OSCP(Offensive Security Certified Professional)

Introduction

If you're intrigued by the world of cybersecurity and eager to dive into the realm of ethical hacking, the Offensive Security Certified Professional (OSCP) certification is undoubtedly a name you've come across. In this article, we'll explore what OSCP is, why it's highly regarded, and how it can kickstart your career in penetration testing.

Cracking the OSCP Exam: An Unparalleled Challenge
The Virtual Battlefield: Simulating Real-World Scenarios
The Countdown: Time Management and Documentation
Mastering the Report: Documenting Your Exploits
The High Stakes: Striving for Points and Precision
Unveiling the Proctor: Virtual Surveillance and Compliance
The Exam Centered Approach: Penetrating Five Machines
Points and Goals: Understanding the Scoring System
Beyond the Basics: Bonus Points and Lab Mastery
The Quest for Success: What OffSec Doesn't Disclose
Course content of OSCP
Conclusion

1. Cracking the OSCP Exam: An Unparalleled Challenge

The OSCP exam isn't just a test; it's an immersive experience that challenges your skills, knowledge, and resilience. It's designed to push you beyond your limits and assess your practical abilities in the field of penetration testing.

2. The Virtual Battlefield: Simulating Real-World Scenarios

Imagine being placed in a virtual network – your battlefield. You're given 23 hours and 45 minutes to conquer vulnerable machines. This environment mirrors real-world scenarios, where identifying and exploiting vulnerabilities is your mission.

3. The Countdown: Time Management and Documentation

Time is of the essence. Effective time management is key to success. Remember, you have an additional 24 hours after the exam to submit the required documentation. Every moment counts.

4. Mastering the Report: Documenting Your Exploits

The documentation aspect of the OSCP exam is as crucial as the penetration itself. You're expected to provide a detailed, step-by-step report of your exploitation process for each target. Your documentation should be clear enough for a technically skilled reader to replicate your every move.

5. The High Stakes: Striving for Points and Precision

In this high-stakes exam, you'll face a total of five machines. Three independent machines hold the key to 60 points, while two client machines offer 40 points. The magic number for success is 70 points. Precision and accuracy are paramount.

6. Unveiling the Proctor: Virtual Surveillance and Compliance

During the exam, you're under the watchful eye of a virtual proctor. Screen sharing, chat, and webcam monitoring ensure compliance. It's an intense experience that adds to the authenticity of the exam environment.

7. The Exam Centered Approach: Penetrating Five Machines

Your ultimate goal is to compromise all five machines. Each victory demonstrates your prowess in different aspects of penetration testing and vulnerability exploitation.

8. Points and Goals: Understanding the Scoring System

Understanding the scoring system is essential. Each machine has its point value, and earning bonus points by completing specific tasks in the labs can boost your overall score.

9. Beyond the Basics: Bonus Points and Lab Mastery

Strive for excellence by aiming for those coveted bonus points. Completing a minimum of 10 lab machines with detailed reports earns you extra points. This not only enhances your score but also showcases your dedication to learning.

10. The Quest for Success: What OffSec Doesn't Disclose

Offensive Security keeps the number of OSCP-certified individuals and the exam success rate a closely guarded secret. They believe that the experience varies for each candidate and that statistics might influence potential test-takers unnecessarily.
As you prepare to conquer the OSCP exam, remember that the journey itself is a priceless learning opportunity. The skills you hone, the challenges you overcome, and the documentation you craft are all invaluable assets on your path to becoming an accomplished penetration tester.

Course content of OSCP exam

Module1: Penetration Testing with Kali Linux

Accessing the internal VPN Lab Network
Offensive Security Student Form
Introduction to Penetration Testing
MegaCorpone.com and Sandbox.local Domains
PWK VPN Labs
Reverts
Control Panel
Client Machines
Kali Virtual Machine
Reporting
PWK Report

Module2: Kali Linux

Botting Up Kali Linux
Kali Menu
Kali Linux Support Forum
Kali Linux Bug Tracker
Linux Filesystem
Linux Commands
Finding Files in Kali Linux
Handling the Kali Linux Services
HTTP Service
SSH Service
Installing, Searching, and Removing the Tools
Apt update and upgrade
Apt - cache search and apt show
apt remove - purge
dpkg

Module3: Command Line

Section 3.1: Bash Environment

Environment Variables
Bash History Tricks
Tab Completion

Section 3.2: Piping and Redirection

Redirecting to the new file
Redirecting to the Existing File
Redirecting from the File
Redirecting STDERR
Piping

Section 3.3: Text Searching and Manipulation

sed
grep
awk
cut

Section 3.4: Editing Files from a command file

Vi
nano

Section 3.5: Comparing Files

diff
comm
vimdiff

Section 3.6: Handling Processes

Background Process
Process Control: kill and ps
Jobs Control: jobs and fg

Section 3.7: File Monitoring and Command Monitoring

Watch
Tail

Section 3.8: Downloading the files

curl
axel
wget

Section 3.9: Customizing Bash Environment

Customizing Bash History
Persistent Bash Customization
Alias

Module4: Practical Tools

Section 4.1: Netcat

Connecting to the TCP/UDP Port
Listening on the TCP/UDP Port
Transferring the Files with Netcat
Remote Administration with Netcat

Section 4.2: Socat

Differentiate Netcat and Socat
Socat Reverse Shells
Socat File Transfers
Socat Encrypted Bind Shells

Section 4.3: Powercat and PowerShell

PowerShell Reverse Shells
PowerShell File Transfers
PowerShell Bind Shells
Introduction to Powercat
Powercat Reverse Shells
Powercat File Transfers
Powercat Bind Shells
Powercat Stand-Alone Payloads

Section 4.4: Wireshark

Wireshark Fundamentals
Starting Wireshark
Display Filters
Capture Filters
Following TCP Streams

Section 4.5: TCPdump

Filtering the Traffi
Advanced Header Filtering

Module5: Bash Scripting

Variables
Arguments
If, If-Else, Else Statements
Reading User Input
Boolean Logical Operations
For Loops
While Loops
Functions

Module6: Passive Information Gathering

Website Recon
Google Hacking
Whois Enumeration
Recon-ng
Netcraft
Open-Source Code
Security Headers Scanner
Shodan
SSL Server Test
Pastebin
Email Harvesting
User Information Gathering
Password Dumps
Email Harvesting
Site-Specific Tools
Social Media Tools
Stack Overflow
OSINT Framework
Maltego

Module7: Active Information Gathering

Section 7.1: DNS Enumeration

Interaction with the DNS Server
Forward Lookup Brute Force
Automating Lookups
Reverse Lookup Brute Force
Relevant Tools in Kali Linux
DNS Zone Transfers

Section 7.2: Port Scanning

UDP/TCP Scanning
Port Scanning with the Nmap
Masscan

Section 7.3: SMB Enumeration

Scanning for NetBIOS Service
Nmap SMB NSE Scripts

Section 7.4: NFS Enumeration

Scanning for the NFS Shares
Nmap NFS NSE Scripts

Section 7.5: SMTP Enumeration

Section 7.6: SNMP Enumeration

SNMP MIB Tree
Scanning for the SNMP
Windows SNMP Enumeration

Module8: Vulnerability Scanning

Section 8.1: Introduction to Vulnerability Scanning

How Vulnerability Scanners Work
Manual vs. Automated Scanning
Internal Scanning vs. Internet Scanning
Unauthenticated vs. Authenticated Scanning

Section 8.2: Vulnerability Scanning with Nessus

Nessus Installation
Specifying Targets
Configuring Scan Definitions
Unauthenticated and Authenticated Scanning with Nessus
Scanning with Individual Nessus Plugins

Section 8.3: Vulnerability Scanning with Nmap

Module9: Web Application Attacks

Section 9.1: Web Application Enumeration

Inspection URLs
Inspecting Page Content
Inspecting the SiteMaps
Locating the Administration Consoles

Section 9.2: Web Application Assessment Tools

Burp Suite
Nikto
DIRB

Section 9.3: Web-Based Vulnerabilities

Exploiting the Admin Consoles
File Inclusion Vulnerabilities
Cross-Site Scripting
Directory Traversal Vulnerabilities
SQL Injection

Module10: Buffer Overflows

Section 10.1: x Architecture

Program Memory
CPU Registers

Section 10.2: Buffer Overflows

Sample Vulnerable Code
Immunity Debugger
Navigating Code
Overflowing the Buffer

Module11: Windows Bufferflows

Section 11.1: Discovering the Vulnerability

Fuzzing HTTP Protocol
Win Buffer Overflow Exploitation

Section 112: DEP, ASLR, and CFG

Replicating the Crash
Controlling EIP
Discovering Space for Our Shellcode
Checking for the Bad Characters
Redirecting the Execution Flow
Finding the Return Address
Generating Shellcode with Metasploit
Getting the Shell
Enhancing the Exploit

Module12: Linux Buffer Overflows

DEP, ASLR, and Canaries
Controlling EIP
Replicating the Crash
Checking for the Bad Characters
Discovering Space for the Shellcode
Finding the Return Address
Getting the Shell

Module13: Client-Side Attacks

Section 13.1: Client Information Gathering

Passive Client Information Gathering
Active Client Information Gathering

Section 13.2: Leveraging the HTML Applications

HTA Attack in Action
Exploring the HTML Application

Section 13.3: Exploring Microsoft Office

Microsoft Office Installation
Object Embedding and Linking
Microsoft Word Macro
Evading the Protected View

Module14: Locating Public Exploits

Searching Online Exploit Resources
Searching Offline Exploit Resources

Module15: Fixing the Exploits

Section 15.1: Fixing the Memory Corruption Exploits

Introduction and Considerations
Importing and Reviewing the Exploits
Cross-Compiling the Exploit Code
Modifying the Socket Information
Modifying the Return Address and Payload
Modifying the Overflow Buffer

Section 15.2: Fixing the Web Exploits

Introduction and Considerations
Choosing the Vulnerability
Modifying the Connectivity Information
Troubleshooting “index out of range” error

Module16: File Transfers

Section 16.1: Preparations and Considerations

Dangers of Transmitting the Attack Tools
Installing the Pure - FTPd
Non-Interactive Shell
Section 16.2: Transferring the Files the Windows Hosts
Non-Interactive FTP Download
Windows Downloads using the Scripting Language
Windows Downloads with exe2hex and PowerShell
Windows Uploads using the Windows Scripting Languages
Uploading Files with TFTP

Module17: Antivirus Evasion

Section 17.1: Define Antivirus Software

Section 17.2: Methods of Identifying the Malicious Code

Signature-Based Detection
Behavioral and Heuristic-Based Detection Section 17.3: Eluding the Antivirus Detection
On-Disk Evasion
In-Memory Evasion
AV Evasion

Module18: Privilege Escalation

Section 18.1: Information Gathering

Manual Enumeration
Automated Enumeration

Section 18.2: Examples for Windows Privilege Escalation

Windows Privileges and Integrity Levels
User Account Control
User Account Control Bypass
Insecure File Permissions
Leveraging the Unquoted Service Paths

Section 18.3: Linux Privilege Escalation Examples

Linux Privileges
Insecure File Permissions: /etc/passwd case study
Insecure File Permissions: Cron Case Study
Kernel Vulnerabilities: CVE-7-2 Case Study

Module19: Password Attacks

Section 19.1: Wordlists

Standard Wordlists

Section 19.2: Brute Force Wordlists

Section 19.3: Common Network Service Attack Methods

HTTP htaccess Attack with Medusa
Remote Desktop Protocol Attack with the Crowbar
HTTP POST Attack with THC-Hydra
SSH Attack with THC - Hydra

Section 19.4: Leveraging the Password Hashes

Retrieving the Password Hashes
Password Cracking
Passing the Hash in Windows

Module20: Port Redirecting and Tunneling

Section 20.1: Port Forwarding

RINETO

Section 20.2: SSH Tunneling

SSH Local Port Forwarding
SSH Remote Port Forwarding
SSH Dynamic Port Forwarding

Section 20.3: PLINK.exe

Section 20.4: NETSH

Section 20.5: HTTP Tunnel-ing Through the Deep Packet Inspection

Module21: Active Directory Attacks

Section 21.1: Active Directory Theory

Section 21.2: Active Directory Enumeration

Conventional Approach
A Modern Approach
Resolving Nested Groups
Currently Logged on the users
Enumeration using the Service Principal Names

Section 21.3: Active Directory Authentication

Kerberos Authentication
NTLM Authentication
Service Account Attacks
Cached Credential Storage and Retrieval
Slow and Low Password Guessing

Section 21.4: Active Directory Lateral Movement

Pass the Hash
Overpass the Hash
Distributed Component Object Model
Pass the Ticket

Section 21.5: Active Directory Persistence

Domain Control Synchronization
Golden tickets

Module22: Metasploit Framework

Section 22.1: Metasploit Setup and User Interface

Getting Familiarised with MSF Syntax
Metasploit Database Access
Auxiliary Modules

Section 22.2: Exploit Modules

SyncBreeze Enterprise

Section 22.3: Metasploit Payloads

Non-Staged vs Staged Payloads
Experimenting the Meterpreter
Meterpreter Payloads
Executable Payloads
Client-Side Attacks
Metasploit Exploit Multi Handler
Advanced Features and Transports

Section 22.4: Building Own MSF Module

Section 22.5: Post-Exploitation with Metasploit

Core Post-Exploitation Features
Post-Exploitation Modules
Migrating Processes
Pivoting with the Metasploit Framework

Section 22.6: Metasploit Automation

Module23: Powershell Empire

Section 23.1: Installation, Usage, and Setup

PowerShell Empire Syntax
Stagers and Listeners
Empire Agent

Section 23.2: PowerShell Modules

Situational Awareness
Credential and Privilege Escalation
Lateral Movement

Section 23.3: Switching Between Empire and Metasploit

Module24: Penetration Test Breakdown

Section 24.1: Public Network Enumeration

Section 24.2: Targeting the Web Application

SQL Injection Exploitation
Web Application Enumeration
Cracking the Password
Enumerating Admin Interface
Obtaining the Shell
Post-Exploitation Enumeration
Creating the Stable Pivot Point

Section 24.3: Targeting Database

Enumeration
Trying to Exploit the Database

Section 24.4: Depper Enumeration of Application Server

More Deeper Post Exploitation
Searching for the DB Credentials
Privilege Escalation

Section 24.5: Targeting Database Again

Exploitation
Post-Exploitation Enumeration
Creating the Stable Reverse Tunnel

Section 24.6: Targeting the Poultry

Exploitation (or just logging in)
Enumeration
Post-Exploitation Enumeration
Unquoted Search Path Exploitation

Section 24.7: Internal Network Enumeration

Reviewing the Results

Section 24.8: Targeting Jenkins Server

Exploiting Jenkins
Application Enumeration
Privilege Escalation
Post Exploitation Enumeration

Section 24.9: Targeting Domain Controller

Exploiting Domain Controller

Conclusion

In conclusion, embarking on the journey of the Offensive Security Certified Professional (OSCP) exam is an unparalleled adventure into the world of ethical hacking. This intensive examination isn't just a test of knowledge; it's a test of determination, adaptability, and problem-solving skills. The OSCP exam challenges candidates to push their boundaries, simulate real-world scenarios, and prove their expertise in penetration testing.
As you navigate the virtual battlefield, remember that time is your ally. Effective time management, coupled with meticulous documentation, is the key to conquering the exam successfully. Every step you take in penetrating the machines contributes to your journey towards mastery.
Crafting detailed reports isn't just a formality; it's an art that showcases your technical acumen. Your ability to replicate your actions in a way that others can follow demonstrates your depth of understanding and hands-on experience.
The scoring system, the virtual proctoring, and the diverse machines you encounter all add layers of authenticity to this intense experience. As you strive for points, remember that it's not just about the numbers; it's about demonstrating your ability to dissect complex challenges and find effective solutions.
While OffSec keeps certain statistics under wraps, one thing is certain: the journey through the OSCP exam is a transformative one. It equips you with skills that go beyond passing a test; it equips you with the ability to safeguard digital landscapes and contribute meaningfully to the world of cybersecurity.
So, as you prepare to take the leap into the OSCP exam, embrace the challenge with enthusiasm. The knowledge gained, the skills polished, and the resilience developed are the true rewards of this remarkable journey. The OSCP certification isn't just a badge; it's a testament to your dedication, growth, and expertise in the realm of ethical hacking.

FAQ

1. Can I use my phone during OSCP?

You are not allowed to use, and there should be no other electronic devices other than what is shared with the Proctoring tool session in your exam workstation.

2. How much time do I have for the OSCP exam?

Candidates have 23 hours and 45 minutes to complete the OSCP exam, followed by an additional 24 hours to submit required documentation.

3. What kind of documentation is required for the OSCP exam?

Candidates need to provide a comprehensive penetration test report for each target, detailing all the steps, commands, and console output used to exploit vulnerabilities.

4. How many attempts are there for OSCP?

You may retake the OSCP exam as many times as you need, subject to a cooling off period. OSCP retakes have a fee of $249.

5. What is the significance of bonus points in the OSCP exam?

Bonus points are earned by completing specific tasks in the labs. For instance, completing at least 10 lab machines with detailed reports can earn candidates additional points.

6. Is the OSCP exam proctored?

Yes, the OSCP exam is proctored via a virtual connection that includes screen sharing, chat, and webcam monitoring (without audio).

7. Does OSCP exam expire?

OffSec's certifications such as the OSCP do not expire: once a candidate earns them, they are valid indefinitely.

8. What is the age limit for OSCP?

Before you can take the OSCP exam you must finish the PWK course which will prepare you to take the exam. You must be 18 years of age, and ask that you have prior experience with TCP/IP networking, Linux, and Bash scripting.

9. What tools are banned in OSCP?

You cannot use any of the following on the exam: Spoofing (IP, ARP, DNS, NBNS, etc) Commercial tools or services (Metasploit Pro, Burp Pro, etc.) Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)

10. How does OSCP impact a cybersecurity career?

Earning the OSCP certification can open doors to various job opportunities, including roles such as penetration testers, security analysts, and vulnerability assessors.

What is OSCP?