This article is built as a student introduction guide to the PEN-200 course and OSCP certification. Here you will find information on:
- What is PWK (PEN-200)?
- Try Harder Mindset
- Study Approach & Tips
- Getting Started
- Additional Resources
What is PWK (PEN-200)?
PWK (PEN-200) is a hands-on, self-study, learn-by-doing and foundational course for pentesting that aims to teach mindset, skills, and tools needed to increase success in InfoSec.
PWK In OffSec Learning Journey
PWK Course Prerequisites
TCP/IP Networking Fundamentals
- TCP/IP Addressing and subnetting: Cisco - IP Addressing and Subnetting for New User
- The protocols and services that use TCP/IP: Service Name and Transport Protocol Port Number Registry
- How traffic is delivered and received
- Reasonable Windows and Linux administration experience: Linux Journey, Kali Linux Revealed
- Active Directory: Microsoft Active Directory Domain Services Overview
Familiarity with programming/scripting languages
Try Harder Mindset
Why TRY HARDER in InfoSec?
InfoSec is continuously evolving. Techniques and tools have a shelf life. It is common to encounter unfamiliar technologies and environments during a pentest while also being expected to deliver results within limited time frame.
It is important to have both knowledge and disposition needed to adapt and overcome this challenges.
Try Harder disposition is timeless, once you earn it - it will never leave you.
What does it mean to TRY HARDER?
- Trying Harder means being PERSISTENT.
- Trying Harder means being CREATIVE.
- Trying Harder means being PERCEPTIVE.
For more in depth information, please see our Try Harder Blog Post.
Trying Harder means being PERSISTENT
InfoSec involves a LOT of research, troubleshooting, and testing. There are no shortcuts to success.
Mistakes and failures are part of process. Taking a step back and understanding why approach is failing, will help identify what to try next.
The most certain way to succeed...is always to try just one more time. In other words, try again.
Trying Harder means being CREATIVE
Repeating the same failing approach over and over is not progress. Be creative and consider different problem solving approaches when one is not working.
You will need to use your knowledge and understanding of InfoSec concepts to consider a wide variety of solutions.
There are always different approaches to solving a problem. In other words, try differently.
Trying Harder means being PERCEPTIVE
Situational awareness is a critical skill for any Infosec professional. You must be aware of technologies, resources, and techniques available in a given situation.
It is also important to be aware of non-technical aspects such as how much time is available to you, and how best to use that time to get results.
In other words, try smarter.
Study Approach & Tips
Study Approach (High Level)
Start exploiting labs! To help students get started, we created PWK Labs Learning Path, which includes:
- Walkthroughs for Alpha and Beta lab machines
- Hints for 9 additional lab machines
Build a baseline methodology using walkthroughs as reference.
- Write-up detail techniques, methodology, and thought process used.
- Practice methodology on remaining lab machines.
Learn By Doing
Practice techniques and tools discussed in course materials and in labs. Hands on lab practice is key to learning success.
Buffer overflow and Active Directory involve a lot of steps and moving parts. Keep repeating exercises to master concepts and techniques involved. Replicate Alpha and Beta walkthroughs.
This one word is arguably the most important aspect of pentesting, but can be the hardest to master.
Do not simply run scans and move on. Take time to thoroughly review output and understand its implication.
Enumeration is a cyclical approach. You will need to expand your search after each new access or new information you obtain.
Pro Tip: The more you do proper enumeration, the easier it becomes to find proverbial “needle in haystack”.
Read the Exploits
Try to understand how an exploit works before executing. Knowing how an exploit works even at a high level will help you debug issues you encounter.
Do you need to set up files or permissions prior to running the exploit? Do you need to modify the exploit to match your target?
Pro tip: Running unverified exploits without considering what may occur could lead to disastrous results, such as losing files.
Take opportunity to learn a wide variety of tools in labs (e.g., nmap, nikto, sshuttle, Empire, etc.). Familiarize yourself with strengths of different tools, to identify which tool most suited for given situation.
Metasploit usage is limited in PWK exam, do not restrict yourself by over utilizing Metasploit in labs.
Pro Tip: Investigate and understand how a tool works. This will help you know when and how to use the tool, and better prepare for PWK exam.
Put in Time and Effort
Depending on your background, be prepared to dedicate significant time to work through course materials and practice in labs.
E.g., >200 - 300+ hours in the lab environment often yields best results.
Do not limit yourself to course materials and labs. Take the time to research any concept or prerequisite unclear to you. Google is your friend.
Practice, Practice, Practice!
There are no shortcuts in learning. The more machines you complete, the more exposure to environments and set ups.
Do not rely solely on hints and walkthroughs. They are not substitute to actual learning. Attempt the machine first, at minimum.
Pro Tip: Explore machines in PG Play & Practice for additional practice, though NOT a substitute for PWK lab machines.
Lab Machines Key to Success
Higher exam pass rate with >50 lab machines completed
Read course welcome email carefully. In it you will find:
- Download links for course PDF and videos
- Control Panel URL
- Help Center articles
- VPN connectivity pack and credentials
Set up Kali Linux
- Recommend Kali Linux with VMware Kali Linux with VMWare
- Snapshot your VM image regularly to avoid losing your work
Connecting to PWK labs
Download "PWK Lab Connection Package" to your Kali Linux machine and extract its contents:
root@kali:~# tar jxvf lab-connection.tar.bz2
Use openvpn command to connect to VPN labs and enter your provided username and password:
root@kali:~$ sudo openvpn OS-XXXXX-PWK.ovpn
For more information, visit Lab Connectivity Guide.
The lab network should be regarded as a hostile environment. We suggest using a VM to protect your host machine.
Direct VPN connection between students is not possible. However, you may encounter exploits left by other students. Executing these may lead to unintentional compromise of your machine.
Please be careful of unverified exploits or scripts. They may contain malicious code, resulting in loss of your data.
Best Practices in Labs
Make sure all default passwords of your personal machines have been changed.
Avoid storing sensitive information on your Kali Linux machine in the unlikely event someone able to gain access.
You can help protect yourself by stopping services when they are in use.
Take snapshots of your personal machines regularly.
The Control Panel lets you power on or revert your Client Machines.
The Control Panel also lets you revert lab machines from the “PUBLIC SERVERS” tab.
Lab Tip: Note Taking
- Document Everything. Document all steps, commands, codes, and output, even those that failed. Documentation reduces rework if/when the information later required. Notes can always be used as reference.
- Use Note Taking App. Applications such as CherryTree or OneNote allow a hierarchical structure to better organize your notes.
- Segment your notes. For instance, if attacking a single-target, create sub-notes for Enumeration, Interesting finds, Exploitation, Privilege Escalation, etc.
Who are Student Admins (SAs)?
- SAs are Offsec Alumni
- SAs help you learn
- SAs are your mentors
- SAs will guide you in right direction
- Not give you answers
- Will adjust guidance based on your background
- SAs will be your friends!
When to ask SAs for help
Try course materials and labs first, attempt to build both knowledge (technique) AND disposition (Try Harder Mindset).
Once feel you’ve exhausted and documented all steps, commands, and codes and can go no further on your own...then consider contacting SAs.
Pro Tip: SAs are here to help you build knowledge AND disposition, NOT give you the answer. They will help you find the answer on your own.
How to ask SAs for help
Be as detailed as possible. Provide all steps, commands, codes, and output when asking for help.
SAs will then understand context and how best to assist your learning.
Guidance SAs give based on amount of detail provided, and your background.
More details provided, better SAs can assist.
- Hi I need help!
- I need help with x.x.x.x machine
- I’ve been working on getting low-level access to x.x.x.x machine. I found credentials from another machine, but they do not seem to be working. Can someone help me?
- I’m trying to get the exploit for exercise 123 to work, however I get an error when launching it. Here are the commands and outputs: https://paste.offsec.com/SdDfLvsw
|What Do You Need?||Students|
For instruction:How may I join the Offsec Community?
|Mentorship with the labs or exercises|
|VPN connectivity issues|
|Lab or exam machine testing|
|Exam related firstname.lastname@example.org|
|Purchase or account related email@example.com|
OSCP Preparation Guides:
- The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0
- Scund00r Passing OSCP
- A Detailed Guide on OSCP Preparation – From Newbie to OSCP
- John J OSCP Preparation GuideAdditional Resources
PG Play and Practice: https://www.offensive-security.com/labs/individual
- Hacking: The Art of Exploitation, 2nd Edition
- The Web Application Hacker’s Handbook
- Black Hat Python, 2nd Edition
- CCNA Cisco Certified Network Associate Study Guide, 7th Edition
Public Pentesting Reports: https://github.com/juliocesarfort/public-pentesting-reports