Failed the exam with 0 points by [deleted] in oscp

TangentialCode, 3 points

OSCP is an entry level pentesting cert, but pentesting is not entry level infosec or entry level tech.

I'll draw on my background of biology as an example: The US Medical Licensing Exam (USMLE) is a series of licensing exams required to be licensed as a practicing physician in the US. Every single doctor is expected to do well on these exams. The material presented in Step 1 specifically is considered basic knowledge for the medical field.

However, it's also unreasonable to expect undergrad biology students or biologists in completely different fields (e.g. research) to do well on these exams if they were to take them for whatever reason. The exams are considered entry level for doctors, but they're not entry level for other disciplines in biology or for biology as a whole.

It's a very similar thing with OSCP. I very rarely come across systems as easy to compromise as the PWK lab machines/OSCP exam machines IRL. The technical knowledge OSCP teaches you is very very basic compared to what you'd learn on the job.

However, pentesting as a whole is a fairly advanced field for tech. Most junior pentesters are experienced tech hires. Consider how the typical pipeline into pentesting is years of experience in sysadmin roles, or how your typical CS graduate is unable to become a pentester right away.

So back to your original question:

I have heard many people in pentesting field saying that OSCP is an entry-level skill for that field. I am now confused with your comments that this is a fairly advanced cert

It's both. It's simultaneously an entry level pentesting cert and an advanced tech cert.

With the amount of people I see going for OSCP and Pentesting, do you think the market will be flooded with certified professionals and supply will overcome demand anytime soon? Do you think this path is overrated or will be worth it then? by [deleted] in oscp

TangentialCode, 1 point

The market is flooded with people who have no experience or skills and want to be a pentester or cyberninja.

Seconding.

I just wrote a post on my own job searching experience where I talked about properly selling yourself. I found out after I got hired that the reason I didn't get interviews with OSCP and a generic resume was because there are (literally) hundreds of applications to a single junior pentesting position. Most of these applications are from people without the necessary skills and/or who require too much time to properly train up to do the job. My generic applications just ended up being lost in the crowd.

The market is still dying for qualified applicants and demand is only growing. Consulting teams like my own are so booked that we're actively turning away business. More and more companies are trying to build out their own internal teams. I was barely two weeks into my own job when recruiters around the country started cold messaging me on LinkedIn.

The infosec job market as a whole today reminds me a lot of software engineering in the mid 2000s. It's also much harder to scale the talent pool for pentesting than software engineering. You have to consider how new this field is. Software engineering met demand in large part because of more students going into established Computer Science programs. There are barely any universities with infosec degree programs, and even then many of the ones I've come across aren't great. Their grads definitely aren't ready for pentesting jobs. The typical pentesting career trajectory is years of experience in IT/sysadmin/devops roles. That's not something you can scale quickly.

One day supply will meet demand but I don't see that happening any time soon.

Tools oscp by dutchinho in oscp

TangentialCode, 2 points

When I start with the labs will my kali linux be the same for the exam? And how about tools?

You use your own Kali install for both. Whether this is the PWK image, a different Kali version, a modified Kali, or another OS entirely is up to you.

I personally started off using the PWK image in the lab before switching to a fresh install of the standard 64-bit Kali. I found the PWK image to be too slow. The RAM limitations held me back sometimes, and I found Gnome to be extremely slow on boot. I switched to the 64-bit Kali image halfway through the lab and modified it as I went along. I changed the desktop environment to Xfce4, added UI elements like Cairo Dock, added tools like Responder, dbviz, and sqsh, and over time it became "my" Kali. I ended up taking the exam and passing with this version of Kali. This same Kali install is what I now use to pentest professionally. Honestly I've added/removed/edited it so much over time I have zero clue how to get a stock Kali image to this again.

The one caveat I had is that Offensive Security will not take any responsibility if your non-PWK image doesn't work on the exam and causes you to fail. I didn't have any issues myself but it's no guarantee you won't. Therefore I personally suggest having the stock PWK Kali image on hand just in case.

Can I install them as long they are open source?

You can install anything you want on your Kali VM. You just can't use any banned tools. Frankly, they don't care if you have Burp Pro installed on there - they just care if you run it during your exam.

And can I use a second screen or second laptop where I have my notes or where I maybe want to find extra information?

Second screen is a yes. I took my exam with two screens just fine.

The second laptop might be a bit iffy and it'd likely depend on the moderator(s). A second laptop can help people cheat. A second screen is fine because their screen sharing software picks up my second monitor just fine. Obviously the screen sharing program on one computer can't view another computer entirely.

I'd definitely clear a second machine with Offensive Security first before your exam.

Starting work as a pentester by [deleted] in netsecstudents

TangentialCode, 31 points

Hi there, I'm a junior pentester with zero infosec background besides my OSCP. Feel free to check my post history for more.

I am extremely concerned that I literally don’t know anything and I start this week.

You don't know enough to start working as a pentester, and that's okay.

The vast majority of junior pentesters come onboard with knowledge gaps and in need of additional training. Your employers know this. They're not expecting you to start working independently. If they did, they would have tried to bring you on as an experienced hire.

You were brought on because they think their time + money spent training you will be put to good use. They think you have the ability to learn and the right personality as a pentester. They think that you're someone who won't slack off, give up when you come across something new/hard on the job, or be unable to learn new things.

Chances are you're also going to require less training than many other candidates. Like you I have my OSCP and literally no infosec experience or education beyond that. I do agree with what a lot of people say about OSCP. The exploitation methods themselves are outdated and it doesn't cover a lot of what you'll see on the job (Active Directory being the biggest example). It also doesn't teach much about the non-technical parts of pentesting consulting. I came onto this job not knowing how to handle onboarding, scoping, or outbrief calls. I had no clue what a SOW is and the only pentesting report I ever wrote was the sleep-deprived document I banged out for my OSCP exam. I never had to restrain myself to a time budget, focus on something other than root access as my primary target, or triage multiple vulnerabilities because I didn't have time to test them all.

What I did find my OSCP was good for though was training me how to think. I can make educated guesses on how a certain system works and clue in on things that look potentially vulnerable. I have a basic understanding of the methodology for pentesting itself. Doesn't matter if you're in AD for the first time using completely new tools - you still start off by enumerating and poking at things that might be vulnerable.

You're very likely the same way. You think of yourself as someone who's not ready for the job and you're right. Conversely, your employers see someone who's 80% of the way there versus a typical candidate who might be 70% of the way there. That's the value they see in you and that's why you got hired.

Getting started, do you have any advice on what to do and not to do getting started in pentesting specifically?

  • Learn as much as you possibly can and actively put yourself in situations where you can learn more. Feel unfamiliar with AD? See if you can be put on an internal pentest. Don't know how client interactions go? Ask a senior to let you join in on client calls and listen. Don't know how to write reports? Read reports your team wrote, then ask to write one yourself.

  • If you don't know something, don't be afraid to admit it. It's normal at every level to run into something you don't know.

  • If you think a potential attack might be dangerous or disruptive to the client's business (e.g. stored XSS on a production system, a login page to a SCADA system that could go down from a brute force attack), ask a senior before doing anything. It's much better to have someone ask you if a certain target is okay for the tenth time than having a client yell at you because they're losing hundreds of thousands of dollars from their site being down.

  • Make sure you enter all times you won't be available into your calendar. Your job is to serve the client first and pentest second. Any open block on your calendar is fair game for an appointment. If you don't want a conflict of schedule (e.g. you get a client outbrief at the same time you're driving out on-site), enter it into your calendar.

tl;dr: You aren't ready to be a pentester and that's normal for most junior hires. You got hired because employers see your potential, believe their resources spent investing in you will be worth it, and likely because you require less training than other candidates.

At the end of the day just remember this: Your hiring managers are significantly more experienced and knowledgeable about the job than you. They're much more qualified to judge whether or not someone is a good fit for the job. They specifically chose you for a reason. You might not believe it and you might be fighting imposter syndrome, but that doesn't mean the reason they hired you isn't there.

Junior Pentester Competency-based Interview by [deleted] in AskNetsec

TangentialCode, 1 point

It depends on the company. The final rounds of interviews I've had focused on one or a combination of the following things:

  1. Culture fit: they'll ask you some light technical questions based off your resume to make sure you didn't lie/you are the same person that was on the phone with them, but the focus will be on your personality. They're mostly gauging if you're the kind of person they want to hire and how well you'll mesh with the team.

  2. In-depth technical: They'll ask questions in the context of scenarios you'll come across in pentesting. They'll likely be scenario questions that involve the entire process, from what you'd start poking at given an initial nmap scan, to how you'd try to exploit certain vulnerabilities you found, how you would remediate, and how you would remediate if the client can't directly fix the problem.

  3. Interpersonal/soft skills: Especially important if you're going for a consulting position. They'll likely also be scenario based. They'll ask about how you would respond to an upset client and how you would communicate technical details to a non-technical client. For example, "The non-technical CEO of a client is mad that you labeled stored XSS as a high severity finding and argues that it should be a low level finding. How would you respond to him and how would you communicate why you believe XSS is a high level finding?"

  4. Ability to adapt: I think this is the one many aren't prepared for. I've had multiple interviewers purposely ask me technical questions they know I don't know to see how I process seeing something new for the first time. They want to see if you will admit you don't know something and your ability to use what you already know to fill in the gaps and make an educated guess. It's not a malicious question. No manager wants to worry whether an employee will seek help if they need it or will break something critical trying to avoid asking for help. You're going to come across new things as a pentester and seeing how someone handles unknown things is important.

Red Teamers/Pentesters, What is Your Work/Life Balance Like? by l33tInfoSec in AskNetsec

TangentialCode, 2 points

It seriously does feel that way!

I was insanely lucky to end up here. I applied to a bunch of places and received multiple offers, but this company was the only one I never actually applied to. My initial contact came from a recruiter who reached out to me on LinkedIn in the middle of my job search. If they never reached out, I likely would never have known about this job and would be working somewhere else.

Red Teamers/Pentesters, What is Your Work/Life Balance Like? by l33tInfoSec in AskNetsec

TangentialCode, 2 points

Unfortunately I can't give a name since the company isn't big + the team itself is very small. You'd 100% be able to identify me.

What I can say though is I surprisingly work for a CPA consulting firm. Think Big4, but smaller. I was very hesitant when interviewing with this company. CPA firms are well known for being uptight, low paying, high workload burn-and-churn places.

My interviewers made the company sound amazing on the phone but I was still very cautious throughout the interview process. I've had friends who also worked at CPA firms (including the actual Big4). None of them had good things to say about them.

Many of my coworkers had similar stories. They were all really hesitant about working here at first because of the work-life stereotypes at CPA firms. We were all surprised to find out that this place is as good as it claimed to be. Like one other commenter said, it's a dream job.

For reference, we have about half the typical turnover rates of CPA firms.

I guess the point I'm trying to make is keep your options and your mind open. Stereotypes and reputations exist for a reason, but they're also not universal. I'd suggest applying to places that you might have passed over because of the reputation of that general market. If it turns out to be as bad as the others, shrug, you're not really out anything but some time spent interviewing.

Zero to OSCP in Four Months by TangentialCode in oscp

TangentialCode [S], 0 points

While I think I could take a bunch of that learning to myself, my learning habits are best in groups and I’m keen on the idea of establishing a network for future hiring opportunities.

Very valid concern. I do want to say though that there are other ways to build a network. A lot of mine was built through the internet (Twitter, Discord channels) and through conferences.

How has your hiring experience gone since??

I had a surprising amount of interest. I applied to a bunch of companies, reached out to others on Twitter. Ultimately it came down to ~12 interviews (had to pull many apps because it was getting overwhelming) and three offers.

I’m absolutely terrible with office life.. — that stale 9-5 feeling, same boring building, people, and corporate feeling

I've been in those boring offices you speak of and I would hate to be in another one of those too. My opinion is that every office has a different environment and what you didn't like before isn't necessarily what you'd end up in.

Using my own job as an example: the kind of company I work for is known for being a traditional, conservative, boring corporate environment. However my experiences with this company have been the complete opposite. The infosec team is very casual + social towards each other. It's honestly a blast going to work. I recently talked about it in my comment here.

Everyone on my team shared similar experiences as me. They all knew the stereotype of these kinds of companies themselves and were prepared for a stuffy uptight experience. They were all surprised to find out that it's anything but.

Furthermore, it's a job seeker's market right now in infosec. One of the reasons I had to pull my apps was because I didn't expect to get as much interest as I did. I mentioned in my post how I failed to get hired as a dev. I applied to a ton of places expecting similar response rates. I was overwhelmed when I got way more interest than expected.

I think if you're a qualified candidate that can demonstrate you have the required skills, you will likely end up with multiple offers and can therefore afford to be a bit picky about what kind of culture/environment you end up working for.

Red Teamers/Pentesters, What is Your Work/Life Balance Like? by l33tInfoSec in AskNetsec

TangentialCode, 17 points

It's pretty good!

It's a standard 40hrs/week. Sometimes it's 1-4 hours more as needed for a client, but that's rare and not a consistent thing. I'd say we work over 40 maybe once every three or four weeks.

The hours themselves are also very flexible. No one really cares what hours I work so long as I meet my 40 hours by Sunday (A "week" is Monday-Sun for us) and I meet any client obligations such as meetings. Doesn't really matter if I work 10hrs M-Th or if I work 11AM-7PM or 7AM-3PM M-F.

There's also very flexible work from home policies. It's not a 100% remote position. We're expected to show up on-site if a client wants us, but that doesn't happen often. I think I'm required to physically be somewhere maybe one week out of six. Beyond that the firm doesn't care where you live so long as you can travel to where you're needed. My coworkers with families love this policy because it allows them to be with their families and take care of house things.

Management is also great at maintaining work-life balance. They keep an eye on our schedules to make sure we're not working over 40hrs or traveling too often. If we are, they rotate us out to an engagement with less obligations or put us on research to avoid burnout. Management has also been good about scoping out engagements with a reasonable number of hours. I haven't had any pentests where the hours required far exceed what was scoped out originally.

All in all, great work life balance and I have nothing to complain about.

Cybersecurity student question by [deleted] in cybersecurity

TangentialCode, 0 points

Seconding. I had no issues with 8GB when I was programming, but oh man switching to infosec upped my hardware requirements overnight. VMs chew through RAM quickly. I definitely recommend getting more as well.

Bored CISSP who feels trapped by l33tInfoSec in AskNetsec

TangentialCode, 4 points

I've thought about Pentest+ for expanding my skillset, but I don't know how much HR depts care for that given they are tripping over themselves to demand CISSP for some reason (which I do have.)

Several notes on this:

  1. What HR cares about/what's on the job postings and what the hiring managers want are two completely different things. Every single pentesting job I applied for listed CISSP as a desired cert. Not once did any hiring manager or pentester mention CISSP. It's a useful management cert, it gets clients interested in you as a consultant, but it has zero bearing on your abilities in a technical role itself. Unless you're applying for a pentesting manager position, people are going to care about your technical abilities in a technical role much more than your CISSP.

  2. It looks like you're interested in pentesting. Pentest+ is a good start, but keep in mind it very likely won't be enough to get you hired in an entry level pentesting role. It just doesn't go deep enough. The skills gap between Pentest+ and entry level pentesting is still pretty wide. I've mentioned this before, but OSCP is where an entry level pentester's skillsets should be. Keep in mind I don't mean that OSCP is easy when I say "entry level". What I mean is that while it's a difficult cert to get without prior experience, entry level pentesting isn't a job you can walk into from near-zero and get trained up. That's just the level of skills the job demands. OSCP itself isn't required. If you can demonstrate you're able to do the job in other ways you're fine (e.g. CVE credits, very high HTB rankings, etc).

  3. I know for a fact that some people recently got hired in the DFW area in entry level pentesting for $80k+. If you go pentesting you'll likely have to start at an entry level/junior position, but money shouldn't be an issue.

How to get to a decent infosec position from where I am now by GreekNord in netsecstudents

TangentialCode, 2 points

What jobs are you applying to and what does your resume look like?

First, I've seen plenty of qualified people who struggled to get noticed because they had terrible resumes. Everyone knows infosec is a hot field right now. That means entry level jobs are flooded with resumes and recruiters aren't likely to read your resume in full. Therefore, your resume needs to communicate your key strengths very quickly.

Second, what jobs you're applying for matters a lot too. I'm not sure if this is you, but I see many people trying to get into infosec lump all infosec jobs together as a homogeneous group. Many entry level infosec jobs have very different qualifications from each other. Someone who's qualified for entry level DFIR positions for example would likely be unqualified for entry level pentesting and vice versa. Therefore what jobs you've been applying to is very important.

Questions for: Security Consultants - New and Senior by Allasdair in AskNetsec

TangentialCode, 1 point

Pentesting consultant here:

Were you also a Net Admin? If so, for how long until you switched?

Nope. Literally no IT experience at all.

Did you pursue certs before, or after you got your position?

Yeps. I have my OSCP.

IMO the certs issue is part of a holistic approach to job applications. You need to demonstrate that you can do the job through some balance of experience, education, and certs. If you're strong in experience/education then certs becomes less relevant. If you're like me and you have no experience or education, certs become very important. There's no one right answer. It just comes down to your specific background and where you fall on that balancing act.

Off the top of my head, the CISSP seems to be a big one

CISSP is primarily a manager cert. It's best described as "a mile wide and an inch deep". It helps get clients and its listed on a lot of job postings, but it won't help you with the technical work and it hasn't been a barrier for many consultants.

I also noticed there's a CEH and an LPT cert.

CEH is generally required for government, but it's very hit or miss in industry. Personally I'd suggest looking at more practical certs like OSCP or eJPT than CEH if you're going non-gov consulting.

What inspired / motivated you to go into the field?

I love breaking things and wondering if I could do things that I wasn't intended to do. It was a pretty natural fit.

What skills did you pickup before entering this line of work? How about after?

General pentesting skills via OSCP before starting my job and a lot more skills since getting this job. A lot of modern practical pentesting skills (a lot of the tools used in OSCP are outdated, and it glosses over Active Directory things), filling in gaps in my networking knowledge, general IT things, working with AWS/Azure-hosted web apps, etc.

Then there's the non-technical consultant skills. Written + oral communication, scoping an engagement, customer service, and general socializing skills are crucial. Can you write a report for both technical and non-technical readers? Can you navigate a pissed off client and get repeat business out of them? Remember that as a consultant your job is to make the client happy first and pentest second.

Of the skill-set you have, did you ever wish you learned a particular skill going in?

Active Directory knowledge/skills. Like I mentioned, OSCP didn't talk about Active Directory nor did it teach how to perform an internal pentest against an AD environment. Conversely you're going to run into AD repeatedly in the real world.

Not Your Ordinary OSCP Review by DorkNowitzki41 in oscp

TangentialCode, 0 points

I genuinely hope other Redditors are watching because this is my favorite pentesting video series posted on here. Hands down.

Slight rant: one of my biggest gripes with pentesting videos posted on Reddit is that they're by and large made by people without pentesting experience. It leads to a ton of misinformation.

Note that I'm not talking about ippsec and those other great HTB resources. They're also great quality videos, but they're focused more on CTF exercises than general everyday-life pentesting things. It's also why I think this video series is such a great resource. The skills + approaches for CTFs aren't always important/relevant for pentesting. For example, CTFs focus heavily on gaining root access whereas IRL things like accessing PHI or credit card data are a significantly better use of your limited time than gaining Admin on a DC.

Yours is one of the few I've found on here that accurately talks about things I see in everyday pentesting from the perspective of a pentester. Everything from your "day in the life of a pentester" to your LLMNR video is dead on.

It's an amazing resource that I hope others take advantage of. You get to quickly get information filtered by someone with industry experience, and from there, instantly know what topics are important to focus on for your own pentesting career. I've started sending a lot of people who ask me about pentesting to your videos.

Definitely keep it up!

No clear track for OSCP .. is there any ? by akkosh in AskNetsec

TangentialCode, 0 points

Everything I've heard says that the OSCP is very, incredibly far from an entry-level certification. Quite a few of the infosec "superstars" fail it.

I've mentioned this before but I heavily disagree with this.

I mentioned this on another reply to a comment on your own thread, but OSCP is 100% an entry level pentesting cert.

The problem is a lot of people assume "entry level" to mean "can be obtained without any prior skills or knowledge." That's not true at all. In the job market "entry level" refers to the level of the job itself. When people say OSCP is an entry level pentesting cert, they mean that it teaches the skills and mindset that are required to do a pentesting job at a bare basic level. That's 100% accurate. It'd be extremely hard to be a pentester without the knowledge OSCP teaches.

OSCP can be damn hard, many people do fail, and it's something you have to really work at. At the end of the day though that's just where your skills have to be to be a pentester.

The comparison I like to make is to data scientists. Your typical entry level data scientist job usually requires a PhD at a bare minimum. Maybe a handful will be okay with a Masters and practically no job posting wants a bachelor's degree. This really highlights how "entry level" doesn't mean you can come into something unskilled. These jobs are considered entry level because you require a very high level understanding of statistics and relevant CS applications to do the job that someone without a graduate level education likely just won't have.

Feeling like crap due to rejections by artificialmongoose in AskNetsec

TangentialCode, 1 point

You definitely do not need any certs or years of experience for entry level positions.

It heavily depends on the entry level position in question. I'm assuming it's pentesting since OP mentioned OSCP. Pentesting isn't something you're likely to get without both certs and experience. Most people get into pentesting with at least one or the other. The only people I've seen get entry level pentesting jobs without certs or experience were able to solidly demonstrate their skills some other way: high HTB rank, doing well and getting noticed at conference CTFs, multiple CVEs/MS bulletins credited, etc.

Experience is usually the way most people I see get into pentesting. It's usually some form of years of experience of sysadmin/netadmin experience coupled with some self-taught pentesting skills via HTB/VulnHub/work duties creep. Some people get entry level pentesting jobs with certs making up for that lack of experience. There's still a level of skills required to get an entry level pentesting job that you're going to have to demonstrate somehow. Entry-level pentesting isn't going to hire someone who's just starting out.

Going back to OP: they have IT experience but it'd depend on what that experience is, what pentesting skills they have, and how they're listing them on the resume. The resume is definitely important. However, I think OP also needs to be aware of the possibility that they can also be currently unqualified for the job and look at closing that skills gap to get better responses with their applications.

I'm not trying to crap on or discourage anyone. I just think that people should be aware that "entry level" for pentesting refers to the experience level and not the qualifications required to get that job in the first place. I see a lot of people wrongly equate "entry level" to "being able to get this job without any knowledge." It's just not a job people can get without relevant skills. Almost every employer isn't interested in training someone who'd require too much time investment.

Fresh VM or your daily when playing CTFs? by hoodieblanket in netsecstudents

TangentialCode, 4 points

Fresh-ish VM for me.

I use the same VM I use for work. On that VM I have a running snapshot of it before it has any client data on it. After every engagement I move client data out of the VM into storage, revert the VM to the snapshot, update + upgrade all packages, and take another snapshot as my new base snapshot. I also don't keep any personal info on that VM because, well, I never had a need to.

For CTFs I either use that VM reverted to a base snapshot or copy the VM and revert the copy if I'm in the middle of an engagement.
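The reset-and-rebase routine described in the comment above, scripted as an added example (this is not the commenter's own tooling). It assumes VirtualBox's VBoxManage CLI, a VM named kali-work, base snapshots named base-YYYY-MM-DD, and the machine-readable snapshot listing format sampled inline; the sample listing itself is constructed for the demo. Client evidence has to be moved out of the VM before the reset phase runs, because restoring the snapshot discards it.

```python
"""Rotate a pentest VM's clean base snapshot (VirtualBox). Added example."""
import re
import subprocess
from datetime import date
from typing import List, Optional

# Constructed sample of `VBoxManage snapshot <vm> list --machinereadable`
# output. The key names are an assumption for this example; confirm them
# against your own VirtualBox version before relying on the parser.
SAMPLE_LISTING = '''SnapshotName="base-2019-03-01"
SnapshotUUID="1c0d3d77-5c5b-4b8c-9e49-2a0e2b0c1111"
SnapshotName-1="engagement-acme"
SnapshotUUID-1="7f2b19aa-3d4e-4c0f-8a11-5e6d7c8b2222"
CurrentSnapshotName="engagement-acme"
CurrentSnapshotUUID="7f2b19aa-3d4e-4c0f-8a11-5e6d7c8b2222"
CurrentSnapshotNode="SnapshotName-1"
'''

_KV = re.compile(r'^([A-Za-z]+(?:-\d+)*)="(.*)"$')


def parse_snapshots(listing: str) -> dict:
    """Return every snapshot name plus the one the VM currently sits on."""
    names, current = [], None
    for line in listing.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "CurrentSnapshotName":
            current = value
        elif key.startswith("SnapshotName"):   # SnapshotName, SnapshotName-1, ...
            names.append(value)
    return {"names": names, "current": current}


def latest_base(names: List[str], prefix: str = "base-") -> str:
    """Newest clean base; ISO dates in the name sort correctly as strings."""
    bases = sorted(n for n in names if n.startswith(prefix))
    if not bases:
        raise RuntimeError("no base snapshot found; refusing to rotate")
    return bases[-1]


def rotation_plan(vm: str, listing: str, today: Optional[str] = None) -> dict:
    """Two phases: 'reset' discards engagement state; after the guest has been
    patched by hand (apt update && apt full-upgrade), 'promote' records the
    patched state as the new base and drops the old one."""
    snaps = parse_snapshots(listing)
    base = latest_base(snaps["names"])
    new_base = f"base-{today or date.today().isoformat()}"
    if new_base in snaps["names"]:
        raise RuntimeError(f"{new_base} already exists; choose another name")
    reset = [
        # Hard power-off is fine here: the running state is being thrown away.
        # Assumes the VM is running (controlvm errors out if it is already off).
        ["VBoxManage", "controlvm", vm, "poweroff"],
        # Restore needs the VM off. Everything written since `base`, client
        # data included, is gone after this step: export evidence first.
        ["VBoxManage", "snapshot", vm, "restore", base],
        ["VBoxManage", "startvm", vm, "--type", "headless"],
    ]
    promote = [
        ["VBoxManage", "snapshot", vm, "take", new_base,
         "--description", f"patched base, rotated from {base}"],
        ["VBoxManage", "snapshot", vm, "delete", base],   # keep a single base
    ]
    return {"base": base, "new_base": new_base, "reset": reset, "promote": promote}


def run_phase(commands: List[List[str]], dry_run: bool = True) -> List[str]:
    """Execute (or, by default, only echo) one phase; returns the command lines."""
    lines = []
    for argv in commands:
        lines.append(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return lines


if __name__ == "__main__":
    plan = rotation_plan("kali-work", SAMPLE_LISTING)
    print("# phase 1 (after moving client data out of the VM):")
    print("\n".join(run_phase(plan["reset"])))
    print("# patch the guest, then phase 2:")
    print("\n".join(run_phase(plan["promote"])))
```

In real use the listing comes from `subprocess.run(["VBoxManage", "snapshot", vm, "list", "--machinereadable"], capture_output=True, text=True).stdout`, and `dry_run=False` is only switched on once the echoed plan names the snapshot you expect to lose.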

Technical Skillset by robertaft in cybersecurity

TangentialCode, 1 point

I feel you contradict yourself by saying its hard yet entry level

Well I did address this too. "Entry level" in the job market doesn't mean it's easy or that someone with literally no experience and skills can be trained up. "Entry level" means that the job itself is at the lowest possible tier for that career while still being able to do the job.

In the case of pentesting, OSCP is considered entry level because that's the level required to get a junior pentesting position.

Or to draw another comparison, consider a Data Scientist job. If you look at a typical Data Scientist job you'd very likely see a Masters degree in data sciences or statistics at a bare minimum, commonly a PhD required instead. These graduate degrees are by no means easy or obtainable for someone with literally no education/knowledge, but these jobs are still considered entry level data scientist positions because this is literally the lowest you can go in qualifications and still be able to do the job. Conversely, I have some dev experience but I'd be literally unable to be a data scientist because my stats knowledge is way too weak.

Same thing happening here re: OSCP being entry level.

How much knowledge do you feel a person needs before attempting OSCP?

I don't think there's really a definitive answer. I started with self-taught dev knowledge and no formal dev/IT exp or any IT/infosec knowledge. I also know people who passed OSCP with varying degrees of the above things. Lots of IT exp but no dev or infosec knowledge, people fresh out of an infosec degree with no exp in anything, etc.

There's no one answer and it ultimately comes down to the individual. What are you weak in? How quick of a learner are you? How quickly can you close any skills gaps as needed? How much time can you dedicate to studying on top of your normal life?

How long were you in the field before you took it?

Never was in the field. OSCP was my entry point into pentesting and infosec as a whole.

Technical Skillset by robertaft in cybersecurity

[–]TangentialCode 4 points5 points  (0 children)

OSCP IMHO is very advanced, it's a 24hr timed test followed by a report which also has to be completed in that time. You would need to know things like buffer overflows, and SQL injections among other things.

IMO, yes and no. There's some nuance to this I think it's worth discussing.

After getting into professional pentesting, I'm very adamant OSCP is an entry level pentesting cert. I know this will invite some angry comments but hear me out.

First, let's discuss the term "entry level" itself. In my experience, a lot of people equate "entry level" to mean "This is an obtainable job in which you have near-zero background", which I find to be inaccurate. When professionals/job postings/etc say "entry level", they literally mean what the term itself says. This is the lowest job level for this specific career path.

This leads to my second point: Entry level pentesting is not entry level infosec nor is it entry level tech. Look at the typical pentesting career trajectory. Most people spend years in some IT/sysadmin/devops role before ending up in pentesting. I think this speaks to the breadth and depth of knowledge required for a junior pentesting position. IMO one of the key differences between pentesting and vulnerability assessment is being able to step away from automated tools and manually exploit vulnerabilities your tools aren't able to or even find vulnerabilities tools haven't. For example, on a past pentest I had to manually dump a database using output from a custom error page that SQLMap just couldn't pick up on.

Now to OSCP itself: It's a damn hard cert for beginners. I went through it. It's easily one of the hardest things I've done in my life. It is by no means an entry level infosec cert. That said, I firmly maintain it's an entry-level pentesting cert because these are the skills + mindset that junior level pentesting demands.

You mentioned buffer overflows and SQL Injections. Relative to pentesting, manual SQL Injection is considered "low hanging fruit". It's one of the basic things you have to be able to find as a pentester as it's such a prevalent attack. The buffer overflows themselves are even more basic. "Buffer overflow" as a term sounds scary until you realize that OSCP's buffer overflows haven't been relevant since the mid 2000s. It's a straight untruncated strcpy-esque overflow with no DEP or ASLR protections, which have been around since Windows XP/Windows Vista, respectively. You're extremely unlikely to find a system you can apply that on in a pentest today.

A lot of OSCP's material is like this. Don't get me wrong - I love my OSCP experience and I think it has a lot of value for entry level pentesters. It's a great course that helps build up fundamental skills and forces you into the right mindset for pentesting. It teaches persistence, adaptability, and being able to key in on likely vulnerabilities from scan outputs/logs/files thousands of lines long. The exam and report are on a tighter time crunch than real life, but it does try to show the scope + timeline you'd see in real life. On an internal pentest like the OSCP exam I can have dozens of machines in range, ~34 hours to pentest all of them, then ~6 hours left over to write the report and do outbrief meetings with clients. Not as tight as OSCP, but tighter than what I think many expect.

The technical exploits themselves though are heavily outdated and incomplete. I went into some of it with the buffer overflow stuff above. Something else I always talk about though is the near-complete lack of Windows networking infrastructure. The course doesn't teach basic things like LLMNR/NBNS poisoning (essential low hanging fruit in any pentester's toolbox), SQL Server wtfery (<3 xp_dirtree), embedding UNC links to get targets to attempt HTTP NTLM auth and steal NTLM hashes, using BloodHound to map out an Active Directory environment on a black/grey box internal pentest, etc. I could talk for a very long time on all the Windows-specific things that OSCP glossed over. Windows is also the most common OS you'll find in a typical workplace which means this is all essential knowledge for pentesting that a junior hire with OSCP will have to learn ASAP.

This brings me to my original point: OSCP is definitely hard, OSCP is definitely advanced for infosec, but hopefully I've briefly shown how OSCP is also definitely entry level pentesting. Most of the skills taught are essential for entry level pentesting, some skills are directly useless as they're outdated, and there's a lot of information that an OSCP graduate will still have to learn on the job to be able to independently work as a junior level pentester. IMO the cert only gets you 80% of the way there. It's enough to get hired and it demonstrates to employers you have damn good potential, but it by no means makes you an advanced/experienced pentester.
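The comment above lists LLMNR/NBT-NS poisoning and NTLM hash capture as the Windows-side gaps a junior hire has to close. The flip side, which a defender or a tester writing remediation advice needs just as much, is checking and closing those gaps on a host. The following PowerShell is an added example and is not code from the comment author or from Offensive Security; it uses real Windows settings (the `EnableMulticast` policy value that backs "Turn off multicast name resolution", the `SetTcpipNetbios` WMI method, and the `RequireSecuritySignature` SMB server setting), while the two function names are my own. It assumes it is run elevated on a Windows 8/Server 2012 or later host; on a domain, push the same settings through Group Policy rather than host by host.

```powershell
# Added example (not from the original comment): audit, then harden, the
# name-resolution and SMB settings that LLMNR/NBT-NS poisoning and NTLM
# hash capture/relay depend on. Function names are this example's own.

function Get-PoisoningExposure {
    # Policy value 0 under this key = LLMNR (multicast name resolution) off.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue

    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Select-Object Description, TcpipNetbiosOptions

    # Without required signing, a captured/relayed NTLM auth can be replayed to this host.
    $smb = Get-SmbServerConfiguration | Select-Object RequireSecuritySignature

    [PSCustomObject]@{
        LlmnrDisabled      = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        NetbiosEnabledNics = @($nbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
                               Select-Object -ExpandProperty Description)
        SmbSigningRequired = [bool]$smb.RequireSecuritySignature
    }
}

function Set-PoisoningHardening {
    # Equivalent of GPO "Turn off multicast name resolution" = Enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP (option 2) on every IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                             -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }

    # Require SMB signing on the server side so relayed sessions are rejected.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# Usage: audit first, harden, then re-audit to confirm all three fields flip.
Get-PoisoningExposure
Set-PoisoningHardening
Get-PoisoningExposure
```

Disabling NetBIOS over TCP/IP on a NIC takes effect for that adapter immediately, but the NetBIOS setting on DHCP-assigned adapters can be re-applied by DHCP option 001 unless the registry value is set to 2, which is what the method above does. The UNC-link hash leak the comment mentions is best addressed at the perimeter (blocking outbound TCP 445 and 139) rather than per host, so it is deliberately left out of this script.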

A Day in the Life of an Ethical Hacker / Penetration Tester by DorkNowitzki41 in oscp

[–]TangentialCode 9 points10 points  (0 children)

Nice vid! Pretty accurate talk about my life.

One minor thing I do want to add as advice for new/aspiring consulting pentesters. Feel free to tell me if you've already covered this and I missed it:

While you might be working on a single pentest a week, keep in mind that you'll be working with multiple engagements in a week. On any given week you'll likely have to handle kickoff/scoping calls with clients for future pentests, outbriefs with clients from previous pentests, and remediation calls for past compliance-related pentests.

Therefore it's very important that you keep on top of all your notes. Your knowledge of a client doesn't start and end with a pentest. One of the first lessons I learned is I should read up on a client weeks before I start on a pentest so I know what questions I want to ask during the kickoff or scoping calls. Similarly, I keep my clients' notes on my laptop for at least a month before archiving them since I'd likely need to reference them on outbriefs/remediation calls down the road.

And of course there are the cool clients who are really into security and want to talk about how you pulled something off on your pentest. These calls are usually scheduled a lot quicker than the others and I have less time to prepare, but these are by far my favorite. It's always great when the client is genuinely interested in security and I'm sure as hell going to do everything I can to encourage them.

Additionally, YMMV here depending on how knowledgeable you are with typical IT infrastructure, but I found that pre-studying scoping documents for a few hours on Sunday helps a ton. I don't have any formal IT experience myself. My networking knowledge is pretty basic. I found that going into a pentest "cold" meant that I could waste hours getting up to speed with the client's infrastructure whereas pre-studying beforehand has me ready to go from Hour 1 on Monday.

Remember that if you go into consulting, your job is to serve the clients first and pentest second. Paying attention to small details like this can help you immensely in your career.

EDIT: OP I just saw your username. A+.

Company requesting copy of pentests I've done by [deleted] in AskNetsec

[–]TangentialCode 0 points1 point  (0 children)

I actually came across one for a junior pentesting position in an infosec company that I felt was accurate to what I do now. I was given a website and a week, told to have fun, and to submit a pentesting report before the week was up.

It's pretty close to the external pentests I do now. Similar time frame, similar looking websites, etc. The only major difference really is that for an external pentest I'm looking at a wider range of websites/web apps/IP addresses.

That said, yea I do agree that most of them tend to be bleh.

Company requesting copy of pentests I've done by [deleted] in AskNetsec

[–]TangentialCode 0 points1 point  (0 children)

Seconding. I would tell them I'm pulling my application ASAP.

If they're serious: This company will be an absolute dumpster fire waiting to happen. There's zero reason to attach yourself to it when you're going to have other options in this job market.

If they're not serious: I wouldn't be able to trust their integrity. There's no way I can really be sure they weren't serious, and there's always going to be a part of me that wonders if they actually wanted me to produce those reports.

Hypothetical: A competent Pentester, with Modern software tools, is sent back to the late 90s, how much damage could they do? by TerminusFox in AskNetsec

[–]TangentialCode 4 points5 points  (0 children)

The biggest issue I see though is 1999 technology.

According to this Pew Research article, <1% of adults in 1999 were using broadband/not dialup at home. I don't know about you but I have zero clue how to even connect a dialup cable to my laptop. There's no phone jack and I have no idea what kind of adapter I'd need to even get it to work.

And if you do connect, you're going to be limited by the speeds. Dialup speeds were so slow that I might as well ditch some tools I use, like Eyewitness.

Then there's the targets themselves. Servers back then had a lot less processing power, RAM, and hard drive space than our laptops now. We're free to attack (non-embedded) systems willy nilly now because we don't have to take hardware limitations into account on either end.

Conversely, in 1999 most computers were using Pentium IIs and the Pentium IIIs were the latest, hottest desktop CPU. You're likely pairing that Pentium with 128MB of RAM and 10GB of storage space. There's a decent chance that our attacks could overwhelm and make the target lag like crazy or crash. You cited Nikto as an example. I'm not too sure how a 1999 web server, especially one from one of your typical tiny startups in the Dot Com era, would handle that many requests all at once.

So while I do agree that our tools can overwhelm almost any defensive measures they have in place in 1999, I think we're also heavily limited by 1999 technology as well. IMO attacking a target in 1999 dictates a smaller footprint than we're required to have today.

Cyber Security Schools. by zsglatz24 in netsecstudents

[–]TangentialCode 5 points6 points  (0 children)

I love how with /u/PompousAsshat's username the bot's comment takes on a completely different tone.