The Penetration Testing Report Templates mentioned in the PEN-200 guide can be found here:
Exam Report Template:
Lab Report Template:
You are highly encouraged to use these report templates for the final documentation you submit to us.
Every penetration tester will have their own style and preference of work flow and documentation. For this reason we allow some flexibility in the way students perform reporting.
We suggest the following course of action:
Treat both the lab network and exam network as penetration tests that you were hired to do. Use tools like basket/dradis/leo/keepnote to help you document important information as you work, and once you are ready with your results, complete the relevant documentation for the attack in the "final report". This way, you put your results down in the report while they are fresh in your mind.
In order to be awarded your OSCP certification, you must submit an exam penetration test report clearly demonstrating how you successfully achieved the certification exam objectives. You are also highly encouraged to submit a lab penetration test report as it can provide you with additional points towards your certification if you are lacking sufficient points needed to pass.
Report #1 - Penetration test Report of the PEN-200 labs
Report #2 - Penetration test Report of the OSCP Exam labs
The reports must be in PDF format and include screenshots and descriptions of your attacks and results.
DOCUMENTATION OF EXERCISES FOR THE FOLLOWING SECTIONS ARE NOT REQUIRED FOR PEN-200:
- The Kali Training Site
- HTTP Service
- Reverse Shell Scenario
- Client Fingerprinting
- Upgrading a Non-Interactive Shell
- Uploading Files with TFTP
- Standard Wordlists
- Brute Force Wordlists
- HTTP htaccess Attack with Medusa
- Remote Desktop Protocol Attack with Crowbar
- SSH Attack with THC-Hydra
- HTTP POST Attack with THC-Hydra
- Retrieving Password Hashes
- Password Cracking
- All Extra Miles exercises
- Topic Exercises
The short answer is "No".
If you wish to earn the OSCP certification, the only mandatory report is the exam report. However, if you are lacking a small number of points needed to pass the certification exam, a lab report can help push you to a passing score so we highly recommend you submit both an exam and lab report.
The lab report must contain a description of your attack steps for a fully exploited Active Directory set (XOR or SVCorp which consists of four (4) machines each) and six (6) fully compromised unique machines for a total of ten (10) machines (We will continue to accept lab reports that do not contain a fully exploited Active Directory set until March 14 2022, however if you are excluding Active Directory you will then need to include ten (10) fully compromised unique machines in your lab report)
You may choose to include more than 10 machines in your report, however this will not provide any additional points to your final exam score.
Ten (10) bonus points may be earned by submitting your lab report and course exercises. In order to receive the bonus points, your documentation needs to follow the guidelines outlined at the OSCP Exam Guide.