Solved

OSCP Prerequisite and Advantages

Posted on 2013-01-08
22
1,898 Views
Last Modified: 2013-01-17
Hi All,

1 - Before going to start OSCP, i want to know what are the prerequisites for doing it. what certifications or language will add  advantage in prepration of OSCP. i am CCNP Security,working as a Network Security Engineer, have a sound knowledge in Firewall (ASA/PIX/Juniper). i am also a RHCE during my previous jobs configured nagios,asterisk,cacti. i have no knowledge in any scripting languages. i dont know any thing about pearl,phython,shell,bash.

2 - i want to know from all of experts should i do OSCP ? whats  level of scripting is involved in OSCP ? can an unexperienced person in scripting should do OSCP ?

3 - If i do OSCP will my network security skills will add advantage to it ?

4 - What is the scope of a person who is good in security and if he is a OSCP to ?

Experts thanks in advance for any suggestions and advice which will be provided from all of u.
0
Comment
Question by:pawanopensource
  • 11
  • 6
  • 4
  • +1
22 Comments
 
LVL 14

Assisted Solution

by:binaryevo
binaryevo earned 125 total points
ID: 38756744
Answers to your questions:

1 - Before going to start OSCP, i want to know what are the prerequisites for doing it. what certifications or language will add  advantage in prepration of OSCP. i am CCNP Security,working as a Network Security Engineer, have a sound knowledge in Firewall (ASA/PIX/Juniper). i am also a RHCE during my previous jobs configured nagios,asterisk,cacti. i have no knowledge in any scripting languages. i dont know any thing about pearl,phython,shell,bash.

Pre-requisites according to offensive security ( http://www.offensive-security.com/faq/ ).  I would suggest being familiar with the various scripting languages, specifically perl, python, ruby and bash.

2 - i want to know from all of experts should i do OSCP ? whats  level of scripting is involved in OSCP ? can an unexperienced person in scripting should do OSCP ?

If you don't know how to script then now is probably a good time to learn, otherwise you will end up being a person that uses everyones else's stuff and never comes up with their own.  In the hacker community this is known as a script kiddie.  You could do it and based on your background would probably do well in the course but, I'm just saying this to save you trouble down the road when you want to lets say write an exploit in metasploit, well in order to do so you need to know ruby.


3 - If i do OSCP will my network security skills will add advantage to it ?

Yes

4 - What is the scope of a person who is good in security and if he is a OSCP to ?

Not sure what you mean by this but ill take a crack at it anyways:  OSCP for anyone that knows anything about security is a highly respected cert.  I would say much more respected than CEH or anything that doesnt require you to dig deep.  Here is a better, more in depth explanation of the benefits:  http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Hope this helps.
0
 
LVL 4

Assisted Solution

by:stea1mic
stea1mic earned 250 total points
ID: 38756845
What binaryevo said is essentially correct.  As a former security consultant with an alphabet of certs (CISA, CISM, CRISC, CGEIT, CISSP, CEH, CCNA, ITILF, SFCP, ISO Lead Auditor etc etc) What I would add is that OSCP is really targeted for those with hands-on experience.  The test as I'm sure you've seen, is a 24 hr -- here's a network -- go find stuff -- hands-on working knowledge type thing.  It's not can you recognize the right answers a-la CISSP/CEH.

I took the training years ago but never took the exam because I quickly realized I need much more hands-on with the systems and tools.  Go get BackTrack and play around to learn the basics of scripting and looking at the programs and tools to see what they are doing.

The security community is much more about show me what you can do and that you understand how to secure things, than it is about having the certs.  OSCP for those who know is more respected, but it's still emerging in corporate America.
0
 

Author Comment

by:pawanopensource
ID: 38757802
Thx Binaryrevo,,stea1mic

thx for ur suggestions.  as i told u that i am a cisco security engineer i am well aware of firewalls IDS/IPS. these days i am going deep into security and what i found that CCIE security or CISSP only tells you or train u how to secure our corporate networks but these certification dosent explain how hacking happens. according to me if a person dosent know what are the methods or ways a hacker penetrates a network than these certification is of no use in real world.though they can get u a good job.

i googled about CEH or CISSP many gurus of security suggested that OSCP is best as it teaches u from a hacker point of view and provides in depth knowledge of security tools.

from ur suggestions i came to know that a person should be having knowledge of programing  languages.

1 Do i have to master all programing language or should i try to master ruby,pearl,bash ?
0
 
LVL 4

Accepted Solution

by:
stea1mic earned 250 total points
ID: 38759021
I would initially focus on shell scripting (bash) and probably python if you wanted to "master" skills.  Once you understand one set of languages, the rest can fall into place as they tend to be similar in structure.  Perl would probably be next on my list as a lot of installers and programs are written in Perl.  If you are getting bored and want to move on to the next challenge ruby would then be good.

But, that all depends on your goals and what you want to achieve in the programming world.  As binaryrevo said, ruby would be necessary for metasploit development and such.

Just my $0.02
0
 

Author Comment

by:pawanopensource
ID: 38759750
i am in touch with Offset Security, they have sended me the pricing, they charge according to days like 30,60,90 days and in which we have to attempt exam also. this is clear to me.

i am not able to understand whats the use of Back Track, what we do with Back Track.they said i have to download from back Track. is it like a live cd, or any linux iso in which i have to practice ?
0
 
LVL 4

Expert Comment

by:stea1mic
ID: 38759782
BackTrack is the primary set of tools they have developed for use on penetration testing and vulnerability assessments.  It can be downloaded as a live CD or installed on any computer as the running OS and is based on Ubuntu Linux.

If you use it in conjunction with a virtual environment like VMWare you can play and break it and then just revert back to a known working state if you want.

I would consider installing it so you can more easily retain updates and anything you develop in your learning process.

download it here http://www.backtrack-linux.org/

While you don't need this and could install all the tools independently, it just makes sense to use a pre-setup system like this to simplify your training and learning process.  This is exactly how Backtrack started.  One guy needing these types of tools without the ability to download and install on a client's computer.
0
 

Author Comment

by:pawanopensource
ID: 38759846
ok that means Back Track is just like a Live iso in which we do practice.


My Study plan guide, me is this study Plan good

1 First ill try to master Shell,Python,Ruby
   Once i am comfortable with scripting

2 Ill purchase study material from Offensive Security
    and than ill try to do their labs
0
 
LVL 4

Expert Comment

by:stea1mic
ID: 38759866
Seems good.

If you've got access to Cisco (or other network) gear and such where you can setup a bit of a lab, you can really play with a lot of the tools and practice your skills with Backtrack and some computers without breaking production systems.  Many of the tools can disrupt network traffic which is kinda bad when you're at work, but necessary to get some of the concepts and/or tools to work.

I'd do your learning on Backtrack and just poke around.  That's how you'll learn.  Just don't do things on networks you don't have permission to access and test.  That's what gets you put in jail.

Best of luck.
0
 

Author Comment

by:pawanopensource
ID: 38760046
Bro right now i am not having any access to any corporate network neither i dont wanna breake a law (LOL). right now i just have 4 Desktop and i can install different OS in that, but i dont have any router or firewall . i think a router and a friewall is needed if i try to make lab in home. or i can do r/d with my 4 machines.
0
 

Author Comment

by:pawanopensource
ID: 38760078
I'd do your learning on Backtrack and just poke around.

Bro what u mean by this, do u mean to say i should install 3 or 4 backtrack live cd in 4 machines or vms and try to penetrate using coding ?

appologies for asking stupid questions.
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 125 total points
ID: 38760088
for your network portion, if you have access to the images, you can use GNS3 to setup ASAs, cisco routers, and even junos routers.  there are several tutorials online to setup the ASA, but the router is easy.  No switches (not intelligent ones anyway) though unfortunately.  It does actual emulation so its just like the real thing and can easily interact with the rest of your network when setup properly.  Would just take one of your machines to run it.

And good luck with the OSCP.  I look forward to when I get my skills up to where I can start studying for that.  Currently planning on that to be in a year.  Just one request though.  If you run a blog, write about your experience.  For a cert of that caliber I'm sure a lot of people would be interested how you went about obtaining it.  Again, good luck.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 14

Expert Comment

by:binaryevo
ID: 38760098
Yep backtrack is DEFFINATELY the best all in one distro that ive found and thats where ive spent most of my time in the security space.  You may want to look into virtualization to increase the number of machines in your infrastructure if your trying to hit a broad range os's.  Definitely setup a lab at home behind a decent firewall so that things that you work on (IE: viruses...) don't get out into the wild ( thats something else that will land you in prison ).  Stea1mic has sound advice.  With that being said, one thing that I have noticed is that without knowledge of the offensive, the defensive is only theoretical and whats really bad is that in most instances, security officers focus so much on defensive tactics that they forget to understand the offensive and their is a HUGE gap between the two.  Hackers are smarter, work harder and understand the ways in which to penetrate a network better than the people that set it up.
0
 
LVL 14

Expert Comment

by:binaryevo
ID: 38760119
Now my preference in order of languages to learn would be as follows:

1)  Bash scripting
2)  Python
3)  Powershell / windows CLI
4)  .net
5)  Perl
6)  Ruby

Why windows, well considering most of your targets in the pen test world will be windows boxes, its good to know your enemy per say and be able to write code that executes natively on your enemy.  Lots of social engineering & spear phishing attacks can be effective especially if they are made to be "easy" to pull off.  Knowing .net for instance or how to execute various powershell commands can greatly aid you elevating your privelage per say on a victim machine.
0
 

Author Comment

by:pawanopensource
ID: 38760124
First of all Thx Cyclops for joining this discussion. yes i have configured ASA in Gns n played a lot of time making VPNS, Failover etc etc.

@ Binaryevo - what do u mean by this (Definitely setup a lab at home behind a decent firewall so that things that you work on (IE: viruses...), if ill practice in VM machines than how can i break law, ill not connect my vm with internet so how can i break law.
0
 
LVL 14

Expert Comment

by:binaryevo
ID: 38760139
Sure if you dont connect them to the LAN you will be fine.  What i mean is that if you create a "test" network, and have your VM's available for you to run exploits against do MIM attacks or whatever from a different machine ( your hacking box ).  Remember you can practice on a closed VM but, if you only have closed VM's that aren't open to your LAN how can you truly tap into the metasploit framework for instance.  All im saying is you need variety...
0
 

Author Comment

by:pawanopensource
ID: 38760213
@binaryevo - right now this term metasploit framework looks like alien to me. (LOL) bounced from my head.

From this discussion i cleared the picture of OSCP


                                             How to Achieve OSCP

1 - Have to know Programming  Language (Bash scripting,Python,Powershell / windows CLI,.net,Perl,Ruby)  Plz suggest any one or two because i cant master all.

2 - Make my own Lab (vms or 3 or 4 desktop) and practice

                                              Final Stage

3 - Purchase the subscription of (30,60,90 days (depends on individual) ) From Offensive Security and study videos and pdf provided by them.

4 - Shedule Exam according to confidence (provide root administrative credentials of lab) to offset guys , = Target Achieved
0
 

Author Comment

by:pawanopensource
ID: 38760310
Experts keeping in mind the target (OSCP) plz suggest me (a layman,kiddo,beginner in Programming) programming books.
0
 
LVL 14

Expert Comment

by:binaryevo
ID: 38760325
For the OSCP you will need to know bash scripting, python and windows CLI.  I think you can probably get away with those 3.  Anything less I hate to say you probably wont be ok.  Here is a link with some things to expect:

http://www.techexams.net/forums/security-certifications/72621-calling-all-penetration-testing-backtrack-pwb-oscp-students.html
0
 

Author Comment

by:pawanopensource
ID: 38760414
@binaryevo - plz suggest me some books for  bash , python, windows CLI.
0
 
LVL 14

Expert Comment

by:binaryevo
ID: 38760456
0
 

Author Comment

by:pawanopensource
ID: 38762153
Hi all,

As i told i dont have any knowledge in any of programming language(bash,python,pearl,ruby) so i decided first to have knowledge on those therefore i have gone to many training institues where i can join and start understanding those, but unfortunately in my city no institutes r capable.  

some of them are good in C, C++ my question is shall i start from C or C++ and than start bash, python pearl by myself, will C or C++ will give advantage in understanding those programing languages.
0
 

Author Comment

by:pawanopensource
ID: 38763401
One of gentleman gave a very good info what should be done to achieve OSCP.friends plz read below points and provide some more inputs i.e what type of scripting a person should be familiar with.according to him ping sweeps,port scanning, Understanding of buffer overflow  is required.

1.) Know a scripting language fluently before starting – perl, bash or python. But be able to automate and feel comfortable making scripts to do things such as ping sweeps and port scanning.


2.) Understand buffer overflows, how they work and write one yourself. Check out Smashthestack.org and try some of their challenges. Up through level 9 of the IO wargame will give you a good idea of what to expect.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now