I’m writing this post the day before I officially start Offensive Security’s Penetration Testing with Kali Linux course. Over the next 90 days I’ll be studying the course material and making my way through as many lab machines as I can before attempting the OSCP examination, hopefully successfully. I decided to focus this post on how I’ve prepared myself, what my expectations are for the next 90 days and the future of these weekly blog posts.
Being completely new to the InfoSec industry, I had no idea where to begin. Although I had read about the OSCP course and knew that I wanted to do it one day, I needed something more entry-level to get my feet wet. For that purpose, the Security+ certification was really useful. I was able to learn about a wide range of security concepts and confirm my passion for this industry. However, I’ll be honest in saying that it really didn’t contribute much in terms of preparation for the OSCP course and I wouldn’t recommend it for anyone interested in the OSCP specifically.
It did have some use as it covered networking and penetration testing concepts, but not in enough detail to be of any real value as a prerequisite. For anyone who wants to learn about computer networking in detail I would instead suggest more specific certifications such as the CompTIA Network+ or Cisco’s CCNA.
OSCP Prep Episodes
These were the main ways I prepared myself for the OSCP course, and are covered in my previous blog posts. Over the course of around 3-4 months, I have been learning as much as I can about penetration testing both practically and theoretically, so that I am not overwhelmed once I begin the course. Having to start from essentially zero knowledge, I slowly familiarized myself with all aspects of penetration testing and have built a solid foundation for the OSCP course.
My four main sources of study were:
- Penetration Testing – A Hands on Introduction to Hacking by Georgia Weidman
- Advanced Penetration Testing course on Cybrary
- Vulnerable machines on hackthebox.eu
- IppSec’s video tutorials of retired HackTheBox machines
For beginners with no prior experience, I would highly recommend Georgia’s book and Cybrary series. They do an excellent job at taking you through the basics and will provide you with a solid foundation to start building up your skill set. Personally, I really needed this because a lot of Linux commands were new to me and having them all explained in an easy-to-understand way means I never felt confused or overwhelmed. Although I am by no means a Linux expert now, I am comfortable on the command line and understand all the penetration testing basics which I attribute to both Georgia’s book and IppSec’s YouTube Channel.
For those who are already comfortable using the command line and performing basic penetration testing, I recommend going straight to HackTheBox and attempting some of their retired machines. It’s worth purchasing a month’s VIP membership for the reasonable price of £10 as it provides you access to their retired machines. These are useful as they have walkthroughs available which supplement the learning you get from the machines themselves. As I mentioned, IppSec’s video guides are an amazing resource and will make each machine extremely clear so be sure to make use of these if you ever get stuck or find yourself in need of some inspiration.
I’m still not sure what to expect from the OSCP course, and I’ll admit that I am a little nervous. Part of me thinks I am not prepared enough in the basic concepts such as Linux, networking and programming and I’ll be biting off more than I can chew. On the other hand, the course is designed to teach people about penetration testing and I feel like I have enough understanding of the basics to be just fine. In particular, I have a pretty solid enumeration and penetration testing method down pat. I also feel as though I have been overthinking my preparation too much, and I would have to take the plunge at some point anyway. Now that I am starting, my only option is to give it a go and do my best.
I intend to spend approximately 20-25 hours per week on the OSCP. It remains to be seen if this will be enough time, but realistically it is the most I can commit when factoring in the other areas of my life. I’ve heard people mention 200 hours total as a ballpark figure for the amount of time that should be dedicated to the OSCP (excluding the exam) and I should be able to comfortably exceed this.
Ultimately, my expectation is to pass and become OSCP qualified. Anything less than this will be extremely disappointing, and obviously means I would need to spend more time practicing with a lab extension or on HackTheBox. I am determined and will not give up until I am OSCP qualified, however long that may take.
I gave quite a lot of thought to how I want to run my blog for the next 90+ days. Although I won’t have as much time to write posts, and won’t be able to write detailed content about the course, I still want to continue with these weekly updates. At this stage, I want to measure where I am in the course to track progress, and give a brief update on my key takeaways for the week along with what I found difficult (and any other random thoughts I may have). This way I’ll still be able to maintain my record of learning and update this blog without having to put too much time into the actual content. Hopefully you’ll check back in each week to follow along and see how I’m going!
I hope this post was valuable to anyone who may be considering the OSCP. I’ve had a lot of fun learning and increasing my skills thus far and honestly can’t wait to get stuck into the course itself. Good luck to everyone preparing for or starting the OSCP; remember to do your best and try harder.