How I learned to love enumeration and passed the OSCP

TL;DR – I passed the OSCP exam and had lots of fun doing it.

The Offensive Security Certified Professional (OSCP) certification is well known in the security industry as a really tough certification. Unlike many certifications that rely on memorization and rote learning, the OSCP is awarded after a hands-on exam that forces the exam taker to demonstrate his knowledge through action.

I will try here to give a brief overview of the path I took towards this certification and share some of my thoughts about it.


My first steps in the hacking scene were taken back around 1997 when I was making my first steps in the wonderful world of the internet. I was 13 and my parents decided to get me an internet connection for my Bar-Mitzvah. A couple of months later I stumbled upon the once famous hackersclub website and IRC channel, and that was the beginning of my love affair with the wonderful world of information security (though I didn’t even know that was the name then).

Spending most of the 2000s in the army put a temporary pause on my dabbling in the grey side of hacking, but ever since I learned of Kali Linux in the mid-2000s and of the OSCP certification, I knew I’d one day have to do it.

So after working for 4 years in the IT and IT security industry, by late 2014 I felt ready to get on my way towards the OSCP.

The beginning

Penetration Testing with Kali Linux (PWK) is the basic course offered by Offensive Security and is a pre-requisite for taking the OSCP exam. The course consists of video lectures, a study guide and a very large lab environment that is initially available for 30, 60, or 90 days of lab time and can be extended further. I decided that I would sign up for 30 days of lab time and extend as necessary.

A few weeks later, in mid-January 2015, I received an e-mail from Offensive Security with download links for the course lab guide, videos and a Kali Linux image designed for use with the course, and began my course.

The academic part

The “academic” part of the course (as I like to call the exercises in the study guide) is quite comprehensive, taking the student from the very beginning of recon through enumeration, exploitation and post-exploitation. The study guide is well written but leaves a lot for the student to find out by himself. For me, with my background in penetration testing, the study guide was more of a way to formalize my knowledge rather than adding much to it. I did not go too deeply into the exercises, but for someone without much experience it would be an invaluable resource. I’m somewhat split on the “extra miles” demanded of students; they could have better pointers and guidance for newbies.

All in all, I pretty much skimmed the exercises and went on to the real highlight of the course: THE LAB!!! Where there is gloom, and doom while things go boom!

The Lab

The OSCP lab is the crown jewel of the course. It’s composed of a single large network representing a corporate LAN and a number of smaller networks representing restricted VLANs that you’ll find in a large corporation, forcing the student to pivot between networks.

The first steps in the lab were easier than I thought and feared and I managed to compromise a number of machines and gain SYSTEM/root privileges within the first 2 days. However, the job got progressively harder as the low hanging fruits were picked. I learned the hard way that this lab is all about enumeration, something that I now impart whenever I mentor a junior team member.

The lab exposes the student to a wide range of systems. There are many flavors of Windows, Linux and Unix machines; some are patched, some aren’t. There is a whole range of software versions, with systems from the mid-2000s to the latest and greatest systems out there. I wish there was some mobile OS as well or even a Mac, but I realize it’s not as easy to set up. Hopefully in the future Offsec will add some (maybe start with an Android BYOD scenario?).

More than the range of systems in the lab, what excited me the most was the range of attacks the lab required. They ranged from simple bruteforce directory guessing (dirb anyone?), through your regular Metasploit exploits and up to client-side attacks via numerous channels. It was unlike any CTF or challenge I’ve done before.

All that being said, I felt the lab was a little bit dated. A certain Windows exploit was way too important, and while I still encounter it on engagements, it’s not nearly as prolific as it was once. On the other hand, the lab is not intended to expose the student to the latest exploits but rather to teach him to enumerate, to use the tools of the trade and to be creative, all tasks the lab does very well.

The sense of accomplishment that you feel when you compromise one of the harder hosts, unlock a new network or take down another host after days of trying, is ecstatic. This is the same excitement that I still feel whenever I access the client’s DC or other crown jewels on an engagement. This excitement is what keeps us penetration testers going and it’s totally there during the course.

The lab also teaches the importance of post exploitation, of looking for interesting information on the hosts themselves, as not all hosts can be compromised directly.

Documentation is extremely important during this stage. The lab report is part of the report you submit to Offsec after your exam and if you lack points to pass the OSCP exam, it may be the difference between passing and failing. I got too excited on some machines and did not write up or take a screenshot and so ended up with a report detailing fewer compromised hosts than I actually compromised.

I also suggest you work on the lab report well in advance of your exam as it will be quite large and you really don’t want to type 150-200 pages in 24 hours. I used Keepnote for documentation, but given the chance would switch to Dradis if I had to re-do the lab. However, use what you like best and what suits your taste.

It is also a good idea to back-up these notes, I kept my work on Dropbox.

After about 2 months of work I was done with most hosts. I then kept extending the lab a number of times to practice and re-visit some hosts and keep the exam date open. In August I finally decided to schedule the exam and got down to writing the lab report.

The Exam

Knowing a large vacation was due for the holidays after Yom Kippur, I scheduled the exam for the day after and waited for the exam email to arrive.

The email arrived right at 1400 hours, containing the OpenVPN script for the exam lab and the exam guide PDF. I had 23 hours and 45 minutes to finish the exam and a further 24 hours to submit my report. You are not allowed to use Metasploit except on a single host, or automatic vulnerability scanning or exploitation tools on this exam. You can use meterpreter whenever you want, but you’re limited to the commands you can issue in the shell.

The OSCP exam consists of a separate lab with hosts designated as your targets. Each host has a point value between 10 and 25 points. You score partial points for a partial compromise and need 70 points to pass the exam.

I started out by enumerating the sh*t out of my targets, taking the better part of an hour, and then started working on the harder hosts first. In hindsight. 4 hours in, I had a full compromise of a 20 point machine and a further 3 partial compromises. Within 5 hours I already had 2 full compromises and took a break. I can’t stress enough how important taking breaks and eating normally are during the exam. Your brain can’t work all that well when you’re tired or hungry, so whenever you compromise a host on the exam, take a 15 minute break. Go outside, breathe some air, call someone, brag on Twitter, do something that takes your mind off the exam for a while. I ended up playing a game of World of Warships whenever I made progress and compromised a host.

With the low hanging fruits in my hand, I kept on going and the 3rd compromise came only 5 hours later, at 10 hours into the exam. With 65 points in hand and 13 hours to go, I knew I was going to pass this exam. The fourth host was done about 2 hours later and I had 90 points in hand. Then, the 10 points host showed me how exhausting the exam is. It was the easiest host on the exam and kept me chasing my tail for hours as I struggled to find a way to compromise it. Eventually I caught the telltale sign of the vulnerability and used the single instance of Metasploit use on the exam to compromise this host and gain a root shell.

18 hours, 5 red-bull cans and 2 bottles of Soda in, I had 5/5 hosts fully compromised and 100 points in hand. I went to sleep exhausted but satisfied well after the sun rose up.

The next day I worked on my report, added the 50 pages of exam report and sent in the report early Saturday morning Israel time.

Around noon on Monday I received the email notifying me that I have passed the exam.

Final Thoughts

The OSCP exam and the course itself were simply amazing. They were hard, they made me question my abilities and then made me feel ecstatic whenever I overcame a new hurdle.

To be honest, this is NOT an entry level course. If you don’t know what Linux is, never used SSH or don’t know how to start a windows server on the CLI, then you’re probably not yet ready. But if you are a sysadmin, an information security professional or a developer looking for a stepping stone into the field of penetration testing, then this course will make you appreciate every penny you spend on it.

I finally feel I have a certification that I really had to work for, that’s worth a lot more than a simple 4 letter word. It proves that I have accomplished something much harder than just cramming a bunch of stuff in my head and spewing it out on the exam.

So, where to now? I’ll probably focus on obtaining a CISSP and I’m about to begin studying for a Master’s degree in Computer Science. I will definitely do the next Offensive Security course (OSCE) soon.

So if you have any questions about the exam, drop me a line and I’ll be happy to help. If you want to do the OSCP – YOU SHOULD!
Try Harder!



35 thoughts on “How I learned to love enumeration and passed the OSCP”

  1. Itay

    Can u write some background about the pwk course (price, how does it work, etc.)
    Also, what is the price of oscp course?

    1. Peleg Wasserman Post author

      The OSCP and PWK are the same, so price-wise it depends on you. You can see the prices here:

      If you have some background doing penetration tests and you feel comfortable around Linux and Windows, then I guess you can go for the 60-day course which is 1,000USD. You will need to concentrate though, expect spending at least 3 hours a day on weekdays and much more on weekends. If you do that, then I think in 60 days you’ll be ready to go. If not, you can extend as needed.

      Again, this course is all about self discipline.

  2. Pingback: OSCP Review by Offsec Students | fl3xu5' blog

  3. Thomas

    First of all great review! Was really fun to read.
    Secondly I have a question. You mentioned that many services were a little bit dated. Does that mean that the course rather focuses on post exploitation (privilege escalation, etc.) than on getting the first unprivileged shell?
    Or did I misunderstand this?

    Thanks in advance 🙂

    1. Peleg Wasserman Post author

      Thank you very much!
      On most boxes you’ll have to complete both parts, getting a foothold (some are easier than others in that regard) and then escalating. Very few hosts will give you a root/admin shell straight away.
      That being said, on most boxes you’ll spend more time on post exploitation than on getting the initial foothold.

  4. La Joker

    Thank you very much for sharing your experience and knowledge with us 🙂 I enjoyed every single word you wrote. Do you still keep the material of this course? If so, can you please send me via email? Otherwise, do you have any other to suggest? Many thanks ^^

    1. Peleg Wasserman Post author

      I’ve only kept the report but I can’t really share it with you, since it’ll defeat the purpose of the course. Get yourself a few scripts that automate information gathering and enumeration so you can fire them up and not worry about it for the exam.
      Other than that, I’d focus the lab time on learning how to spot the little flaws on all the hosts 🙂

  5. Omri

    Hi! I enjoyed reading your review very much. how much time in total did it take from starting the course to taking the exam?

    1. Peleg Wasserman Post author

      If you’re dedicated it shouldn’t take you more than 3 months to finish it. For me it took 8 months because I took long breaks in the middle and then I decided to do the exam during the autumn holidays.

  6. Alok

    Hello, I am also pursuing OSCP. I am done with the labs; it took me 4 months (initially I took it for 2 months, then extended for another 2 months). The post was quite helpful, but I would appreciate it if you could share some tips. For me the biggest hurdle was privilege escalation and the Windows Server 2008 machines in the labs. It would be helpful if you could share something to be ready for the exam for the above. Thanks.

    1. Peleg Wasserman Post author

      I’m not sure there’s much to share, it’s just a matter of experience. All the hosts in the lab AND the exams have the answer before your eyes. It’s just a question of proper enumeration.

  7. John

    Hello Peleg,

    Thanks for the information. I am sorry for the stupid question but you mention that you are not permitted to use Kali, what tools do you then use?

    I have several years in technology and am going to undertake the Kali training first but wondered if this was background enough to start the OSCP training? Thanks

  8. MXO

    Hey Men !, Congrat. very good experience and sharing.
    I have strong networking knowledge and good at linux, windows, and common security concepts. I am meaning to take this course and exam. but a few questions before taking it,
    -need for python , ruby, or other?
    -need for assembly?
    -need for web application pen test concepts?
    -lab works are enough to prepare lab test?

    thanks a bunch in advance

    1. Peleg Wasserman Post author

      Sorry for the late reply, but hopefully someone else will find it useful.
      You need at least one of these languages, python is preferred, you should also be comfortable with C.
      There is some basic assembly usage for exploitation, but it’s not central to the course and you should be able to learn it during the course.
      WebApps – Definitely.
      I think lab work is enough, given you really do complete it by yourself, I’ve seen groups going into the lab together and helping each other.

  9. Kevin Hoganson

    Hey, thanks for the honest and thorough review. I’m a student pursuing OSCP as we speak.

    You mentioned above that we are allowed to use meterpreter whenever we want, limited to the shell commands it provides. Does this mean that we can use Metasploit’s multi/handler whenever we want in order to stage it appropriately? Or should we investigate manual, non-Metasploit ways of deploying meterpreter?

    A second question for you: in your brute forcing attempts, did you resort to using cloud services (for more hardware resources)? Anything similar?

    Best regards.

    1. Peleg Wasserman Post author

      I know it’s a late reply and you’ve probably finished OSCP already but yes, you can use the handler when you want, but you can’t use the special functions it gives you (i.e. no getsystem).
      No need for cloud services during the OSCP.


    Hey, thanks for the great write up.

    I’m currently on the OSCP course, I started the course with no experience in IT security. I have found it challenging, but feel confident with most of the areas covered with the exception of privilege escalation. I have done a lot of research and feel I understand the concept but I have had 0 luck in the labs without using metasploit. Do you have any tips or pointers?

    1. Peleg Wasserman Post author

      First of all, for every host you pop with metasploit, go back and do the manual exploit. You know now that it works and is the right way, right? So see what you have to modify in your manual exploit so that it too will work. After you’ve done that a bunch of times, start out with the manual exploits and then circle back to metasploit.

    1. Peleg Wasserman Post author

      Yes, you are not allowed to use metasploit exploits and some other functionality. In general, whatever is not forbidden is allowed.
      If in doubt, ask an admin.

  11. cristie

    My husband has tried this one box 3 times. He has tried so hard!
    All he needs is the “look around you” oscp box. he has worked on it all night

    Any help would be so appreciated!

    He has an hour or so left…..

    1. kate

      Hi cristie,

      May I know if your husband figured out LookAroundYou in the end? If so, then PLEASE, help out a poor soul and send her an email at kate_lockwell (at) please!

    2. jane eastwood

      Hi cristie,

      Please could you leave me your email address? I have something important to ask you about LookAroundYou and OSCP.

      Or you can reach out to me at [email protected].

      Please cristie…Help this poor soul out 🙁

  12. dizzo


    It’s the best honest and realistic review I have read so far.
    Looking forward to starting the journey this November.

    Thanks a lot for the review.

    1. Peleg Wasserman Post author

      I usually don’t publish posts like this one, but I think I need to get this out of the way:
      I will not send copyrighted materials to anyone, for any reason. If you need to study, buy the lab, there’s more than enough time and the price is really good for a security course.

  13. MichaelSkywave

    My role has been more of Network Engineer, I have frequent access to layer 3 and layer 2 networks, I developed an interest in network/cyber securities after an attack to a layer 3 device in one of the sites I deployed.

    As I don’t have the basic Linux knowledge, how do I start? Can you help me with some self-study guides or equally an outline of what to do and where to start?

    Thanks for your understanding.

    1. Peleg Wasserman Post author

      My knowledge of the OSCP lab is limited to the previous version, that is somewhat different than the one you’ll be facing.
      Generally, Linux is not that hard to learn, install an Ubuntu VM and play with it, learn how to configure stuff, where config files are located, etc… When you feel you’re ok with the system and can find your way around the CLI, try installing a more interesting distro, like Gentoo.
      If you want to dive in even deeper, then the best thing is doing LFS (Linux From Scratch) install, you can find stuff about it here:

  14. Esther

    Hello! Is it possible for you to give some advice on what is the best way to gather and enumerate hosts?

    Great posts, thanks!

    1. Peleg Wasserman Post author

      Hi Esther,
      First of all, there isn’t a single catch-all answer to this question.
      It depends a lot on the environment you’re in, type of engagement (do you need to be stealthy or can you make noise in the network?), and other factors.
      The simplest way would be to follow the examples in the PWK course material, and start off with a ping sweep, then move on to stuff like snmp sweeps, and scanning with NMAP. In the lab, these methods would be a good start.
      Once you have a handle on the different hosts, start scanning them with more in depth tools, for example if it’s a web server, run nikto or dirb to find stuff on the web server itself, try to enumerate the server version and the other software running on it (PHP?).
      From there on, it’s mostly following your gut feelings.

