This free OSCP study guide teaches the penetration-testing methodology the Offensive Security Certified Professional exam tests, organized to the current OffSec PEN-200 (Penetration Testing with Kali Linux) course.[1] It is built around the way a real engagement flows — enumerate, research, exploit, escalate, then attack Active Directory and pivot.
One thing to be clear about up front: the OSCP exam is not multiple-choice. It is a 24-hour hands-on practical in which you compromise live machines and then write a professional report.[2]
So this guide teaches the concepts and methodologythe practical rewards, and the built-in quizzes are a concept study-aid — pair them with real lab practice. If you are weighing the hands-on OSCP against the multiple-choice route, see our companion CEH study guide and PenTest+ study guide.
What the OSCP Exam Is
The OSCP is earned by passing the exam for OffSec’s PEN-200 course: a 24-hour hands-on practical worth 100 points, with 70 to pass, followed by a separate 24-hour window to submit a professional penetration-test report.[2] There are no multiple-choice questions — you must actually gain access to machines, escalate privileges, and document everything credibly.
The single most useful thing to internalize before you study: the exam mirrors the penetration-testing methodology. Almost everything you do follows a predictable order — enumerate thoroughly, research and adapt an exploit, gain a foothold, escalate to root or SYSTEM, then chain through the Active Directory set — with careful note-taking running underneath the whole time.
- 1
Enumeration & information gathering
Sweep the network for live hosts, scan ports, fingerprint services and versions (Nmap), and enumerate each service deeply (SMB, web, FTP, DNS). The phase you keep returning to — most footholds are missed enumeration.
- 2
Vulnerability identification & exploit research
Map enumerated software and versions to known weaknesses; search the offline Exploit-DB archive with searchsploit and run NSE checks. Read, understand, and adapt public proof-of-concept code before firing it.
- 3
Initial access (foothold)
Exploit a web app flaw, a vulnerable service, or weak credentials to land a first shell — typically as a low-privileged user or service account. Worth 10 points per standalone machine.
- 4
Privilege escalation
Enumerate the host (linPEAS/winPEAS, manual checks) and abuse a misconfiguration — SUID/sudo/cron on Linux, service/token misconfigs on Windows — to become root or SYSTEM. The second 10 points per machine.
- 5
Active Directory & lateral movement
On the AD set, pivot from the foothold: harvest credentials (Kerberoasting, Mimikatz), move host-to-host (Pass-the-Hash, WMI, WinRM), and tunnel through pivots to reach internal hosts.
- 6
Domain compromise
Chain access to the domain controller and extract all domain secrets (DCSync / NTDS.dit), owning the domain — the 20-point capstone of the AD set.
- 7
Documentation & reporting
Throughout, capture proof, commands, and screenshots. After the 24-hour window, submit a professional report within 24 hours; an unreported compromise scores zero.
A naming note worth keeping straight: OSCP is the certification; PEN-200 (formerly PWK) is the course and exam that grants it. You will see all three names used interchangeably. This guide teaches the PEN-200 syllabus and the methodology the practical tests — always confirm the current exam structure and rules on the official OffSec exam guide before you book.[2]
OSCP Exam Snapshot
| Detail | OSCP / PEN-200 |
|---|---|
| Credential | Offensive Security Certified Professional (OSCP) |
| Course | PEN-200 — Penetration Testing with Kali Linux (formerly PWK) |
| Format | 24-hour hands-on practical — compromise live machines (not multiple-choice) |
| Machines | Three standalone hosts + one Active Directory set |
| Scoring | 100 points total; 70 required to pass |
| Report | Professional penetration-test report submitted within 24 hours after the test window |
| Metasploit | Limited — automated exploitation allowed on one machine only |
| Provider | OffSec (Offensive Security) |
The 100 points break down across the machines as follows.[2] The Active Directory set is the single largest block (40 points), so it deserves proportionate study time:
Module 1 · Enumeration & Information Gathering
The foundation of every machine. Enumeration is the most important — and most under-practiced — OSCP skill. Nearly every foothold and privilege escalation comes from a detail you surfaced here: an uncommon port, an anonymous share, a forgotten credential.
1.1 Host Discovery & Port Scanning with Nmap
is your primary scanner.[5] Start by finding live hosts — a ping sweep (nmap -sn) lists which hosts are up without scanning ports — then scan ports. A host that ignores ICMP looks “down,” so force the scan with .
The high-yield habit: run a fast top-ports scan first to start working, then a full all-ports scan (-p-) so a foothold service parked on an uncommon high port is never missed. UDP services such as DNS and SNMP need a separate -sU scan.
- 1
Host discovery
Find which hosts are alive. A ping sweep (nmap -sn) lists live IPs without scanning ports; on hosts that block ICMP, force the scan with -Pn.
- 2
Port scanning
Identify open TCP/UDP ports. A fast top-ports scan first, then a full all-ports scan (-p-) so an uncommon foothold port on a high number is not missed.
- 3
Service & version detection
Fingerprint what is actually listening. -sV reports product and version; -sC runs default scripts. Versions drive exploit research.
- 4
Deep service enumeration
Interrogate each service: directory brute-forcing on web, share listing on SMB, banner grabbing, anonymous logins on FTP, NSE category scripts.
1.2 Service & Version Detection
Open ports are only the start — you need to know what is listening and its exact version, because versions drive exploit research.[5] reports each service’s product and version, and runs Nmap’s default scripts; they are usually combined as -sC -sV. A “closed” port means it is reachable but nothing is listening, while “filtered” means a firewall is dropping probes.
1.3 Deep Service Enumeration (SMB, Web, FTP)
Once you know what is running, interrogate each service. On web, brute-force content with or ffuf, inspect robots.txt, and enumerate virtual hosts. On SMB, an can leak users, groups, and shares via ; writable shares may let you upload a payload.
On FTP, try an anonymous login and list directories. names software and versions — but treat banners as a hint, since an administrator can change them. The automates much of this (for example --script smb-enum-shares).
Checkpoint · Enumeration & Information Gathering
Question 1 of 8
A tester wants Nmap to perform only host discovery across a small range of IP addresses to learn which hosts are alive, without scanning any ports. Which Nmap option performs this ping-sweep behavior?
Module 2 · Vulnerability Scanning & Exploit Research
Turning enumeration into a plan of attack. With services and versions in hand, identify which are vulnerable and find the code to exploit them — then read and adapt that code so it actually works against your target.
2.1 Vulnerability Identification
A vulnerability scanner enumerates known weaknesses, and an authenticated scan (supplying valid credentials so the scanner can inspect the host from the inside) is far more accurate than an unauthenticated one.[3] But scanners produce false positives: when a finding doesn’t match what manual probing shows, trust your manual verification. Nmap’s vuln category gives a lightweight, targeted alternative for a single box.
2.2 Finding & Adapting Public Exploits
Map a service and version to a public exploit with , which searches the offline archive without internet access.[1] Read the full entry and code before running it.
A almost always needs editing: set the attacker’s IP and listener port, fix offsets for the right minor version, and regenerate any embedded shellcode. A missing-module error means installing the dependency on your attacker box — not abandoning the exploit. Above all, read the whole script so you never run destructive or backdoored code.
Checkpoint · Vulnerability Scanning & Exploit Research
Question 1 of 8
A tester wants an authorized vulnerability scanner to enumerate missing patches on a Linux target as accurately as possible. Which configuration choice most improves detection accuracy?
Module 3 · Web Application Attacks
The most common foothold on the exam. Web applications are everywhere, and the goal is always the same: turn a web bug into a . Know the major attack classes and how to chain each one to code execution.
SQL injection (SQLi)
UNION, error-based, blind/time-based
Untrusted input alters a SQL query. Extract data, bypass auth, or (with FILE/xp_cmdshell) gain code execution. sqlmap automates it.
Cross-site scripting (XSS)
Reflected, stored, DOM-based
Injected script runs in a victim's browser — steal sessions, log keystrokes, or force state-changing requests. Bypass CSP and filters.
Command injection
; | && $(…) `…`
User input reaches an OS shell. Chain a separator and a command; if output is hidden (blind), use a reverse shell or out-of-band callback.
Directory traversal / LFI
../../etc/passwd, PHP wrappers
Read arbitrary files or include attacker-controlled content. Escalate LFI to code execution via log poisoning or php://filter.
File upload
Web shells, extension/MIME bypass
Upload executable code the server runs. Defeat signature, extension allow-list, and double-extension checks to drop a web shell.
Client-side attacks
Malicious macros, custom URI handlers
Deliver a payload a staff user opens — an Office macro or a link that fetches second-stage code from the attacker's server.
3.1 SQL Injection
happens when untrusted input is concatenated into a query.[4] The major variants: UNION-based (append a UNION SELECT to exfiltrate data — first find the column count with ORDER BY), error-based (leak data through displayed error messages), and blind / time-based (no data returned, so a payload that pauses the response reveals values bit by bit).
SQLi can also bypass authentication by closing the string and adding an always-true condition, and with FILE privileges or xp_cmdshell it can reach code execution. automates detection and extraction — including authenticated requests and request files captured in a proxy.
3.2 XSS, Command Injection & Directory Traversal
injects script that runs in a victim’s browser — reflected (bounced from one request), stored (persisted for every visitor, the most impactful), or DOM-based.[4] Use it to steal sessions, log keystrokes, or force state-changing requests, and be ready to bypass a Content Security Policy or tag filters.
is more direct: user input reaches an OS shell, so a separator (;, |, &&) and a command run arbitrary code; when output is hidden, confirm out of band and upgrade to a reverse shell.
reads files outside the web root with ../ sequences — defeat filters that strip ../ only once, or a fixed prefix the app prepends.
3.3 File Inclusion, Upload & Client-Side Attacks
goes beyond reading files — the app includes the referenced file in execution, so you can reach code execution by poisoning a log the app reads, or disclosing source with the php://filter wrapper.[4]
File uploads are a fast foothold: defeat a magic-byte (signature) check by prepending an image header, defeat an extension allow-list with case tricks or double extensions, and abuse server-side archive extraction to write a to a chosen path. Client-side attacks target staff instead of the server — a malicious Office macro, or a link using a custom URI handler that fetches second-stage code from your server.
Checkpoint · Web Application Attacks
Question 1 of 8
A tester probing a numeric product-listing parameter changes its value from a number to the same number followed by an arithmetic expression, and the page returns the product that matches the computed total. What does the application performing that arithmetic indicate about the parameter?
Module 4 · Gaining a Foothold: Shells & Transfers
From bug to interactive access. A successful exploit gives you code execution, but you want a stable, interactive shell — and then the ability to move tools onto the box. This module is the bridge between initial access and privilege escalation.
4.1 Reverse vs. Bind Shells & TTY Upgrades
Choose the right shell for the network. A makes the target connect back to your listener and is the default on the exam, because most targets sit behind NAT or a firewall that blocks inbound connections.[1]
A opens a listener on the target — useful in some cases, but reachable by anyone scanning the port. A plain netcat listener offers no encryption and may be filtered, so socat gives a more robust, encrypted option.
Finally, so job control, tab completion, and full-screen tools work: spawn a PTY (python3 -c 'import pty; pty.spawn("/bin/bash")'), then set stty raw -echo and export TERM=xterm and a sane PATH.
4.2 Payloads & File Transfers
generates payloads in whatever format you need — a standalone Windows EXE that connects back, or raw shellcode to paste into a Python exploit — with your LHOST and LPORT set.[1] When the target flags certain bytes, specify them as bad characters (-b) and let an encoder route around them.
Once you have a shell, you often need to move tools onto a box that has no outbound internet: host a file with a quick HTTP server and pull it down, push it over an SMB share, or use a living-off-the-land downloader. Always confirm which user your shell runs as before choosing an escalation path.
Checkpoint · Gaining a Foothold: Shells & Transfers
Question 1 of 8
A tester lands a basic shell on a Linux host and runs a one-liner using python3 to spawn /bin/bash through pty.spawn so the session behaves like a real terminal. What does this single step accomplish for the tester?
Module 5 · Privilege Escalation (Linux & Windows)
The second 10 points on every machine. A foothold is rarely root or SYSTEM. Privilege escalation is a methodical search for one misconfiguration — start with an enumeration script, then verify findings manually and abuse the best one.
Linux (root)
- SUID/SGID binaries (GTFOBins, e.g. bash -p)
- Misconfigured sudo rules (sudo -l)
- Writable cron jobs & wildcard injection
- Linux capabilities (getcap, cap_setuid)
- Kernel exploits (match version precisely)
- Readable credentials & weak file permissions
Windows (SYSTEM)
- SeImpersonatePrivilege → Potato attacks
- Unquoted service paths & writable service binaries
- AlwaysInstallElevated & weak service permissions
- DLL hijacking (Process Monitor)
- SeBackupPrivilege (read SAM/SYSTEM hives)
- Stored credentials (autologon, Unattend.xml)
5.1 Linux Privilege Escalation
On Linux the classic vectors are (a SUID-root program that can spawn a shell — for example a copy of bash run as bash -p to keep its privileges), misconfigured (many allowed binaries have a escape), writable or wildcard-based cron jobs, and Linux capabilities such as cap_setuid on an interpreter.[3] Kernel exploits exist but are a last resort — match the exact version and prefer a clean misconfiguration. Run to surface candidates, then confirm each by hand.
5.2 Windows Privilege Escalation
On Windows, check the token first with whoami /priv. — common on service accounts — is abused by the Potato family (PrintSpoofer, RoguePotato, GodPotato) to impersonate a SYSTEM token.[3]
Other staples: and writable service binaries, weak service permissions and AlwaysInstallElevated, (find the missing DLL with Process Monitor), the powerfulSeBackupPrivilege (read the SAM and SYSTEM hives), and stored credentials in autologon registry values or Unattend.xml. automates the hunt, though antivirus may quarantine it.
Checkpoint · Privilege Escalation (Linux & Windows)
Question 1 of 8
A tester finds a SUID-root binary that is a copy of bash with the privileges preserved. Which invocation turns this into a root shell?
Module 6 · Active Directory Attacks
The 40-point capstone. The Active Directory set is scored as a chain — client, a second host, and the domain controller — and credential reuse is the engine that drives it. Enumerate the domain, harvest credentials, and chain your way to the DC.
- 1
Foothold on a domain host
Compromise the client machine of the AD set (often via a web app or weak service) and obtain a first domain or local credential context.
- 2
Domain enumeration
Map the domain with BloodHound and PowerView — users, groups, sessions, SPNs, and the shortest attack paths to high-value objects. Enumerate before attacking.
- 3
Credential harvesting
Kerberoast accounts with SPNs and AS-REP roast accounts without pre-auth; crack the tickets offline (Hashcat). Dump credentials from memory with Mimikatz where you have admin.
- 4
Lateral movement
Reuse harvested material to move host-to-host: Pass-the-Hash (NTLM), Pass-the-Ticket (Kerberos), and remote execution over SMB (PsExec), WMI, or WinRM.
- 5
Privilege escalation in the domain
Abuse BloodHound-identified rights (WriteDACL, GenericAll) and reach a Domain Admin or the domain controller through the chained path.
- 6
Domain controller compromise
On the DC, run DCSync to pull all domain hashes (including krbtgt) or extract NTDS.dit directly — full domain ownership and the 20-point capstone.
6.1 AD Enumeration & Kerberos
A hosts the directory and authenticates the ; member servers and client machines are domain-joined hosts you move between. Map the environment first with and PowerView — users, groups, sessions, service principal names, and the shortest attack paths to Domain Admins.[3]
Underneath it all is : a client authenticates to the DC for a , then exchanges it for a to reach a service. That flow underpins every roasting and ticket attack.[6]
6.2 Roasting, Credential Reuse & Tickets
requests service tickets for SPN-enabled accounts and cracks them offline; it needs only one valid domain credential.[3] targets accounts with pre-authentication disabled and needs no credential— only usernames — making it usable before any access.
With a hash in hand, authenticates over NTLM without cracking it (defeating even long passwords), and Pass-the-Ticket injects a stolen Kerberos ticket. Forged tickets go further: a (from the krbtgt hash and domain SID) grants domain-wide access as any user, while a (from one service account’s hash) is narrower but stealthier. dumps the credentials and tickets that fuel all of this.
Kerberoasting
Accounts with an SPN
Request a service ticket (TGS) for an SPN-enabled account and crack its hash offline. Needs any valid domain credential.
AS-REP Roasting
Accounts with pre-auth disabled
Request an AS-REP for accounts that do not require Kerberos pre-authentication and crack it. Needs no valid credential — only usernames.
Pass-the-Hash (PtH)
NTLM authentication
Authenticate with a stolen NT hash without cracking it. Defeats long passwords; blunted by unique local admin passwords (LAPS).
Pass-the-Ticket (PtT)
Kerberos authentication
Inject a stolen TGT or TGS into a session to impersonate a user. Tickets expire, so they must be reasonably fresh.
Golden ticket
Forged TGT (krbtgt key)
Forge a ticket-granting ticket from the krbtgt hash and domain SID — arbitrary user, arbitrary groups, domain-wide. Resetting krbtgt twice invalidates it.
Silver ticket
Forged TGS (service key)
Forge a service ticket from a single service account's hash — narrower scope and stealthier than a golden ticket (no DC contact).
6.3 Domain Compromise
Reaching the domain controller is the goal. With sufficient rights, abuses the replication protocol to pull every domain hash — including krbtgt— without touching on disk; alternatively, extract NTDS.dit directly.[3] Membership of the Domain Admins group is effectively full control of the domain, so BloodHound edges likeWriteDACL and GenericAll that lead there are exactly what you chain toward.
Checkpoint · Active Directory Attacks
Question 1 of 8
A tester is asked which logical boundary in Active Directory groups computers and users so they can share a common directory database and security policy under a single administrative authority. Which term describes that boundary?
Module 7 · Lateral Movement & Pivoting / Tunneling
Reaching what you can’t touch directly. The AD set rewards movement beyond the first foothold — host-to-host with reused credentials, and through a pivot into internal subnets the attacker box can’t reach.
7.1 Lateral Movement (WMI, WinRM, PsExec)
With recovered credentials or a hash, move between Windows hosts using built-in remote execution.[3] PsExec runs a command over SMB via a temporary service (effective but noisy), WMI executes through the management interface, and provides an interactive remote PowerShell session on ports 5985/5986 — often preferred when staying quiet matters. This , powered by credential reuse, is the heart of the AD set’s scoring beyond the first box.
7.2 Pivoting & Tunneling
A is a compromised, dual-homed host that routes your traffic into an otherwise unreachable network.[3] SSH forwards do the work on Linux: local (-L) exposes one internal service on your box, remote (-R) pushes a port out when you can’t reach inward, and dynamic (-D) opens a SOCKS proxy for many tools at once.
tunnels a SOCKS proxy over HTTP through a firewalled Windows host with no SSH server. Then forces command-line tools through the tunnel — but use full TCP-connect scans (nmap -sT -Pn), because SYN, ICMP ping, and UDP do not traverse a SOCKS proxy.
SSH local port forward
ssh -L
Expose one internal service (e.g. RDP) on a local port of the attacker box through a Linux pivot you can SSH to.
SSH remote port forward
ssh -R
Pivot can reach the attacker but the attacker cannot reach inward; the pivot pushes an internal port out to you.
SSH dynamic / SOCKS
ssh -D
Open a SOCKS proxy that routes many tools into the internal network at once — pair with proxychains.
Chisel
TCP/SOCKS over HTTP
Tunnel through a firewalled Windows host with no SSH server; a client-server SOCKS proxy that survives heavy inbound filtering.
proxychains
Force tools through a proxy
Wraps command-line tools so their TCP connections traverse a SOCKS tunnel. Use TCP-connect scans — ICMP/UDP do not traverse SOCKS.
Checkpoint · Lateral Movement & Pivoting / Tunneling
Question 1 of 8
A tester recovers valid administrator credentials and chooses Windows Management Instrumentation to execute a command on a remote host for lateral movement. What is a notable characteristic of using WMI for this purpose?
Module 8 · Reporting & Exam Strategy
Points you only keep if you can prove them. An unreported compromise scores zero, and the 24-hour clock punishes poor time management. The discipline of note-taking and strategy is as much a part of passing as the exploitation itself.
8.1 Note-Taking, Proof & the Report
Document as you go, not at the end.[2] For each compromise, capture the proof file, the exact commands and exploit you used (so it is reproducible), and screenshots showing the proof alongside the machine’s IP and your access level. The final penetration-test report, submitted within 24 hours after the test window, must let an assessor reproduce every step — if it’s not in the report credibly, it doesn’t count.
8.2 Time Management & the Metasploit Rule
Strategy wins exams. Spend your one permitted Metasploit machine wisely — automated exploitation is allowed on a single machine of your choice, so reserve it for a box you can’t crack manually, and use manual techniques everywhere else.[2] On the AD set, prioritize the client machine to start the chain, and don’t tunnel-vision a single hard standalone box while easier points sit untouched — rotate targets, bank partial points (initial access even without escalation), and take regular breaks to stay sharp.
Checkpoint · Reporting & Exam Strategy
Question 1 of 8
A tester has fully compromised a standalone box and is preparing the report. To document the initial-access step credibly, which content best demonstrates how the foothold was achieved?
How to Use This OSCP Study Guide
This guide is built to be worked, not just read — and because the OSCP exam is hands-on, the most efficient path to a pass combines this conceptual map with real lab practice:
- Follow the kill chain. Enumerate, research, exploit, escalate, then attack Active Directory and pivot — that order is the methodology the exam rewards.
- Master enumeration first. It is the highest-leverage skill; most candidates who fail simply didn’t enumerate deeply enough.
- Practice hands-on. Use a lab (PEN-200, Proving Grounds, or similar). The quizzes here reinforce concepts — they don’t replace breaking into real machines.
- Check off as you go. Use the Study Guide Contents to mark each section done — it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show exactly which topics need another pass.
- Then prove it. Send your weak area into the flashcards and the practice questions, and read every rationale — that is how the methodology sticks.
OSCP Concept Questions
Common technique and methodology concepts candidates search while studying for the OSCP (OffSec PEN-200) exam — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
OSCP Glossary
The high-yield OSCP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- -Pn
- An Nmap option that skips host discovery and scans a target even if it does not respond to ICMP echo requests.
- -sC
- Runs Nmap's default category of NSE scripts during a scan to gather extra information and catch common issues.
- -sV
- Nmap service and version detection — reports each open port's product name and version, the input for exploit research.
- Active Directory (AD)
- Microsoft's directory service that groups users and computers into domains sharing a common database and security policy.
- AS-REP Roasting
- Capturing and cracking the AS-REP of accounts with Kerberos pre-authentication disabled; it needs no credential, only usernames.
- Banner grabbing
- Reading a service's identifying banner (for example with Netcat) to learn its software and version for exploit research.
- Bind shell
- A shell in which a listener is opened on the target and the attacker connects to it; it is exposed to anyone who scans the port.
- BloodHound
- A tool that collects AD data and graphs the shortest attack paths from a controlled account to high-value targets like Domain Admins.
- Chisel
- A client-server SOCKS tunnel over HTTP used to pivot through a firewalled Windows host that lacks an SSH server.
- Command injection
- An attack in which user input reaches an operating-system shell, letting an attacker run arbitrary commands by chaining a separator.
- Cross-site scripting (XSS)
- Injecting script that runs in a victim's browser to steal sessions or keystrokes, or to force state-changing requests.
- DCSync
- An attack that abuses the directory replication protocol to request domain account hashes from a DC without touching NTDS.dit on disk.
- Directory traversal
- Abusing ../ sequences to read files outside the intended directory, such as /etc/passwd or a Windows web.config.
- DLL hijacking
- Placing a malicious DLL where an elevated application loads it; Process Monitor reveals a missing or writable DLL path to abuse.
- Domain controller (DC)
- The server that hosts the Active Directory database and authenticates the domain — the highest-value target in the AD set.
- enum4linux
- A wrapper tool that enumerates Windows and Samba hosts over SMB — domain or workgroup, users, groups, shares, and policy.
- Enumeration
- The systematic discovery of hosts, ports, services, versions, and configurations on a target — the single most important OSCP skill. When you are stuck, the answer is almost always more enumeration.
- Exploit-DB
- A public archive of exploits and proof-of-concept code; match the exact product and version, then read and adapt the code.
- gobuster
- A directory and file brute-forcing tool for web servers; in directory mode it appends file extensions to each wordlist entry.
- Golden ticket
- A forged ticket-granting ticket made from the krbtgt hash and domain SID, granting domain-wide access as any user with any groups.
- GTFOBins
- A reference of Unix binaries that can be abused — via SUID, sudo, or capabilities — to bypass restrictions and escalate privileges.
- Hashcat
- A GPU-accelerated password cracker; the correct mode must be chosen per hash type (e.g. Kerberoast or AS-REP) and rules can be applied.
- Kerberoasting
- Requesting service tickets for accounts with a service principal name and cracking them offline; it needs only one valid domain credential.
- Kerberos
- Active Directory's default authentication protocol, which uses tickets (a TGT and service tickets) issued by the domain controller.
- Lateral movement
- Moving host-to-host with reused credentials (Pass-the-Hash, Pass-the-Ticket, PsExec, WMI, WinRM) — the heart of the AD set's scoring.
- linPEAS
- An automated Linux enumeration script that sweeps a host for privilege-escalation opportunities and highlights them by likelihood.
- Local file inclusion (LFI)
- A flaw where an application includes a referenced file in execution; it can be escalated to code execution via log poisoning or PHP wrappers.
- Mimikatz
- A tool that extracts credentials and Kerberos tickets from memory; it requires elevated privileges to read the LSASS process.
- msfvenom
- Metasploit's standalone payload generator, which builds reverse- and bind-shell payloads in formats such as EXE or raw shellcode.
- Nmap
- The primary port scanner used to discover live hosts, open ports, and service versions that drive exploit research.
- NSE
- The Nmap Scripting Engine — a framework for running scripts (e.g. the 'vuln' or 'smb-enum-shares' categories) for deeper enumeration.
- NTDS.dit
- The Active Directory database file on a domain controller; extracting it yields every domain password hash.
- Pass-the-Hash (PtH)
- Authenticating with a captured NTLM hash without cracking it; it defeats strong passwords and is blunted by unique local passwords.
- Pivot host
- A compromised, dual-homed host used to route traffic into a network the attacker cannot reach directly.
- Privilege escalation
- Moving from a low-privileged user or service account to root or SYSTEM — the second 10 points on each OSCP machine.
- Proof of concept (PoC)
- Public exploit code that usually needs adapting — set the attacker IP and port, fix offsets, and regenerate shellcode before use.
- proxychains
- A tool that forces a command-line program's TCP connections through a SOCKS or HTTP proxy so it can reach an internal network via a pivot.
- Reverse shell
- A shell in which the target connects back to a listener on the attacker — preferred when the target blocks inbound connections.
- searchsploit
- A command-line search of the offline Exploit-DB archive bundled with Kali Linux; works without internet access.
- SeImpersonatePrivilege
- A Windows privilege, common on service accounts, that 'Potato' attacks abuse to impersonate a SYSTEM token and escalate.
- Silver ticket
- A forged service ticket made from one service account's hash — narrower in scope and stealthier than a golden ticket.
- SMB null session
- An anonymous SMB connection made with empty credentials that, where allowed, can reveal users, groups, and share names.
- SQL injection
- An attack in which untrusted input alters a SQL query, allowing data extraction, authentication bypass, or even code execution.
- sqlmap
- A tool that automates SQL injection — detecting it and enumerating databases, tables, and data, with support for authenticated requests.
- sudo -l
- A command listing what the current user may run via sudo as root; many such binaries have a documented root-shell escape.
- SUID binary
- A file that runs with its owner's privileges; a SUID-root program that can spawn a shell becomes a path to root.
- TGS
- A Kerberos service ticket for a specific service, encrypted with that service account's key — the material Kerberoasting cracks offline.
- TGT
- A ticket-granting ticket issued after initial Kerberos authentication and presented to obtain service tickets; signed by the krbtgt key.
- TTY upgrade
- Turning a basic (dumb) shell into a fully interactive terminal so job control, tab completion, and full-screen tools work.
- Unquoted service path
- A Windows service path containing spaces and no quotes; writing a binary to an earlier directory lets it run at the service's privilege level.
- Web shell
- A script placed on a server that the server executes, giving the attacker remote command execution through the browser.
- winPEAS
- The Windows counterpart to linPEAS; antivirus may quarantine the well-known binary, so an obfuscated or in-memory version helps evade it.
- WinRM
- Windows Remote Management, which provides an interactive remote PowerShell session (ports 5985/5986) often preferred for stealthier lateral movement.
OSCP Study Guide FAQ
OSCP stands for Offensive Security Certified Professional. It is a hands-on penetration-testing certification offered by OffSec (Offensive Security) and earned by passing the exam for the PEN-200 course, Penetration Testing with Kali Linux (historically called PWK). It is widely regarded as a benchmark practical credential for offensive security roles.
No. Unlike CEH or PenTest+, the OSCP exam is a 24-hour hands-on practical: you compromise live machines in a lab, gaining initial access and escalating privileges, and capture proof. You then have a further 24 hours to write and submit a professional penetration-test report. Our practice questions are a concept study-aid that reinforces the underlying methodology — they do not replace hands-on lab practice.
The exam is worth 100 points and you need 70 to pass. The current format has three standalone machines (each worth 10 points for initial access plus 10 for privilege escalation) and an Active Directory set worth 40 points (10 for the client, 10 for a second host, and 20 for the domain controller). You must also submit an acceptable report; an unreported compromise scores nothing.
The penetration-testing methodology end to end: information gathering and enumeration, vulnerability identification and exploit research, web application attacks (SQL injection, XSS, command injection, file inclusion and upload), gaining a foothold with shells and payloads, Linux and Windows privilege escalation, Active Directory attacks (Kerberoasting, AS-REP roasting, Pass-the-Hash, ticket attacks), and lateral movement with pivoting and tunneling.
The OSCP is a hands-on practical exam — you actually break into machines and write a report — while CEH and CompTIA PenTest+ are largely multiple-choice (PenTest+ also has performance-based questions). The OSCP proves you can do the work, not just recall it, which is why employers weight it heavily for offensive roles. Our companion guides for those certifications cover their multiple-choice formats.
Only in a limited way. You may use Metasploit's automated exploitation features (and msfvenom) against a single exam machine of your choice; the rest must be compromised with manual techniques. Most candidates reserve their one Metasploit machine strategically and rely on manual exploitation everywhere else, which is exactly what the course is built to teach.
Work through the modules in the order a penetration test flows — enumerate, research, exploit, escalate, then attack Active Directory and pivot. Use the checkpoints to test recall, but pair the guide with hands-on practice in a lab (PEN-200, Proving Grounds, or similar), because the exam rewards doing, not memorizing. Treat the practice questions as concept reinforcement.
Yes — the full guide, the module checkpoints, the glossary, the practice questions, and the flashcards are 100% free, with no account required.
References
- 1.OffSec (Offensive Security). “PEN-200: Penetration Testing with Kali Linux (OSCP).” offsec.com. ↑
- 2.OffSec (Offensive Security). “OSCP Exam Guide and Exam FAQ.” help.offsec.com. ↑
- 3.MITRE. “MITRE ATT&CK — Enterprise Tactics and Techniques.” attack.mitre.org. ↑
- 4.OWASP. “OWASP Top Ten and Attack Reference (SQLi, XSS, Command Injection, Path Traversal, File Upload).” owasp.org. ↑
- 5.Nmap Project. “Nmap Reference Guide — Host Discovery, Port Scanning, and Version Detection.” nmap.org. ↑
- 6.Microsoft Learn. “Kerberos Authentication and NTLM Overview.” learn.microsoft.com. ↑
- 100.Nmap Project. “Nmap Reference Guide — Host Discovery and Port Scanning.” nmap.org, accessed 20 June 2026. ↑
- 101.Nmap Project. “Nmap Reference Guide — Service and Version Detection.” nmap.org, accessed 20 June 2026. ↑
- 102.OWASP. “SQL Injection.” owasp.org, accessed 20 June 2026. ↑
- 103.OWASP. “Cross Site Scripting (XSS).” owasp.org, accessed 20 June 2026. ↑
- 104.OWASP. “Command Injection.” owasp.org, accessed 20 June 2026. ↑
- 105.OWASP. “Path Traversal.” owasp.org, accessed 20 June 2026. ↑
- 106.OWASP. “Unrestricted File Upload.” owasp.org, accessed 20 June 2026. ↑
- 107.MITRE ATT&CK. “Privilege Escalation (TA0004).” attack.mitre.org, accessed 20 June 2026. ↑
- 108.MITRE ATT&CK. “Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009).” attack.mitre.org, accessed 20 June 2026. ↑
- 109.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003).” attack.mitre.org, accessed 20 June 2026. ↑
- 110.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004).” attack.mitre.org, accessed 20 June 2026. ↑
- 111.MITRE ATT&CK. “Use Alternate Authentication Material: Pass the Hash (T1550.002).” attack.mitre.org, accessed 20 June 2026. ↑
- 112.MITRE ATT&CK. “Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001).” attack.mitre.org, accessed 20 June 2026. ↑
- 113.MITRE ATT&CK. “OS Credential Dumping: DCSync (T1003.006).” attack.mitre.org, accessed 20 June 2026. ↑
- 114.MITRE ATT&CK. “Lateral Movement (TA0008).” attack.mitre.org, accessed 20 June 2026. ↑
- 115.MITRE ATT&CK. “Proxy: Internal Proxy (T1090.001).” attack.mitre.org, accessed 20 June 2026. ↑

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
All PostsCareer Employer’s Editorial Process
Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.
