# OSCP Preparation Guide
A comprehensive preparation guide for the Offensive Security Certified Professional certification, covering the current PEN-200/OSCP+ exam format, Active Directory requirements, preparation timeline, resources, and what the 'try harder' philosophy actually means in practice.
## Overview
The Offensive Security Certified Professional is the most respected practical offensive security credential in the industry. Unlike knowledge-based certifications, OSCP requires demonstrating real penetration testing capability in a hands-on examination: candidates must compromise systems in an isolated lab environment, document their methodology, and produce a professional penetration test report. There is no multiple-choice component. The credential cannot be bought or memorized into; it requires genuine technical competency.
OSCP is offered by Offensive Security (now OffSec), the organization that also maintains the Kali Linux distribution and a range of other offensive security certifications. The credential has been the industry's practical penetration testing benchmark for over a decade, and the 2023 revision (OSCP+, part of the PEN-200 course) updated it to reflect the current threat landscape, with significantly increased emphasis on Active Directory attacks.
The certification is genuinely difficult. Failure rates among first-time candidates are substantial. Candidates who attempt the exam without adequate preparation waste a significant financial investment and, more importantly, lose momentum. The purpose of this guide is to describe what adequate preparation actually requires and how to build it systematically.
Within the Planetary Defense Model, OSCP sits at the operational heart of the VSD (Vulnerability and Surface Defense) domain. OSCP-level practitioners conduct the offensive security assessments that empirically validate whether the Continuous Surface Reduction methodology is working.
## Role Description
OSCP is held primarily by penetration testers, red team operators, and offensive security consultants. It is the benchmark credential for practitioners who perform adversarial security testing professionally.
Employers who list OSCP as a requirement are typically hiring for:
Penetration testing consultant roles at specialist firms (OffSec itself, NCC Group, Bishop Fox, Rapid7 Advisory Services, and hundreds of boutique shops). These roles conduct external network tests, web application tests, internal network assessments, and sometimes red team engagements. OSCP at minimum is expected; OSCP plus two to three years of consulting experience is the typical mid-level profile.
Internal red team positions at large enterprises and financial institutions that operate dedicated adversary simulation teams. These teams attempt to compromise the organization using the same techniques that real threat actors would use, measuring how effectively the defensive teams detect and respond.
Security engineering roles with offensive research components where the ability to identify vulnerabilities through adversarial thinking informs architecture and control development decisions.
Bug bounty and independent research: While OSCP is not required for bug bounty participation, many successful bug bounty researchers hold it as a credential that validates their methodology and report quality.
The OSCP signals to employers that the holder has demonstrated, under exam conditions, the ability to enumerate a target environment methodically, identify exploitable vulnerabilities, compromise multiple systems, escalate privileges, and document the work in a professional report. This combination of technical capability and professional documentation quality is what the certification specifically tests.
## Required Skills and Knowledge
The current OSCP+ exam (PEN-200 course) requires proficiency across the following technical areas. Gaps in any of these categories will materially impact exam performance.
Networking fundamentals: TCP/IP protocol mechanics (three-way handshake, packet structure, TCP vs. UDP), common application protocols (HTTP, HTTPS, FTP, SSH, SMB, RDP, DNS, LDAP, Kerberos), routing and subnetting, and the ability to interpret network scan output (Nmap) accurately. Misreading a port scan or misunderstanding how a service protocol works causes investigations to stall completely.
Linux and Windows administration: Comfortable command-line operation in both environments is required. Linux: filesystem navigation, file permissions, process management, service configuration, log locations, and bash scripting at a basic level. Windows: PowerShell basics, file system navigation, user and group management, registry basics, and understanding how Windows services and scheduled tasks work.
Web application testing: Burp Suite Proxy (intercepting and modifying HTTP requests), manual testing of the OWASP Top 10 vulnerability classes (particularly SQL injection, XSS, command injection, file inclusion, and SSRF), and understanding how web application authentication works well enough to identify weaknesses. The web application portion of the PEN-200 lab includes multiple machines where web application exploitation is the entry point.
Password attacks: hashcat and John the Ripper for offline hash cracking (with appropriate wordlists: rockyou.txt is the baseline, but rule-based mutations and combined lists are often required for harder targets), credential stuffing concepts, and password spray techniques for Active Directory environments.
Privilege escalation on Linux: SUID binary identification and exploitation, sudo misconfiguration exploitation, writable service files and cron jobs, PATH hijacking, kernel exploits (identified via tools like linux-exploit-suggester), and NFS exports with root squashing disabled (no_root_squash). The LinPEAS automated enumeration script is a standard tool, but candidates must understand what it is finding, not just run it blindly.
Privilege escalation on Windows: token impersonation (including the Potato family and related tools: JuicyPotato, PrintSpoofer, GodPotato, chosen for the Windows version in play), AlwaysInstallElevated, unquoted service paths, writable service binaries, DLL hijacking, scheduled task exploitation, and registry autoruns. WinPEAS is the Windows equivalent of LinPEAS. Understanding the Windows privilege model (standard user vs. local admin vs. SYSTEM vs. domain admin) is a prerequisite.
Active Directory attacks: This is the component that has changed most significantly in the current exam. The OSCP+ exam includes a mandatory Active Directory set (three machines in an AD environment that must be fully compromised as a group). Required skills include:
Kerberoasting: requesting service tickets for service accounts configured with SPNs, extracting them, and cracking them offline. The attack exploits the fact that Kerberos encrypts each service ticket with a key derived from the service account's password, so a weak service account password can be recovered offline from the ticket.
AS-REP Roasting: targeting accounts with Kerberos pre-authentication disabled, requesting their AS-REP, and cracking the encrypted material offline.
Pass the Hash: authenticating with a captured NTLM password hash without knowing the plaintext password, with tools like CrackMapExec, Impacket's psexec, and Evil-WinRM.
Pass the Ticket: capturing Kerberos tickets and using them to authenticate as the account they belong to.
BloodHound and SharpHound: BloodHound is a graph-based AD enumeration and attack path visualization tool that maps relationships between users, groups, computers, and permissions to identify the shortest path to Domain Admin. SharpHound is the data collector that feeds BloodHound. Understanding how to read BloodHound output and identify the attack path is a core exam skill.
DCSync: once an account with directory replication rights (typically Domain Admin or equivalent) is obtained, dumping every password hash from the domain controller via DCSync (Impacket's secretsdump or Mimikatz) is the typical path to full domain compromise.
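As an added defender-side example (not code from this page or from OffSec), the following Python detection logic covers the Kerberoasting and AS-REP Roasting indicators described above, run over constructed Windows Security log events 4769 and 4768. Field names follow the Security log EventData schema; the sample events, the account names and the threshold of three distinct SPNs are assumptions.

```python
# Added example (not OffSec/PEN-200 material): detection logic for the two
# roasting indicators above, run over constructed Security log event records.
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the legacy crackable type
SUCCESS = "0x0"     # Status 0x0: the KDC actually issued the ticket

def ev(event_id, user, ip, enc, svc=None, preauth=None):
    """Build a record carrying the EventData fields of Security event 4768/4769."""
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
            "TicketEncryptionType": enc, "Status": SUCCESS,
            "ServiceName": svc, "PreAuthType": preauth}

# Constructed sample: one host burst-requesting RC4 tickets for user SPNs,
# one normal AES request to a machine account, and one pre-auth-less AS-REQ.
EVENTS = [
    ev(4769, "alice@CORP.LOCAL", "10.0.0.25", "0x17", svc="svc_sql"),
    ev(4769, "alice@CORP.LOCAL", "10.0.0.25", "0x17", svc="svc_web"),
    ev(4769, "alice@CORP.LOCAL", "10.0.0.25", "0x17", svc="svc_backup"),
    ev(4769, "bob@CORP.LOCAL", "10.0.0.31", "0x12", svc="FILESRV01$"),
    ev(4768, "svc_legacy", "10.0.0.25", "0x17", preauth="0"),
    ev(4768, "bob", "10.0.0.31", "0x12", preauth="2"),
]

def is_kerberoast_candidate(e):
    """4769: RC4 service ticket for a user SPN (machine accounts end in $;
    krbtgt tickets are TGTs, not service tickets worth cracking)."""
    svc = e["ServiceName"] or ""
    return (e["EventID"] == 4769 and e["Status"] == SUCCESS
            and e["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def is_asrep_roast_candidate(e):
    """4768 with PreAuthType 0: the KDC returned an AS-REP without any
    pre-authentication, which is exactly what AS-REP Roasting collects."""
    return e["EventID"] == 4768 and e["Status"] == SUCCESS and e["PreAuthType"] == "0"

def find_kerberoasting(events, min_services=3):
    """Requesters asking RC4 tickets for >= min_services distinct user SPNs.
    One RC4 request can be a legacy app; a burst across SPNs is the signature."""
    seen = defaultdict(set)
    for e in events:
        if is_kerberoast_candidate(e):
            seen[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

def find_asrep_roasting(events):
    """Accounts issued an AS-REP without pre-auth: each has DONT_REQ_PREAUTH
    set on its user object and needs review, whatever the requester was."""
    return sorted({e["TargetUserName"] for e in events if is_asrep_roast_candidate(e)})
```

Tuning the threshold and excluding known legacy RC4-only services is what keeps the Kerberoasting rule from alerting on every old application in the estate.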
Report writing: The 24-hour report window after the exam lab period requires producing a professional penetration test report documenting every compromised machine with evidence (screenshots, command output, proof.txt file contents), step-by-step exploitation methodology, and clear documentation of the attack chain. Reports must be submitted in PDF format. Poor documentation of a successfully compromised machine can result in zero credit for that machine.
## Career Path
OSCP requires serious preparation, and the timeline is genuinely 12 to 18 months from zero to exam-ready for candidates without prior offensive security experience. Shortcutting this timeline typically results in exam failure.
The recommended preparation path:
Foundation building (months 0 to 4): TryHackMe's "Pre-Security" and "Jr Penetration Tester" learning paths provide structured beginner-to-intermediate offensive security content. TCM Security's "Practical Ethical Hacking" (PEH) course is widely regarded as the best single introductory course for aspiring OSCP candidates: it covers the methodology, tooling, and AD attack content that PEN-200 builds on. Completing PEH before purchasing PEN-200 lab time significantly increases the value of that lab time.
Intermediate skill development (months 4 to 10): HackTheBox with a focus on "easy" rated machines (which roughly correspond to PEN-200 beginner lab difficulty) and then moving to "medium" rated machines. The IppSec YouTube channel provides detailed video walkthroughs of retired HTB machines. Watching IppSec's methodology, particularly how he approaches enumeration before exploitation, is one of the most effective ways to develop OSCP-compatible thinking.
TJNull's OSCP-like machine list (available on the NetSecFocus Trophy Room spreadsheet) identifies specific retired HTB and PG Practice machines most closely aligned to OSCP lab difficulty. Completing the machines on this list is standard preparation practice.
PEN-200 lab time (months 10 to 18): Purchase PEN-200 lab access (90-day or 180-day packages). Work through the course material systematically, complete the exercises, and use lab machines to practice the techniques. Complete the Proving Grounds Practice machines included with PEN-200 access. The AD sets in the lab are especially important given the exam emphasis.
Exam: The exam is 23 hours 45 minutes for the lab period, followed by 24 hours for the report. Maximum points available: 100. Passing threshold: 70 points. Points per machine: standalone machines are 10 or 20 points; partial credit (user-level access without root/SYSTEM) is available; the AD set is worth 40 points total for full compromise. The AD set must be fully compromised to pass with a reasonable margin.
The "try harder" philosophy requires direct address: OSCP labs and exam machines are designed to require independent problem-solving. Hints are minimal. The correct response to being stuck is methodical re-enumeration, not giving up and looking for a walkthrough. The ability to enumerate systematically, try multiple approaches, and reason through problems under time pressure is the core competency the exam tests.
## Certifications and Education
PEN-200/OSCP+ (OffSec): The certification itself. Current course price is $1,499 USD for 90 days of lab access plus one exam attempt. Additional attempts are $249 each. Lab time extensions are available for purchase.
eJPT (eLearnSecurity Junior Penetration Tester): Appropriate as a first practical certification to confirm interest and basic capability before investing in OSCP preparation. Not a prerequisite for OSCP but a useful confidence benchmark.
PNPT (TCM Security Practical Network Penetration Tester): A well-regarded practical certification with a 5-day exam, offered at significantly lower cost than OSCP ($399). PNPT completion before OSCP is a common preparation strategy: the exam conditions build comfort with timed hands-on assessment and the certificate provides an employment credential during the longer OSCP preparation period.
OSEP (OffSec Experienced Penetration Tester) and OSED (OffSec Exploit Developer): OffSec's advanced certifications beyond OSCP. OSEP covers advanced evasion techniques and complex AD attacks. OSED covers exploit development. Both require OSCP-level competency as a prerequisite. These certifications are appropriate for practitioners who want to specialize in advanced offensive techniques.
Education: Computer science or software engineering backgrounds are advantageous for exploit development work. Cybersecurity programs at community colleges and universities increasingly include offensive security coursework. Formal education is not required: OSCP is one of the most purely competency-based credentials in the industry, and no degree substitutes for demonstrated exploitation ability.
## CDA Perspective
OSCP-level operators conduct VSD CSR (Continuous Surface Reduction) offensive security assessments within CDA's operational framework. The credential demonstrates not just knowledge of technique but the operational capability to apply technique methodically under pressure and produce professional documentation of the findings.
The CSR methodology requires that attack surface reduction be evidence-based: not theoretical claims about controls but empirical demonstration of what is and is not exploitable. An OSCP-certified operator brings the competency to provide that empirical evidence. They can enumerate an environment, identify real exploitable vulnerabilities (not just scanner findings), compromise systems using realistic attack paths, and document the entire chain in a format that drives remediation.
The Active Directory component of OSCP+ is particularly relevant given that AD environments are the target of the most impactful real-world attacks: ransomware operators, nation-state actors, and sophisticated criminal groups all routinely exploit AD misconfigurations and Kerberos weaknesses as part of their attack chains. CDA operators with OSCP credentials bring the ability to test these specific attack paths rather than only assessing them through scanner output.
Within the CDA mission model, OSCP-level capability maps directly to C-HARDEN and C-DRILL campaign execution: the offensive testing missions that validate whether defensive controls actually hold under realistic adversarial pressure.
## Key Takeaways
- OSCP is the industry's most respected practical penetration testing credential. It requires demonstrating real exploitation capability in a 23-hour 45-minute hands-on exam, followed by a professional penetration test report submitted within 24 hours.
- The current exam (PEN-200/OSCP+) includes a mandatory Active Directory set worth 40 points. Full AD compromise is practically required to pass. Kerberoasting, AS-REP Roasting, Pass the Hash, BloodHound path analysis, and DCSync are mandatory AD skills.
- Passing requires 70+ points. Other machines are worth 10 or 20 points each with partial credit available. Metasploit use is limited to one machine.
- Realistic preparation timeline is 12 to 18 months for candidates without prior offensive security background. TCM Security's Practical Ethical Hacking course, HackTheBox machines aligned to TJNull's OSCP list, and IppSec YouTube walkthroughs are the standard preparation stack.
- The "try harder" philosophy is real: the exam tests methodical enumeration and independent problem-solving under time pressure. Systematic re-enumeration when stuck is more effective than seeking hints.
- Report writing within the 24-hour window is a graded component. Poor documentation of a successfully compromised machine can result in zero credit.
- In the PDM framework, OSCP-certified operators execute the offensive security assessments that empirically validate VSD CSR: demonstrating what attack surface actually exists and what is exploitable, not just what tools report as potentially vulnerable.
Written by Evan Morgan