1

I wanted to ask a few questions, mainly referred to those who completed OSCP or who know about it.

I want to take the course, I know that understanding of TCP/IP, IP subnetting and addressing and routing is needed, and also bash skills, and knowing python is a plus.

I wanted to study python from learnpythonthehardway.org (referred by Offsec), but I have a question about the networking part: is implementation of sockets in python needed, for instance? Or only understanding of how TCP/IP, subnetting, routing, addressing work and operate is enough?

Also is Ruby needed (I know it's used for creating metasploit modules, is it needed?)

And lastly, is knowledge about Nmap needed? or is it taught throughout the course?

schroeder
Jonathan

3 Answers

2

Absolute statements regarding OSCP

  • You DO NOT require coder kind of skills. (Therefore, one is wasting his time learning hardcore programming for OSCP. Although it's always a plus if you have some coding skills in your arsenal.)
  • Basic scripting is needed. (It is also limited to python and shell scripting.)
  • A complete Networking Nerd. (You should be able to eat and digest the entire TCP/IP)
  • Love Linux (My choice would be to enslavement! but a decent knowledge of Linux usage is enough)
  • Exposure to Exploits/pentesting methodology (In my view this part is more important because this one tells you "How to go about your business")
Youbecks003
  • I'm pretty new to the information security field, and I don't think I was exposed to exploits/pentesting methodology yet. I do read about networking currently, about the things I mentioned, and also about Python. – Jonathan Jun 26 '16 at 15:31
  • @J.J For the last part take Metasploit Unleashed. And I only included pentesting methodology because it will point ...where to hit next! – Youbecks003 Jun 26 '16 at 17:33
  • Thanks! I really appreciate the quick reply! Do you agree with the person down this page (kazhtaco)? That the course isn't to introduce the subjects? I thought it was meant to introduce to stuff and teach you how to use them. And I assume that you did OCP (pretty sure =) ), so I wanted to ask a question in a private message, but unfortunately there is no option for that here. Is there anywhere I can reach you in a private message? Thanks! – Jonathan Jun 26 '16 at 20:24
  • About the programming skills, I saw that for example they teach about SQL injection, so starting the course without knowledge in SQL isn't a problem? if it is, then there are a lot of subjects that "lay" on specific languages.. do I really have to study 'em all? – Jonathan Jun 27 '16 at 19:19
  • Hey becks, I'd love to get your response, I want to take OSCP ASAP :) Thanks and have a great week ! =) – Jonathan Jun 29 '16 at 09:12
  • @J.J Sorry for the really delayed response. I'm not OSCP, I have a traditional MS degree in Infosec. I sense that you've presumed OSCP/PWK is introductory as CCNA is to the Cisco certification path (just an analogy); if this is the case then you're slightly wrong. In respect of the Offsec community and their certification, it is the first gate, but a research will reflect that it's actually intended for sys/network admins and security professionals who have some years of XP in IT. – Youbecks003 Jul 04 '16 at 19:41
  • @J.J What you should be able to do is understand a SQL statement and how it works. You are not required to have skills that create an entire SQL database. Here's an analogy: a web application pentester or a bug bounty hunter can find vulnerabilities in a website/web-app, but I don't think he'll be able to write all the code that creates such a website. For an XSS example you need to have knowledge about JavaScript and where these are placed in HTML and how they'll work. It doesn't mean you should know HTML/CSS A to Z. – Youbecks003 Jul 04 '16 at 20:04
  • @J.J I will highly recommend you to go for CEH/Security+ kind of certification to build your base, at least study their content first and get familiar with basics. And go to places like hacksplaining/vulnhub/pentester/pentestit.ru/sneakerhax. (others you'll find eventually). These places provide the Things to exploit. – Youbecks003 Jul 04 '16 at 20:16
  • Thanks for the reply :) Though I don't have any background in infosec (unlike programming that I do have a little bit), and Offsec's admins told me to study networking, python and read metasploit unleashed, and I should be good to go. I wondered (it also could be VERY helpful to others who want to start the course and need the pre-knowledge resources): do you (or anyone in general) have a good resource to study: TCP/IP, subnetting, routing and addressing? Thanks and have a great day! – Jonathan Jul 05 '16 at 18:29
  • As @Youbecks003 suggested, try to go through the contents of security+ or SSCP. It will help you understand why you need to put up the defences in the first place. What you learn in OSCP, will help you understand how to get through the defences. You will be able to better appreciate knowledge in security if you learn how to attack, and also know how to defend. This is just my suggestion. Feel free to try it out in any way that suits you. – Vikas Feb 19 '20 at 05:37
1

Most of the topics you address will be introduced briefly in the course. I wouldn't say there is anything you mandatorily need to know before you start the course. I think I knew close to nothing about nmap when I started, for instance. I think the question "what do I need to know in order to start" misses the point. The point is "am I willing to learn and how much time do I have to do that". I might be simplifying but maybe one can say that the course teaches you 20% of a topic and you need to learn the remaining 80% by studying, googling, hacking the lab machines. If you are not able to do that for whatever reason then it is irrelevant if you know either python, ruby or nmap beforehand.

kaidentity
  • I am willing to learn, in fact I'm still a student in high school and in parallel studying a B.Sc degree in Computer Science, starting my last year very soon. I am willing to use my time, because I am truly fascinated about the subject, but I am scared to start the course and then I'll figure out that I lack knowledge :\ – Jonathan Jun 26 '16 at 15:33
  • One thing that needs to be said also is that the course costs money. That is an important part of the equation. I find the course material is already a great asset because even without trying to break the lab machines you will learn a lot just by studying the document and watching the videos. But for a 400-page PDF you usually wouldn't want to pay 900$... If you are unsure, another option is to find a job as a pentester somewhere and let your employer make the investment. You can still do the course in 2 years from now. – kaidentity Jun 27 '16 at 08:53
  • I've saved money for 2 years, not for that, but for a case like that. I saved up money for a case where I'll need the money, and I believe that this is a good cause, I love the subject, and it's summer vacation, so hell yeah, I can take the course. I wanted to ask what do you think: reading http://www.it-ebooks.info/book/929/ (book about networking, at least some of it; what do you suggest me to read out of there? I've been told that not everything is necessary.), after reading that doing learnpythonthehardway.org, and going over my linux knowledge on linuxcommand.org (I know the most) – Jonathan Jun 27 '16 at 16:38
  • and reading Metasploit unleashed as well. Is that enough preparation? Thanks! :-) – Jonathan Jun 27 '16 at 16:38
  • I don't know CCNA. I'm sceptical about certifications with a lot of theory. That is the great thing about OSCP: You can practice. If you feel ready to start the course then you will find plenty of topics you can focus on. Maybe it's the network stuff but maybe it's the section about buffer overflows and how to modify exploits. Or exploitation of web applications or or or.... Actually, metasploit unleashed is a good course but the OSCP authors motivate students to use metasploit as little as possible. – kaidentity Jun 27 '16 at 20:18
  • I have also tried to find a good book before doing the course and I have a couple of them but I only really understood them after the course ;-) It is really not easy to get the big picture if you cannot practice. Exercising all the exploits and code injections and everything is worth more than all the books in the world. – kaidentity Jun 27 '16 at 20:24
  • I see :) Thanks for replying btw, is there anywhere I can ask you a question in a private message ? btw , About the programming skills, I saw that for example they teach about SQL injection, so starting the course without knowledge in SQL isn't a problem? if it is, then there are a lot of subjects that "lay" on specific languages.. do I really have to study 'em all? – Jonathan Jun 27 '16 at 20:33
  • kaul630@yahoo.com – kaidentity Jun 29 '16 at 13:45
0

None of them are required. OSCP is not the kind of exam where your knowledge of a certain subject (like Python, Ruby or nmap) will be assessed. The only thing that matters is whether you're able to break into systems, and knowledge of Python, Ruby and nmap certainly helps with that.

For example, let's say you have a low privilege shell on your target system. The system has a privilege escalation vulnerability, and you have just found exploit code for that vulnerability. Unfortunately, it's written in Ruby, and the target system doesn't support Ruby, so you will have to translate it into another language. At that point, having at least a basic understanding of both Ruby and a common scripting language would be helpful.

nmap is taught during the course. See the official PwK syllabus for details on what the course covers: https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

(Still, it wouldn't hurt to play a bit with nmap before starting the course, just be sure to keep scanning activity inside your own network.)

I'm not sure if I understand this question:

is implementation of, for instance, sockets, in python needed?

If you meant to ask whether you'll need to know how Python implements sockets internally - no, I don't think so. If you were asking about knowing how to create sockets within the Python scripting language - yes, that would certainly be useful (and not only for the OSCP, but in general).

kazhtaco
  • I am currently working on my knowledge on networking, python and nmap. I do not know how to use sockets in python, and also the admins of offsec referred me to learnpythonthehardway.org to study python, but it doesn't include sockets, and anything that relates to networking in it, which I thought should be important for the course (and as I understand it, you think as well). I do not have knowledge in information security currently, I do have knowledge in programming, I thought my exposure to info.sec would be in PwK. What do you think, what should I do? I'd love to get some comments! – Jonathan Jun 26 '16 at 15:39
  • I think you should read the syllabus and study each subject on your own until you at least understand what it's about. If you understand the concepts behind the subjects it will be far easier to deepen your knowledge of these subjects during the course. Studying based on the syllabus will keep you busy for a while, you'll learn a lot of things without spending any money, and it'll give you a good idea if/when you're ready for this course. – kazhtaco Jun 26 '16 at 17:18
  • I'm really sorry for disturbing, I am just really curious =D So basically the course isn't to introduce you to the subjects? It's to deepen the knowledge about the subjects? If so then I have a lot to do before taking it, basically learning everything there from scratch.. and I thought it was where I'll first learn about the subjects .. :\ Thanks and hope you have a great day :) – Jonathan Jun 26 '16 at 17:32
  • 1
    You *can* use PwK as an introduction but it will not be a gentle introduction. You will then have to do a lot of learning during the course, all while the clock is ticking (and you are paying for the time). That's why I think it's best to prepare for it on your own when time is still "free". PwK will still deepen the knowledge and most importantly, teach you to apply it in terms of offensive security. When I took the course I was glad I had prepared this way. Because I had taught myself what I could, during the course I could focus on the interesting new things I could not have taught myself. – kazhtaco Jun 26 '16 at 19:16
  • So basically, learning things that are in the course before taking the course, saves the time of understanding them while the course is ticking (if i understood you correctly) ? Thanks for the quick reply! and have an awesome day :D – Jonathan Jun 26 '16 at 19:45
  • Do you maybe have twitter? I can talk to you via twitter and you can give me your email there =) Thanks! – Jonathan Jun 29 '16 at 19:12
  • Just ask here where others may benefit from the information as well. There is nothing I could tell you in private that I can't tell you in public. – kazhtaco Jul 01 '16 at 13:48
  • I want to ask something about a specific material I've been given by someone, and he doesn't really want it in public, so I respect him.. – Jonathan Jul 03 '16 at 09:09
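
For the distinction drawn in the last answer (using Python's socket API versus knowing how it is implemented internally), this is roughly the level of socket use meant. It is an added example, not part of the original thread; the loopback service, its banner text and the function names are constructed for illustration.

```python
import socket
import threading

BANNER = b"220 demo-service ready\r\n"  # constructed sample banner

def start_server(host="127.0.0.1"):
    """Start a one-shot loopback TCP server; return (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _addr = srv.accept()
        with conn, srv:          # both sockets are closed on exit
            conn.sendall(BANNER)
            line = read_line(conn)
            conn.sendall(b"ECHO " + line + b"\r\n")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t

def read_line(sock, limit=4096):
    """Read one CRLF-terminated line. recv() may return only part of a
    message, so keep reading until the terminator arrives. Each side sends
    one line per turn here, so nothing follows the CRLF."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:            # peer closed the connection
            break
        buf += chunk
        if len(buf) > limit:     # refuse unbounded input
            raise ValueError("line too long")
    return buf.rstrip(b"\r\n")

def talk(port, message, host="127.0.0.1", timeout=3.0):
    """Connect, read the banner, send one line, return (banner, reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = read_line(s)
        s.sendall(message + b"\r\n")
        reply = read_line(s)
    return banner, reply

if __name__ == "__main__":
    port, _ = start_server()
    print(talk(port, b"hello"))
```

Everything stays on 127.0.0.1, so it can be run without touching any other host.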