience as a Windows systems administrator, and almost two years as a Linux systems administrator
- The sysadmin time included managing and working with routers, firewalls, web servers, SMTP servers, FTP/SFTP/FTPS servers, DHCP servers, and DNS servers; and using VBScript, PowerShell, Python, Bash, AWK, Sed, ColdFusion, HTML, CSS, and PHP
- 6 months of full-time work doing IT compliance (ex: working through SOX audits, and PCI vulnerability scans)
- Bachelor’s degree in Computer Networks and Security, coursework including:
  - Windows server classes (roughly preparing for MCSA)
  - Linux sysadmin classes (preparing for Linux+, and a little extra)
  - 3 courses in C++
  - 1 course in Perl
  - 1 course in Bash
  - 1 course in VB .NET
  - Databases – intro to SQL
  - Ethical hacking course (prepares for CEH)
  - Malware analysis
  - Networking classes (enough to prepare for CCNA)
  - Cryptography and authentication
  - General misc. security classes (ex: intro to IT security, and a course geared toward Security+)
- I have participated in a lot of capture the flag competitions and other “cyber” competitions, both by myself and, primarily, as part of a college team (ex: MITRE STEM CTF, CCDC, Cyberlympics, etc.)
- I have also done a good amount of personal projects on my home network in order to learn about different things, including:
  - Setting up a VMware ESXi server
  - Setting up Citrix XenServer
  - Setting up Microsoft Hyper-V server, on Server 2008 R2 Core
  - Setting up, configuring, and maintaining a Windows domain environment
  - IIS based websites
  - Microsoft Exchange server (2007-2013)
  - Windows and Linux file servers
  - Linux web servers – mainly Nginx but some Apache as well
  - Ampache music streaming server
  - WordPress, Ghost Blog, MediaWiki
  - Home made “LogMeIn” solution using VNC and SSH tunnels (both local and remote)
  - Lightly experimented with vulnerable virtual machines, such as Metasploitable and Damn Vulnerable Linux