Re: OSCP

["Michael Condon" <admin () singulartechnologysolutions com>]

"wHaT to0L dO I yEwS" is an understandable question, considering that 
"some" CEH training covers tools that honestly aren't that good, or are 
outdated.
And if one program reports an OS detection of a router and another reports 
Apache/probably running on Linux, it's not legitimate empirically to report 
just one result. Gut feelings/experience can't be scientifically replicated.
And some of the software out there that is not free/open source is really 
not too good either.

--------------------------------------------------
From: "J. Oquendo" <sil () infiltrated net>
Sent: Monday, November 17, 2008 4:02 PM
To: <pen-test () securityfocus com>
Subject: Re: OSCP

> On Mon, 17 Nov 2008, Craig Wilson wrote:
>
> > Hi,
> >
> > OSCP is great for practical knowhow but I would rather employ a CISSP 
> > anyday; why and how you would protect systems are much more important 
> > than how you break in.  Its all very well knowing how to make a shell run 
> > on a poorly configed machine but understanding defensive configs to 
> > ensure the machine isn't in a position to be compromised are more 
> > important IMHO.
> >
> > Additionally I would ensure you have day to day experience and knowledge 
> > of why you would advocate certain things in corporate environments.
> >
> > Craig
>
>
> Two different certs, two different purposes. I believe each has
> their own specific purpose so it's comparing apples and oranges.
> You are however so completely offbase in your assumption that a
> an OSCP or any other well qualified pentester is slowly looking
> for a method to run a "shell script" on a "poorly configured"
> machine. Apparently you have an isolated view of some of the
> research that goes on with fuzzying, intuition, session hijacking,
> etc., perhaps you could learn from the OSCP and other technical
> courses similar to it.
>
> For the CISSP types in an enterprise environment, there can only
> be so many managers pushing around papers and revamping policies.
> A thorough and knowledgeable pentester can and should be able to
> create the same logical reports based on their technical findings
> else they shouldn't be in the industry. There is a lot more than
> meets the eye from my perspective on what a pentester is and what
> the industry perceives them to be. If you're basing your opinion
> on the level of questions that float on this list "wHaT to0L dO
> I yEwS" than I can't blame you however, CISSP's aren't impressive
> to me. Nor is any exam that relies strictly on memorizing what's
> in a book.
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "Each player must accept the cards life deals him
> or her: but once they are in hand, he or she alone
> must decide how to play the cards in order to win
> the game." Voltaire
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------