OffSec PEN-200 Learning Plan - 12 Week – OffSec Support Portal

Welcome to OffSec PEN-200! We are delighted to offer a customized learning plan designed to support your learning journey and ultimately enhance your preparedness for the Offensive Security Certified Professional plus (OSCP+) certification.

The Learning Plan comprises a week-by-week journey, which includes a recommended studying approach, estimated learning hours, course topics to focus on, topic labs, capstone labs, and challenge labs to complete, as well as supplemental materials to reinforce your learning (if you so choose).

NOTE: A downloadable PDF version of the plan can be found at the end of this article.

Active OffSec PEN-200 holders can also access the OffSec Academy: OSA-PEN-200 recorded videos, which offer comprehensive guidance and lab concept demonstrations from our Academy Instructors to reinforce the learning objectives. These videos serve as a valuable resource to gain a deeper understanding of the material and enhance preparedness for the OSCP+ exam or to reinforce your learning. You can locate the recorded videos in the OffSec Learning Platform (OLP).

Our OffSec Mentors also play a valuable role in providing guidance and support to you by facilitating dedicated OffSec Discord channels. Through these channels, you will have the opportunity to collaborate with other learners, ask questions, and build relationships to gain a deeper understanding of the PEN-200 material and methodology. We strongly encourage you to take advantage of this resource and actively engage with our Mentors throughout your learning journey. Click here to join the OffSec Discord server and find answers to more frequently asked questions (FAQs).

Should you encounter technical issues or have questions about VPN connections, lab access, navigating the OffSec Learning Platform, or any other related matters, our 24/7 OffSec Technical Service Team is available to assist you. Please click here to contact us.

Getting Ready

To help you prepare for PEN-200, please see the quick reference guide that will assist you in getting started with the OffSec Learning Platform (OLP) and enhance your learning experience.

Please see our Course Start Guide for further onboarding details.

Learning Plan - 12 Week

Jump to Week: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

Week 1

Overview and Study Approach	The first four topics serve as an introduction to the course material and provide a general approach to the course. We also recommend learners explore the following OffSec communication mediums: OffSec Help and FAQs: https://help.offsec.com/hc/en-us Discord: How may I join the OffSec Community? Youtube Channel: @OffSecTraining Twitch Channel: @offsecofficial Twitter: @OffSecTraining
Learning Topics	1) Penetration Testing with Kali Linux: General Course Information 2) Introduction To Cybersecurity 3) Effective Learning Strategies 4) Report Writing for Penetration Testers 5) Information Gathering 6) Vulnerability Scanning
Labs	6.2.1. Whois Enumeration 6.2.2. Google Hacking 6.2.3. Netcraft 6.2.4. Open-Source Code 6.3.1. DNS Enumeration 6.3.2. TCP/UDP Port Scanning Theory 6.3.3. Port Scanning with Nmap 6.3.4. SMB Enumeration 6.3.5. SMTP Enumeration 6.3.6. SNMP Enumeration 7.1.1. How Vulnerability Scanners Work 7.1.2. Types of Vulnerability Scans 7.1.3. Things to consider in a Vulnerability Scan 7.2.1. Installing Nessus 7.2.2. Nessus Components 7.2.3. Performing a Vulnerability Scan 7.2.4. Analyzing the Results 7.2.5. Performing an Authenticated Vulnerability Scan 7.2.6. Working with Nessus Plugins 7.3.1. NSE Vulnerability Scripts 7.3.2. Working with NSE Scripts
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 1A - Active Info. Gathering Offsec Live Twitch Recordings: Get to Know the Minds Behind PEN-200 (2023) Relevant Labs: N/A

Week 2

Overview and Study Approach	This week, we will focus on the basic methodology, techniques, and tools required to perform successful enumeration and exploitation of web and common web application attacks.
Learning Topics	1) Introduction to Web Application Attacks 2) Common Web Application Attacks
Labs	8.2.4. Security Testing with Burp Suite 8.3.3. Enumerating and Abusing APIs 8.4.5. Privilege Escalation via XSS 9.1.1. Absolute vs Relative Paths 9.1.2. Identifying and Exploiting Directory Traversals 9.1.3. Encoding Special Characters 9.2.1. Local File Inclusion (LFI) 9.2.2. PHP Wrappers 9.2.3. Remote File Inclusion (RFI) 9.3.1. Using Executable Files 9.3.2. Using Non-Executable Files 9.4.1. OS Command Injection
Estimate Time (Hours)	24
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 2A - Web Application Attacks OffSec Live Twitch Recordings: WEB-200: Cross-site Scripting Relevant Labs: Proving Ground Practice labs: Key examples: helpdesk, law Additional practice (when ready): Apex, xposedapi, reconstruction, slort, payday, uc404

Week 3

Overview and Study Approach	The learners will focus on SQL Injection which is one of the most common web application vulnerabilities. Additionally, learners will acquire the skills to conduct target reconnaissance, explore exploitation scenarios using malicious Microsoft Office documents and Windows Library files.
Learning Topics	1) SQL Injection Attacks 2) Client-side Attacks
Labs	10.1.2. DB Types and Characteristics 10.2.3. Blind SQL Injections 10.3.2. Automating the Attack 12.1.1. Information Gathering 12.1.2. Client Fingerprinting 12.2.1. Preparing the Attack 12.2.2. Installing Microsoft Office 12.2.3. Leveraging Microsoft Word Macros 12.3.1. Obtaining Code Execution via Windows Library Files
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 3B - Web Application Attacks Relevant Labs: Proving Ground Practice labs: Key examples: butch, Hepet Additional practice (when ready): hawat, pebbles, megavolt

Week 4

Overview and Study Approach	Focus on online resources that provide public known vulnerabilities exploits. Additionally, we will also examine offline tools within Kali that contain local-hosted exploits and learn techniques for overcoming any potential obstacles when utilizing these tools.
Learning Topics	1) Locating Public Exploits 2) Fixing Exploits
Labs	13.1.1. A Word of Caution 13.2.1. The Exploit Database 13.3.1. Exploit Frameworks 13.3.2. SearchSploit 13.3.3. Nmap NSE Scripts 13.4.1. Putting It Together 14.1.3. Cross-Compiling Exploit Code 14.1.4. Fixing the Exploit 14.1.5. Changing the Overflow Buffer 14.2.2. Selecting the Vulnerability and Fixing the Code 14.2.3. Troubleshooting the "index out of range" Error
Estimate Time (Hours)	20
Supplemental Learning*	Videos: N/A Relevant Labs: Proving Ground Practice labs: Key examples: Kevin, shifty Additional practice (when ready): Twiggy

Week 5

Overview and Study Approach	We will cover multiple techniques for detecting malicious software, as well as exploring methods to bypass AV software on target machines. Learners will also delve into network attacks, password cracking, and attacks against Windows-based authentication implementations.
Learning Topics	1) Antivirus Evasion 2) Password Attacks
Labs	15.1.3. Detection Methods 15.2.2. In-Memory Evasion 15.3. AV Evasion in Practice 15.3.2. Evading AV with Thread Injection 15.3.3. Automating the Process 16.1.1. SSH and RDP 16.1.2. HTTP POST Login Form 16.2.1. Introduction to Encryption, Hashes and Cracking 16.2.2. Mutating Wordlists 16.2.3. Cracking Methodology 16.2.4. Password Manager 16.2.5. SSH Private Key Passphrase 16.3.1. Cracking NTLM 16.3.2. Passing NTLM 16.3.3. Cracking Net-NTLMv2 16.3.4. Relaying Net-NTLMv2
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 7A OffSec Live Twitch Recordings: PEN-200 (2023): Antivirus Evasion Relevant Labs: Proving Ground Practice labs: Key examples: Authby, nickel Additional practice (when ready): Phobos

Week 6

Overview and Study Approach	Once we gain access to the target machine, we will need to escalate the privileges in order to perform more advanced actions on the compromised system. These topics will focus on techniques and exploits that enable successful privilege escalation on both Windows and Linux systems.
Learning Topics	1) Windows Privilege Escalation 2) Linux Privilege Escalation
Labs	17.1.1. Understanding Windows Privileges and Access Control Mechanisms 17.1.2. Situational Awareness 17.1.3. Hidden in Plain View 17.1.4. Information Goldmine PowerShell 17.1.5. Automated Enumeration 17.2.1. Service Binary Hijacking 17.2.2. Service DLL Hijacking 17.2.3. Unquoted Service Paths 17.3.1. Scheduled Tasks 17.3.2. Using Exploits 18.1.2. Manual Enumeration 18.1.3. Automated Enumeration 18.2.1. Inspecting User Trails 18.2.2. Inspecting Service Footprints 18.3.1. Abusing Cron Jobs 18.3.2. Abusing Password Authentication 18.4.1. Abusing Setuid Binaries and Capabilities 18.4.2. Abusing Sudo 18.4.3. Exploiting Kernel Vulnerabilities
Estimate Time (Hours)	24
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 4A - Privilege Escalation OSA - PEN - 200: Week 5A - Privilege Escalation OSA - PEN - 200: Week 6A Privilege Escalation Relevant Labs: Proving Ground Practice labs: Key examples: morbo, Nibbles Additional practice (when ready): billyboss, escape

Week 7

Overview and Study Approach	We will cover port redirection and tunneling techniques using SSH. The topic will begin with simple techniques and gradually progress to more complex ones as we move towards more secure network environments.
Learning Topics	1) Port Redirection and SSH Tunneling
Labs	19.2.3. Port Forwarding with Socat 19.3.1. SSH Local Port Forwarding 19.3.2. SSH Dynamic Port Forwarding 19.3.3. SSH Remote Port Forwarding 19.3.4. SSH Remote Dynamic Port Forwarding 19.3.5. Using sshuttle 19.4.1. ssh.exe 19.4.2. Plink 19.4.3. Netsh
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 8A - Port Redirection and tunneling OSA - PEN - 200: Week 8B - Port Redirection and Tunneling Relevant Labs: Proving Ground Practice labs: Key examples: N/A Additional practice (when ready): Nukem

Week 8

Overview and Study Approach	There may be many restrictions implemented on a network. We will focus on learning and leveraging various tunneling tools and strategies to bypass technologies such as deep packet inspection. We will also cover the Metasploit Framework, including its features, usage and its internal workings. By doing this, we can understand how these frameworks can assist us in real penetration tests.
Learning Topics	1) Tunneling Through Deep Packet Inspection 2) The Metasploit Framework
Labs	20.1.2. HTTP Tunneling with Chisel 20.2.1. DNS Tunneling Fundamentals 20.2.2. DNS Tunneling with dnscat2 21.1.1. Setup and Work with MSF 21.1.2. Auxiliary Modules 21.1.3. Exploit Modules 21.2.1. Staged vs Non-Staged Payloads 21.2.2. Meterpreter Payload 21.2.3. Executable Payloads 21.3.1. Core Meterpreter Post-Exploitation Features 21.3.2. Post-Exploitation Modules 21.3.3. Pivoting with Metasploit 21.4.1. Resource Scripts
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 10A - The Metasploit Framework Relevant Labs: Proving Ground Practice labs: Key examples: Splodge, Internal Additional practice (when ready): wombo

Week 9

Overview and Study Approach	Focus on Active Directory (AD) enumeration, AD explore authentication mechanisms and learn where Windows caches authentication objects such as password hashes and tickets, after that, we'll get familiar with the attack methods targeting these authentication mechanisms.
Learning Topics	1) Active Directory Introduction and Enumeration 2) Attacking Active Directory Authentication
Labs	22.2.1. Active Directory - Enumeration Using Legacy Windows Tools 22.2.2. Enumerating Active Directory using PowerShell and .NET Classes 22.2.3. Adding Search Functionality to our Script 22.2.4. AD Enumeration with PowerView 22.3.1. Enumerating Operating Systems 22.3.2. Getting an Overview - Permissions and Logged on Users 22.3.3. Enumeration Through Service Principal Names 22.3.4. Enumerating Object Permissions 22.3.5. Enumerating Domain Shares 22.4.1. Collecting Data with SharpHound 22.4.2. Analysing Data using BloodHound 23.1.1. NTLM Authentication 23.1.2. Kerberos Authentication 23.1.3. Cached AD Credentials 23.2.1. Password Attacks 23.2.2. AS-REP Roasting 23.2.3. Kerberoasting 23.2.4. Silver Tickets 23.2.5. Domain Controller Synchronization
Estimate Time (Hours)	16
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 11A - Active Directory Attacks (Part 1) OSA - PEN - 200: Week 12A - Active Directory Attack (Part 1) OSA - PEN - 200: Week 13A - Active Directory Attack (Part 2) OSA - PEN - 200: Week 14A - Active Directory Attack (Part 2) OffSec Live Twitch Recordings: PEN-200 (2023): Active Directory Enumeration Walkthrough of a PEN-200 AD Set Relevant Labs: N/A

Week 10

Overview and Study Approach	Explore different lateral movement techniques that allow us to authenticate to a system and gain code execution using a user's hash or a Kerberos ticket.
Learning Topics	1) Lateral Movement in Active Directory
Labs	24.1.1. WMI and WinRM 24.1.2. PsExec 24.1.3. Pass the Hash 24.1.4. Overpass the Hash 24.1.5. Pass the Ticket 24.1.6. DCOM 24.2.1. Golden Ticket 24.2.2. Shadow Copies
Estimate Time (Hours)	20
Supplemental Learning*	Videos: OffSec Academy Recordings: OSA - PEN - 200: Week 11A - Active Directory Attacks (Part 1) OSA - PEN - 200: Week 12A - Active Directory Attack (Part 1) OSA - PEN - 200: Week 13A - Active Directory Attack (Part 2) OSA - PEN - 200: Week 14A - Active Directory Attack (Part 2) OffSec Live Twitch Recordings: PEN-200 (2023): Active Directory Enumeration Walkthrough of a PEN-200 AD Set Relevant Labs: N/A

Week 11

Overview and Study Approach	The final topic will cover a complete penetration testing scenario. The remaining time will be devoted to organizing and consolidating all the notes taken on learning concepts from previous weeks, as well as completing labs.
Learning Topics	1) Assembling the Pieces
Labs	N/A
Estimate Time (Hours)	20
Supplemental Learning*	N/A

Week 12

Overview and Study Approach	The aim is to simulate an exam environment and assess your preparedness while identifying any areas that may require further attention. The time should be utilized to attempt to complete any of the OSCP grade labs (OSCP A, OSCP B, or OSCP C) in under 24 hours. These are retired OSCP exams.
Learning Topics	N/A
Labs	N/A
Supplemental Learning*	N/A
Estimate Time (Hours)	20

*Note: the Supplemental Learning sections described above offer an opportunity to enhance your understanding of the specific topics covered during the assigned week. The suggestions are not required. The Supplemental Learning includes video concept demonstrations and practice lab machines. The machines listed under “Relevant Labs” are not intended to be fully rooted (unless the learner chooses to do so), but rather are designed to be used for practicing and reinforcing the concepts learned during that particular week. These Proving Ground Practice lab machines include hints and walk-throughs to further illustrate how to solve the machine objective.

To access PG Practice lab machines will require either a Proving Ground Practice, Learn One, Learn Unlimited or Learn Enterprise subscription. Click here for more information.

PEN-200 12 week learning plan.pdf
400 KB Download

Related articles