jim@elwood.net
June 24, 2008
Offensive Security - OSCP!

Proud to say, I just received notice tonight that I have passed my certification challenge and now have the OSCP (Offensive Security Certified Professional).

Honestly, I have a love/hate point of view on most certifications. I love to have a chance to learn, so training is great. I tend to go deeper then I need to in any class I am a part of, but that is just how I am. And certs are great to have to show other people that you have at least that minimal set of knowledge, and someone will vouch for you on that. They are not the end all be all, but at the very least they help when you are dealing with third parties that don’t know much about technology.

So, the Offensive Security 101 class.

I signed up for this class primarily due to the low cost combined with ability to work on it in my free time and not miss work. What I expected was a normal remote infosec training class. But what I got was a whole lot more.

Honestly, the first couple weeks were pretty rough. I was expecting a normal class, and that is not what the OffSec101 class is. At all.

The best way I can describe what OffSec101 really is, is simply a formalization of the old school hacker mentoring system. Anyone that has read the know your enemy series of white papers should be familiar with that concept. The idea is, the n00b goes into the world, trying to prove his chops. As time goes by, the n00b might get a mentor, but only if he proves himself as a hard worker. Someone that is willing to put effort into something, and not just expect everything to be handed over to him. As time goes by, the number and quality of the mentors will go up, and eventuality the n00b may become a mentor himself.

So when you sign up for OffSec101, that’s pretty much what you get. You receive some very well done flash videos, a PDF, access to some lab systems for a period of time, and if you need help you hop into an IRC channel and try to show that you are not just expecting everything to be handed over to you.

So yeah, those first couple weeks were a little rough due to my mistaken expectations. However, once I realized what was up, it was great. It was old school learning and conversing like computing used to be for me back in the late 90s. You would go through the videos as you had time, work through the PDF completing exercises in the labs, and hang out in IRC getting and giving help to others.

It was a blast.

Granted, I know for a fact I spent more time going through the material then I had to. But really, in a course like this, you get out what you put in. And I don’t regret the number of hours I spent on this. Really, its a shame its over.

The course is not just a simple “Here is how to run Nessus” job at all. Sure, it starts out basic, throws a little Google hacking and nmap your way, but soon enough it ramps up to 11. After a bit, you are putting fuzzing applications, writing your own exploits in python, debugging proof of concept exploits you find online, etc etc.

I know I learned a lot from the course. But, honestly, I come out of the course more aware of how much more there is to learn. Of how much I don’t know. And really, that is great. No false sense of being all knowing. Just a humbling sense of what is possible out there, what I can and can’t do, and what else I want to learn over time.

And as for the test, that was a much better test then what you normally have to do. No multiple choice questions. No subjective opinion on a write up. Just a pure timed capture the flag event.

Knowing what you learned from the class, you are few lab systems and a couple basic ground rules, then you just go. At the end of the time, you either have the flags, or you don’t. About as real world as I have ever seen a certification exam be.

So, thanks to Muts and Ziplock and all the other people in #offsec. Great class, highly recommended.

Now I am just looking forward to taking the Backtrack to the Max class…

Comments (View)
blog comments powered by Disqus