OSCP+ | PEN 200 Course Training Certification

OSCP examiners reward methodology over tool memorisation, but they assume fluency with the standard offensive Linux toolchain. The Macksofy OSCP exam-prep bootcamp drills every tool below to the point where command syntax fades into reflex — so you spend exam hours on enumeration logic, not on man-pages.

• Nmap (full NSE) + masscan. Service enumeration, version detection, and parallel sweeps for the OSCP lab subnets. We cover NSE scripts beyond the defaults (smb-vuln-*, http-enum, ldap-rootdse) and how to chain masscan → nmap for time-boxed exam recon.
• Burp Suite Community. Manual HTTP attack workflows: Repeater chains for IDOR/SSRF, Intruder for fuzzing, the Comparer for response-diffing. Pro is not required for OSCP — we drill the same workflows on Community so cost isn’t a barrier.
• Metasploit Framework (limited use). OffSec restricts Metasploit usage on the exam (one auto-exploit per attempt). We teach msfvenom payload crafting and post-modules so you know when MSF saves time and when manual exploitation is mandatory.
• BloodHound + SharpHound. Active Directory attack-path graphing. Bootcamp covers ingestor flags, custom Cypher queries for shortest-path-to-DA, and ACL abuse chains (GenericAll, GenericWrite, AddSelf, WriteDACL).
• CrackMapExec / NetExec. AD lateral-movement and credential validation across SMB/WinRM/RDP/MSSQL. Includes Kerberos abuse (ASREPRoast, Kerberoasting) and password-spray hygiene.
• Impacket suite. psexec.py, wmiexec.py, smbexec.py, GetUserSPNs.py, secretsdump.py — the AD attack tax. We cover when each is detected vs evaded by Defender + Sysmon.
• Responder + ntlmrelayx. Multicast poisoning, NTLMv2 capture, relay chains to SMB/LDAP/HTTP. Includes the MS08-068 / mitigation-bypass discussion.
• Linux PrivEsc kit (linpeas, pspy, GTFOBins lookups). Local enumeration speed-runs. PEAS suite tuning for the OSCP timebox; pspy for short-lived cron and process leak hunts.
• Windows PrivEsc kit (winPEAS, PowerUp, Seatbelt). Service mis-permissions, unquoted paths, AlwaysInstallElevated, token impersonation. Bootcamp covers the SeImpersonate → PrintSpoofer / GodPotato path that’s recurring on OSCP.
• Buffer-overflow workflow (Immunity Debugger, mona.py, msfvenom). Pattern_create/offset, EIP control, JMP ESP discovery, badchar detection, bind/reverse shellcode generation. Macksofy classroom hours include hands-on OSCP-style BOF practice machines.
• Web-payload arsenal. PHP/ASPX/JSP web-shells, polyglot uploads, command-injection payloads, SSRF/LFI/RFI chains, deserialisation primers (PHP, Java, .NET).
• Tunnel/pivot toolkit. Chisel, ligolo-ng, sshuttle, socat, plink. The bootcamp’s AD lab demands pivoting to internal subnets — we drill all four pivoting tools so you can pick whichever survives the exam network restrictions.

The bootcamp lab is built to mirror OffSec’s PWK lab topology: an entry subnet of ‘easy’ boxes, a depth subnet of ‘medium’ boxes, and a small Active Directory forest with two trust relationships. You’ll work through it across 12 weeks of mentored sessions plus unmonitored after-hours practice.

• Weeks 1-3 (foundations): Linux/Windows enumeration depth, service abuse on FTP/SMB/SSH/HTTP/MSSQL, password attacks, web-app exploitation primer.
• Weeks 4-6 (privilege escalation): Linux PE (kernel, sudo, capabilities, SUID, NFS) and Windows PE (services, schtasks, AlwaysInstallElevated, JuicyPotato family). Buffer-overflow drills with mona.py.
• Weeks 7-9 (Active Directory): AS-REP roasting, Kerberoasting, NTLM relay, BloodHound path-walking, DCSync, Golden/Silver tickets. Two parallel forests so you get cross-trust attack practice.
• Weeks 10-11 (full chain rehearsals): Mock 24-hour exam attempts on Macksofy-built challenge boxes — the closest available approximation to OSCP exam pressure.
• Week 12 (exam-prep sprint): Report-writing rehearsals against the OffSec report template, time-boxing playbook, retake strategy if a flag is missed.

Total hands-on hours across cohort + after-hours: ~280 hours over the 12-week program. Mentor office hours run twice weekly on Tuesday/Saturday evenings (IST).

The OSCP exam is a 24-hour hands-on attack window followed by a 24-hour report-writing window (48 hours total). OffSec sets the exam network with five target machines: an AD set (three machines, +40 points proxy/relay/DA path, marked atomically as one chain) and two standalone machines (20 points each, partial credit for local + root). Pass mark is 70/100 — typical pass paths are AD-full + 1 standalone full + 1 standalone local, OR AD-full + 2 standalones full.

Bootcamp exam-day playbook: First hour is enumeration-only (no exploitation tunnels yet) on every target. Hours 2-12 prioritise AD chain (highest point density). Hours 12-18 swing to standalones. Hours 18-24 are buffer time for re-enumeration of any missed footholds. Sleep is non-negotiable — the report window is unforgiving when fatigued.

OSCP+ (introduced late 2024): The OSCP+ designation is a continuous-renewal version of OSCP that requires 40 continuing professional education credits every three years. Pricing and exam content are identical to legacy OSCP; OSCP+ is automatically issued to anyone who passes the current PEN-200 exam. Legacy OSCP holders retain lifetime validity but won’t be issued OSCP+ unless they re-sit.

Retake strategy: If your first attempt comes back short, OffSec lets you retake at the standard exam fee (one attempt at a time, 14-day cooldown). The Macksofy bootcamp includes one post-exam debrief session for any cohort member who needs to retake — we walk through the score breakdown and target the specific machine class (PE vs initial access vs AD pivot) where points were lost.

OSCP is the single most-mentioned cert in Indian penetration-tester JDs. Of 200 sampled India pentest roles in Q1 2026 (Naukri + LinkedIn + Hirist), 78% list OSCP as ‘required’ or ‘strongly preferred’. The credential maps cleanly to TCS/Wipro/Infosys/HCL cyber consulting tracks, Big 4 (Deloitte/EY/PwC/KPMG India), pure-play firms (NotSoSecure, Lucideus, Payatu, K7 Computing, Aujas), and product-security teams at fintech/SaaS unicorns (Razorpay, Cred, Swiggy, Zomato, Atlassian Bangalore, Microsoft IDC, Adobe NCR).

Salary bands (India, 2026):

• 0-2 years + OSCP: ₹8-14 LPA at consultancies, ₹12-18 LPA at product firms.
• 2-5 years + OSCP: ₹16-28 LPA at consultancies, ₹22-38 LPA at product firms / GCCs.
• 5-8 years + OSCP + secondary cert (CRTO/OSCE3/OSEP): ₹32-55 LPA at lead-pentester / red-team-lead roles.
• Bug bounty supplement: Active hunters with OSCP report ₹3-15 LPA from HackerOne/Bugcrowd disclosures.

Average time-to-first-offer after passing OSCP, per recent Macksofy cohort surveys: 6-10 weeks for candidates with 1+ years prior IT/security experience; 12-20 weeks for career-switchers without prior cyber roles. The Macksofy placement cell maintains warm-intro relationships with 40+ India hiring partners; cohort members get direct referral channels during weeks 10-12 of the program.

OSCP vs CPTS (HackTheBox Certified Penetration Testing Specialist): CPTS is younger, cheaper (~$490 vs OSCP’s ~$1,749), and the exam permits unrestricted Metasploit. It signals strong infrastructure-pentest skills. India recruiter recognition of CPTS is rising but still 10x lower than OSCP — by H2 2026, expect 1-in-10 JDs to accept CPTS as an OSCP substitute. Pick CPTS if you’re early-career, on a budget, and the target employer’s JD doesn’t name OSCP specifically. Pick OSCP if the JD lists it or you want the broadest market acceptance.

OSCP vs PNPT (TCM Security Practical Network Penetration Tester): PNPT is exam-only $399 (no lab subscription), 5-day exam, focuses on internal AD-heavy assessments. Cheaper, faster, externally-graded. Recognition in India is small but growing. Pick PNPT if you have prior AD attack experience and want to validate it inexpensively. OSCP remains the safer recruiter-facing credential.

OSCP vs CRTP (Pentester Academy Certified Red Team Professional): Different scope. CRTP is AD-only and uses MS C2 frameworks (Covenant/Empire/Cobalt-style). OSCP includes Linux/web/buffer-overflow plus AD. Pick CRTP after OSCP as an AD specialisation, not instead of.

OSCP vs eJPT (eLearnSecurity Junior Pen Tester): eJPT is an entry-level tier; takes 1-2 weeks of prep, $200 exam, no lab. Pick eJPT as a stepping-stone before OSCP if you’ve never used Burp / Nmap / Metasploit. Not a substitute for OSCP at hiring time.

To make the methodology concrete, here’s the playbook a Macksofy cohort member runs on a representative classroom box (‘Jeeves’, a Windows AD foothold machine modelled on the well-known HackTheBox retired set):

1. Enumeration (10 min): Nmap full-port scan reveals 80 (Jetty), 50000 (Jetty), and 445 (SMB). Jetty fingerprinting flags a Jenkins CI server.
2. Initial access (15 min): Jenkins admin console is unauthenticated. Groovy script-console executes Java payload; reverse shell to attacker box.
3. User pivot (20 min): Shell runs as SYSTEM but we want domain-context creds. Search desktops for KeePass file (jeeves.kdbx), exfil over web, john-format KeePass2John → hashcat → master password.
4. Privilege escalation (10 min): KeePass yields domain creds. SeImpersonate privilege detected → JuicyPotato (legacy) or PrintSpoofer (modern) → SYSTEM persists across sessions.
5. Domain pivot (30 min): SharpHound runs against the now-credentialed user. BloodHound shortest-path query reveals user has GenericWrite on a service account → password-reset via Set-DomainUserPassword → service account is Kerberoastable → DA-equivalent shadow-credential attack.
6. Report (45 min): Screenshot every step, capture commands, write the OffSec-style executive summary + technical chain + remediation block.

Total time on a familiar box: ~2 hours. The exam variant will be unfamiliar but follows the same shape: enumeration → foothold → user privilege → DA path. Drilling the workflow until it’s muscle-memory is what the Macksofy bootcamp practises.

The bootcamp succeeds for candidates who arrive with the following baseline. Use this as a self-assessment — if you can confidently tick 8+ of 12, you’re ready.

• Comfortable in a Linux terminal — file ops, redirection, find, grep, awk, ssh.
• Can write 50-line Python or Bash scripts (loops, args, file I/O) without copy-paste.
• Understand TCP/UDP, the OSI layers, basic routing, NAT, DNS, HTTP request/response shape.
• Have used Nmap with -sC -sV on a lab box at least once.
• Have used Burp Suite (Community is fine) to intercept and modify a request.
• Can read SQL injection / XSS / CSRF — recognise the bug class from a sink, even if you can’t yet exploit it cleanly.
• Have spun up a VM (VMware/VirtualBox/Hyper-V) and installed Kali Linux from scratch.
• Have rooted at least 3-5 ‘easy’ boxes on HackTheBox, TryHackMe, or VulnHub.
• Understand Windows file paths, services, scheduled tasks, the registry at a basic level.
• Familiar with Active Directory at a concept level — domain, user, group, GPO, DC, the trust idea.
• Can commit 12-15 study hours/week consistently for 12 weeks.
• Have a workstation with 16GB+ RAM (24GB+ recommended for AD lab on local hypervisor).

If you tick fewer than 5, we’ll route you through the ‘OSCP Foundations’ 4-week bridge module before the main cohort starts. The bridge adds ₹15,000 to the program fee and is non-negotiable when prerequisites are thin — students who skip foundations historically fail OSCP on the first attempt at 3x the cohort average.