CERTIFICATION DOMAINS:
Reconnaissance & Scanning (1-15)
Web Application Attacks (16-30)
Buffer Overflows (31-40)
Privilege Escalation: Windows (41-55)
Privilege Escalation: Linux (56-70)
Password Attacks & Lateral Movement (71-85)
Pivoting, Port Forwarding & Metasploit (86-100)
Each question includes the correct answer and a rationale
Domain 1: Reconnaissance & Scanning
1. During an external penetration test, you discover that the target domain
"target.local" has a DNS record for "vpn.target.local" that points to a public IP.
What is the most critical piece of information to gather next?
A) The operating system of the web server on that IP
B) Whether the VPN service allows split-tunneling
C) The version of the SSL/TLS certificate
D) The presence of a "Connect to VPN" portal on port 443 or 8443
Rationale: If the VPN service is exposed, it becomes a prime attack surface. Credential
stuffing, phishing, or exploiting known VPN vulnerabilities (e.g., Fortinet, Pulse Secure)
often provide initial access to the internal network, bypassing perimeter firewalls.
2. You run nmap -sS -sV -p- -T4 10.10.10.10 but the scan is taking too long. What
optimization technique would most effectively reduce scan time without losing
critical service information on high ports?
A) Increase timing to -T5
B) Use -sU instead of -sS
C) Run an initial -p- scan with --min-rate 5000, then a separate -sV scan on open ports
D) Disable host discovery with -Pn
Rationale: The -p- flag scans all 65535 ports, which is slow. The OSCP methodology
often involves a "quick" all-ports scan using a high min-rate to find open ports quickly,
followed by a targeted version scan. -T5 can cause packet loss and inaccurate results.
3. A WAF is blocking your Nmap scans. Which of the following techniques is least
likely to trigger the WAF during a port scan?
A) nmap -sS -D RND:10 10.10.10.10
B) nmap -sT -Pn 10.10.10.10
C) nmap -sS -f --mtu 24 10.10.10.10
D) nmap -sW 10.10.10.10
Rationale: Fragmentation (-f) and setting custom MTU sizes can help evade simple packet
inspection firewalls that fail to reassemble fragments properly. Decoys (-D) disguise the
source but still send the same volume of traffic, which is often blocked by stateful WAFs.
4. You find an open port 161/udp. Which tool and script is most effective for
enumerating read-only community strings?
A) snmp-check -t 10.10.10.10
B) nmap -sU -p 161 --script snmp-brute 10.10.10.10
C) nc -vu 10.10.10.10 161
D) hydra -P /usr/share/wordlists/nmap.lst snmp://10.10.10.10
Rationale: snmp-brute attempts common community strings (public, private, manager).
SNMP misconfiguration often leaks system details, network interfaces, and running
processes, which can be used for further exploitation.
5. During a web application assessment, you encounter a login form. What is the
most efficient method to determine if SQL injection is possible manually?
A) Run sqlmap with --batch immediately
B) Submit a single quote (') and look for a database error or behavior change
C) Try admin'-- as the username
D) Check the robots.txt file
Rationale: Manual testing begins with injecting a single quote to induce a syntax error.
While sqlmap is powerful, it can be noisy. Manual verification first ensures the vulnerability
exists and confirms the WAF behavior.
6. You receive a list of IPs (10.10.0.0/24) and need to find live hosts. Which
command would provide the fastest, most reliable results assuming ICMP is
blocked?
A) nmap -sn 10.10.0.0/24
B) fping -a -g 10.10.0.0/24 2>/dev/null
C) nmap -sn -PS80,443,445 10.10.0.0/24
D) arp-scan --localnet
Rationale: -sn disables the port scan. The -PS flag sends SYN packets to common ports. If ICMP
is blocked, a SYN/ACK response confirms a live host. arp-scan only works on the local
subnet, not on routed networks.
7. Which Nmap script is most effective for discovering Microsoft Windows domain
controllers and their associated services?
A) smb-os-discovery
B) ldap-rootdse
C) nbstat
D) dns-recursion
Rationale: Domain controllers expose LDAP (389/tcp). The ldap-rootdse script retrieves
the root DSE naming context, revealing the domain name, functional level, and other
AD-specific information.
8. You have a set of TCP ports: 21, 22, 25, 80, 110, 139, 443, 445, 3306, 8080.
Which service is likely running on port 3306?
A) MongoDB
B) MySQL/MariaDB
C) PostgreSQL
D) Redis
Rationale: Port 3306 is the default for MySQL. Knowing default port assignments is crucial
for rapid manual reconnaissance.
9. When performing a UDP scan, Nmap often reports open|filtered. Why does this
occur?
A) The port did not respond to the probe, but firewalls may drop the packets
instead of sending ICMP port unreachable
B) The service is running but using a non-standard protocol
C) The source port was blocked by the host firewall