Offensive Security Experienced Penetration Tester (OSEP) Review

Evasion Techniques and Breaching Defenses (PEN-300) is Offensive Security’s latest course on advanced penetration testing techniques.

An associated certification, the Offensive Security Experienced Penetration Tester (OSEP) is available for people who have completed the course.

The course goes into more depth than the OSCP, and is probably the next logical step if you have already completed that.

A number of topics are covered on the course including;

  • Operating System and Programming Theory
  • Client Side Code Execution With Office
  • Client Side Code Execution With Jscript
  • Process Injection and Migration
  • Introduction to Antivirus Evasion
  • Advanced Antivirus Evasion
  • Application Whitelisting
  • Bypassing Network Filters
  • Linux Post-Exploitation
  • Kiosk Breakouts
  • Windows Credentials
  • Windows Lateral Movement
  • Linux Lateral Movement
  • Microsoft SQL Attacks
  • Active Directory Exploitation

A full list of the topics covered in the course is available in the course syllabus.

I think Offensive Security breaking the OSCE into three exams is a positive change. The old OSCE covered a few tricks not in the OSCP, but didn’t really provide comprehensive coverage of any area of pentesting.

The Course

I thought the course content was great. A large amount of the content goes into creating tools in C# to perform the attacks described. This is useful for evading security controls, but also provides a good understanding of how the tools work.

It would be highly beneficial to have experience writing C# code before starting the course, particularly utilising InterOp services and reflection to invoke native Win32 functions.

Given the amount of content, including a 700+ page PDF, 19+ hours of videos I think it would take most people at least 2 months to get through the course.

A lot of the topics discussed such as Active Directory exploitation and client side payloads would typically be deemed “red team”. However Offensive Security state it’s a penetration testing as opposed to red team course as there is no blue team involved. Regardless, I think the course content would be beneficial to both groups.

Aside from the main course content, you are also provided with access to lab systems which require using techniques described in the course materials. The labs often require breaching perimeter systems, then moving laterally across multiple hosts.

Exploitation of systems typically requires identifying and exploiting subtle misconfigurations, rather than just running exploit code. As such, it felt close to a real world scenario rather than a CTF.

The Exam

Probably the bit most people are interested in 😊 I can’t go into too much detail, but I think particularly in comparison to the old OSCE certification, provided you have covered all the course material and completed the labs the exam should be fairly straight forward.

You have 48 hours to complete the exam, which is plenty of time if you are prepared. As per other Offensive Security exams you need to submit a report documenting how you compromised the target systems.

I think it’s worth practicing the labs with a view to completing them as quickly as possible. Since you’re allowed to use custom code, creating tools to complete common tasks will be a major benefit.

For instance, I wrote a tool to encode/encrypt/obfuscate msfvenom payloads to evade AV detection which reduced the time the exam would have taken if I was attempting to do it manually.