This post is part of the security training review project, and was guest blogged by Jim O’Gorman.
This last summer I was given the opportunity to take the Offensive Security 101 course. I came across it by accident while looking for some training that I could do without travel and that was reasonably priced. When I saw that the prices started at $550 (compared to $3,000+ for most classes), honestly I assumed that there was no way it could be very good, but as it was put on by the people behind Backtrack I thought I would look into it some more.
What I found was a large number of people that were saying nothing but good things about it. So, for the price, I jumped head first into it without doing much more research. When you sign up for the course, you are provided with some Flash videos, a PDF, access to the Offensive Security labs, and directed to IRC and forums for any problems and questions.
What type of background is needed for this class?
The course is foundational, but not basic. It helps to have hands-on experience with Linux, and Backtrack in particular. The course utilizes Backtrack quite extensively, so time spent learning the OS is time away from the meat of the course. The material covered is not high-level CISSP style, but much deeper, more technical. The background that matters more is less familiarity with different technologies and more attitude, including a desire to learn and no aversion to hard work. Some background in a scripting language is nice as well, as I will get into.
What was actually covered and taught at the course?
The syllabus is online and is very complete. As I said, the material is foundational, and gives the student the chance to just learn the basics while giving them the details and references to go as deep as they desire on any topic. One thing that may not be obvious from the syllabus is: get ready for some scripting. I used to script in Perl all the time, but not so much anymore before this course. After this course, I find myself shooting out various Python scripts for all sorts of various reasons. This has the potential to be a time sink if you don’t have some experience in this area. The course starts out very, almost deceivingly easy. Then as soon as you start getting cocky, you find yourself in the deep end of the pool manually fuzzing applications with Python scripts you write yourself, then writing your own custom exploits for the holes you find.
How was the class?
Insane. I spent many hours working on the various labs, reviewing the provided training materials, following up on references that are given, and having hours of desperate frustration followed by moments of livid celebration. I learned more in this course than from any single course that I have taken, mostly because of the open nature in which it was structured. Students are expected to spend time in Google looking up items on their own. This course is not for those that give up easily or expect to have things handed to them. You have to work, and work and work.
Did it meet your expectations?
Yes, the course exceeded my expectations. I firmly believe that you get out of anything what you put into it. And the way the course is structured, it requires you to commit yourself and your evenings in order to get through it. Concepts are given a deeper understanding due to the completely hands-on nature of the labs. Difficult processes are made understandable due to the crawl, walk, run nature of the courseware.
How were the speakers?
There are no speakers as such. Videos are provided which are very well done. They match the provided PDF, and build on each other. It is very nice to be able to go back and watch difficult parts more than one time.
Any suggestions for improvement?
Nothing is ever perfect, and this course is no exception. There are some items that I would have really enjoyed more time and material on that are only touched on. But, you have to draw the line somewhere, and knowing what to keep out is just as hard as knowing what to put in at times. The biggest cautionary item I have to say about this course is: It’s not for everyone. It’s not a SANS course, it’s not a college course. No one is there to hold your hand. Don’t mistake me, you can get help if you are putting in effort and having problems, but you have to put in that effort first. It’s possible to feel a sense of entitlement after paying the money for a course to expect that someone will be there to put the band aid on your knee when you fall down and get hurt. That is not this course’s style. When you fall down, you are simply told to stand back up, shake it off, and "try harder". You will get plenty of encouragement, but no one will do the work for you. That style is not for everyone.
Would you suggest this course to others?
Yes, with the caveat being you are the sort of person described above.