Career Employer

FREE OSCP Study Guide 2026: The PEN-200 Methodology

The penetration-testing methodology the OSCP 24-hour practical tests — an interactive study guide with built-in quizzes and flashcards, organized by the OffSec PEN-200 kill chain from enumeration to reporting.

Check sections to boost your score

Don't know where to start?

To find us again, just search “Career Employer OSCP

By

This free OSCP study guide teaches the penetration-testing methodology the Offensive Security Certified Professional exam tests, organized to the current OffSec PEN-200 (Penetration Testing with Kali Linux) course.[1] It is built around the way a real engagement flows — enumerate, research, exploit, escalate, then attack Active Directory and pivot.

One thing to be clear about up front: the OSCP exam is not multiple-choice. It is a 24-hour hands-on practical in which you compromise live machines and then write a professional report.[2]

So this guide teaches the concepts and methodologythe practical rewards, and the built-in quizzes are a concept study-aid — pair them with real lab practice. If you are weighing the hands-on OSCP against the multiple-choice route, see our companion CEH study guide and PenTest+ study guide.

What the OSCP Exam Is

The OSCP is earned by passing the exam for OffSec’s PEN-200 course: a 24-hour hands-on practical worth 100 points, with 70 to pass, followed by a separate 24-hour window to submit a professional penetration-test report.[2] There are no multiple-choice questions — you must actually gain access to machines, escalate privileges, and document everything credibly.

The single most useful thing to internalize before you study: the exam mirrors the penetration-testing methodology. Almost everything you do follows a predictable order — enumerate thoroughly, research and adapt an exploit, gain a foothold, escalate to root or SYSTEM, then chain through the Active Directory set — with careful note-taking running underneath the whole time.

A naming note worth keeping straight: OSCP is the certification; PEN-200 (formerly PWK) is the course and exam that grants it. You will see all three names used interchangeably. This guide teaches the PEN-200 syllabus and the methodology the practical tests — always confirm the current exam structure and rules on the official OffSec exam guide before you book.[2]

OSCP Exam Snapshot

OSCP (OffSec PEN-200) at a glance
DetailOSCP / PEN-200
CredentialOffensive Security Certified Professional (OSCP)
CoursePEN-200 — Penetration Testing with Kali Linux (formerly PWK)
Format24-hour hands-on practical — compromise live machines (not multiple-choice)
MachinesThree standalone hosts + one Active Directory set
Scoring100 points total; 70 required to pass
ReportProfessional penetration-test report submitted within 24 hours after the test window
MetasploitLimited — automated exploitation allowed on one machine only
ProviderOffSec (Offensive Security)

The 100 points break down across the machines as follows.[2] The Active Directory set is the single largest block (40 points), so it deserves proportionate study time:

OSCP exam points by machine block
Active Directory set (client + 2nd host + domain controller)40% · 40 pts
Standalone machine 1 (access + privilege escalation)20% · 20 pts
Standalone machine 2 (access + privilege escalation)20% · 20 pts
Standalone machine 3 (access + privilege escalation)20% · 20 pts

Module 1 · Enumeration & Information Gathering

The foundation of every machine. Enumeration is the most important — and most under-practiced — OSCP skill. Nearly every foothold and privilege escalation comes from a detail you surfaced here: an uncommon port, an anonymous share, a forgotten credential.

1.1 Host Discovery & Port Scanning with Nmap

is your primary scanner.[5] Start by finding live hosts — a ping sweep (nmap -sn) lists which hosts are up without scanning ports — then scan ports. A host that ignores ICMP looks “down,” so force the scan with .

The high-yield habit: run a fast top-ports scan first to start working, then a full all-ports scan (-p-) so a foothold service parked on an uncommon high port is never missed. UDP services such as DNS and SNMP need a separate -sU scan.

1.2 Service & Version Detection

Open ports are only the start — you need to know what is listening and its exact version, because versions drive exploit research.[5] reports each service’s product and version, and runs Nmap’s default scripts; they are usually combined as -sC -sV. A “closed” port means it is reachable but nothing is listening, while “filtered” means a firewall is dropping probes.

1.3 Deep Service Enumeration (SMB, Web, FTP)

Once you know what is running, interrogate each service. On web, brute-force content with or ffuf, inspect robots.txt, and enumerate virtual hosts. On SMB, an can leak users, groups, and shares via ; writable shares may let you upload a payload.

On FTP, try an anonymous login and list directories. names software and versions — but treat banners as a hint, since an administrator can change them. The automates much of this (for example --script smb-enum-shares).

Checkpoint · Enumeration & Information Gathering

Question 1 of 8

A tester wants Nmap to perform only host discovery across a small range of IP addresses to learn which hosts are alive, without scanning any ports. Which Nmap option performs this ping-sweep behavior?

Module 2 · Vulnerability Scanning & Exploit Research

Turning enumeration into a plan of attack. With services and versions in hand, identify which are vulnerable and find the code to exploit them — then read and adapt that code so it actually works against your target.

2.1 Vulnerability Identification

A vulnerability scanner enumerates known weaknesses, and an authenticated scan (supplying valid credentials so the scanner can inspect the host from the inside) is far more accurate than an unauthenticated one.[3] But scanners produce false positives: when a finding doesn’t match what manual probing shows, trust your manual verification. Nmap’s vuln category gives a lightweight, targeted alternative for a single box.

2.2 Finding & Adapting Public Exploits

Map a service and version to a public exploit with , which searches the offline archive without internet access.[1] Read the full entry and code before running it.

A almost always needs editing: set the attacker’s IP and listener port, fix offsets for the right minor version, and regenerate any embedded shellcode. A missing-module error means installing the dependency on your attacker box — not abandoning the exploit. Above all, read the whole script so you never run destructive or backdoored code.

Checkpoint · Vulnerability Scanning & Exploit Research

Question 1 of 8

A tester wants an authorized vulnerability scanner to enumerate missing patches on a Linux target as accurately as possible. Which configuration choice most improves detection accuracy?

Module 3 · Web Application Attacks

The most common foothold on the exam. Web applications are everywhere, and the goal is always the same: turn a web bug into a . Know the major attack classes and how to chain each one to code execution.

3.1 SQL Injection

happens when untrusted input is concatenated into a query.[4] The major variants: UNION-based (append a UNION SELECT to exfiltrate data — first find the column count with ORDER BY), error-based (leak data through displayed error messages), and blind / time-based (no data returned, so a payload that pauses the response reveals values bit by bit).

SQLi can also bypass authentication by closing the string and adding an always-true condition, and with FILE privileges or xp_cmdshell it can reach code execution. automates detection and extraction — including authenticated requests and request files captured in a proxy.

3.2 XSS, Command Injection & Directory Traversal

injects script that runs in a victim’s browser — reflected (bounced from one request), stored (persisted for every visitor, the most impactful), or DOM-based.[4] Use it to steal sessions, log keystrokes, or force state-changing requests, and be ready to bypass a Content Security Policy or tag filters.

is more direct: user input reaches an OS shell, so a separator (;, |, &&) and a command run arbitrary code; when output is hidden, confirm out of band and upgrade to a reverse shell.

reads files outside the web root with ../ sequences — defeat filters that strip ../ only once, or a fixed prefix the app prepends.

3.3 File Inclusion, Upload & Client-Side Attacks

goes beyond reading files — the app includes the referenced file in execution, so you can reach code execution by poisoning a log the app reads, or disclosing source with the php://filter wrapper.[4]

File uploads are a fast foothold: defeat a magic-byte (signature) check by prepending an image header, defeat an extension allow-list with case tricks or double extensions, and abuse server-side archive extraction to write a to a chosen path. Client-side attacks target staff instead of the server — a malicious Office macro, or a link using a custom URI handler that fetches second-stage code from your server.

Checkpoint · Web Application Attacks

Question 1 of 8

A tester probing a numeric product-listing parameter changes its value from a number to the same number followed by an arithmetic expression, and the page returns the product that matches the computed total. What does the application performing that arithmetic indicate about the parameter?

Module 4 · Gaining a Foothold: Shells & Transfers

From bug to interactive access. A successful exploit gives you code execution, but you want a stable, interactive shell — and then the ability to move tools onto the box. This module is the bridge between initial access and privilege escalation.

4.1 Reverse vs. Bind Shells & TTY Upgrades

Choose the right shell for the network. A makes the target connect back to your listener and is the default on the exam, because most targets sit behind NAT or a firewall that blocks inbound connections.[1]

A opens a listener on the target — useful in some cases, but reachable by anyone scanning the port. A plain netcat listener offers no encryption and may be filtered, so socat gives a more robust, encrypted option.

Finally, so job control, tab completion, and full-screen tools work: spawn a PTY (python3 -c 'import pty; pty.spawn("/bin/bash")'), then set stty raw -echo and export TERM=xterm and a sane PATH.

4.2 Payloads & File Transfers

generates payloads in whatever format you need — a standalone Windows EXE that connects back, or raw shellcode to paste into a Python exploit — with your LHOST and LPORT set.[1] When the target flags certain bytes, specify them as bad characters (-b) and let an encoder route around them.

Once you have a shell, you often need to move tools onto a box that has no outbound internet: host a file with a quick HTTP server and pull it down, push it over an SMB share, or use a living-off-the-land downloader. Always confirm which user your shell runs as before choosing an escalation path.

Checkpoint · Gaining a Foothold: Shells & Transfers

Question 1 of 8

A tester lands a basic shell on a Linux host and runs a one-liner using python3 to spawn /bin/bash through pty.spawn so the session behaves like a real terminal. What does this single step accomplish for the tester?

Module 5 · Privilege Escalation (Linux & Windows)

The second 10 points on every machine. A foothold is rarely root or SYSTEM. Privilege escalation is a methodical search for one misconfiguration — start with an enumeration script, then verify findings manually and abuse the best one.

5.1 Linux Privilege Escalation

On Linux the classic vectors are (a SUID-root program that can spawn a shell — for example a copy of bash run as bash -p to keep its privileges), misconfigured (many allowed binaries have a escape), writable or wildcard-based cron jobs, and Linux capabilities such as cap_setuid on an interpreter.[3] Kernel exploits exist but are a last resort — match the exact version and prefer a clean misconfiguration. Run to surface candidates, then confirm each by hand.

5.2 Windows Privilege Escalation

On Windows, check the token first with whoami /priv. — common on service accounts — is abused by the Potato family (PrintSpoofer, RoguePotato, GodPotato) to impersonate a SYSTEM token.[3]

Other staples: and writable service binaries, weak service permissions and AlwaysInstallElevated, (find the missing DLL with Process Monitor), the powerfulSeBackupPrivilege (read the SAM and SYSTEM hives), and stored credentials in autologon registry values or Unattend.xml. automates the hunt, though antivirus may quarantine it.

Checkpoint · Privilege Escalation (Linux & Windows)

Question 1 of 8

A tester finds a SUID-root binary that is a copy of bash with the privileges preserved. Which invocation turns this into a root shell?

Module 6 · Active Directory Attacks

The 40-point capstone. The Active Directory set is scored as a chain — client, a second host, and the domain controller — and credential reuse is the engine that drives it. Enumerate the domain, harvest credentials, and chain your way to the DC.

6.1 AD Enumeration & Kerberos

A hosts the directory and authenticates the ; member servers and client machines are domain-joined hosts you move between. Map the environment first with and PowerView — users, groups, sessions, service principal names, and the shortest attack paths to Domain Admins.[3]

Underneath it all is : a client authenticates to the DC for a , then exchanges it for a to reach a service. That flow underpins every roasting and ticket attack.[6]

6.2 Roasting, Credential Reuse & Tickets

requests service tickets for SPN-enabled accounts and cracks them offline; it needs only one valid domain credential.[3] targets accounts with pre-authentication disabled and needs no credential— only usernames — making it usable before any access.

With a hash in hand, authenticates over NTLM without cracking it (defeating even long passwords), and Pass-the-Ticket injects a stolen Kerberos ticket. Forged tickets go further: a (from the krbtgt hash and domain SID) grants domain-wide access as any user, while a (from one service account’s hash) is narrower but stealthier. dumps the credentials and tickets that fuel all of this.

6.3 Domain Compromise

Reaching the domain controller is the goal. With sufficient rights, abuses the replication protocol to pull every domain hash — including krbtgt— without touching on disk; alternatively, extract NTDS.dit directly.[3] Membership of the Domain Admins group is effectively full control of the domain, so BloodHound edges likeWriteDACL and GenericAll that lead there are exactly what you chain toward.

Checkpoint · Active Directory Attacks

Question 1 of 8

A tester is asked which logical boundary in Active Directory groups computers and users so they can share a common directory database and security policy under a single administrative authority. Which term describes that boundary?

Module 7 · Lateral Movement & Pivoting / Tunneling

Reaching what you can’t touch directly. The AD set rewards movement beyond the first foothold — host-to-host with reused credentials, and through a pivot into internal subnets the attacker box can’t reach.

7.1 Lateral Movement (WMI, WinRM, PsExec)

With recovered credentials or a hash, move between Windows hosts using built-in remote execution.[3] PsExec runs a command over SMB via a temporary service (effective but noisy), WMI executes through the management interface, and provides an interactive remote PowerShell session on ports 5985/5986 — often preferred when staying quiet matters. This , powered by credential reuse, is the heart of the AD set’s scoring beyond the first box.

7.2 Pivoting & Tunneling

A is a compromised, dual-homed host that routes your traffic into an otherwise unreachable network.[3] SSH forwards do the work on Linux: local (-L) exposes one internal service on your box, remote (-R) pushes a port out when you can’t reach inward, and dynamic (-D) opens a SOCKS proxy for many tools at once.

tunnels a SOCKS proxy over HTTP through a firewalled Windows host with no SSH server. Then forces command-line tools through the tunnel — but use full TCP-connect scans (nmap -sT -Pn), because SYN, ICMP ping, and UDP do not traverse a SOCKS proxy.

Checkpoint · Lateral Movement & Pivoting / Tunneling

Question 1 of 8

A tester recovers valid administrator credentials and chooses Windows Management Instrumentation to execute a command on a remote host for lateral movement. What is a notable characteristic of using WMI for this purpose?

Module 8 · Reporting & Exam Strategy

Points you only keep if you can prove them. An unreported compromise scores zero, and the 24-hour clock punishes poor time management. The discipline of note-taking and strategy is as much a part of passing as the exploitation itself.

8.1 Note-Taking, Proof & the Report

Document as you go, not at the end.[2] For each compromise, capture the proof file, the exact commands and exploit you used (so it is reproducible), and screenshots showing the proof alongside the machine’s IP and your access level. The final penetration-test report, submitted within 24 hours after the test window, must let an assessor reproduce every step — if it’s not in the report credibly, it doesn’t count.

8.2 Time Management & the Metasploit Rule

Strategy wins exams. Spend your one permitted Metasploit machine wisely — automated exploitation is allowed on a single machine of your choice, so reserve it for a box you can’t crack manually, and use manual techniques everywhere else.[2] On the AD set, prioritize the client machine to start the chain, and don’t tunnel-vision a single hard standalone box while easier points sit untouched — rotate targets, bank partial points (initial access even without escalation), and take regular breaks to stay sharp.

Checkpoint · Reporting & Exam Strategy

Question 1 of 8

A tester has fully compromised a standalone box and is preparing the report. To document the initial-access step credibly, which content best demonstrates how the foothold was achieved?

How to Use This OSCP Study Guide

This guide is built to be worked, not just read — and because the OSCP exam is hands-on, the most efficient path to a pass combines this conceptual map with real lab practice:

  • Follow the kill chain. Enumerate, research, exploit, escalate, then attack Active Directory and pivot — that order is the methodology the exam rewards.
  • Master enumeration first. It is the highest-leverage skill; most candidates who fail simply didn’t enumerate deeply enough.
  • Practice hands-on. Use a lab (PEN-200, Proving Grounds, or similar). The quizzes here reinforce concepts — they don’t replace breaking into real machines.
  • Check off as you go. Use the Study Guide Contents to mark each section done — it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show exactly which topics need another pass.
  • Then prove it. Send your weak area into the flashcards and the practice questions, and read every rationale — that is how the methodology sticks.

OSCP Concept Questions

Common technique and methodology concepts candidates search while studying for the OSCP (OffSec PEN-200) exam — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

OSCP Glossary

The high-yield OSCP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

-Pn
An Nmap option that skips host discovery and scans a target even if it does not respond to ICMP echo requests.
-sC
Runs Nmap's default category of NSE scripts during a scan to gather extra information and catch common issues.
-sV
Nmap service and version detection — reports each open port's product name and version, the input for exploit research.
Active Directory (AD)
Microsoft's directory service that groups users and computers into domains sharing a common database and security policy.
AS-REP Roasting
Capturing and cracking the AS-REP of accounts with Kerberos pre-authentication disabled; it needs no credential, only usernames.
Banner grabbing
Reading a service's identifying banner (for example with Netcat) to learn its software and version for exploit research.
Bind shell
A shell in which a listener is opened on the target and the attacker connects to it; it is exposed to anyone who scans the port.
BloodHound
A tool that collects AD data and graphs the shortest attack paths from a controlled account to high-value targets like Domain Admins.
Chisel
A client-server SOCKS tunnel over HTTP used to pivot through a firewalled Windows host that lacks an SSH server.
Command injection
An attack in which user input reaches an operating-system shell, letting an attacker run arbitrary commands by chaining a separator.
Cross-site scripting (XSS)
Injecting script that runs in a victim's browser to steal sessions or keystrokes, or to force state-changing requests.
DCSync
An attack that abuses the directory replication protocol to request domain account hashes from a DC without touching NTDS.dit on disk.
Directory traversal
Abusing ../ sequences to read files outside the intended directory, such as /etc/passwd or a Windows web.config.
DLL hijacking
Placing a malicious DLL where an elevated application loads it; Process Monitor reveals a missing or writable DLL path to abuse.
Domain controller (DC)
The server that hosts the Active Directory database and authenticates the domain — the highest-value target in the AD set.
enum4linux
A wrapper tool that enumerates Windows and Samba hosts over SMB — domain or workgroup, users, groups, shares, and policy.
Enumeration
The systematic discovery of hosts, ports, services, versions, and configurations on a target — the single most important OSCP skill. When you are stuck, the answer is almost always more enumeration.
Exploit-DB
A public archive of exploits and proof-of-concept code; match the exact product and version, then read and adapt the code.
gobuster
A directory and file brute-forcing tool for web servers; in directory mode it appends file extensions to each wordlist entry.
Golden ticket
A forged ticket-granting ticket made from the krbtgt hash and domain SID, granting domain-wide access as any user with any groups.
GTFOBins
A reference of Unix binaries that can be abused — via SUID, sudo, or capabilities — to bypass restrictions and escalate privileges.
Hashcat
A GPU-accelerated password cracker; the correct mode must be chosen per hash type (e.g. Kerberoast or AS-REP) and rules can be applied.
Kerberoasting
Requesting service tickets for accounts with a service principal name and cracking them offline; it needs only one valid domain credential.
Kerberos
Active Directory's default authentication protocol, which uses tickets (a TGT and service tickets) issued by the domain controller.
Lateral movement
Moving host-to-host with reused credentials (Pass-the-Hash, Pass-the-Ticket, PsExec, WMI, WinRM) — the heart of the AD set's scoring.
linPEAS
An automated Linux enumeration script that sweeps a host for privilege-escalation opportunities and highlights them by likelihood.
Local file inclusion (LFI)
A flaw where an application includes a referenced file in execution; it can be escalated to code execution via log poisoning or PHP wrappers.
Mimikatz
A tool that extracts credentials and Kerberos tickets from memory; it requires elevated privileges to read the LSASS process.
msfvenom
Metasploit's standalone payload generator, which builds reverse- and bind-shell payloads in formats such as EXE or raw shellcode.
Nmap
The primary port scanner used to discover live hosts, open ports, and service versions that drive exploit research.
NSE
The Nmap Scripting Engine — a framework for running scripts (e.g. the 'vuln' or 'smb-enum-shares' categories) for deeper enumeration.
NTDS.dit
The Active Directory database file on a domain controller; extracting it yields every domain password hash.
Pass-the-Hash (PtH)
Authenticating with a captured NTLM hash without cracking it; it defeats strong passwords and is blunted by unique local passwords.
Pivot host
A compromised, dual-homed host used to route traffic into a network the attacker cannot reach directly.
Privilege escalation
Moving from a low-privileged user or service account to root or SYSTEM — the second 10 points on each OSCP machine.
Proof of concept (PoC)
Public exploit code that usually needs adapting — set the attacker IP and port, fix offsets, and regenerate shellcode before use.
proxychains
A tool that forces a command-line program's TCP connections through a SOCKS or HTTP proxy so it can reach an internal network via a pivot.
Reverse shell
A shell in which the target connects back to a listener on the attacker — preferred when the target blocks inbound connections.
searchsploit
A command-line search of the offline Exploit-DB archive bundled with Kali Linux; works without internet access.
SeImpersonatePrivilege
A Windows privilege, common on service accounts, that 'Potato' attacks abuse to impersonate a SYSTEM token and escalate.
Silver ticket
A forged service ticket made from one service account's hash — narrower in scope and stealthier than a golden ticket.
SMB null session
An anonymous SMB connection made with empty credentials that, where allowed, can reveal users, groups, and share names.
SQL injection
An attack in which untrusted input alters a SQL query, allowing data extraction, authentication bypass, or even code execution.
sqlmap
A tool that automates SQL injection — detecting it and enumerating databases, tables, and data, with support for authenticated requests.
sudo -l
A command listing what the current user may run via sudo as root; many such binaries have a documented root-shell escape.
SUID binary
A file that runs with its owner's privileges; a SUID-root program that can spawn a shell becomes a path to root.
TGS
A Kerberos service ticket for a specific service, encrypted with that service account's key — the material Kerberoasting cracks offline.
TGT
A ticket-granting ticket issued after initial Kerberos authentication and presented to obtain service tickets; signed by the krbtgt key.
TTY upgrade
Turning a basic (dumb) shell into a fully interactive terminal so job control, tab completion, and full-screen tools work.
Unquoted service path
A Windows service path containing spaces and no quotes; writing a binary to an earlier directory lets it run at the service's privilege level.
Web shell
A script placed on a server that the server executes, giving the attacker remote command execution through the browser.
winPEAS
The Windows counterpart to linPEAS; antivirus may quarantine the well-known binary, so an obfuscated or in-memory version helps evade it.
WinRM
Windows Remote Management, which provides an interactive remote PowerShell session (ports 5985/5986) often preferred for stealthier lateral movement.

OSCP Study Guide FAQ

OSCP stands for Offensive Security Certified Professional. It is a hands-on penetration-testing certification offered by OffSec (Offensive Security) and earned by passing the exam for the PEN-200 course, Penetration Testing with Kali Linux (historically called PWK). It is widely regarded as a benchmark practical credential for offensive security roles.

References

  1. 1.OffSec (Offensive Security). “PEN-200: Penetration Testing with Kali Linux (OSCP).” offsec.com.
  2. 2.OffSec (Offensive Security). “OSCP Exam Guide and Exam FAQ.” help.offsec.com.
  3. 3.MITRE. “MITRE ATT&CK — Enterprise Tactics and Techniques.” attack.mitre.org.
  4. 4.OWASP. “OWASP Top Ten and Attack Reference (SQLi, XSS, Command Injection, Path Traversal, File Upload).” owasp.org.
  5. 5.Nmap Project. “Nmap Reference Guide — Host Discovery, Port Scanning, and Version Detection.” nmap.org.
  6. 6.Microsoft Learn. “Kerberos Authentication and NTLM Overview.” learn.microsoft.com.
  7. 100.Nmap Project. “Nmap Reference Guide — Host Discovery and Port Scanning.” nmap.org, accessed 20 June 2026.
  8. 101.Nmap Project. “Nmap Reference Guide — Service and Version Detection.” nmap.org, accessed 20 June 2026.
  9. 102.OWASP. “SQL Injection.” owasp.org, accessed 20 June 2026.
  10. 103.OWASP. “Cross Site Scripting (XSS).” owasp.org, accessed 20 June 2026.
  11. 104.OWASP. “Command Injection.” owasp.org, accessed 20 June 2026.
  12. 105.OWASP. “Path Traversal.” owasp.org, accessed 20 June 2026.
  13. 106.OWASP. “Unrestricted File Upload.” owasp.org, accessed 20 June 2026.
  14. 107.MITRE ATT&CK. “Privilege Escalation (TA0004).” attack.mitre.org, accessed 20 June 2026.
  15. 108.MITRE ATT&CK. “Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009).” attack.mitre.org, accessed 20 June 2026.
  16. 109.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003).” attack.mitre.org, accessed 20 June 2026.
  17. 110.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004).” attack.mitre.org, accessed 20 June 2026.
  18. 111.MITRE ATT&CK. “Use Alternate Authentication Material: Pass the Hash (T1550.002).” attack.mitre.org, accessed 20 June 2026.
  19. 112.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001).” attack.mitre.org, accessed 20 June 2026.
  20. 113.MITRE ATT&CK. “OS Credential Dumping: DCSync (T1003.006).” attack.mitre.org, accessed 20 June 2026.
  21. 114.MITRE ATT&CK. “Lateral Movement (TA0008).” attack.mitre.org, accessed 20 June 2026.
  22. 115.MITRE ATT&CK. “Proxy: Internal Proxy (T1090.001).” attack.mitre.org, accessed 20 June 2026.
Career Employer

Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.

Follow Us:

All Posts

Career Employer’s Editorial Process

Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.