© 2026 CheatGrid™. All rights reserved.

PEN-200 OSCP - Penetration Testing with Kali Linux Cheat Sheet


PEN-200 is OffSec's hands-on penetration testing course that leads to the OSCP and OSCP+ certifications, proving you can enumerate, exploit, and pivot through real systems during a 24-hour proctored exam. The exam is scored out of 100 points across three standalone machines (each graded on initial access plus privilege escalation) and a three-host Active Directory set worth 40 points, and you must submit a professional report to pass. This sheet maps every PEN-200 module to the concepts the exam actually rewards: methodical enumeration, web and client-side attacks, Windows and Linux privilege escalation, tunneling, and Active Directory compromise. The guiding mindset is enumerate first, exploit second, because most failed machines come from missed enumeration rather than missing exploits.

What This Cheat Sheet Covers

This topic spans 28 focused tables and 295 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Cybersecurity Fundamentals and the Penetration Testing Process
  • Table 2: Cryptography and Encryption Essentials
  • Table 3: Penetration Test Report Writing
  • Table 4: Passive Information Gathering (OSINT)
  • Table 5: Active Information Gathering and Port Scanning
  • Table 6: Service Enumeration
  • Table 7: Vulnerability Scanning
  • Table 8: Web Application Architecture and Enumeration
  • Table 9: Cross-Site Scripting (XSS)
  • Table 10: Directory Traversal and File Inclusion
  • Table 11: Command Injection and File Upload Attacks
  • Table 12: SQL Injection: Types and Detection
  • Table 13: SQL Injection: Exploitation and Automation
  • Table 14: Client-Side Attacks
  • Table 15: Locating Public Exploits
  • Table 16: Fixing and Adapting Public Exploits
  • Table 17: Antivirus Evasion
  • Table 18: Password Attacks
  • Table 19: Windows Privilege Escalation: Enumeration
  • Table 20: Windows Privilege Escalation: Exploitation
  • Table 21: Linux Privilege Escalation: Enumeration
  • Table 22: Linux Privilege Escalation: Exploitation
  • Table 23: Port Redirection and Tunneling
  • Table 24: The Metasploit Framework
  • Table 25: Active Directory Enumeration
  • Table 26: Attacking Active Directory Authentication
  • Table 27: Lateral Movement in Active Directory
  • Table 28: AWS Cloud Penetration Testing

Table 1: Cybersecurity Fundamentals and the Penetration Testing Process

PEN-200 / OSCP+ Introduction to Cybersecurity: the foundational security concepts, the OffSec-taught penetration testing lifecycle, engagement scoping, and the Try Harder learning mindset every candidate is built on before touching a tool.

| Concept | Example | Description |
| --- | --- | --- |
| CIA Triad | Encryption protects confidentiality; hashing protects integrity; backups protect availability | The three pillars of information security: confidentiality (no unauthorized disclosure), integrity (data stays accurate and unaltered), availability (authorized users can access it when needed). Every security control maps back to one of these three. |
| Threat Actor | An external criminal deploying ransomware vs a careless insider leaking data | The person or group behind an attack, defined by intent and capability. Compare the hacker hats: white hat (authorized, ethical), black hat (unauthorized, criminal), grey hat (no malicious intent but no proper authorization). |
| Attack Surface | Open ports, exposed web forms, and login pages are all entry points on the surface | All the points on a system's boundary where an attacker can try to enter, affect, or extract data. Reducing it (fewer exposed services, ports, inputs) gives attackers fewer opportunities. |
| Defense in Depth | Firewall + access controls + IDS + monitoring, so one failure does not mean compromise | A layered approach to security: multiple independent layers of protection so that if one layer fails, the others still mitigate and contain the damage. Not a single perfect control. |
| Least Privilege | A backup service account gets read access to one share, not domain admin | Grant every user, process, or account only the minimum access required to do its job. Limiting access minimizes the impact when an account is breached. This is why privilege escalation is its own pentest phase. |
| Penetration Testing Lifecycle | Recon, then scanning, exploitation, privilege escalation, post-exploitation, and reporting | The repeatable methodology OffSec teaches: information gathering, vulnerability scanning, exploitation, privilege escalation, post-exploitation/lateral movement, then reporting. A structured process, not random hacking. |
