The Offensive Security Certified Professional (OSCP) is widely regarded as the most respected hands-on penetration testing certification in the cybersecurity industry. It does not test memorization โ it tests whether you can actually break into systems under pressure. That distinction makes preparation harder, and it makes good study materials more valuable. If you are working toward the PEN-200 course and 24-hour practical exam, understanding the knowledge foundation behind each attack technique is just as important as lab practice. This page covers the full scope of offensive security certified professional exam content and how to use the free PDF to sharpen your conceptual knowledge.
Offensive Security offers the PEN-200 course โ "Penetration Testing with Kali Linux" โ as the prerequisite for the OSCP exam. The course provides a lab environment with dozens of vulnerable machines across multiple network segments. Students must root or compromise machines to earn points. The exam itself runs for 24 consecutive hours: you receive access to a fresh set of machines worth a defined point value and must achieve at least 70 out of 100 points to pass. A professional penetration test report covering your methodology and findings must be submitted within 24 hours after the exam ends.
Offensive Security's philosophy โ "try harder" โ is not just marketing. The exam is designed so that googling a ready-made exploit is rarely sufficient. You must understand the underlying vulnerability well enough to adapt an exploit to a specific target configuration. This requires depth of knowledge, not surface-level familiarity.
Printable practice materials help you build that conceptual depth between lab sessions. When you are away from a terminal, reviewing attack methodology, tool syntax, and vulnerability theory reinforces the mental models you need when you are staring at a blank terminal at 2 AM during the exam.
Every professional penetration test begins with reconnaissance. OSCP candidates must distinguish between passive and active reconnaissance and know when each is appropriate.
Passive reconnaissance gathers information without touching the target's systems. WHOIS database queries reveal domain registration details, registrar contact information, and nameservers. DNS enumeration using tools like dig, host, and dnsenum can reveal subdomains, mail exchanger (MX) records, and zone transfer misconfigurations. Shodan and Censys index internet-facing services and can reveal exposed devices, open ports, and software versions without the examiner ever sending a packet to the target network. OSINT (open-source intelligence) techniques โ searching LinkedIn for employee names and technology stack clues, reviewing GitHub repositories for leaked credentials, and examining job postings for technology hints โ are all passive and entirely within scope.
Active reconnaissance involves directly probing the target. Nmap is the primary tool. A basic TCP SYN scan (nmap -sS) identifies open ports. Service version detection (-sV) attempts to fingerprint the software and version behind each open port. Operating system detection (-O) makes probabilistic guesses about the host OS based on TCP/IP stack fingerprinting. Script scans (-sC) run Nmap's default NSE scripts against discovered services. UDP scanning (-sU) catches services like DNS (53), SNMP (161), and NTP (123) that TCP scans miss. For the OSCP exam, thorough Nmap scanning is non-negotiable โ missing an open service can mean missing the attack path entirely.
After mapping open ports and services, the next phase identifies exploitable weaknesses. Vulnerability scanners like Nikto (for web applications) and auxiliary modules in Metasploit provide automated discovery. However, OSCP explicitly limits Metasploit use: candidates may use Metasploit modules on only one machine during the exam. This forces candidates to understand manual exploitation techniques.
Attack surface analysis means asking: what is this service, what version is it running, are there known CVEs, and can I exploit this CVE manually? For web applications, the attack surface includes every input field, every parameter, every file upload mechanism, and every authentication endpoint. For network services, it includes default credentials, unpatched software, and misconfigured access controls.
SearchSploit โ the offline version of Exploit-DB โ lets you search for public exploits by software name and version. When you find a candidate exploit, the OSCP mindset is to read the source code, understand the vulnerability class, and modify the exploit as needed rather than executing it blindly.
The exploitation phase turns identified vulnerabilities into system access. OSCP covers two major categories: network service exploitation and web application exploitation.
Buffer overflow exploitation is a signature OSCP skill. The PEN-200 course dedicates substantial material to 32-bit Windows buffer overflow development. The process involves fuzzing an application to find the crash offset, controlling the EIP register, identifying bad characters, finding a JMP ESP instruction in a module without memory protections (using Mona.py inside Immunity Debugger), generating shellcode with msfvenom, and delivering the exploit. OSCP candidates are expected to complete a buffer overflow from scratch under exam conditions.
Web application attacks tested in OSCP include SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI), and command injection. SQL injection โ both error-based and blind โ requires understanding how user input interacts with database queries. LFI exploits allow an attacker to read arbitrary files on the server; combined with log poisoning, LFI can achieve remote code execution. Command injection occurs when user-supplied input is passed unsanitized to a system shell. For each of these, candidates must understand not just the mechanics but also the manual detection process: how does the application respond to a single quote, a semicolon, or a pipe character?
Password attacks are a common lateral movement enabler. Hydra performs brute-force and dictionary attacks against SSH, FTP, HTTP forms, RDP, and dozens of other services. Rockyou.txt and custom wordlists derived from application enumeration are standard inputs. Password spraying โ trying one common password against many accounts โ avoids account lockout policies and is highly effective against Active Directory environments.
Gaining initial access to a system rarely means you have the level of access you need. Post-exploitation begins with enumeration: what user are you running as, what OS version and patch level, what other users and groups exist, what scheduled tasks or cron jobs run, what network connections are active, and what sensitive files are readable?
Linux privilege escalation vectors include SUID binaries (executables that run as the file owner rather than the calling user โ check with find / -perm -4000), cron jobs running as root that write to world-writable directories, kernel exploits for outdated Linux versions (though these are often unreliable in practice), weak sudo configurations (check with sudo -l), and readable configuration files containing credentials. GTFOBins is an invaluable reference cataloging how common Linux binaries can be abused for privilege escalation when they have SUID set or appear in sudo rules.
Windows privilege escalation has its own taxonomy. Unquoted service paths allow an attacker to place a malicious executable where Windows will execute it when a service with a space in its path starts. Weak service permissions allow modification of an existing service's binary path. Token impersonation โ using tools like PrintSpoofer or Juicy Potato โ exploits SeImpersonatePrivilege to obtain SYSTEM-level access. AlwaysInstallElevated registry keys allow a low-privilege user to install MSI packages with SYSTEM privileges. Windows privilege escalation scripts like WinPEAS automate the search for these misconfigurations.
Active Directory attacks are increasingly prominent in OSCP. Password spraying identifies accounts with weak or default passwords. Kerberoasting requests service tickets for service accounts and cracks them offline โ any domain user can request a service ticket, making this attack broadly applicable. Pass-the-Hash lets attackers authenticate using an NTLM hash without knowing the plaintext password. BloodHound ingests Active Directory data and visualizes attack paths: it can show, for example, that a low-privilege user is a member of a group that has GenericAll rights over a high-value computer object, creating a clear privilege escalation path.
Lateral movement means using access on one machine to gain access to another. Techniques include pass-the-hash with Impacket's psexec.py, using stolen credentials, and exploiting trust relationships between hosts. Network pivoting โ using a compromised host as a relay to attack an otherwise unreachable network segment โ is tested in the OSCP lab environment and requires comfort with port forwarding and proxychains.
The OSCP exam is not complete until you submit a professional penetration test report. Offensive Security provides a report template, but the quality of your documentation reflects your understanding of the methodology. A strong report includes: an executive summary for a non-technical audience, a technical findings section with reproduction steps for each exploited vulnerability, proof screenshots (desktop.txt or proof.txt file contents with your IP address visible), and remediation recommendations grounded in industry standards. Reports that lack reproduction steps or proof screenshots receive no credit for that machine.
Tool familiarity is necessary but not sufficient for the OSCP. You need to understand what each tool does at the protocol level so you can adapt when the tool fails or when you need to replicate its function manually.
Nmap is the backbone of every OSCP engagement. Beyond basic port scanning, candidates should be comfortable with timing templates (-T4 for faster scans), output formatting (-oA for all formats), and specific NSE scripts for SMB (smb-vuln-ms17-010), FTP (ftp-anon), and HTTP enumeration. Saving full Nmap output for every target is a discipline that pays off when you need to revisit a machine hours later.
Burp Suite is the standard proxy for web application testing. Candidates use the intercept, repeater, and intruder modules extensively. The community edition lacks the scanner, but manual testing with repeater covers the OSCP web application scope. Understanding how to capture a request, modify parameters, and analyze responses for injection indicators is more valuable than relying on automated scanning.
Netcat earns its reputation as the "TCP Swiss Army knife" in the OSCP context. File transfers, reverse shells, bind shells, port scanning, and banner grabbing are all within Netcat's capability. Candidates who can set up a stable reverse shell one-liner without looking it up have a significant time advantage on exam day.
Hydra handles credential attacks against network services. The syntax varies by protocol, and candidates should practice against SSH, HTTP-POST forms, FTP, and SMB. Keeping wordlist paths memorized โ or better, aliased โ removes friction during the exam.
SQLmap automates SQL injection testing but, like Metasploit, should be used only after manual confirmation that an injection point exists. OSCP graders want to see evidence of manual testing methodology in your report. Jumping straight to SQLmap without understanding the underlying SQL query structure is a gap that shows up under exam pressure when the target does not behave as expected.
Twenty-four hours sounds like a long time until you are four hours in with no points on the board. Successful OSCP candidates develop a time management strategy before exam day.
The standard advice is to attempt the buffer overflow machine first. It is typically worth 25 points, the exploitation path is methodical and predictable, and starting with a win builds confidence. Allocate no more than two hours to it โ if you have studied the methodology, two hours is sufficient.
For the remaining machines, set a hard time box per machine: spend no more than 90 minutes on a machine before moving on. If you are stuck, note exactly where you are and what you have tried, then switch targets. Fresh eyes after working on another machine frequently reveal the path you were missing. Do not let one machine consume your exam.
Documentation during the exam is as important as the exploitation itself. Take screenshots of every step: Nmap output, exploit execution, proof files. Recreating your steps from memory at 3 AM after the exam ends is painful and error-prone. A simple folder structure โ one folder per machine with numbered screenshots and a running notes file โ keeps you organized throughout the exam window.
The report is worth taking seriously. Some candidates pass on points but fail because their report lacks sufficient technical detail or their proof screenshots are incomplete. Review Offensive Security's report requirements before exam day and use their template so you do not have to make formatting decisions during the post-exam reporting window.
The OSCP credential opens doors that other certifications cannot. Penetration testing teams at consulting firms, managed security providers, and internal red teams treat the OSCP as a baseline hiring filter. Candidates without it are often screened out before the first interview. Candidates with it โ especially those who passed on the first attempt โ are viewed as serious practitioners.
The credential does not expire, but the field moves fast. Many OSCP holders pursue OffSec's advanced certifications: OSEP (Offensive Security Experienced Penetration Tester) covers advanced evasion and Active Directory attack chains; OSED (Offensive Security Exploit Developer) covers advanced Windows exploit development; OSWE (Offensive Security Web Expert) covers white-box web application testing. Together these form the OSCE3 (Offensive Security Certified Expert 3) designation.
Bug bounty programs provide a legal and financially rewarding environment to practice OSCP skills outside of lab environments. Platforms like HackerOne, Bugcrowd, and Intigriti host programs from major corporations. The skills overlap substantially: web application testing, network reconnaissance, and responsible disclosure documentation are all transferable. Some OSCP candidates use bug bounty work to fund their exam attempt.
Salary data consistently shows OSCP-certified penetration testers commanding a premium over non-certified peers. Entry-level penetration testing roles in the United States typically start in the low six figures, with experienced testers at consulting firms earning substantially more. Independent consultants with strong reputations can charge daily rates that exceed equivalent full-time salaries when factoring in working days per year.
The OSCP is not the end of the road โ it is the credential that proves you are ready to start doing the work professionally. The hours you invest in preparation, the machines you root in the lab, and the methodology you internalize through practice all compound into a skill set that does not depreciate the way memorized facts do. Every machine you compromise during preparation is another scenario your brain has solved, and that experience is what carries you through the exam.