Offensive Security PWK Course Review
One month ago I got my OSCP certification and I think writing this review is a way to honor and to thank the Offensive Security Team for his awesome work and for all the things that they allowed me to learn.
We are talking about PWK but what is it?
Penetration Testing with Kali Linux is an online penetration testing course by the Offensive Security Team composed with a PDF, videos and a laboratory access time. With this course a student (after is training) can attempt the Offensive Security Certified Professional (OSCP) exam.
What can I learn with this course?
According to the Offensive Security Team:
- How to use multiple information gathering techniques to identify and enumerate targets running various operating systems and services;
- How to write basic scripts and tools to aid in the penetration testing process;
- How to analyze, correct, modify, cross-compile, and port public exploit code;
- How to successfully conduct both remote and client side attacks;
- How to identify and exploit XSS, SQL injection, and file inclusion vulnerabilities in web applications;
- How to deploy tunneling techniques to bypass firewalls and
- How to demonstrate creative problem solving and lateral thinking.
And according to me:
- How to be humble;
- How to improve your determination (how to try harder and harder);
- How to write basic exploits in both windows and Linux systems (stack based buffer overflow);
- How to write a professional and structured penetration testing report in order to better help a client and
- A new mindset.
My Security Background & Prerequisites
As a student (for the moment: Jul 9 2017) I started from scratch, I never worked for a company or as a penetration tester, not even for blue team. So, before my registration for the course I learned networking basics, how to write Python and Bash scripts, how Linux works and I played with few VulnHub virtual machines, as highly recommended by the Offensive Security Team:
A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.
For this reason I think these links (free course/certifications from Cybrary) can help you before your registration, if like me you start from scratch:
- Networking: CompTIA Network+
- TCP/IP: CP/IP Certification Course
- Linux skills: CompTIA Linux+
- Linux administration: Fundamental Linux Administration
- Python scripting: Python for Security Professionals
Note, a good English level is required in order to understand the course and to be able to write an understandable exam report. No other language are accepted.
The PWK Course Material (PDF + videos)
The PWK course material is composed with a 375 pages PDF and 148 videos where you are going to learn all important penetration testing phases. From the enumeration to the post-exploitation. I used one month to complete the course both reading the PDF and watching courses videos. Note, it is important to use both the PDF and the videos because some information are in the PDF and not in the videos and vice versa. The interesting point is that you have multiples of exercises in the PDF that you can choose to do or not.
To make sure that I had correctly understood, I decided to write a complete exercises report, with for each portions of the course an introduction of the tool or techniques used/learned, the context of the exercise and the exercise himself. I highly recommend students to do so; because it’s both a good way to write what we learn and a good exercise for the lab report.
For more information you can find the PWK syllabus here: Penetration Testing with Kali syllabus
Here I’m going to expose all the additional resources that I used during my learning process with the PWK course, due to the fact I started from scratch. If you already have security or a pentesting background it can still be useful.
Penetration Testing: What You Should Know (page 13-33)
This first chapter give you the aim of the course, of a modern pentration tester and the mindset to have. Yes we hack, but for the good side (for fun and not for profit). We also learn different pentesting process, the structure of the laboratory (that we are going to discuss later), restrictions inside the laboratory and the expectations of a good report.
Getting Comfortable with Kali Linux (page 34-48)
Here students are going to learn how to configure the Kali Linux environment in order to be ready to work with it. After that, how to use the bash environment in order to automatize task with the help of bash scripts.
The Essential Tools (page 49-74)
This chapter is extremely important because this is where you are going to learn how to use basics tools that you are going to use and reuse every time. How to create both bind and reverse shell. Moreover, how to sniff the network in order to understand what you do, what you send and what you receive (really useful during the exploitation phase).
Passive Information Gathering (page 75-92)
Interesting things begin, the enumeration or how to passively enumerate a target (single system, website, etc…). Students are going to learn how to use different tools in order to gain as much as possible information, such as emails, unprotected information, the localization of the target before using active information gathering tools. For that, students learn how to manipulate Google to filter results and maybe find juicy things. How to find emails and how to use a well know OSINT tool, Recon-ng.
Active Information Gathering (page 95-132)
Enumeration! We never enumerate enough our target. That’s what you are going to learn. This time students begin to interact with the target in order to gain more specific information. Students are going to learn how to intelligently run a port scan, analyze and brute force DNS server to identify potential misconfiguration and enumerate SNMP, SMTP and SMB protocols running in the target.
Vulnerability Scanning (page 133-144)
In this little chapter students are going to learn how to automatize scans with a vulnerability scanner. Moreover, they will learn the danger to too much trust these tools, due to the average of false positive, for example. Otherwise, students will learn too, how to use the Nmap NSE (Nmap Scripting Engine).
Fuzzing (page 145-150)
Exploit development start here, with an introduction of what is a buffer overflow. Students are going to learn the basics and how to use a fuzzer in order to find a vulnerability in a running service/application.
Win32 Buffer overflow (page 151-171)
Here students will learn how to make crash the application with a custom exploit, redirect the execution flow of the target service/application, to execute unwanted code in order to gain a bind/reverse shell and a quick introduction on how a computer works in his low-level layers. This introduction of buffer overflow is in a Windows x86 environment.
Linux Buffer Overflow Exploitation (page 172-183)
In this chapter, students will learn how to create an exploit in a Linux environment. The process is the same as the previously used for the Windows x86 system.
Working with Exploits (page 184-193)
There is a growing number of public exploits in Google and Exploit-DB that allow unskilled people to exploit the weaknesses of a service/application. Here students are going to learn the danger to blindly execute a public exploit without code verification, how to adapt, port and cross-compile an exploit in order to make it work in the targeted system.
File Transfers (page 194-204)
Here students will learn different techniques to exfiltrate potentially sensitive files and data both with interactive and non-interactive shell and how to upload unwanted files, local exploits or backdoors for example, in the targeted system.
Privilege Escalation (page 205-212)
After exploiting a vulnerability, we do not necessarily have high privileges and we need to find a way to become Administrator or NT AUTHORITY\SYSTEM for Windows systems or root in Unix systems. That’s why, here, students will learn how to elevate their privileges to get full access to the targeted system. Windows and Linux are both covered in this portion.
Client-Side Attacks (page 213-226)
Who is the low-hanging fruit in a company? For sure, the end user. Here students are going to learn how to perform a client side attack. From the information gathering, to the creation of a malicious Java applet. Moreover, students will learn the importance of the social engineering during the pentesting process and to never forget the weakness of the human factor.
Web Application Attacks (page 227-263)
Nowadays, web application are more and more frequent and they continue to grow. For this reason, students here are going to learn how to identify and exploit basics web application vulnerabilities such as cross site scripting (XSS), SQL injection (SQLi), remote file inclusion (RFI) and local file inclusion (LFI).
Password Attacks (page 264-286)
Sometimes, the only way to move forward is to find a password and there are multiples way to find one. That’s why here, students will learn how to create custom dictionaries for brute force attacks in order to have combinations related to the target. How locally retrieve passwords in memory, how to brute force online remote applications, how to crack hashes and finally how to use brute hashes instead of the plain text password.
Port Redirection and Tunneling (page 287-300)
In order to evade firewall rules or an IDS we sometime need to create secure tunnel or to forwards ports. Students, here are going to learn how to locally and remotely forwards ports, how to create SSH tunnels and they will take a look at HTTP tunneling and how to encapsulate the traffic in order to bypass more sophisticated DPI and IDS.
The Metasploit Framework (page 301-332)
In this chapter, students will learn how to use this well know and unavoidable framework: Metasploit. Students are going to learn how to use auxiliary modules to enumerate a target, how to use Metasploit’s exploits in order to gain access to a target, how to write their own Metasploit exploit and how to use Metasploit for post-exploitation purposes.
Bypassing Antivirus Software (page 333-340)
In this last chapter, students will learn the bases of how to evade anti-virus software. For that students are going to learn how to crypt well-known Malware and that’s the reason why it’s always better to write is own Malware, malicious code.
The PWK Laboratory
The offensive security laboratory is the major point of this course. This lab allow students to practice what they learned and in an hardcore way, in four different areas, the Public network, the IT department, the Development department and the admin department for a total of fifty-five systems (Windows and Linux combined). This is literally the place to be and you are going to learn more than you can expect, from basic web application pentest to tricky windows services modifications or Linux local exploit modification.
After the course I said:
"Now it’s going to be easy I finished every exercises."
Now I’m laughing. When you start the laboratory it’s like being dropped naked in the middle of the hell with only your keyboard, our mouse and your brain to survive (and maybe a cup of coffee).
I worked a total of two months, two weeks and few days in the lab in order to get them all. With a minimum of three hours per night the week and a minimum of ten hours per day Saturday and Sunday. That’s a lot, but I’ve learned a lot and I think it’s totally worth.
Always take notes
You absolutely need to take notes in order to have enough information to write the lab report because the lab report is a good exercise and training for the final exam report. Store the output of enumeration tools, take some screenshots in order to have a proof of your exploit, save the code that you modify. Everything you need is here:
For that I used the KeepNote software and the following picture is an example on how you can organise your notes with KeepNote:
Create your methodology
When you have finished to exploit a system, take the time to understand what you did, why that works and what you learned. If you add to your pentest methodology what you have learned, you will be more confident the next time you will see the same technology, application or vulnerability. Step by Step, create you own pentest methodology, top ten tools to use, etc …
After exploiting a vulnerability, try to know if you can create a script to automatize the process, if you can write your own exploit. Moreover, try to create your own toolbox with custom scripts. Always automatize what you can automatize, you will save time next time and that will show that you know what you do.
Don’t be weak!
In the Offensive Security Forum you have tons of spoilers that can drastically help student to find how to exploit a vulnerability or a system and students can send privates messages, but please, in your interest do not spend your time asking for help like someone’s do. Take a break, drink a coffee, and restart at the beginning.
To conclude, the PWK course taught me much more than I expected. I started from the scratch with not a lot of knowledge, but I successfully hacked all fifty-fives systems in the laboratory and got my OSCP certification. If I managed to do it you could too. I highly recommend to everyone to register for this course as soon as possible.
Try harder and harder, if you thinks you tried every possibility, restart from the beginning. The determination is the key of success.
Next step: Cracking The Perimeter (CTP)
Ch3rn0byl, to motivated me to start the PWK course.
Tony-St4rk, to have supported me on IRC and for your help.
All the Offensive Security Team, for the awesome laboratory, forum and staff.
Mati Aharoni “muts”, for the 1337 course (and the awesome Spotify playlist).