Thoughts on the OSCP in 2017

Offensive Security OSCP!

I recently had a chance to gain my OSCP certification through my day to day penetration testing job and wanted to share some thoughts on the experience.

For the most part, the certification has only positive reviews online. Even attempting to find a negative review with a search like “OSCP bad” or “OSCP not worth it” results in nothing but praise for the OSCP. This reputation is probably there for a good reason, but I would argue it is more to do with how bad other certifications are rather than the inherent value of the OSCP itself. To that end, I have some specific criticisms that bear mentioning to those who are looking to complete their OSCP certification in the future. I have ordered these roughly in order of “easiest to fix” to “hardest to fix”. These are 100% my own opinion. I don’t doubt that most people will not agree, but I hope that this helps explain some of the reasons people might not be recommending everyone hold an OSCP.

There is no APAC region

While this may be a minor issue for some people, I can say without a doubt that one of the most frustrating experiences during both my lab and examination period was trying to find ways to work around the issues that arise when you are on a VPN with 300 milliseconds of round trip time.

If you thought UDP scans were slow normally, try with 300 ping

That is not to say that the lack of an APAC region makes the OSCP significantly more difficult, it just adds a lot of frustrations. As you might imagine, some tasks become exceedingly painful. Trying to navigate an FTP server to find the one interesting file? What about just trying to complete an nmap scan (especially if you include all ports rather than just the top 1000). The official word from Offensive Security is that there is no need for an APAC region, nor are there any plans to open one, but as someone who suffered through the OSCP with high ping and paid a very significant amount of money for the privilege, I’m really not happy with that response. Being ex-devops, I completely understand the pain that goes into bringing a new region online of your product, but to completely brush it off as unnecessary feels like it tells us that Offensive Security are more concerned with maximizing profit than providing a pleasant experience for their customers.

Unclear and changing requirements

When you first begin the labs, you might ask a simple question like “What is the scope of the lab machines”, that is, what IP ranges are you allowed and meant to be targeting? Given the tendency to compare the OSCP labs to a penetration test, you would hope there’s a clear answer. Alas, that does not seem to be the case. The first place you might look, your course PDF (which is provided only once your lab time starts, which I presume is necessary to keep people spending expensive lab time away from the labs and reading a PDF?), only lists a single subnet: 10.11.0.0/16. In the same table, however, it also lists a target start as 10.11.1.1 and target end as 10.11.1.254. You might rightly be confused as to what this means. While later it becomes clear what is in scope (hint: it is a lot less than 10.11.0.0/16 and a lot more than 10.11.1.1/24), this points to a more general problem of being unclear in the documentation.

Another place this comes up is during the final examination. Without revealing anything about the exam that isn’t allowed, I can share that you are required to document your steps. Specifically, you are told, “You must submit at least two or four screenshots”. Ignoring how confusing of a sentence this is in the first place, it can be inferred that these refer to two screenshots of the exploit to gain an unprivileged shell, and two more of a root shell (though individual exam machines may vary of course). This requirement quite clearly breaks down in the case where one of your intrusion methods is not an exploit, such as the use of a default password. Nonetheless, it is possible to figure out what you are meant to do (for the most part), but it once again makes me wonder why they are not more clear from the outset.

It’s not really for professional penetration testers

Of the issues I have pointed out here, this is the one least in the control of Offensive Security, but perhaps the one I found most frustrating.

All through the internet, we can see stories of people singing the praises of the OSCP, how it helped them learn what they needed, or how it helped them become better at what they already can do, but something I didn’t notice at the time was how few of these praises come from those already in the industry. Of the ones that do come from the industry, they are framed more as “you should get this certification if you plan to work in infosec”, which is a far cry different from “if you are in the industry, you should have this certification”.

To that end, I found the course materials severely lacking compared to what I expected. Where I expected to learn about attacks, I instead learned to look things up in the ExploitDB database. Where I expected to learn about new and interesting attacks, I was given ten different boxes to run Metasploit on. Moreover, that is not to say those skills are not useful, of course, they are, but they are skills I already had, and skills I would expect anyone who’s been in the industry for more than six months to have picked up already.

However, I hear you say, the OSCP is not there to teach you about bugs, it is there to teach you an attitude, a way of thinking! Surely you are right, but how many penetration testers have managed to get and maintain a job in the industry without those skills already? The ability to “try harder” isn’t some magical thing that only an OSCP has, it is a basic requirement for being able to do your job.

So while this last one is on me, I wanted to provide some contrast between the glowing reputation the OSCP receives, and my experience with it.