Penetration Testing mailing list archives

RE: OSCP


From: Craig Wilson <cwilson () ppilearning com>
Date: Tue, 18 Nov 2008 11:41:33 +0000

You appear to have misread my message - I have both certs, the OSCP is fine if you want to know how to break things
that are already broken. I am more interested in how to ensure that things are not broken in the first place.




Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson () ppilearning com
W. http://www.ppilearning.com/

-----Original Message-----

From: J. Oquendo [mailto:sil () e-fensive net]
Sent: 17 November 2008 21:35
To: Craig Wilson
Cc: pen-test () securityfocus com
Subject: Re: OSCP

On Mon, 17 Nov 2008, Craig Wilson wrote:

Hi,

OSCP is great for practical know-how but I would rather employ a CISSP any day; why and how you would protect systems
are much more important than how you break in.  It's all very well knowing how to make a shell run on a poorly
configed machine but understanding defensive configs to ensure the machine isn't in a position to be compromised is
more important IMHO.

Additionally I would ensure you have day to day experience and knowledge of why you would advocate certain things in 
corporate environments.

Craig


Two different certs, two different purposes. I believe each has
their own specific purpose so it's comparing apples and oranges.
You are however so completely off base in your assumption that
an OSCP or any other well qualified pentester is slowly looking
for a method to run a "shell script" on a "poorly configured"
machine. Apparently you have an isolated view of some of the
research that goes on with fuzzing, intuition, session hijacking,
etc., perhaps you could learn from the OSCP and other technical
courses similar to it.

For the CISSP types in an enterprise environment, there can only
be so many managers pushing around papers and revamping policies.
A thorough and knowledgeable pentester can and should be able to
create the same logical reports based on their technical findings
else they shouldn't be in the industry. There is a lot more than
meets the eye from my perspective on what a pentester is and what
the industry perceives them to be. If you're basing your opinion
on the level of questions that float on this list "wHaT to0L dO
I yEwS" then I can't blame you; however, CISSPs aren't impressive
to me. Nor is any exam that relies strictly on memorizing what's
in a book.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



