Friday, October 3, 2014

OSCP - A crash course in brain surgery

Everyone who has gone through the OSCP process has a story to tell.

I had been mulling it over for years, but things kept getting in the way. I always thought of it as the "kali course" or "backtrack course." I was intrigued, but as I've been doing this job for quite a while, I didn't prioritize it.

I wish I had done this much, much, much sooner.

Waxing intellectual about the state of the field

Before you go any further, ask yourself why you are doing this and if you have the right tools for this.

Pentesting is "5 minutes of 'fun' and 5 hours of paperwork." If I've trained you, or you've asked me about my job or InfoSec in general, you've heard me say that repeatedly. I'll say it again.

Anyone can break into a server, workstation or network with enough commitment.

Father time is undefeated.

Being a great pentester or infosec specialist means being able to explain an attack, exposure or risk in an easily digestible format. My general rule is that you should be able to hand your report off to a 10 year old and they can understand what needs to be done and why. Your job is not to root every server you touch, trick every user into clicking your phishing emails or make IT staff melt down after commandeering their workstations remotely. Your job is to understand and demonstrate risks to an organization so that they are able to meaningfully act upon your report, improving their security posture.

If you can't explain an attack, prove it was successful, and suggest a remediation based on your knowledge, all while providing the data, documentation and social skills needed to survive a possibly contentious or confrontational hand-off meeting, you are in the wrong business.

You are in a job where if you're doing your job correctly, unfortunately, you're going to be making people look bad. People may (and do) have their employment terminated based on your findings. It's not "fun", "sexy" or even "exciting" most of the time. It's research, documentation and adaptability. It's 30 hour sessions, learning about a subject that takes years of mastery in a few hours. It's like spinning plates in a minefield, except those plates are about 100 yards apart and you're blindfolded.

...that's the 10,000 foot view of your role as a trusted advisor...

There's much more to it than that.

Information Security is big business. It's getting MUCH bigger thanks to a multitude of factors. Regulations, criminals, APTs, media reports and the steady stream of sensationalist news channel fodder are just a few.

With all of that, people are attracted to the business for a variety of reasons. Most of the time the reasons are

  • Money
  • Esteem
  • Knowledge
  • Ego

There's nothing wrong with any of them, necessarily. Expectations are the problem.

You're not going to get incredibly rich in this business. You'll do very well for yourself. If your only motivation is money, you're a risk. Teaching someone without ethics who is also motivated by money how to perform illegal acts in ways that are hard to catch is extremely stupid.

Those folks tend to wash out quickly. They move on to the next "big thing." Even if they're ethical, they're not putting the time in to hone their skills and knowledge.

Esteem, respect? A pentester craves not these things.

As simple as it is to pull off some basic yet devastating attacks, the knowledge to avoid them, remediate them or identify an attack when it's occurring is the one reason you should be taking the course. It's a huge commitment.

I've been doing this for a long time. I thought I was very good at it. If there is anything I've learned in this course it's to be humble, take some pain, and only through sufferance will true enlightenment occur. ;) Heh, heh, heh.

The good stuff...

If you've made it through all of that, thank you for sticking it out.

From the OSCP site:

"The Offensive Security Certified Professional (OSCP) is the world’s first completely hands on offensive information security certification. The OSCP challenges the students to prove they have a clear practical understanding of the penetration testing process and lifecycle through an arduous twenty four (24) hour certification exam."

OSCP is a crash course in brain surgery. Plain and simple. You're handed some materials, run through some extremely focused technical videos, labs and exercises and left to explore a network completely foreign to you with just about every OS flavor you can imagine. You have nothing to go on except for your wits, the skills you brought with you (or learned) and a Kali Linux machine.

A lot of security and IT courses like to overstate how arduous, taxing or comprehensive they are. They like to tell you how relevant they are, how much they're in demand (or will be.) Many like to tell you how you're going to become a rockstar after reading a book, memorizing terms and procedures and regurgitating them in a timed multiple choice exam.

I compare those things to watching ER for a few weeks and then calling yourself a cardiologist.

OSCP/Pentesting with Kali is none of those.

I say, without qualification, that OSCP is the single most difficult technical challenge I have ever taken on (...and I do this for a living.)

You're cut loose with a list of initial IPs. All information gathering and enumeration is your job, just like the real world. It's black box pentesting. The goal is to equip you with the same tools the "bad guys" have.

You're going to lose all of your free time. Your spouse is going to forget who you are. You're going to dream about servers and problems. You're going to wake up in the middle of the night with a sore forehead from banging your head on the keyboard. You're going to run to your computer, freshly inspired with something you overlooked, and 8 hours later, finally get that /etc/shadow file you covet.

You are going to hate the world.

Luckily, there are great rewards in all of this. There are machines you're going to "pop a shell" on easily and buzzsaw through. They've done a great job of tuning the difficulty and rewards to drive you insane but give you a real sense of achievement when you're done with a machine. You're going to fully understand the insanity, complexity and humility required to do this job. It's grueling.

I do take issue with a few things. The biggest issue I have with the course is the lack of straightforward support from the course designers. The forums are good, the IRC channel is hit and miss and the infamous "try harder" philosophy of providing support is not helpful.

The forums are great as they're archival and a resource without giving anything away. They're very mindful of the overarching theme of "try harder" without being obnoxious about it. You won't get quick responses, but you can get a nudge in the right direction.

The IRC channel is a mixed bag. Your best bet is developing a core of folks you trust and that know their stuff. I've found myself helping others without asking questions. I don't want to ask questions or have anything come easy but occasionally I've reached out to others to see what their opinions are. This is key to survival. A fresh perspective and walking away for a few hours will often be beneficial.

You'll find a few folks begging or lying to get more information. I've run into this a few times. I understand a bit more why the "try harder" response is so prevalent. Some people just want the letters or have it handed to them. I polled to see who wanted to discuss PAIN and got a quick response. I was asked what I had found and I pounded it out furiously, anxious to compare notes. The reply: "I got nothing. thanks for the info. that's a good start." I wanted to defenestrate the guy.

(funny sidenote: I jumped back into the channel and saw this person poll again on it. I found who he was discussing with, copy/pasted my conversation and said, "If he tells you any of this, here's where he got it." The reply was hilarious and that idiot was NOT happy with what happened next.)

To be continued...
