PEN-200 OSCP Exercise Checklist
Getting Comfortable with Kali
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 2.3.6 |
2.3.6 |
Kali Documentation |
3 |
No |
|
| 2.4.3.4 |
2.4.4 |
Finding Your Way Around Kali |
5 |
Yes |
|
| 2.5.3 |
2.5.3 |
Managing Kali Linux Services |
2 |
No |
|
| 2.6.6.1 |
2.6.7 |
Searching, Installing and Removing Tools |
5 |
No |
|
Command Line Fun
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 3.1.3.1 |
3.1.4 |
The Bash Environment |
2 |
Yes |
|
| 3.2.5.1 |
3.2.6 |
Piping and Redirection |
2 |
Yes |
|
| 3.3.5.1 |
3.3.6 |
Text Searching and Manipulation |
3 |
Yes |
|
| 3.5.3.1 |
3.5.4 |
Comparing Files |
2 |
Yes |
|
| 3.6.3.1 |
3.6.4 |
Managing Processes |
5 |
Yes |
|
| 3.7.2.1 |
3.7.3 |
File and Command Monitoring |
2 |
Yes |
|
| 3.8.3.1 |
3.8.4 |
Downloading Files |
1 |
Yes |
|
| 3.9.3.1 |
3.9.4 |
Customising the Bash Environment |
2 |
Yes |
|
Practical Tools
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 4.1.4.3 |
4.1.5 |
Netcat |
4 |
No |
|
| 4.2.4.1 |
4.2.5 |
Socat |
4 |
Yes |
|
| 4.3.8.1 |
4.3.9 |
PowerShell and Powercat |
3 |
Yes |
|
| 4.4.5.1 |
4.4.6 |
Wireshark |
5 |
Yes |
|
| 4.5.3.1 |
4.5.3 |
Tcpdump |
4 |
Yes |
|
Bash Scripting
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 5.7.3.1 |
5.7.4 |
Practical Examples |
4 |
Yes |
|
Passive Information Gathering
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 6.3.1.1 |
6.3.1 |
Whois Enumeration |
1 |
Yes |
|
| 6.4.1.1 |
6.4.1 |
Google Hacking |
2 |
Yes |
|
| 6.5.1.1 |
6.5.1 |
Netcraft |
2 |
Yes |
|
| 6.6.1.1 |
6.6.1 |
Recon-ng |
2 |
No |
|
| 6.7.1.1 |
6.7.1 |
Open-Source Code |
1 |
Yes |
|
| 6.12.1.1 |
6.12.3 |
User Information Gathering |
2 |
Yes |
|
| 6.13.2.1 |
6.13.2 |
Social Media Tools |
1 |
Yes |
|
Active Information Gathering
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 7.1.6.3 |
7.1.7 |
DNS Enumeration |
3 |
Yes |
|
| 7.2.2.9 |
7.2.3 |
Port Scanning |
5 |
Yes |
|
| 7.3.2.1 |
7.3.3 |
SMB Enumeration |
3 |
Yes |
|
| 7.4.2.1 |
7.4.3 |
NFS Enumeration |
2 |
Yes |
|
| 7.5.1.1 |
7.5.1 |
SMTP Enumeration |
2 |
Yes |
|
| 7.6.3.6 |
7.6.4 |
SNMP Enumeration |
2 |
Yes |
|
Vulnerability Scanning
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 8.2.4.2 |
8.2.5 |
Unauthenticated Scanning With Nessus |
3 |
Yes |
|
| 8.2.5.2 |
8.2.7 |
Authenticated Scanning With Nessus |
2 |
Yes |
|
| 8.2.6.1 |
8.2.9 |
Scanning With Individual Nessus Plugins |
3 |
Yes |
|
| 8.3.1.1 |
8.3.1 |
Vulnerability Scanning With Nmap |
1 |
Yes |
|
Web Application Attacks
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 9.3.3.1 |
9.3.4 |
Web Application Assessment Tools |
1 |
Yes |
|
| 9.5.1.1 |
9.5.2 |
Exploiting Admin Consoles |
2 |
Yes |
|
| 9.6.4.1 |
9.6.6 |
Cross-Site Scripting (XSS) |
3 |
Yes |
|
| 9.7.1.1 |
9.7.2 |
Directory Traversal Vulnerabilities |
1 |
Yes |
|
| 9.8.4.1 |
9.8.5 |
LFI Code Execution |
2 |
Yes |
|
| 9.8.5.1 |
9.8.7 |
Remote File Inclusion |
3 |
Yes |
|
| 9.8.7.1 |
9.8.10 |
PHP Wrappers |
2 |
Yes |
|
| 9.9.3.1 |
9.9.4 |
Authentication Bypass |
4 |
Yes |
|
| 9.9.7.1 |
9.9.9 |
Extracting Data From The Database |
3 |
Yes |
|
| 9.9.8.1 |
9.9.11 |
From SQL Injection to Code Execution |
2 |
Yes |
|
| 9.9.9.1 |
9.9.13 |
Automating SQL Injection |
2 |
Yes |
|
| 9.5.1 |
9.10.1 |
Extra Miles |
3 |
No |
|
Introduction to Buffer Overflows
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 10.2.5 |
10.2.5 |
Introduction to Buffer Overflows |
2 |
Yes |
|
Windows Buffer Overflows
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 11.1.1.2 |
11.1.2 |
Discovering the Vulnerability |
2 |
Yes |
|
| 11.2.3.1 |
11.2.4 |
Controlling EIP |
3 |
Yes |
|
| 11.2.5.1 |
11.2.8 |
Checking for Bad Characters |
2 |
Yes |
|
| 11.2.7.1 |
11.2.10 |
Finding a Return Address |
2 |
Yes |
|
| 11.2.9.1 |
11.2.13 |
Getting a Shell |
3 |
Yes |
|
| 11.2.10.1 |
11.2.15 |
Improving the Exploit |
1 |
Yes |
|
| 11.2.10.2 |
11.2.16 |
Extra Miles |
1 |
No |
|
Linux Buffer Overflows
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 12.2.1.2 |
12.2.1 |
Replicating the Crash |
3 |
Yes |
|
| 12.3.1.1 |
12.3.1 |
Controlling EIP |
2 |
Yes |
|
| 12.5.1.1 |
12.5.1 |
Checking for Bad Characters |
2 |
Yes |
|
| 12.6.1.1 |
12.6.1 |
Finding a Return Address |
2 |
Yes |
|
| 12.7.1.1 |
12.7.1 |
Getting a Shell |
2 |
Yes |
|
Client Side Attacks
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 13.1.2.3 |
13.1.5 |
Know Your Target |
3 |
No |
|
| 13.2.2.1 |
13.2.3 |
Leveraging HTML Applications |
2 |
Yes |
|
| 13.3.2.1 |
13.3.3 |
Microsoft Word Macro |
1 |
Yes |
|
| 13.3.3.1 |
13.3.5 |
Object-Linking and Embedding |
1 |
Yes |
|
| 13.3.4.1 |
13.3.7 |
Evading Protected View |
3 |
Yes |
|
Locating Public Exploits
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 14.3.1.1 |
14.3.1 |
Putting It All Together |
5 |
Yes |
|
Fixing Exploits
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 15.1.3.1 |
15.1.4 |
Cross-Compiling Exploit Code |
2 |
Yes |
|
| 15.1.4.1 |
15.1.6 |
Changing the Socket Information |
2 |
Yes |
|
| 15.1.5.1 |
15.1.8 |
Changing the Return Address |
1 |
Yes |
|
| 15.1.6.1 |
15.1.10 |
Changing the Payload |
4 |
Yes |
|
| 15.1.7.1 |
15.1.12 |
Changing the Overflow Buffer |
2 |
Yes |
|
| 15.2.3.1 |
15.2.4 |
Changing Connectivity Information |
5 |
Yes |
|
| 15.2.4.1 |
15.2.6 |
Troubleshooting the "Index Out Of Range" Error |
5 |
Yes |
|
File Transfers
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 16.1.3.2 |
16.1.4 |
Considerations and Preparations |
3 |
No |
|
| 16.2.5.1 |
16.2.6 |
Transferring Files With Windows Hosts |
4 |
No |
|
Antivirus Evasion
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 17.3.3.2 |
17.3.4 |
PowerShell In-Memory Injection |
3 |
Yes |
|
| 17.3.3.4 |
17.3.5 |
Antivirus Evasion |
4 |
Yes |
|
Privilege Escalation
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 18.1.1.13 |
18.1.2 |
Manual Enumeration |
1 |
Yes |
|
| 18.1.2.1 |
18.1.4 |
Automated Enumeration |
2 |
Yes |
|
| 18.2.3.2 |
18.2.4 |
User Account Control (UAC) Bypass: fodhelper.exe Case Study |
1 |
Yes |
|
| 18.2.4.1 |
18.2.6 |
Insecure File Permissions: Seviio Case Study |
2 |
Yes |
|
| 18.3.2.1 |
18.3.3 |
Insecure File Permissions: Cron Case Study |
1 |
Yes |
|
| 18.3.3.1 |
18.3.5 |
Insecure File Permissions: /etc/passswd Case Study |
1 |
Yes |
|
Password Attacks
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 19.1.1.1 |
19.1.2 |
Wordlists |
1 |
No |
|
| 19.2.1.1 |
19.2.1 |
Brute Force Wordlists |
1 |
No |
|
| 19.3.1.1 |
19.3.2 |
HTTP htaccess Attack with Medusa |
2 |
No |
|
| 19.3.2.1 |
19.3.4 |
Remote Desktop Protocol Attack With Crowbar |
1 |
No |
|
| 19.3.3.1 |
19.3.6 |
SSH Atttack With THC-Hydra |
1 |
No |
|
| 19.3.4.1 |
19.3.8 |
HTTP Post Attack With THC-Hydra |
2 |
No |
|
| 19.4.1.1 |
19.4.2 |
Retrieving Password Hashes |
2 |
No |
|
| 19.4.2.1 |
19.4.4 |
Passing the Hash in Windows |
2 |
Yes |
|
| 19.4.3.1 |
19.4.6 |
Password Cracking |
1 |
No |
|
Port Redirection and Tunnelling
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 20.1.1.1 |
20.1.2 |
Port Forwarding |
2 |
Yes |
|
| 20.2.1.1 |
20.2.2 |
SSH Local Port Forwarding |
4 |
Yes |
|
| 20.2.2.2 |
20.2.4 |
SSH Remote Port Forwarding |
3 |
Yes |
|
| 22.2.3.1 |
20.2.6 |
SSH Dynamic Port Forwarding |
5 |
Yes |
|
| 20.3.1.1 |
20.3.1 |
PLINK.exe |
3 |
Yes |
|
| 20.4.1.1 |
20.4.1 |
NETSH |
2 |
Yes |
|
| 20.5.1.1 |
20.5.1 |
HTTPTunnel-ing Through Deep Packet Insection |
3 |
Yes |
|
Active Directory Attacks
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 21.2.1.1 |
21.2.2 |
Traditional Approach |
1 |
Yes |
|
| 21.2.2.1 |
21.2.4 |
A Modern Approach |
3 |
Yes |
|
| 21.2.3.1 |
21.2.6 |
Resolving Nested Groups |
2 |
Yes |
|
| 21.2.4.1 |
21.2.8 |
Currently Logged On Users |
3 |
Yes |
|
| 21.2.5.2 |
21.2.10 |
Enumeration Through Service Principal Names |
4 |
Yes |
|
| 21.3.3.1 |
21.3.4 |
Cached Credential Storage and Retrieval |
2 |
Yes |
|
| 21.3.4.1 |
21.3.6 |
Service Account Attacks |
4 |
Yes |
|
| 21.3.5.1 |
21.3.8 |
Low and Slow Password Guessing |
2 |
Yes |
|
| 21.4.2.1 |
21.4.3 |
Overpass the Hash |
1 |
Yes |
|
| 21.4.3.1 |
21.4.5 |
Pass the Ticket |
3 |
Yes |
|
| 21.4.4.1 |
21.4.7 |
Distributed Component Object Model |
3 |
Yes |
|
| 21.5.1.1 |
21.5.2 |
Golden Tickets |
2 |
Yes |
|
Metasploit Framework
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 22.1.3.1 |
22.1.4 |
Metasploit User Interfaces and Setup |
3 |
Yes |
|
| 22.2.1.1 |
22.2.2 |
Exploit Modules |
1 |
Yes |
|
| 22.3.3.2 |
22.3.4 |
Experimenting with Meterpeter |
1 |
Yes |
|
| 22.3.7.1 |
22.3.9 |
Metasploit Payloads |
7 |
Yes |
|
| 22.4.1.1 |
22.4.1 |
Building Our Own MSF Module |
1 |
Yes |
|
| 22.5.4.1 |
22.5.5 |
Post-Exploitation with Metasploit |
1 |
Yes |
|
| 22.6.1.1 |
22.6.1 |
Metasploit Automation |
1 |
Yes |
|
PowerShell Empire
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 23.1.3.1 |
23.1.4 |
Installation, Setup and Usage |
3 |
Yes |
|
| 23.3.1.1 |
23.3.1 |
PowerShell Modules |
4 |
Yes |
|
Assembling the Pieces
| PDF Number |
Portal Number |
Heading |
No. of Exercises |
Required |
Completed? |
| 24.2.2.2 |
24.2.2 |
SQL Injection Exploitation |
1 |
Yes |
|
| 24.5.1.1 |
24.5.1 |
Exploitation |
2 |
Yes |
|
OSCP-Exercise-Checklist copied to clipboard
Cyb3rC3lt
Cyb3rC3lt