What's up? So a few months ago, Offensive Security put out one of the new courses. This one was called PEN-300, or Evasion Techniques and Breaching Defenses. And that came with the certification OSEP, or Offensive Security Experienced Penetration Tester. So I took a look at the course online and I bought it right away. Like, I was stoked because this course looked awesome. It looked so cool. It said an advanced penetration testing course building on the knowledge and techniques taught in the Penetration Testing with Kali Linux course, or PWK that works with OSEP. And it teaches students to perform advanced penetration tests against mature organizations with an established security function. You would learn how to bypass defenses, perform advanced attacks while avoiding detection and compromise systems that are already configured with security in mind. So we're talking about phishing with Microsoft Office documents. We're talking about process injection and migration, antivirus evasion, bypassing application whitelisting, post-exploitation credentials, lateral movements, a ton of cool stuff and an Active Directory environment. So I bought the course the moment that it came out. I registered for the exam the moment that I could and throughout the past few days I was taking the exam and today I got an email notification that I passed. Yes, I was really nervous for this test. I thought that I was gonna fail. I thought I was gonna have to retake it. I thought I was gonna have to take it like a second time because I just failed it that bad. Honestly, I did not expect for it to go the way that it did. But I wanted to bring this video to you because I think it's very, very new and there are a lot of questions out there. So this is it. Here it is. This is my video for the OSEP review. I wanna make this video like helpful for you.
So I asked out on the internet, I posted on LinkedIn, I posted on Twitter, hey, what would you like me to talk about or what would you like to see discussed during this OSEP video review? So hopefully I'll be able to answer some of your questions and we'll get to that in just a moment. But first I kinda wanna give a little bit of a timeline as to how this course and what this really looked like for me. So I had bought the course as soon as I could, right? The day that it launched, I was super excited. I'm loving what OffSec is doing lately and this sort of stuff I wanna get better at. I wanna learn more and get sharper on that. So I bought the course as soon as I could but I wasn't able to start with the labs and the course materials and really get into it until about the 21st of November. So from that week, like on that Saturday and throughout that weekend, I was like hard charging. I would watch every single video. I would take as many notes as I could and I was staying up until like three o'clock or four o'clock in the morning just so I could absorb everything. So when they give you the course material, the video files that they give you are labeled in like the section of the course and then the module and then the lesson and then just numbers within that. That wasn't exactly useful to me. So I went through the process, like while I was going through all the course videos, I would rename them to be in chronological order and then what they were actually discussing or what they were teaching within that section. So later down the line, if I needed to during the exam, I could reference the video and actually see it showcased and be able to quickly search and get what I needed.
While I was taking all my notes on all that, I was practically recreating the course book but in my own like words and in my own understanding and that way I could copy and paste any code blocks that I was writing and that made it much more easily referenceable, a little bit better than what the course book and that PDF, you can't quick and easy copy and paste code out of that because it gets messy. But that was what I had done to get started in that regard. I was trying to like speed run the course until about Thanksgiving and then when we get to December, right, then we get to the holiday time. Like I was going on vacation, I think the very, very first week and then of course we had Christmas, right? As we get close to the holiday and I've got family coming up. So like December was kind of a wash and then when we came to January, at that point I felt like I'm running out of time. My lab was gonna expire on the 20th and my exam was scheduled to start on the 31st. So up until I think like the 15th I had still just been kind of like busy doing other work. Like this month was super duper busy for my actual day job. But then as we came closer to exam time, like, all right, I really got to hunker down. I really just gotta cram the stuff. So I tried to work through all the labs and then I got into about lab time or exam time, sorry. So for the 31st of January, from what I understand the course exam wasn't gonna be released until February 1st. And I thought like, am I taking this on January 31st when it's not even out yet? So it's cause I'm Eastern time, right? So the time zone difference. But when my exam started at 10 p.m. January 31st that means I had the 48 hours to take the exam. So all of Monday, February 1st and then all of Tuesday, right February 2nd. And now today we get to when I get my exam results. So I am pretty sure I'm the first person to take the OSEP exam and I'm the first person to get that certification.
I think, I mean, I could be wrong, but that's kind of cool. Anyway, let me show you my notes or like my note taking process. Obviously I can't show you like my real notes cause it's a part of the course but I'll show you kind of the workflow that I work through. So I have an OSEP directory, right? And that's how I kind of go ahead and connect to the VPN. I've got all the course material in there and then I continue to work inside of a GitHub repository. Now this is something that I've stressed before but I can't stress enough. When you're working through this, back up your stuff. In case you lose it, you don't really wanna have to go through that all again. So create a private repository for yourself so you can just easily just, hey, git push and get your stuff backed up somewhere. Make sure it's private, obviously. But I would totally, totally recommend that. And that is inside my workspace directory. So inside this, and I think it's totally cool to show you this cause there's nothing exactly sensitive here. Just a bunch and bucket dump of tools and the stuff that I had created and stuff that I'd made and just random grab bag of assortments and stuff you can see like random interpreter shells in there or other things or other notes. But the big one here is this readme file. So that readme.md is literally my entire dump of everything that I have taken notes on throughout the course while going through the videos. So if I were to like take a look at how big this file is, there's a lot of lines in there, right? And that's not even all of it. I actually didn't go through some stuff that I just went on later and didn't end up documenting personally. But that is how I had done it originally. That's how I had done it to start with. I just had this humongous Markdown file that I threw all my stuff in. Now, I don't know how you guys take notes and I know that's different for everyone, but I will showcase and I will kind of offer this.
If you haven't seen Obsidian, it's so cool. It's so good. I love it. I would totally recommend that if some folks are interested in Heyges. I'm still taking notes in Markdown, but I still want to slap in images and I want to be able to easily look for and through and grab what I might need. So I'll show you that. I'll fire up Obsidian right now and I'll show you what I can. Okay, so here we are. This is the folder that I had used and created for everything that I might be looking up and grabbing for OSEP while I'm taking everything down there. I had my folder and its notes for the challenges. I would kind of keep track of what I could be thinking of when I get to a certain point. I could be looking for specific things and different references. Hey, what do I need to do if I land on a Linux box and I need to remember it like a gut check, what's going on? What if I run into some SQL servers? What tools do I need to pull in and how am I gonna end up doing that? Lateral movement, right? Other techniques and things that we're working with those phishing documents or macros, et cetera, et cetera. And this is beautiful and wonderful because I could just simply hit Control-O and just search for something that I might need. Like, hey, I wanna grab the quick syntax to disable Defender or I need to quickly get a PowerShell downloader for some specific tool like Rubeus or PowerView or BloodHound, et cetera. Just having all these things readily accessible for me at like a keystroke was fantastic and awesome and still just acted as a good sanity check. So if you aren't using Obsidian, it's super duper cool. You can create like another pane. I'll split vertically, right? And I'll make this in like the Markdown view that's necessary to have that display nice and pretty. And you can also make all these references that are necessary in the graph view. Let me see how I can get that if I can. Oh, there it is, open local graph.
Oh, and it creates like a separate pane but like you can create a little like mind map of everything that you're taking part of in different like sections or notes and that's super duper cool. I honestly don't use it a ton, the graph view anyway, but I just love being able to have all of the Markdown files and things that I might need able to be looked up at like a second. Okay, last thing before we get to your questions because I promise you I get to your questions. I wanna talk about the exam report. I submitted my exam report just like under an hour after my exam testing period ended. Now I say that because what I wanna emphasize to you is write your exam report while you're taking the exam. And I don't mean that literally, but I do. So like, I guess what I try to do is I try to like write out my thoughts as I'm going through it. I'll just have like my text editor open another window and the terminal and everything like as I'm taking the exam. So like, while I get a thought like, look, I see a couple options for me. This is what I can do. These are the commands that I ran and I would like literally copy and paste each command that I wrote and just slapped it into the text editor so I had it saved. Because then for one thing, when you know you need that later because maybe you messed up that command or you're just gonna do a similar thing again. You just need to change the arguments. You've got it, control shift C, control shift V, plop the thing in and you're good to go. I really, really recommend that because if you get yourself to a point where you can just basically copy and paste what you've already written down in your notes while you're going through the process and you can like fine tune some sentences or whatever, you've got your report, your walkthrough, your write up, you show your work as you're going along. It makes it so much easier. And I know like report writing is sometimes kind of the most boring thing.
So literally you won't wanna do it after the fact. Literally just do it while you're going through the penetration test. Just jot down either what you're thinking or what you just looked at or what you just found. Hey, I see this vulnerability with this technique. I was able to abuse it, then you're good to go and then you're set. Now I'm gonna do something here. I'm gonna do something real quick and don't get spooked, don't get scared, don't you worry, OffSec. I'm not giving any trade secrets away or anything but I'm gonna show you my exam report, what I can of my exam report, right? So basically just the front cover. But this is it, this is the folder. This is what I was working out of when I was working through my exam. And if I fire this thing up, I'll give you exam report.pdf. Take a gander, it is 73 pages long. Now I use a lot of screenshots so that might be longer than what most people expect or even would care to do. But look, this is it, this is the thing. And I show this to you because I want to demonstrate how I put this thing together, right? So as I said, I write it all in Markdown. I'm not a big fan of bumping around in Microsoft Word. I hate using those templates. I just dislike doing that. So I write it in Markdown, right? And I'll show you this template where I end up using this Eisvogel LaTeX style and use that template and it's online. I think I've shared it before for even the OSCP video. So I'll throw some overlays in the video and I will link that in the description because it's a good GitHub repo where you just get whatever you need. You write the thing in Markdown, you convert it to LaTeX and it spits it out as a nice, beautiful PDF for you. So you don't have to do a whole lot of legwork with Microsoft Word or Adobe, whatever the heck to make a PDF file. I love to use this and I do that for literally every offensive security exam that I've taken. And even I think for other certifications, that is the way that I do it.
And I hope that is helpful for you. Now finally, let's get to your questions. I think I should end up doing this sort of like a live stream at some point or an AMA or whatever, if some folks are interested in that. But anyway, these are a few of the canned ones that I had seen from Twitter and LinkedIn. So I'll try and go through these.

How useful is OSCP in the course and certification? So I am not currently on the market or like looking for a job, right? But obviously, yes, the classic same value and worth that comes from just getting a certification. That's obviously gonna super duper help your resume when you're hunting for jobs, you're trying to bypass HR, et cetera, et cetera. There's value in that. But for the learning, right, that's the real important stuff in my opinion. And a few of you, like, know, like this sort of thing is super duper pertinent to what I do for my day job. So I work at a company where we hunt for hackers and we're trying to look at the malware that we find, we're trying to understand and following the footsteps of the threat actors, see how they're maintaining their access and getting that foothold and implant in place. And a lot of the techniques, right, when you're bypassing application whitelisting, you're trying to slip under the radar for antivirus. Those are super duper pertinent and it's real world stuff that real hackers are doing, right? So this is super cool. Honestly, in my opinion, I think this is like one of the greatest examples of it. I was going through the section on like compiling C# on the fly without touching disk. And how you do it originally is you use like MSBuild or CSC or kind of a command line C# compiler. And when you use those utilities, it does write temporary artifacts to disk in like the temp directory or something.
There's like random letters and like a dot zero or a dot number dot CS for the C# code and other things that just get left out like the standard output or the standard error of the process. And I saw those at work, like doing what I really do for my job. And then the next day, when I was going through that section in OSCP, I was like, whoa, I literally saw that it tied it all in. And that was so cool and really incredible. So it's super duper pertinent to I think real world stuff. And that's the value. And that's how I thought it was useful because it was really, really cutting close to the bone or like it hits close to home, right? When you see it for what you do every day. And yeah, it is useful.

How did you prepare for the OSCP exam? So I've said this before in the video, right? And I'll say it over and over again and I'll reiterate it as I took a lot of notes, a lot of notes and I would stage everything and have it ready so I could use it in the future. My biggest recommendation, like my best advice that I can give you is go through the challenges, go through the challenge labs, go through every single one of them and take thorough notes. So I think my advantage or what made this, like what was so instrumental in helping me was that I would have the code, I would have programs, my tools, I'd have syntax, I'd have commands, already staged and ready that I could just copy and paste and slap it in. So, hey, do I need to use Impacket? Look, I've got it ready. Do I need to use CrackMapExec or whatever the case may be? Do I need to throw in Rubeus? I've already got it set so I can just keep rolling and I don't need to go fumbling and looking for syntax when I already have it ready and I've got that look up for myself. That is my best recommendation is to go through the labs, go through the challenges and have that prepped.

What are some materials or resources that would be really helpful for preparation or external war games or practice ranges?
So, I have not admittedly gone through, like Hack The Box Cybernetics or some of the pro labs, like I know Offshore or some of the RastaLabs are much more into Active Directory than you might find in other locations. I did go through TryHackMe Throwback and that was some time ago and there's a video on my channel that'll showcase me failing through that. But I'll say, look, I have said many times before, Windows pentesting is not my strong suit. I practically never operate in an Active Directory environment. This was like the first time I'd done it. So, when I say go through the labs, when I say do the challenges, those were what were invaluable to me. Honestly, I didn't end up going through some of the Hack The Box or TryHackMe other stages or other ranges. I know Pentester Academy and plenty of other stuff have things that could help you and certainly go after them, certainly do them if that's what you'd like to do. Truthfully, I hadn't yet, the course is enough for what you need. The course, I think OSCP and OSEP specifically is going to teach you everything that you need so you don't have to go research a lot of that other stuff. The biggest thing that I struggled with because I'm not familiar with Active Directory and because I'm not all that confident in Windows is that I would struggle and I would be afraid of my own intuition. I wouldn't know what to do next or what to look for next or how to do that next. So, at one point, many times actually, I'd be laying in my bed just staring at my phone looking up how to more enumerate an Active Directory, how to do more in a Windows realm and I would just be trying to understand the techniques, trying to understand what tools they use and how they do it. I would just be looking at my phone in the middle of the night when I can't sleep, staring at that stuff and that's really the research and kind of putting the puzzle pieces together throughout the lab and the challenges.

How does this compare to OSCP or the Offensive Security Certified Professional? So, OSCP and I've said it before and I know OffSec has gone out and said this where OSCP is one of the introductory fundamentals beginner certifications which sucks to hear, especially if someone is studying crazy hard for OSCP and it's like the holy grail, like that's the gauntlet they want. It's like a throat punch when someone tells you, hey, no, that's just the tip of the iceberg, man. I think that rings true, right? Because OSCP focuses a lot on knowing vulnerabilities and being able to exploit them with some attack script or code you might be able to pull off the shelf. You just need to do the enumeration to figure out what it is that's in front of you. Okay, what software name and what software version and what can I go find in the public domain to exploit this and take advantage of it? For OSCP, you're taking advantage of things that are inherent and internal to the way that Windows works, the way that Active Directory is structured and part of its design, it has these flaws that you can take advantage of these things, okay, constrained delegation, unconstrained delegation, resource-based delegation, et cetera, et cetera. It's a step above because it's OSCP, I feel like is very Linux-oriented and I might be wrong in saying that now with the 2020 update, right? They focus on Active Directory a smidge a little bit. OSEP is much more real world and take that with a grain of salt in that you're doing Windows stuff in environments that are secured that are using the latest and most modern rendition of these operating systems that have Credential Guard in place or application whitelisting in place or have PowerShell locked down to only be in Constrained Language Mode, stuff like that. There's just more to circumvent and navigate around and it makes for a more formidable foe and I think that's how it differs from OSCP.
OSCP, I can't say becomes a little formulaic but OSEP, you do problem solving and you do critical thinking in different ways but OSEP puts you in a different environment. This current one, right? The experienced penetration tester puts you in more of that modern, real world, actual, all enterprises, right? All network businesses, corporations, companies, they're using Active Directory. That's like 99%, 95% of industry. That's where it's at. So OSCP, that's the tip of the iceberg, right? OSEP can pump you up a little bit. That's the next level.

Can we be best friends? Yeah, duh, absolutely, of course. We're already best friends.

Does the material help you go through the exam if you pass the challenges? Are you ready for the exam? In my opinion, yes. Everything that you need is in the course. That's why I take notes, say it over and over again.

How long did it take you to pass the exam? Oh gosh, I hate this question. I hate, this makes me just look like a bad word. So my exam got started at 10 p.m. on January 31st and I had completed the objective at seven in the morning. So I guess if you're really counting that, that makes it nine hours. But I say that and it, gosh, it makes me, I hate, I hate, I don't want to sound like some braggadocio guy. I'm telling you if you prepare, I'm telling you if you take notes, I'm telling you if you go thoroughly through the challenges and you have things staged out and ready, then you're unstoppable. You're loaded up with your armor, you've got your arsenal, you are ready to rock. That I think was my strong suit and the biggest advice that I, again, I'll give you is get it locked in, that all this code, all these C# scripts, the C# code, right? You'll compile to do specific things, PowerShell syntax to be able to interact with different things, all those things ready and prepared. That is how you'll cruise through it.

What are some things you would have liked to have known before taking it? Ooh, that's a good question.
So, I tell people, yeah, it's good to be familiar with PowerShell, right? C#, I feel like you can pick up, just syntactically, right? I mean, it's a programming language, you can just kind of get the feel for it and bump around and fail and fumble a little bit, all again beforehand, before the exam, so when it's go time, you're ready to rock. I mentioned, I wish I had more of the intuition. I wish I had a grown muscle as to what to look for and when, when I'm in the Windows world inside of an Active Directory environment. Ooh, but I will mention this and I don't think I've said this before, so it's good that we get into it. BloodHound, oh my goodness. So, I don't often use BloodHound, right? Or use any SharpHound or any of the other collectors to be able to pour it into BloodHound. Look, I use BloodHound like a compass. Like whenever I got lost in the woods, wherever I didn't know where to go next, wherever I was unsure, hey, I got new access, now what do I do with it? Go back to BloodHound, look around, look through every single thing that you can. And just poke around and say, hey, that doesn't look weird. I wonder what I could do with this. Is this the right group? Is this the right user? What about that computer over there? Oh man, I would really, really recommend to folks just play with BloodHound and that is something that I wish I had a little bit more familiarity with. Look, did you know you can right click on something in BloodHound and mark it as owned or mark it as high value? I didn't know that. If you right click on an edge, if it says, hey, you have whatever WriteDacl or you've got GenericAll on this thing, dude, if you right click on it, you check out that abuse info. If you go through the help menu, harmj0y, forgive me, I'm pretty sure I got that right. The developer, right? It just does an incredible job at telling you like, look, if you wanna break this thing, here's how to do it.
And using that combined with the book, combined with everything that you've learned through the course, that sets you on the right path, so BloodHound, I would footstomp over and over again. I'm putting it lightly when I say, I use BloodHound as my compass. I hope you do the same.

Who would you advise this course for? Are there any types of jobs or positions or people that the certification is suited towards? So yeah, this is totally like being a modern red teamer. This is being a penetration tester for real, like for your actual job. As I mentioned, yeah, obviously 95%, 99% of businesses, companies, organizations, network systems, et cetera. They're using Windows and they're using Active Directory. So learning these techniques, knowing how to do some of the antivirus evasion, doing AMSI bypasses or working around application whitelisting, like if you want to be a penetration tester, if you want to be a hacker and do it as a job, like that is it. This is who that course is for. That is who this course is for. It is experienced penetration tester for a reason. I think encapsulating it as a red teamer is the right way to think about it. Because this is really what you'll be doing.

Okay, I know this video is getting kind of long, so we'll wrap this up. We'll start to wind this thing down. Last question. I say like last question for like right now for this video. If you do want us to do like, hey, John, can you do a live stream? Can you do an AMA or something cheesy like that? Absolutely, I'm happy to. If you've got more questions, we'll do that. And don't hesitate to reach out. Like don't hesitate to ask me, hit me up, hit me up on Discord, hit me up on Twitter, LinkedIn, whatever social media platform. I am drowning in messages and a little overwhelmed, so hopefully I'll get to you. But no, don't be a stranger. I'm happy to help. That's totally what I'm doing this all for. And I hope that this review video is helpful for you. So last question.

At the end of the day, is it worth it? Or was it worth it? Yes, like yeah, absolutely, 1,000% hands down. Maybe I'm weird, like maybe I'm an oddball because I love this stuff, right? This is my passion. I find this fun. Because like hands-on learning, the practical application-based learning, I don't know, it makes it real. It makes it tangible. It makes it like you're doing it for real. You're not just, and I say this a lot, but you're not just talking about cybersecurity. You know, you're not droning on in front of a PowerPoint presentation. You're like pointing at a pie chart in statistics, histogram. You're not talking about cybersecurity, you're ethical hacking, but you're doing it. You're on the keyboard, you're operating and you're learning the real tactics, the real techniques, the real procedures. And that, being able to play with it and tinker with it, I just think that's so cool and that's so fun. So was it worth it? Absolutely, it was absolutely worth it to me. And yeah, if you're wanting to advance your career, if you're trying to open up those job prospects and everything, 1,000%, this on your resume is gonna make you skyrocket. But even if you're just doing it for the learning, just for the knowledge and the value that comes from it, I see it firsthand. This stuff is absolutely pertinent to what I do every day for my day job. And I think that is so cool. Like I remember, when that happened, the whole MSBuild, CSC thing with temporary artifacts that blew my mind. Like what an amazing moment where I can tie it into something that I literally do every day. That was really cool. So, okay. I think that's it. I think that's all I wanted to talk about.

Hey, so to close this thing out, I wanna take a moment to just say thank you. And it's weird, I think. But look, when I shared and screened on social media, like, hey, I passed, I did it. I was so pleased.
The overwhelming response of like, congratulations, you know, like the pat on the back, just the encouragement is so surreal. I'm lucky. I'm so incredibly and insanely lucky because of this community, because of this following. Like I'm blessed to sort of be in the spotlight, right? Cause I'm a content creator, cause I'm an influencer and in cybersecurity, right? When you put that on YouTube and then you make something out of it, it's weird. Like you wouldn't normally think or expect that out of education and learning, but I don't know. Seeing that positive response was just so heartwarming and I'm so, so grateful. I'm lucky because I get to be sort of in the spotlight, but every single one of you, every single one out there, every single person should have that same encouragement and response and love when they achieve something that they've been working towards. So I am so excited for you to pass OSCP. I am so excited to see your certificate. I'm so excited to see all the achievement messages and social media postings. And I'm super excited for OSED, right? You know, the new OffSec course for Windows user mode, like, exploit development and all that stuff. I'm super stoked and I'm super excited. So you know what, we're just gonna keep playing. We're gonna keep having fun. We're gonna keep learning and I'm happy and I'm excited and I'm stoked. So thank you so, so much for watching this video. I really hope that this review video was helpful for you. Let me know. Please don't hesitate to reach out. We can keep doing more stuff like this, but golly gee, this was an absolute blast. And thanks so much. I really hope you enjoyed this one. I'll have you guys take care. I'll see you in the next one.