Welcome to OffSec PEN-200! We are delighted to offer a customized learning plan designed to support your learning journey and ultimately enhance your preparedness for the Offensive Security Certified Professional (OSCP) certification.
The Learning Plan comprises a week-by-week journey, which includes a recommended studying approach, estimated learning hours, course topics to focus on, topic labs, capstone labs, and challenge labs to complete, as well as supplemental materials to reinforce your learning (if you so choose).
NOTE: A downloadable PDF version of the plan can be found at the end of this article.
Active OffSec PEN-200 holders can also access the OffSec Academy: OSA-PEN-200 recorded videos, which offer comprehensive guidance and lab concept demonstrations from our Academy Instructors to reinforce the learning objectives. These videos serve as a valuable resource to gain a deeper understanding of the material and enhance preparedness for the OSCP exam or to reinforce your learning. You can locate the recorded videos in the OffSec Learning Platform (OLP).
Our OffSec Mentors also play a valuable role in providing guidance and support to you by facilitating dedicated OffSec Discord channels. Through these channels, you will have the opportunity to collaborate with other learners, ask questions, and build relationships to gain a deeper understanding of the PEN-200 material and methodology. We strongly encourage you to take advantage of this resource and actively engage with our Mentors throughout your learning journey. Click here to join the OffSec Discord server and find answers to more frequently asked questions (FAQs).
Should you encounter technical issues or have questions about VPN connections, lab access, navigating the OffSec Learning Platform, or any other related matters, our 24/7 OffSec Technical Service Team is available to assist you. Please click here to contact us.
Getting Ready
To help you prepare for PEN-200, please see the quick reference guide that will assist you in getting started with the OffSec Learning Platform (OLP) and enhance your learning experience.
Please see our Course Start Guide for further onboarding details.
Learning Plan - 24 Week
Week 1
Overview and Study Approach | The topics covered this week serve as an introduction to the course material and provide a general approach to the course. |
Learning Topics | 1) Penetration Testing with Kali Linux: General Course Information 2) Introduction To Cybersecurity 3) Report Writing for Penetration Testers |
Labs | 3.1.3. On Emulating the Minds of our Opponents 3.2.4. Recent Cybersecurity Breaches 3.3.4. Balancing the Triad with Organizational Objectives 3.4.9. Logging and Chaos Testing 3.5.2. Standards and Frameworks 3.6.3. Cybersecurity Career Opportunities: Build 5.1.6. Tools to Take Screenshots 5.2.7. Appendices, Further Information, and References |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 2
Overview and Study Approach | This week we will focus on getting the learner familiar with different tools and techniques that allow us to perform successful information gathering and vulnerability scanning. |
Learning Topics | 1) Information Gathering 2) Vulnerability Scanning |
Labs | 6.2.1. Whois Enumeration 6.2.2. Google Hacking 6.2.3. Netcraft 6.2.4. Open-Source Code 6.3.1. DNS Enumeration 6.3.2. TCP/UDP Port Scanning Theory 6.3.3. Port Scanning with Nmap 6.3.4. SMB Enumeration 6.3.5. SMTP Enumeration 6.3.6. SNMP Enumeration 7.1.1. How Vulnerability Scanners Work 7.1.2. Types of Vulnerability Scans 7.1.3. Things to consider in a Vulnerability Scan 7.2.1. Installing Nessus 7.2.2. Nessus Components 7.2.3. Performing a Vulnerability Scan 7.2.4. Analyzing the Results 7.2.5. Performing an Authenticated Vulnerability Scan 7.2.6. Working with Nessus Plugins 7.3.1. NSE Vulnerability Scripts 7.3.2. Working with NSE Scripts |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 3
Overview and Study Approach | This week we will focus on the basic methodology, techniques, and tools required to perform successful enumeration and exploitation of basic web application attacks. |
Learning Topics | 1) Introduction to Web Application Attacks |
Labs | 8.2.4. Security Testing with Burp Suite 8.3.3. Enumerating and Abusing APIs 8.4.5. Privilege Escalation via XSS |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 4
Overview and Study Approach | This week, we will focus on the basic methodology, techniques, and tools required to perform successful enumeration and exploitation of common web application attacks. |
Learning Topics | 1) Common Web Application Attacks (Part 1) |
Labs | 9.1.1. Absolute vs Relative Paths 9.1.2. Identifying and Exploiting Directory Traversals 9.1.3. Encoding Special Characters 9.2.1. Local File Inclusion (LFI) 9.2.2. PHP Wrappers |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 5
Overview and Study Approach | We will continue to focus on Part 2 of the basic methodology, techniques, and tools required to perform successful enumeration and exploitation of common web application attacks. |
Learning Topics | 2) Common Web Application Attacks (Part 2) |
Labs | 9.2.3. Remote File Inclusion (RFI) 9.3.1. Using Executable Files 9.3.2. Using Non-Executable Files 9.4.1. OS Command Injection |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos: N/A
|
Week 6
Overview and Study Approach | This week will focus on understanding SQL syntax and exploiting SQL Injection vulnerabilities. |
Learning Topics | 1) SQL Injection Attacks |
Labs | 10.1.2. DB Types and Characteristics 10.2.3. Blind SQL Injections 10.3.2. Automating the Attack |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 7
Overview and Study Approach | This week will delve into network attacks, password cracking, and attacks against Windows-based authentication implementations. |
Learning Topics | 1) Password Attacks |
Labs | 15.1.1. SSH and RDP 15.1.2. HTTP POST Login Form 15.2.1. Introduction to Encryption, Hashes and Cracking 15.2.2. Mutating Wordlists 15.2.3. Cracking Methodology 15.2.4. Password Manager 15.2.5. SSH Private Key Passphrase 15.3.1. Cracking NTLM 15.3.2. Passing NTLM 15.3.3. Cracking Net-NTLMv2 15.3.4. Relaying Net-NTLMv2 |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos: N/A Relevant Labs:
|
Week 8
Overview and Study Approach | This week will focus on online resources that provide exploits for publicly known vulnerabilities. Additionally, we will examine offline tools within Kali that contain locally hosted exploits and learn techniques for overcoming any potential obstacles when utilizing these tools. |
Learning Topics | 1) Locating Public Exploits 2) Fixing Exploits |
Labs | 12.1.1. A Word of Caution 12.2.1. The Exploit Database 12.3.1. Exploit Frameworks 12.3.2. SearchSploit 12.3.3. Nmap NSE Scripts 12.4.1. Putting It Together 13.1.3. Cross-Compiling Exploit Code 13.1.4. Fixing the Exploit 13.1.5. Changing the Overflow Buffer 13.2.2. Selecting the Vulnerability and Fixing the Code 13.2.3. Troubleshooting the "index out of range" Error |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos: N/A Relevant Labs:
|
Week 9
Overview and Study Approach | This week will cover multiple techniques for detecting malicious software, as well as exploring methods to bypass AV software on target machines. Additionally, learners will acquire the skills to conduct target reconnaissance and explore exploitation scenarios using malicious Microsoft Office documents and Windows Library files. |
Learning Topics | 1) Client-side Attacks 2) Antivirus Evasion |
Labs | 11.1.1. Information Gathering 11.1.2. Client Fingerprinting 11.2.1. Preparing the Attack 11.2.2. Installing Microsoft Office 11.2.3. Leveraging Microsoft Word Macros 11.3.1. Obtaining Code Execution via Windows Library Files 14.1.3. Detection Methods 14.2.2. In-Memory Evasion 14.3.2. Evading AV with Thread Injection 14.3.3. Automating the Process |
Estimate Time (Hours) | 12 |
Supplemental Learning* |
Videos: N/A Relevant Labs:
|
Week 10
Overview and Study Approach | Once we gain access to the target machine, we will need to escalate privileges in order to perform more advanced actions on the compromised system. This week's topic will focus on techniques and exploits that enable successful privilege escalation on Windows systems. |
Learning Topics | 1) Windows Privilege Escalation |
Labs | 16.1.1. Understanding Windows Privileges and Access Control Mechanisms 16.1.2. Situational Awareness 16.1.3. Hidden in Plain View 16.1.4. Information Goldmine PowerShell 16.1.5. Automated Enumeration 16.2.1. Service Binary Hijacking 16.2.2. Service DLL Hijacking 16.2.3. Unquoted Service Paths 16.3.1. Scheduled Tasks 16.3.2. Using Exploits |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 11
Overview and Study Approach | As we continue to focus on privilege escalation, this week we will cover the techniques and exploits that enable successful privilege escalation on Linux systems. |
Learning Topics | 1) Linux Privilege Escalation |
Labs | 17.1.2. Manual Enumeration 17.1.3. Automated Enumeration 17.2.1. Inspecting User Trails 17.2.2. Inspecting Service Footprints 17.3.1. Abusing Cron Jobs 17.3.2. Abusing Password Authentication 17.4.1. Abusing Setuid Binaries and Capabilities 17.4.2. Abusing Sudo 17.4.3. Exploiting Kernel Vulnerabilities |
Estimate Time (Hours) | 12 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 12
Overview and Study Approach | This week will cover port redirection and tunneling techniques using SSH. The topic will begin with simple techniques and gradually progress to more complex ones as we move towards more secure network environments. |
Learning Topics | 1) Port Redirection and SSH Tunneling |
Labs | 18.2.3. Port Forwarding with Socat 18.3.1. SSH Local Port Forwarding 18.3.2. SSH Dynamic Port Forwarding 18.3.3. SSH Remote Port Forwarding 18.3.4. SSH Remote Dynamic Port Forwarding 18.3.5. Using sshuttle 18.4.1. ssh.exe 18.4.2. Plink 18.4.3. Netsh |
Estimate Time (Hours) | 12 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 13
Overview and Study Approach | There may be many restrictions implemented on a network. We will focus on learning and leveraging various tunneling tools and strategies to bypass technologies such as deep packet inspection. We will also cover the Metasploit Framework, including its features, usage and its internal workings. By doing this, we can understand how these frameworks can assist us in real penetration tests. |
Learning Topics | 1) Tunneling Through Deep Packet Inspection 2) The Metasploit Framework |
Labs | 19.1.2. HTTP Tunneling with Chisel 19.2.1. DNS Tunneling Fundamentals 19.2.2. DNS Tunneling with dnscat2 20.1.1. Setup and Work with MSF 20.1.2. Auxiliary Modules 20.1.3. Exploit Modules 20.2.1. Staged vs Non-Staged Payloads 20.2.2. Meterpreter Payload 20.2.3. Executable Payloads 20.3.1. Core Meterpreter Post-Exploitation Features 20.3.2. Post-Exploitation Modules 20.3.3. Pivoting with Metasploit 20.4.1. Resource Scripts |
Estimate Time (Hours) | 12 |
Supplemental Learning* |
Videos:
Relevant Labs:
|
Week 14
Overview and Study Approach | This week will focus on the enumeration aspect of Active Directory. The information we will gather throughout the Module will have a direct impact on the various attacks we will do in subsequent modules. |
Learning Topics | 1) Active Directory Introduction and Enumeration |
Labs | 21.2.1. Active Directory - Enumeration Using Legacy Windows Tools 21.2.2. Enumerating Active Directory using PowerShell and .NET Classes 21.2.3. Adding Search Functionality to our Script 21.2.4. AD Enumeration with PowerView 21.3.1. Enumerating Operating Systems 21.3.2. Getting an Overview - Permissions and Logged on Users 21.3.3. Enumeration Through Service Principal Names 21.3.4. Enumerating Object Permissions 21.3.5. Enumerating Domain Shares 21.4.1. Collecting Data with SharpHound 21.4.2. Analysing Data using BloodHound |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 15
Overview and Study Approach | This week we will explore the authentication mechanisms of Active Directory (AD) and learn where Windows caches authentication objects such as password hashes and tickets. After that, we'll get familiar with the attack methods targeting these authentication mechanisms. |
Learning Topics | 1) Attacking Active Directory Authentication |
Labs | 22.1.1. NTLM Authentication 22.1.2. Kerberos Authentication 22.1.3. Cached AD Credentials 22.2.1. Password Attacks 22.2.2. AS-REP Roasting 22.2.3. Kerberoasting 22.2.4. Silver Tickets 22.2.5. Domain Controller Synchronization |
Estimate Time (Hours) | 10 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 16
Overview and Study Approach | This week we will explore various lateral movement techniques that enable us to authenticate to a system and execute code by utilizing a user's hash or a Kerberos ticket. |
Learning Topics | 1) Lateral Movement in Active Directory |
Labs | 23.1.1. WMI and WinRM 23.1.2. PsExec 23.1.3. Pass the Hash 23.1.4. Overpass the Hash 23.1.5. Pass the Ticket 23.1.6. DCOM 23.2.1. Golden Ticket 23.2.2. Shadow Copies |
Estimate Time (Hours) | 12 |
Supplemental Learning* |
Videos:
Relevant Labs: N/A |
Week 17
Overview and Study Approach | The final topic will cover a complete penetration testing scenario. The remaining time will be devoted to organizing and consolidating all the notes taken on learning concepts from previous weeks, as well as completing any remaining labs. |
Learning Topics | 1) Assembling the Pieces |
Labs | N/A |
Estimate Time (Hours) | 10 |
Supplemental Learning | N/A |
Week 18
Overview and Study Approach | It is recommended that the learner take this week off, away from the material and labs, which should help with regrouping. This week can be moved to fit the learner's schedule and liking. |
Learning Topics | N/A |
Learning Sections to Read | N/A |
Labs | N/A |
Estimate Time (Hours) | 10 |
Supplemental Learning* | N/A |
Week 19-22
Overview and Study Approach | The learner may choose any of the first three challenges and attempt to complete the one chosen within the allotted time: |
Learning Topics | N/A |
Labs | N/A |
Estimate Time (Hours) | 40 |
Supplemental Learning* | N/A |
Week 23-24
Overview and Study Approach | This week the aim is to simulate an exam environment and assess your preparedness while identifying any areas that may require further attention. The time should be utilized to attempt to complete any of the OSCP grade labs (OSCP A, OSCP B, or OSCP C) in under 24 hours. These are retired OSCP exams. |
Learning Topics | N/A |
Labs | N/A |
Estimate Time (Hours) | 20 |
Supplemental Learning* | N/A |
*Note: the Supplemental Learning sections described above offer an opportunity to enhance your understanding of the specific topics covered during the assigned week. The suggestions are not required. The Supplemental Learning includes video concept demonstrations and practice lab machines. The machines listed under “Relevant Labs” are not intended to be fully rooted (unless the learner chooses to do so), but rather are designed to be used for practicing and reinforcing the concepts learned during that particular week. These Proving Ground Practice lab machines include hints and walk-throughs to further illustrate how to solve the machine objective.
Accessing PG Practice lab machines requires a Proving Ground Practice, Learn One, Learn Unlimited, or Learn Enterprise subscription. Click here for more information.